07 Feb 2021
This weekend I wrote flippidy and babyrop, both easy (relatively speaking) pwn challenges for DiceCTF 2021.
Flippidy
Checksec:
Arch: amd64-64-little
RELRO: Full RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (0x400000)
This was a heap note challenge. The provided libc version is 2.27 without the tcache double free check.
We are allowed to choose the size of our notebook.
We are given two functions:
- Add - create a note (malloc(0x30)) at an index and write to the chunk. Doesn't care if the index is taken, will not free it.
- Flip - flip the notebook (swap d c b a to a b c d)
Further, the menu prints 4 pointers from a char * array, which correspond to the four lines that comprise the menu.
16 Nov 2020
b1c takes third global and first in highschools (We stole Gabe for one algo challenge again).
We also maintained the b1c tradition of dropping from 1st to 3rd due to a single challenge (ahem veggie factory 5 ahem)
gcalc
Pwn 700, 23 solves
Weighted averaging is too hard, so I made a program to do it for you!
nc challenges.ctfd.io 30253
-asphyxia
This solution takes approx. 2 minutes and 30 seconds to run on remote lol.
We are given three important functions:
1) Add a category
2) Set grades in a category
3) Print report
Each grade category is implemented as a struct.
There is a global array of category entry structs, which is below:
There is enough space in the global category array for 16 structs.
09 Aug 2020
Good quality CTF from From Sousse, with love. DiceGang takes second.
Notably I helped with 1 heap, which got 4-5 solves. Unfortunately I had to go to sleep right before getting libc leaks so OP pepsi on the West Coast solved submitted, but I solved afterwards for fun.
OldNote
Old, but gold
nc poseidonchalls.westeurope.cloudapp.azure.com 9000
Full security checks are in place, so it's a heap chall. The provided libc and ld are for glibc 2.26, which has tcache included.
The program allows us 4 slots which hold pointers to malloc'ed chunks. We can only create and delete these chunks, so no easy :leeks:
We also cannot allocate chunks larger than 0x100 size.
02 Aug 2020
High quality CTF from bi0s.
I played with DiceGang, and we got 2nd.
During the CTF I realized that I like harder pwn a lot more than harder web.
Party Planner
We are given the linker, libc, and binary.
The challenge uses glibc 2.29, with full security protections, so it's a heap exploit.
We get a menu with 9 options:
- Create a house
- Create a person
- Add person to house
- Remove person to house
- View house
- View person
- Party
- Destroy house
- Give up (exit)
The program maintains two arrays, an array of houses, and an array of free agents (people that haven't been assigned to a house).
The program also maintains a "cache" person pointer. The pointer is updated on viewing / deleting a person.
28 Jun 2020
b1c 1st place high schools :D
Four Function Heap
Pwn, 490
When ctf writers can't think of interesting problems, there's always four function heap
nc 2020.redpwnc.tf 31774
My first decent heap solve :)
The idea is to get a write and overwrite one of the hooks (I chose to overwrite __free_hook) with a one_gadget to get a shell.
Usual security checks give us:
boshua@cybersec:~/fourfunction/bin$ pwn checksec four-function-heap
[*] '/home/boshua/fourfunction/bin/four-function-heap'
Arch: amd64-64-little
RELRO: Full RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled