Skip to content

Latest commit

 

History

History
502 lines (366 loc) · 26.6 KB

README.md

File metadata and controls

502 lines (366 loc) · 26.6 KB

Dans une tentative un peu vaine d'organiser le chaos, de donner une forme toute temporaire à tout ça, voici un index... (-----

Write-ups INDEX

Various Write-ups from various CTFs..

as a Pwner for various team (Blue Water, Water Paddler, RootMeUpBeforeYouGoGo, etc...)

or alone to practice..(Team --> Armitage)

this index is not exhaustive, it's mostly challenges that have a write-up (there are more challenges in write-ups/ directory)

Heap Challenges

libc 2.35

  • 0CTF TCTF 2022 --> babyheap

    seccomp in place, heap overflow due to type confusion, do chunk overlap for leak, then two tcache poisonning attacks
    code execution via forging dtor_list table in tls-storage, and erasing the random value at fs:0x30

  • DiceCTF HOPE 2022 --> catastrophe

    double free in fastbin, then overwrite libc strlen got entry with system() address
    code execution when calling puts() function (that calls strlen...)

  • BSides.Algiers.2023 --> just pwnme

    double free in fastbin, then get allocation on environ, leak environ, get allocation on stack, write ROP on stack

libc 2.34

  • MetaCTF 2021 --> hookless

    double free in delete function,uaf in edit function (usable once),uaf in display() function too
    House of Botcake attack, we overwrite IO_2_1_stdout with environ address to leak stack address
    we write a ROP directly on stack to achieve code execution

libc 2.32

  • vsCTF 2022 --> EZorange

    oob read/write in edit function, no free available, use same method than house of orange to free chunks
    we free two chunks, then do tcache poisonning with the oob, and overwrite __malloc_hook

libc 2.31

  • justCTF 2022 --> notes

    fastbin dup attack, then write to __free_hook

  • idek CTF 2021 --> stacknotes

    malloca alloc chunk on stack depending on size,we forge a fake chunk on stack, do a house of spirit attack on it
    then alloc a chunk on stack with our ROP that overwrite return address

  • Tamil CTF 2021 --> University

    overflow in edit because of strlen on a non-zero terminated string, will give us a read/write primitive
    we set tcache.count in tcache_perthread_struct to 7 , to make a chunk goes to unsorted, to have a libc address leak
    we edit tcache_entry of bloc of size 0x20 to __free_hook

  • HSCTF 8 CTF 2021 --> House of sice

    double free vulnerability, using fastbin dup attack, then allocation on __free_hook

  • DownUnder CTF 2021 --> DUCTF Note

    int8 overflow in edit function, then write in tcache metadata, then allocation on __free_hook

  • DigitalOverdose CTF 2021 --> flavor

    double free vulnerability and uaf, then allocation on __free_hook

  • justCTF 2023 --> Nucleus

    • overwrite __free_hook via tcache poisonning attack *

libc 2.29

  • GDG Algiers CTF 2022 --> Notes Keeper

    use null byte overflow to make 0x118 chunk goes to tcache 0x20 size when freed
    the do fastbin dup attack, to finally overwrite __free_hook

libc 2.27

  • RaR CTF 2021 --> unintended

    heap overflow because of strlen usage, then make overlapping chunk & tcache poisonning
    finally overwrite __free_hook

  • IJCTF 2021 --> ezpez

    double free on tcache_head to have allocation in unsorted, leak libc, double free on stdin to modify filedescriptor and leak flag

  • HSCTF 8 CTF 2021 --> Use after freedom

    unsorted bin attack, overwrite global_max_fast, then overwrite __free_hook

  • justCTF 2023 --> Welcome in my house

    • classic house of force challenge, overwrite another chunk on heap by "turning around" the memory address space *

libc 2.25

  • Tamil CTF 2021* --> Vuln Storage
Code execution after exit
  • Imaginary CTF 2022 --> rope

    code execution via overwriting _rtld_global+3848 , that is __rtld_lock_lock_recursive (GL(dl_load_lock))
    and pivoting in _rtld_global , via gets() and setcontext gadget

  • DanteCTF 2023 --> Sentence To Hell

    code execution via overwriting l->l_info[DT_FINI_ARRAY] , to make it point to a forge _fini_array entry pointing to a onegadget
    challenge on libc 2.35 from Ubuntu 22.04

  • LakeCTF Quals 2023 --> Not Malloc

    code execution by creating a fake dtor_list in tls-storage, then pivoting in tls-storage & execute a ROP there

Kernel exploitation challenges
  • UTCTF 2022 --> bloat

    use write primitive in kernel module, to overwrite modprobe_path

  • FCSC 2023 --> ktruc

    kernel exploitation on recent ubuntu 5.19 kernel, use write primitive in kernel module, to overwrite modprobe_path

  • OffensiveCon 2023 --> Blue Frost Security , bfsmatrix challenge

    kernel exploitation on 6.0.15, an UAF on linked list matrix

SIGROP challenges
  • Tamil CTF 2021 --> Insecure system

    ROP & sigrop

  • Tamil CTF 2021 --> Stress Rope

    small echo server in assembly, very few gadgets --> ROP & sigrop

  • PBjar CTF 2021 --> Imdeghost

    restricted shellcode, resolved via connect back flag exfiltration done in sigrop

FSOP challenges
  • SECCON CTF 2022 Quals --> Baby file

    libc-2.31 based fsop exploitation, _wide_data is NULL and non reachable, we populate pointers first
    then leak libc & random value at fs:0x30, we forge onegagdet mangled address and have code execution via _cookie_write

  • Hack.lu CTF 2022 --> byor

    libc-2.35 based fsop exploitation, _wide_data points on NULL chunk, we can overwrite stdout
    code execution via _IO_wfile_underflow , we execute system('/bin/sh'), new standard for FSOP

  • FCSC 2022 --> RPG

    heap overflow in FILE structure, then we use FSOP read/write to overwrite __free_hook

  • Blackhat MEA CTF finals --> devpro

    OOB read/write in FILE structure, then we use FSOP write to overwrite stdout, and we do a FSOP for code execution

  • GlacierCTF 2023 --> Write Byte Where

    one byte pwn challenge, solved with a write in stdin to expand buffer, and write over stdout for FSOP

restricted shellcode challenges
  • Redpwn CTF 2021 --> gelcode-2

    shellcode with only opcodes from 0 to 5, and a seccomp that force open/read/write shellcode

  • MetaCTF 2021 --> sequential shellcode

    shellcode where every byte must be bigger then the preceding one

  • Maple CTF 2022 --> EBCSIC

    shellcode alphanumeric but restricted to cp037 charset

  • FCSC 2022 --> palindrome

    need to write a palindrome shellcode, that can be read and executed in two direction

  • Aero CTF 2021 --> Shell Master 2

    run and execute 16byte alphanumeric shellcodes

  • idek CTF 2021 --> Guardians of the Galaxy

    shellcode that finds an previously left opened filedescriptor to escape chroot

  • KITCTFCTF 2022 --> movsh

    shellcode composed only of mov and 2 syscalls only, with seccomp that only allow open,read,write,exit syscalls

  • FCSC 2023 --> keskidi

    shellcode where a child leak parent accessible only flag.txt via a random temporary file modified by parent

  • Blackhat MEA CTF finals --> babysbx

    escaping from a seccomp very restricted shellcode, and remapping a read-only zone for changing only allowed binary

  • 0CTF/TCTF 2023 --> Nothing is true

    *escaping from a seccomp very restricted with a 64 bit elf file, switching to 32bit and using sysenter *

Format string challenges
  • PBjar CTF 2021 --> wallstreet32

    restricted format string with many format chars forbidden, use trick '%\n' to get a leak (libc-2.31 based)*

  • MetaCTF 2021 --> Simple Format Returned

    well classical format string, need bruteforce

  • Maple CTF 2022 --> printf

    well classical format string, need bruteforce

  • Imaginary CTF 2021 --> inkaphobia

    well classical format string, need bruteforce

  • IJCTF 2021 --> baby sum

    simple format string

  • FCSC 2022 --> Formatage

    well classical format string, need bruteforce

  • DigitalOverdose CTF 2021 --> uncurved

    format string on heap with seccond that forbid execve, and bit a of bruteforce

  • Asis CTF Quals 2022* --> Baby Scan II

    abuse format string in snprintf to have a write anywhere primitive
    then overwrite exit got entry with _start, then overwrite atoi with printf for leaks
    then overwrite atoi() with system() for code execution

  • idekCTF 2022 --> relativity

    *format string on heap with only two %n allowed, need bruteforce...only solve script *

Various ROP challenges (or Buffer overflow style)
  • MetaCTF 2021 --> An Attempt Was Made

    restricted rop, execve forbidden, few gadgets (no libcsu_init gadget), use only add_gadget to forge gadgets

  • Hayyim CTF 2021 --> warmup

    simple rop challenge

  • Hayyim CTF 2021 --> cooldown

    more restricted rop challenge

  • Fword CTF 2021 --> blacklist revenge

    seccomp in place to forbid execve, no stdout/stderr output, so a mix of ROP+connect back shellc<brode

  • DefCamp CTF 2022 --> blindsight

    blind remote ROP with no binaries given

  • TamuCTF 2022 --> Rop Golf

    restricted ROP with few gadgets

  • SunshineCTF 2022 --> [RII] Magic the GatheRIIng

    oob write on stack, leak, then onegadget..

  • 404 CTF 2023 --> Calculatrice

    overflow in recursive processing of multiplication in a calculator application
    *little ROP, that transform stderr libc address on .bss in a onegadget *

  • Balsn CTF 2023 --> BabyPwn2023

    restricted ROP with few gadgets available
    *first ROP on .bss, then execute .puts to leave libc addresses on .bss, then reeuse stdout address to leak a libc address on .bss (stdout) *

other architecture based challenges (arm,mips,riscv,etc...)
  • LINE CTF 2022 --> simbox (arm)

    ARM challenge based on gnu simulator 11.2 (with custom patch), we rop it, and dump flag

  • JustCTF 2022 --> arm (aarch64)

    simple aarch64 exploitation challenge

  • HackIM CTF 2022 --> Typical ROP (riscv)

    simple riscv gets buffer overflow exploitation challenge

  • UTCTF 2023 --> Bing Chilling (loongarch64)

    simple loongarch64 gets buffer overflow exploitation challenge

  • Hack-A-Sat 4 Qualifiers 2023 --> Smash Babdy & Drop baby (riscv32)

    smash baby is a buffer overflow, and drop baby an overflow needed to be ROP, on riscv32

Automatic exploit generation challenges
  • Imaginary CTF 2021 --> speedrun

    automatic generated exploit, gets buffer overflow type

  • TamuCTF 2022 --> Quick Mafs

    *5 automatic generated exploits to exploit *

VM Escape challenges
  • Fword CTF 2021 --> Peaky and the brain

    funny challenge, web application written in python, convert an image to brainfuck language, then execute brainfuck code
    oob write on stack in brainfuck interpreter, seccomp in place forbid execve, so open/read/write shellcode translated in brainfuck

  • CyberSecurityRumble CTF 2022 --> riscv-jit

    escape from a riscv bson parser inside a riscv jit interpreter to a riscv shellcode,
    then escape from a riscv just in time interpreter via a oob write in rwx zone, and execute x86 shellcode

  • CyberSecurityRumble CTF 2020 --> bflol

    oob read/write in a brainfuck interpreter , we dump our leaks on stack
    then overwrite return address with a onegadget

  • 404 CTF 2022 --> Changement d'architecture II

    a sort of arm lite vm, oob read/write in registers access, that permit overwrite FILE structure
    then we get code execution via FSOP

  • 0CTF TCTF 2022 --> ezvm

    escape a stack machine type of vm, via an oob write, we leak an address on heap via program logic trick
    then we get execution on exit, by forging a dtors_table in tls-storage and erasing random val at fs:0x30

  • RCTF 2022 --> bfc

    escape a brainfuck recompiler, via an oob read/write underflow on heap, then do heap exploitation via brainfuck (crazy)
    then we get code execution by overwriting libc GOT entries of strlen and memcpy, and causing a malloc error
    the malloc error will launch __libc_message() function that will call strlen and memcpy

  • UTCTF 2023 --> UTCTF Sandbox

    escape a unicorn sandbox, via vulnerabilities in syscall emulation
    we exploit first program running in guest, to get code execution via ROP
    then we exploit syscall emulation vulnerabilities in host loader, to leak host addresses, and execute an execve syscall

  • zer0pts CTF 2023 --> Brainjit

    escape from a JIT brainfuck x86 compiler
    by exploiting code x86 generation error, then executing a shellcode

  • Hitcon Quals 2023 --> Wall Maria

    a basic qemu escape challenge, via an oob read/write in a pci qemu driver

  • m0lecon CTF Finals 2023 --> Ptmoon

    an advanced qemu escape challenge, on qemu 8.1.1 running ubuntu 23.10
    an oob read/write introduced in the vmware svga driver, and a code execution via writing a ROP in another thread stack

  • bi0s CTF 2024 --> virtio-note

    an qemu escape challenge, on qemu 8.2.0
    an oob read/write in a virtio backend driver, and a code execution via writing a shellcode in qemu RWX zone

PTRACE related challenges
  • Balsn CTF 2022 --> Asian Parents

    interesting challenge where a parent process trace a child process to filter his syscalls via ptrace

  • NahamCon EU CTF 2022 --> Limited resources

    challenge where a parent process trace a child process to modify his code via PTRACE_POKEDATA
    and like this, escape of the restricted seccomp to dump the flag via child

Windows challenges
  • INTENT CTF 2022 --> PwnMe

    simple buffer overflow, we do a little ROP that makes stack executable via a call to VirtualProtect()
    then we jump to a simple windows shellcode that calls cmd.exe

Uncategorized challenges (but worth reading)
  • Google CTF Quals 2022 --> FixedASLR

    great challenge, attack on LFSR based with a known output, to calculate canary (generated by the LFSR)
    use a ROP and a SIGROP for shell execution

  • Google CTF Quals 2023 --> write-flag-where 1,2 and 3

    a series of 3 challenges, each one more restricted, where you are give a write primitive to write flag anywhere

  • FCSC 2022 --> httpd

    interesting challenge, exploitation of syslog() format string vuln by child process, that exploit the parent process
    child process http authentification has a buffer overflow in base64 decoding to a fixed buffer on stack

  • FCSC 2022 --> deflation

    buffer overflow when decompressing zlib compressed data, then restricted ROP

  • Balsn CTF 2021 --> orxw

    interesting challenge where a parent can only write, and a child process can only open and read
    stdin,stdout,stderr are closed, so we use time to extract flag content by testing each char, and blocking when right guess

  • RealWorld CTF 2022 --> Shellfind

    exploiting a 0 day in a DLINK DCS-960L camera, via a buffer overflow in an udp service

  • justCTF 2023 --> Tic Tac PWN!

    • interesting challenge, where we can call libc functions via a rpc server, that can call a dynamic library imported functions (tic tac toe game) *
    • but we can pass only 32bits values to functions, and cannot map memory zone in the low 32bits of address space, nor use returned functions results *
    • we mmap a shellcode written in a temp file as rwx, and we finally use on_exit() libc function to have code execution at exits (very trikcy one..) *
  • Codegate CTF 2023 --> sea

    • interesting challenge, we can aes encrypt and decrypt data, we can overflow aes sboxes to zero them and leak the random key *
    • some signed and unsigned trick in padding to leak data on stack, and an overflow in encrypt function.. *

you find my work usefull? well you can tip me here to support it.. I will drink to you ! (probably not coffee)

bender1