Dans une tentative un peu vaine d'organiser le chaos, de donner une forme toute temporaire à tout ça, voici un index... (-----
Various Write-ups from various CTFs..
as a Pwner for various team (Blue Water, Water Paddler, RootMeUpBeforeYouGoGo, etc...)
or alone to practice..(Team --> Armitage)
this index is not exhaustive, it's mostly challenges that have a write-up (there are more challenges in write-ups/ directory)
Heap Challenges
-
0CTF TCTF 2022 --> babyheap
seccomp in place, heap overflow due to type confusion, do chunk overlap for leak, then two tcache poisonning attacks
code execution via forging dtor_list table in tls-storage, and erasing the random value at fs:0x30 -
DiceCTF HOPE 2022 --> catastrophe
double free in fastbin, then overwrite libc strlen got entry with system() address
code execution when calling puts() function (that calls strlen...) -
BSides.Algiers.2023 --> just pwnme
double free in fastbin, then get allocation on environ, leak environ, get allocation on stack, write ROP on stack
- MetaCTF 2021 --> hookless
double free in delete function,uaf in edit function (usable once),uaf in display() function too
House of Botcake attack, we overwrite IO_2_1_stdout with environ address to leak stack address
we write a ROP directly on stack to achieve code execution
- vsCTF 2022 --> EZorange
oob read/write in edit function, no free available, use same method than house of orange to free chunks
we free two chunks, then do tcache poisonning with the oob, and overwrite __malloc_hook
-
justCTF 2022 --> notes
fastbin dup attack, then write to __free_hook
-
idek CTF 2021 --> stacknotes
malloca alloc chunk on stack depending on size,we forge a fake chunk on stack, do a house of spirit attack on it
then alloc a chunk on stack with our ROP that overwrite return address -
Tamil CTF 2021 --> University
overflow in edit because of strlen on a non-zero terminated string, will give us a read/write primitive
we set tcache.count in tcache_perthread_struct to 7 , to make a chunk goes to unsorted, to have a libc address leak
we edit tcache_entry of bloc of size 0x20 to __free_hook -
HSCTF 8 CTF 2021 --> House of sice
double free vulnerability, using fastbin dup attack, then allocation on __free_hook
-
DownUnder CTF 2021 --> DUCTF Note
int8 overflow in edit function, then write in tcache metadata, then allocation on __free_hook
-
DigitalOverdose CTF 2021 --> flavor
double free vulnerability and uaf, then allocation on __free_hook
-
justCTF 2023 --> Nucleus
- overwrite __free_hook via tcache poisonning attack *
- overwrite __free_hook via tcache poisonning attack *
- GDG Algiers CTF 2022 --> Notes Keeper
use null byte overflow to make 0x118 chunk goes to tcache 0x20 size when freed
the do fastbin dup attack, to finally overwrite __free_hook
-
RaR CTF 2021 --> unintended
heap overflow because of strlen usage, then make overlapping chunk & tcache poisonning
finally overwrite __free_hook -
IJCTF 2021 --> ezpez
double free on tcache_head to have allocation in unsorted, leak libc, double free on stdin to modify filedescriptor and leak flag
-
HSCTF 8 CTF 2021 --> Use after freedom
unsorted bin attack, overwrite global_max_fast, then overwrite __free_hook
-
justCTF 2023 --> Welcome in my house
- classic house of force challenge, overwrite another chunk on heap by "turning around" the memory address space *
- classic house of force challenge, overwrite another chunk on heap by "turning around" the memory address space *
- Tamil CTF 2021* --> Vuln Storage
Code execution after exit
-
Imaginary CTF 2022 --> rope
code execution via overwriting
_rtld_global+3848
, that is__rtld_lock_lock_recursive (GL(dl_load_lock))
and pivoting in_rtld_global
, viagets()
and setcontext gadget -
DanteCTF 2023 --> Sentence To Hell
code execution via overwriting
l->l_info[DT_FINI_ARRAY]
, to make it point to a forge_fini_array
entry pointing to a onegadget
challenge on libc 2.35 from Ubuntu 22.04 -
LakeCTF Quals 2023 --> Not Malloc
code execution by creating a fake dtor_list in tls-storage, then pivoting in tls-storage & execute a ROP there
Kernel exploitation challenges
-
UTCTF 2022 --> bloat
use write primitive in kernel module, to overwrite modprobe_path
-
FCSC 2023 --> ktruc
kernel exploitation on recent ubuntu 5.19 kernel, use write primitive in kernel module, to overwrite modprobe_path
-
OffensiveCon 2023 --> Blue Frost Security , bfsmatrix challenge
kernel exploitation on 6.0.15, an UAF on linked list matrix
SIGROP challenges
FSOP challenges
-
SECCON CTF 2022 Quals --> Baby file
libc-2.31 based fsop exploitation, _wide_data is NULL and non reachable, we populate pointers first
then leak libc & random value at fs:0x30, we forge onegagdet mangled address and have code execution via _cookie_write -
Hack.lu CTF 2022 --> byor
libc-2.35 based fsop exploitation, _wide_data points on NULL chunk, we can overwrite stdout
code execution via _IO_wfile_underflow , we execute system('/bin/sh'), new standard for FSOP -
FCSC 2022 --> RPG
heap overflow in FILE structure, then we use FSOP read/write to overwrite __free_hook
-
Blackhat MEA CTF finals --> devpro
OOB read/write in FILE structure, then we use FSOP write to overwrite stdout, and we do a FSOP for code execution
-
GlacierCTF 2023 --> Write Byte Where
one byte pwn challenge, solved with a write in stdin to expand buffer, and write over stdout for FSOP
restricted shellcode challenges
-
Redpwn CTF 2021 --> gelcode-2
shellcode with only opcodes from 0 to 5, and a seccomp that force open/read/write shellcode
-
MetaCTF 2021 --> sequential shellcode
shellcode where every byte must be bigger then the preceding one
-
Maple CTF 2022 --> EBCSIC
shellcode alphanumeric but restricted to cp037 charset
-
FCSC 2022 --> palindrome
need to write a palindrome shellcode, that can be read and executed in two direction
-
Aero CTF 2021 --> Shell Master 2
run and execute 16byte alphanumeric shellcodes
-
idek CTF 2021 --> Guardians of the Galaxy
shellcode that finds an previously left opened filedescriptor to escape chroot
-
KITCTFCTF 2022 --> movsh
shellcode composed only of mov and 2 syscalls only, with seccomp that only allow open,read,write,exit syscalls
-
FCSC 2023 --> keskidi
shellcode where a child leak parent accessible only flag.txt via a random temporary file modified by parent
-
Blackhat MEA CTF finals --> babysbx
escaping from a seccomp very restricted shellcode, and remapping a read-only zone for changing only allowed binary
-
0CTF/TCTF 2023 --> Nothing is true
*escaping from a seccomp very restricted with a 64 bit elf file, switching to 32bit and using sysenter *
Format string challenges
-
PBjar CTF 2021 --> wallstreet32
restricted format string with many format chars forbidden, use trick '%\n' to get a leak (libc-2.31 based)*
-
MetaCTF 2021 --> Simple Format Returned
well classical format string, need bruteforce
-
Maple CTF 2022 --> printf
well classical format string, need bruteforce
-
Imaginary CTF 2021 --> inkaphobia
well classical format string, need bruteforce
-
IJCTF 2021 --> baby sum
simple format string
-
FCSC 2022 --> Formatage
well classical format string, need bruteforce
-
DigitalOverdose CTF 2021 --> uncurved
format string on heap with seccond that forbid execve, and bit a of bruteforce
-
Asis CTF Quals 2022* --> Baby Scan II
abuse format string in snprintf to have a write anywhere primitive
then overwrite exit got entry with _start, then overwrite atoi with printf for leaks
then overwrite atoi() with system() for code execution -
idekCTF 2022 --> relativity
*format string on heap with only two
%n
allowed, need bruteforce...only solve script *
Various ROP challenges (or Buffer overflow style)
-
MetaCTF 2021 --> An Attempt Was Made
restricted rop, execve forbidden, few gadgets (no libcsu_init gadget), use only add_gadget to forge gadgets
-
Hayyim CTF 2021 --> warmup
simple rop challenge
-
Hayyim CTF 2021 --> cooldown
more restricted rop challenge
-
Fword CTF 2021 --> blacklist revenge
seccomp in place to forbid execve, no stdout/stderr output, so a mix of ROP+connect back shellc<brode
-
DefCamp CTF 2022 --> blindsight
blind remote ROP with no binaries given
-
TamuCTF 2022 --> Rop Golf
restricted ROP with few gadgets
-
SunshineCTF 2022 --> [RII] Magic the GatheRIIng
oob write on stack, leak, then onegadget..
-
404 CTF 2023 --> Calculatrice
overflow in recursive processing of multiplication in a calculator application
*little ROP, that transformstderr
libc address on.bss
in a onegadget * -
Balsn CTF 2023 --> BabyPwn2023
restricted ROP with few gadgets available
*first ROP on .bss, then execute .puts to leave libc addresses on .bss, then reeuse stdout address to leak a libc address on .bss (stdout) *
other architecture based challenges (arm,mips,riscv,etc...)
-
LINE CTF 2022 --> simbox (arm)
ARM challenge based on gnu simulator 11.2 (with custom patch), we rop it, and dump flag
-
JustCTF 2022 --> arm (aarch64)
simple aarch64 exploitation challenge
-
HackIM CTF 2022 --> Typical ROP (riscv)
simple riscv gets buffer overflow exploitation challenge
-
UTCTF 2023 --> Bing Chilling (loongarch64)
simple loongarch64 gets buffer overflow exploitation challenge
-
Hack-A-Sat 4 Qualifiers 2023 --> Smash Babdy & Drop baby (riscv32)
smash baby is a buffer overflow, and drop baby an overflow needed to be ROP, on riscv32
Automatic exploit generation challenges
VM Escape challenges
-
Fword CTF 2021 --> Peaky and the brain
funny challenge, web application written in python, convert an image to brainfuck language, then execute brainfuck code
oob write on stack in brainfuck interpreter, seccomp in place forbid execve, so open/read/write shellcode translated in brainfuck -
CyberSecurityRumble CTF 2022 --> riscv-jit
escape from a riscv bson parser inside a riscv jit interpreter to a riscv shellcode,
then escape from a riscv just in time interpreter via a oob write in rwx zone, and execute x86 shellcode -
CyberSecurityRumble CTF 2020 --> bflol
oob read/write in a brainfuck interpreter , we dump our leaks on stack
then overwrite return address with a onegadget -
404 CTF 2022 --> Changement d'architecture II
a sort of arm lite vm, oob read/write in registers access, that permit overwrite FILE structure
then we get code execution via FSOP -
0CTF TCTF 2022 --> ezvm
escape a stack machine type of vm, via an oob write, we leak an address on heap via program logic trick
then we get execution on exit, by forging a dtors_table in tls-storage and erasing random val at fs:0x30 -
RCTF 2022 --> bfc
escape a brainfuck recompiler, via an oob read/write underflow on heap, then do heap exploitation via brainfuck (crazy)
then we get code execution by overwriting libc GOT entries of strlen and memcpy, and causing a malloc error
the malloc error will launch __libc_message() function that will call strlen and memcpy -
UTCTF 2023 --> UTCTF Sandbox
escape a unicorn sandbox, via vulnerabilities in syscall emulation
we exploit first program running in guest, to get code execution via ROP
then we exploit syscall emulation vulnerabilities in host loader, to leak host addresses, and execute an execve syscall -
zer0pts CTF 2023 --> Brainjit
escape from a JIT brainfuck x86 compiler
by exploiting code x86 generation error, then executing a shellcode -
Hitcon Quals 2023 --> Wall Maria
a basic qemu escape challenge, via an oob read/write in a pci qemu driver
-
m0lecon CTF Finals 2023 --> Ptmoon
an advanced qemu escape challenge, on qemu 8.1.1 running ubuntu 23.10
an oob read/write introduced in the vmware svga driver, and a code execution via writing a ROP in another thread stack -
bi0s CTF 2024 --> virtio-note
an qemu escape challenge, on qemu 8.2.0
an oob read/write in a virtio backend driver, and a code execution via writing a shellcode in qemu RWX zone
PTRACE related challenges
-
Balsn CTF 2022 --> Asian Parents
interesting challenge where a parent process trace a child process to filter his syscalls via
ptrace
-
NahamCon EU CTF 2022 --> Limited resources
challenge where a parent process trace a child process to modify his code via
PTRACE_POKEDATA
and like this, escape of the restricted seccomp to dump the flag via child
Windows challenges
- INTENT CTF 2022 --> PwnMe
simple buffer overflow, we do a little ROP that makes stack executable via a call to
VirtualProtect()
then we jump to a simple windows shellcode that calls cmd.exe
Uncategorized challenges (but worth reading)
-
Google CTF Quals 2022 --> FixedASLR
great challenge, attack on LFSR based with a known output, to calculate canary (generated by the LFSR)
use a ROP and a SIGROP for shell execution -
Google CTF Quals 2023 --> write-flag-where 1,2 and 3
a series of 3 challenges, each one more restricted, where you are give a write primitive to write flag anywhere
-
FCSC 2022 --> httpd
interesting challenge, exploitation of syslog() format string vuln by child process, that exploit the parent process
child process http authentification has a buffer overflow in base64 decoding to a fixed buffer on stack -
FCSC 2022 --> deflation
buffer overflow when decompressing zlib compressed data, then restricted ROP
-
Balsn CTF 2021 --> orxw
interesting challenge where a parent can only write, and a child process can only open and read
stdin,stdout,stderr are closed, so we use time to extract flag content by testing each char, and blocking when right guess -
RealWorld CTF 2022 --> Shellfind
exploiting a 0 day in a DLINK DCS-960L camera, via a buffer overflow in an udp service
-
justCTF 2023 --> Tic Tac PWN!
- interesting challenge, where we can call libc functions via a rpc server, that can call a dynamic library imported functions (tic tac toe game) *
- but we can pass only 32bits values to functions, and cannot map memory zone in the low 32bits of address space, nor use returned functions results *
- we mmap a shellcode written in a temp file as rwx, and we finally use
on_exit()
libc function to have code execution at exits (very trikcy one..) *
- interesting challenge, where we can call libc functions via a rpc server, that can call a dynamic library imported functions (tic tac toe game) *
-
Codegate CTF 2023 --> sea
- interesting challenge, we can aes encrypt and decrypt data, we can overflow aes sboxes to zero them and leak the random key *
- some signed and unsigned trick in padding to leak data on stack, and an overflow in encrypt function.. *
- interesting challenge, we can aes encrypt and decrypt data, we can overflow aes sboxes to zero them and leak the random key *
you find my work usefull? well you can tip me here to support it.. I will drink to you ! (probably not coffee)