prettify code

2018年9月5日 星期三

[Write-up] TokyoWesterns CTF 2018 - pwn240+300+300 EscapeMe

The best KVM (Kernel-based Virtual Machine) challenge I've ever seen! Thanks @shift_crops for giving such great challenge. He released the source code of EscapeMe after the contest as well.

2018年6月26日 星期二

[Write-up] Google CTF 2018 - pwn420 sandbox compat

Basic Info
This is an interesting sandbox-escaping challenge! Though I solved it after the game, still want to share how fun this challenge is, so I make this writeup.


Attachment contains the binary and source code, you can find them in my github repository.

2018年4月5日 星期四

[Write-up] 0ctf quals 2018 - pwn1000 Mighty Dragon

Glad to say that we (HITCON) are the only team solved this challenge :D
But in my opinion this challenge is more like a reversing but not a pwnable one.
This is a pwn challenge - but the pwn part is extremely easy, and the hardest part is to understand what is this binary doing. Anyway, let's see the details.




2017年11月7日 星期二

[Official Write-up] HITCON CTF 2017 - pwn327 Real Ruby Escaping

Introduction


The attachment can be found in my repository: link

Many people ask me to give this writeup because I announced that all the 11 teams used unintended solution on IRC. Now comes the intended one :D

This task asks you to exploit the ruby interpreter, given arbitrary ruby code execution but protected by seccomp rules.

2017年9月11日 星期一

[Write-up] Tokyo Westerns CTF 2017 - rev500 Steganographer Revenge

It's a long time since I last wrote a writeup for reversing challenge! Since we(217) are the only team to solve this, and it's a great challenge, I decide to do so.This challenge was solved by me and my teammate +PZ Read.

2017年6月21日 星期三

[Write-up] Google CTF 2017 - pwn474 primary

Before Start

This challenge took me 40 hours (including sleeping) to solve! One reason is I'm not familiar with race condition bugs. Main reason is because there're too many strategies (seems) can solve it. I have tried at least four kinds of exploitation and finally got the correct and stable one. I will show the final solution I got and mention why other solutions failed.

Another reason hard to solve this challenge is that race condition is difficult to debug because whenever a debugger presents, the race condition will always fail 😢

Basic Info



Challenge's attachment files can be found in my github repo.

Source code, Makefile, and binary are given.
checksec of binary:

The Makefile is important, it reveals the compile options are:
$ clang-3.8 primary.c -Wall -Wextra -std=gnu11 -lpthread -O0 -o primary -ltcmalloc

It uses tcmalloc as memory allocator which is a package in google-perftools. This link has a nice explanation of it's malloc/free mechanism. I will briefly introduce it as well and explain how to exploit this kind of heap later.

2017年4月25日 星期二

[Write-up] PlaidCTF 2017 - pwn400 Plaid Party Planning


Introduction

The challenge files can be downloaded here.

Challenge contains three files: partyplanning.strippartyplanning.dump, and relocator.py

partyplanning.strip is the main binary, with less protection: