
Tuesday, November 7, 2017

[Official Write-up] HITCON CTF 2017 - pwn327 Real Ruby Escaping


The attachment can be found in my repository: link

Many people asked me for this write-up after I announced on IRC that all 11 solving teams had used an unintended solution. Here comes the intended one :D

This task asks you to exploit the Ruby interpreter: you are given arbitrary Ruby code execution, but the process is protected by seccomp rules.

Monday, September 11, 2017

[Write-up] Tokyo Westerns CTF 2017 - rev500 Steganographer Revenge

It's been a long time since I last wrote a write-up for a reversing challenge! Since we (217) were the only team to solve it, and it's a great challenge, I decided to do so. This challenge was solved by me and my teammate +PZ Read.

Wednesday, June 21, 2017

[Write-up] Google CTF 2017 - pwn474 primary

Before Start

This challenge took me 40 hours (including sleeping) to solve! One reason is that I'm not familiar with race condition bugs. The main reason is that there seem to be too many strategies that can solve it. I tried at least four kinds of exploitation before finally getting a correct and stable one. I will show the final solution I arrived at and explain why the other solutions failed.

Another reason this challenge is hard to solve is that race conditions are difficult to debug: whenever a debugger is attached, the race always fails 😢

Basic Info

The challenge's attachment files can be found in my GitHub repo.

Source code, Makefile, and binary are given.
checksec output of the binary:

The Makefile is important: it reveals the compile options:
$ clang-3.8 primary.c -Wall -Wextra -std=gnu11 -lpthread -O0 -o primary -ltcmalloc

It uses tcmalloc as the memory allocator, which is part of the google-perftools package. This link has a nice explanation of its malloc/free mechanism. I will briefly introduce it as well and explain how to exploit this kind of heap later.

Tuesday, April 25, 2017

[Write-up] PlaidCTF 2017 - pwn400 Plaid Party Planning


The challenge files can be downloaded here.

The challenge contains three files: partyplanning.strip, partyplanning.dump, and

partyplanning.strip is the main binary, with fewer protections:

Tuesday, March 21, 2017

[Write-up] 0ctf 2017 qual - pwn647 pages



This is not a normal pwn challenge, but a very interesting one. The goal of this chal is to "guess" 64 random bits.

When the binary runs, it fetches 64 random bits from /dev/urandom and mmaps 64 pages according to the following rule:
// bits = random 64 bits read from /dev/urandom
void* base = (void*)0x200000000;
for(int i=0;i<64;i++) {
  // each bit selects one of two adjacent page slots; the other slot stays unmapped
  mmap(base+(2*i+bits[i]) * 0x1000, 0x1000, ...);
}

Friday, March 3, 2017

[Write-up] Boston Key Party 2017 - pwn99 Solitary Confinement


This is an rbash jail escape challenge.
There are many solutions to this chal. What we used is a 1-day for CVE-2016-9401.
According to the administrator, we (HITCON) were the only team that solved this challenge using this CVE :p.

I'm too lazy to introduce what this challenge does; if you're not familiar with it yet, you can see this write-up, which has a nice introduction.

Exploit Target

The final target is to execute /flag/showFlag. To do this, we want to set PATH to /flag; after that we can execute showFlag directly.

Thursday, February 23, 2017

[Project] The one-gadget in glibc

One-gadget is a useful gadget in glibc which leads to a call to execve('/bin/sh', NULL, NULL). It's convenient for getting RCE (remote code execution) whenever we can only control ip (i.e. the program counter). For example, sometimes the vulnerability only leads to an arbitrary function call without control of the first argument, which prevents us from calling system("sh"). But one-gadgets can do the magic in this situation. I used to use IDA Pro to find these gadgets every time, even if I had found them before. So I decided to stop doing such routine work and develop an easy-to-use tool for it.

one_gadget is the result: it not only finds one-gadgets but also shows the constraints that need to be satisfied.

This article records how one_gadget works.