PicoCTF - ROPFU

Intro Classic ROP challenge. File Info $ file vuln vuln: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, BuildID[sha1]=3aa2bb6a5bf44d90a355da83fa909bbf5d9d90ce, for GNU/Linux 3.2.0, not stripped Statically linked binary. Source code #include <stdio.h>#include <stdlib.h>#include <string.h>#include <unistd.h>#include <sys/types.h> #define BUFSIZE 16 void vuln() { char buf[16]; printf("How strong is your ROP-fu? Snatch the shell from my hand, grasshopper!\n"); return gets(buf); } int main(int argc, char **argv){ setvbuf(stdout, NULL, _IONBF, 0); // Set the gid to the effective gid // this prevents /bin/sh from dropping the privileges gid_t gid = getegid(); setresgid(gid, gid, gid); vuln(); } Running Executable $ ....

November 12, 2022 · 6 min · Rizal

PicoCTF - Buffer Overflow 3

Intro Do you think you can bypass the protection and get the flag? It looks like Dr. Oswal added a stack canary to this program to protect against buffer overflows. We are given the compiled binary, its source, and the host and port where the challenge is hosted. saturn.picoctf.net 63181 #include <stdio.h>#include <stdlib.h>#include <string.h>#include <unistd.h>#include <sys/types.h>#include <wchar.h>#include <locale.h> #define BUFSIZE 64 #define FLAGSIZE 64 #define CANARY_SIZE 4 void win() { char buf[FLAGSIZE]; FILE *f = fopen("flag....

November 12, 2022 · 18 min · Rizal

PicoCTF X-Sixty-What

Intro Overflow the buffer and change the return address to the flag function. We are given the compiled binary, the application source code along with the hostname and port to connect to. #include <stdio.h>#include <stdlib.h>#include <string.h>#include <unistd.h>#include <sys/types.h> #define BUFFSIZE 64 #define FLAGSIZE 64 void flag() { char buf[FLAGSIZE]; FILE *f = fopen("flag.txt","r"); if (f == NULL) { printf("%s %s", "Please create 'flag.txt' in this directory with your", "own debugging flag....

November 10, 2022 · 16 min · Rizal

PicoCTF - Here's A LibC

Investigation When connecting to the challenge server on the given hostname and port, we find an echo server that echoes back the user input in alternating case. $ nc mercury.picoctf.net 37289 WeLcOmE To mY EcHo sErVeR! test TeSt ^C We are given the following files: $ ls -lR .: total 20 drwxr-xr-x 2 kali kali 4096 Nov 9 00:32 libc -rw-r--r-- 1 kali kali 95 Mar 15 2021 Makefile -rw-r--r-- 1 kali kali 8560 Mar 15 2021 vuln ....

November 9, 2022 · 9 min · Rizal

Ropasaurusrex PlaidCTF 2013

Introduction This is a walkthrough for the Ropasaurusrex challenge from PlaidCTF 2013. Repo for binary: https://github.com/adamdoupe/ctf-training/tree/master/ropasaurusrex Docker: docker run -p 127.0.0.1:31337:31337 -it adamdoupe/ropasaurusrex Crashing the Program: Enable Core Dumps: $ ulimit -c unlimited Sending a large string: $ python -c "print ('A'*300)" | ./ropasaurusrex zsh: done python -c "print ('A'*300)" | zsh: segmentation fault (core dumped) ./ropasaurusrex Inspecting the core dump: $ gdb ./ropasaurusrex -q core Reading symbols from ./ropasaurusrex... (No debugging symbols found in ....

November 7, 2022 · 26 min · Rizal

Rop Primer Level2

Introduction This is a walkthrough for level2 of ROP Primer from vulnhub. Running the Application level0@rop:/home/level2$ ls -l total 588 -rw-r----- 1 root root 27 Jan 20 2015 flag -rwsr-xr-x 1 root root 595252 Jan 20 2015 level2 level0@rop:/home/level2$ level0@rop:/home/level2$ ./level2 level0@rop:/home/level2$ ./level2 AAAAAAAAAA [+] ROP tutorial level2 [+] Bet you can't ROP me this time around, AAAAAAAAAA! level0@rop:/home/level2$ The application accepts command-line arguments. Crashing the Application Enable core dump - ulimit -c unlimited...

November 7, 2022 · 17 min · Rizal

Rop Primer Level1

Introduction This is a walkthrough for level1 of ROP Primer from vulnhub. Exploit Development Running the Application level0@rop:/home/level1$ ./level1 [!] error bind()ing! [+] retrying bind() [!] error bind()ing! ^C This means that a service is already listening on the port. Inspecting netstat to look for listening ports. level0@rop:~$ su root Password: root@rop:/home/level0# netstat -antp Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0....

November 7, 2022 · 20 min · Rizal

Rop Primer Level0

Introduction This is a walkthrough for level0 of ROP Primer from vulnhub. ROP Primer This VM is meant as a small introduction to 32-bit return-oriented-programming on Linux. It contains three vulnerable binaries, that must be exploited using ROP. The machine is built and tested in VirtualBox 4.3.20. It's an Ubuntu 32 bit VM, with ASLR disabled. Useful tools like gdb-peda are installed. A description of the levels, including instructions, can be found on the webserver....

November 7, 2022 · 10 min · Rizal

Black Hat MEA 2022 - Qualifier - Black Note

Challenge Description Difficulty : Medium Points : 250 Category : Web Walkthrough The Black Note application allows us to self-register and save notes. After self-registering and logging in, I noticed a cookie named notes. Inspecting it revealed that it is Base64-encoded JSON data for the notes which are displayed in the page. Since we know that the backend is Node.JS and the cookie is actually getting deserialized, it is obviously a JSON deserialisation vulnerability via the notes cookie....

October 4, 2022 · 1 min · Rizal

Black Hat MEA 2022 - Qualifier - Jimmy's Blog

Challenge Description Difficulty : Hard Points : 400 Category : Web Source Code File and directory structure of the given source code. index.js const express = require("express"); const cookieParser = require("cookie-parser"); const sessions = require('express-session'); const body_parser = require("body-parser"); const multer = require('multer') const crypto = require("crypto") const path = require("path"); const fs = require("fs"); const utils = require("./utils"); const app = express(); app.set('view engine', 'ejs'); app....

October 4, 2022 · 8 min · Rizal