pwnable.tw Hacknote

This challenge involves exploiting a Use-After-Free vulnerability. The note structure in this challenge stores a puts function pointer alongside the note content pointer. By properly allocating and freeing memory, full control of EIP can be achieved.

Initial Analysis
The challenge provides two files, hacknote (the challenge binary) and libc_32.so.6 (the libc used in this challenge).

File Analysis
file hacknote
hacknote: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter ./ld-2.23.so, for GNU/Linux 2.6.32, BuildID[sha1]=a32de99816727a2ffa1fe5f4a324238b2d59a606, stripped
file libc_32.so.6
libc_32.so.6: ELF 32-bit LSB shared object, Intel 80386, version 1 (GNU/Linux), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=d26149b8dc15c0c3ea8a5316583757f69b39e037, for GNU/Linux 2.6.32, stripped

Security Mitigations: ...

February 13, 2025 · 4 min

pwnable.tw Dubblesort

This challenge leverages the behavior of the %s format specifier, which prints characters until it encounters a null terminator (\x00). By exploiting this property, it is possible to leak information about the libc base address. Additionally, the program contains an out-of-bounds (OOB) write operation; however, the writes are automatically sorted in ascending order.

Initial Analysis

File Analysis
file dubblesort
dubblesort: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter ./ld-2.23.so, for GNU/Linux 2.6.24, BuildID[sha1]=12a217baf7cbdf2bb5c344ff14adcf7703672fb1, stripped
file libc_32.so.6
libc_32.so.6: ELF 32-bit LSB shared object, Intel 80386, version 1 (GNU/Linux), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=d26149b8dc15c0c3ea8a5316583757f69b39e037, for GNU/Linux 2.6.32, stripped

checksec --file ./dubblesort
[*] '/home/capang/Desktop/CTF/pwnable.tw/dubblesort/dubblesort'
    Arch:     i386-32-little
    RELRO:    Full RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
    RUNPATH:  b'.'
    FORTIFY:  Enabled

Key Findings: ...

February 8, 2025 · 5 min

ASEAN Notes.iso Mustang Panda [Malware Analysis]

Malware Analysis Report: ASEAN Notes.iso from Mustang Panda Campaign
Author: Capang
Date: 24-01-2025
Analysis Environment: Windows 10 VM
Associated Campaign: Mustang Panda ASEAN Notes.iso
Ref: https://csirt-cti.net/2024/01/23/stately-taurus-targets-myanmar/

Executive Summary
The ASEAN Notes.iso file is a component of a Mustang Panda campaign targeting entities in Myanmar. The attack leverages DLL sideloading via a hijacked Microsoft GetCurrentRollback.exe process (renamed office.exe) to execute the malicious GetCurrentDeploy.dll. The malware establishes persistence through registry modification and attempts C2 communication with fallback infrastructure. Primary objectives include initial access, persistence, and command execution, with suspected espionage motivations. ...

January 25, 2025 · 4 min

ACS24 Vietnam Team Teh Tarik Cendol Writeup

ACS2024 Quals Writeup by Teh Tarik Cendol
Note: This is a team writeup, improved by Jeremy. Source: Jeremy's Github

Table of Contents
Audit/no-name minor
Rev/CS1338: Script Programming
Rev/Secure Chat
Web/Can You REDIRECT Me
Misc/Drone Hijacking
Misc/Lutella
Misc/Hi Alien
Crypto/Secret Encrypt

Audit/no-name minor
This was a challenge similar to the one I created for Battle of Hackers 2024, so we solved it relatively fast. The challenge provides us with a binary that presents a menu allowing the user to borrow a loan, repay the loan, mine for money, buy a name, and change the name. ...

January 24, 2025 · 14 min · Jeremy, Capang, Jia Qi, Aniq

Bubar Parlimen [Malware Analysis]

A bubarparlimen.docx file with an externally attached RemoteLoad.dotm template that contains a malicious VBA macro. The macro writes PE files, fetches an .exe and a .dll, and executes them on the infected machine. It uses base64 encoding and builds the encoded string little by little to avoid suspicion.

2. Case Details
File Name: bubarparlimen.docx
File Size: 214.91 KiB
File Type: Microsoft Office Word(15.0000)
MD5: afbe00e755a2cf963f0eedbb4e310198
SHA1: a55bd3f15ce743c9cda7bec05afe50b9aefa4683
SHA256: ab541df861c6045a17006969dac074a7d300c0a8edd0a5815c8b871b62ecdda7
Created Time: 15/5/2024 11:47:03 PM

File Name: RemoteLoad.dotm
File Size: 23.76 KiB
File Type: Microsoft Office Word(15.0000)
MD5: 8114e5e15d4086843cf33e3fca7c945b
SHA1: 5f7f0b1419448c5fe1a8051ac8cb2cf7b95a3ffa
SHA256: 145daf50aefb7beec32556fd011e10c9eaa71e356649edfce4404409c1e8fa30
Created Time: 15/5/2024 11:52:02 PM

3. Case Specific Requirements
Machine: Windows Environment
Tools: hashmyfiles, olevba, Microsoft Word, CyberChef

4. Static Analysis
4.1 bubarparlimen.docx
bubarparlimen.docx is a .docx file. To go further into the analysis, it is necessary to understand the .docx structure. ...

January 23, 2025 · 11 min

Morpheus MCC23 [B2R]

Morpheus is a THM box created for MCC 2023 registration. I am not an MCC 2023 candidate, but this is my take on this box :3

Initial Recon
Nmap
nmap -sC -sV 10.10.13.181 -oA nmap/initial
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-11 05:56 EST
Nmap scan report for 10.10.13.181
Host is up (0.24s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:10.18.22.45
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 65534    65534     1075835 May 27  2023 CONFIDENTIAL.pdf
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 c9:c9:90:01:44:d3:be:ce:8f:ed:9d:f5:79:fe:1d:01 (RSA)
|   256 67:43:55:86:5a:6b:db:80:13:68:d1:ee:0f:76:8d:47 (ECDSA)
|_  256 8c:e1:85:36:1d:ba:77:05:95:36:4e:c3:3b:33:aa:5c (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 48.88 seconds

Based on the port scan results, there is a web server. Time to look into it ...

January 23, 2025 · 3 min