pwnable.tw Hacknote

This challenge involves exploiting a Use-After-Free vulnerability. The note structure stores a pointer to a puts-like function next to the pointer to the note content. By allocating and freeing notes in the right order, a dangling note can be made to call an attacker-controlled function pointer, giving full control of EIP.
Initial Analysis: The challenge provides two files, hacknote (the challenge binary) and libc_32.so.6 (the libc used by the challenge).
File Analysis:
file hacknote
hacknote: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter ./ld-2.23.so, for GNU/Linux 2.6.32, BuildID[sha1]=a32de99816727a2ffa1fe5f4a324238b2d59a606, stripped
file libc_32.so.6
libc_32.so.6: ELF 32-bit LSB shared object, Intel 80386, version 1 (GNU/Linux), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=d26149b8dc15c0c3ea8a5316583757f69b39e037, for GNU/Linux 2.6.32, stripped
Security Mitigations: ...

February 13, 2025 · 4 min
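As an added example that is not part of the original write-up, the following C program models the note layout the Hacknote summary describes (a function pointer stored beside the content pointer) and walks through the allocation order a use-after-free exploit against it relies on. It assumes a glibc-style allocator that hands back the most recently freed chunk of the same size class (tcache/fastbin LIFO order); win() is a hypothetical stand-in for wherever the real exploit redirects execution, and the menu functions are a simplified model, not the challenge's code.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Note layout as described: function pointer first, content pointer second. */
struct note {
    void (*puts_fn)(struct note *);
    char *content;
};

static struct note *notes[5];   /* fixed slot table, like the challenge menu */
static int note_count;
static int hijacked;            /* set when control flow reaches win() */

static void print_note(struct note *n) { puts(n->content); }

/* Hypothetical target: proves the function pointer was replaced. */
static void win(struct note *n) { (void)n; hijacked = 1; }

static int add_note(size_t size, const void *data, size_t len)
{
    if (note_count >= 5) return -1;
    struct note *n = malloc(sizeof *n);      /* small chunk: sizeof(struct note) */
    n->puts_fn = print_note;
    n->content = malloc(size);               /* second chunk: caller-chosen size */
    memset(n->content, 0, size);
    memcpy(n->content, data, len < size ? len : size);
    notes[note_count] = n;
    return note_count++;
}

/* The bug: both chunks are freed but the slot keeps its pointer. */
static void del_note(int idx)
{
    if (idx < 0 || idx >= note_count || !notes[idx]) return;
    free(notes[idx]->content);
    free(notes[idx]);
}

/* Calls through whatever the (possibly freed) note now holds. The volatile
   copy stops the compiler from forwarding the original print_note store. */
static void show_note(int idx)
{
    if (idx < 0 || idx >= note_count || !notes[idx]) return;
    struct note *volatile n = notes[idx];
    n->puts_fn(n);
}

/* Returns 1 when the dangling note 0 ends up calling win(), -1 if the
   allocator did not reuse the freed struct as expected. */
int run_uaf_hijack(void)
{
    hijacked = 0;
    note_count = 0;
    add_note(64, "AAAA", 4);          /* note 0: content in a bigger size class */
    add_note(64, "BBBB", 4);          /* note 1 */
    del_note(0);
    del_note(1);                      /* small free list (LIFO): note1 -> note0 */

    /* Note 2 asks for content of exactly sizeof(struct note): its struct takes
       note 1's old chunk, its content buffer takes note 0's old chunk. Writing
       "content" therefore overwrites note 0's function pointer. */
    unsigned char payload[sizeof(struct note)];
    void (*fp)(struct note *) = win;
    memset(payload, 'C', sizeof payload);
    memcpy(payload, &fp, sizeof fp);
    add_note(sizeof(struct note), payload, sizeof payload);

    if ((void *)notes[2]->content != (void *)notes[0]) return -1;
    show_note(0);                     /* UAF: runs win() instead of print_note() */
    return hijacked;
}

int main(void)
{
    printf("hijacked: %d\n", run_uaf_hijack());
    return 0;
}
```

In the real binary the same reuse is what lets a "content" write land on the note's puts pointer; the pointer value and the content layout differ, but the allocation order (two notes, two deletes, one note whose content size matches the struct) is the part worth recognising.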

pwnable.tw Dubblesort

This challenge leverages the behaviour of the %s format specifier, which prints bytes until it reaches a null terminator (\x00). When the printed buffer is not terminated, the bytes that follow it in memory are printed as well, and this property can be used to leak information about the libc base address. The program also contains an out-of-bounds (OOB) write; however, the written values are automatically sorted in ascending order.
Initial Analysis
File Analysis:
file dubblesort
dubblesort: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter ./ld-2.23.so, for GNU/Linux 2.6.24, BuildID[sha1]=12a217baf7cbdf2bb5c344ff14adcf7703672fb1, stripped
file libc_32.so.6
libc_32.so.6: ELF 32-bit LSB shared object, Intel 80386, version 1 (GNU/Linux), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=d26149b8dc15c0c3ea8a5316583757f69b39e037, for GNU/Linux 2.6.32, stripped
checksec --file ./dubblesort
[*] '/home/capang/Desktop/CTF/pwnable.tw/dubblesort/dubblesort'
    Arch:     i386-32-little
    RELRO:    Full RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
    RUNPATH:  b'.'
    FORTIFY:  Enabled
Key Findings:- ...

February 8, 2025 · 5 min
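As an added example, not taken from the Dubblesort write-up, the C program below shows the %s over-read the summary relies on: an 8-byte field is filled completely (no terminator), so printing it with "%s" also emits the word stored right after it, and the caller reconstructs that word from the leaked bytes. The struct, the 'A' filler and the planted values are constructed for the demo; the planted word stands in for the 32-bit libc pointer the challenge leaks. The second case shows the practitioner's caveat: a zero byte inside the pointer stops the leak early.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout: a name read without a NUL being appended, followed by
   a value the program never meant to print. `stop` bounds the over-read. */
struct record {
    char     name[8];
    uint32_t adjacent;   /* stands in for a 32-bit libc pointer */
    char     stop;
};

/* Prints the unterminated name with "%s" and rebuilds whatever bytes of
   `adjacent` came out before the first zero byte (missing bytes read as 0).
   If leaked_len is non-NULL it receives the number of bytes %s emitted. */
uint32_t leak_adjacent_word(uint32_t planted, size_t *leaked_len)
{
    struct record r;
    char out[64];

    memset(&r, 0, sizeof r);
    memcpy(r.name, "AAAAAAAA", 8);      /* all 8 bytes used: no terminator */
    r.adjacent = planted;
    r.stop = 0;

    /* &r has the same address as r.name; %s keeps going past the array. */
    const char *p = (const char *)&r;
    int n = snprintf(out, sizeof out, "%s", p);
    if (leaked_len) *leaked_len = (size_t)n;

    uint32_t word = 0;
    for (size_t i = 8; i < (size_t)n && i < 12; i++)
        word |= (uint32_t)(unsigned char)out[i] << (8 * (i - 8));  /* little-endian */
    return word;
}

/* Convenience wrapper: how many bytes "%s" emitted for this planted value. */
size_t leaked_length(uint32_t planted)
{
    size_t n = 0;
    leak_adjacent_word(planted, &n);
    return n;
}

int main(void)
{
    size_t n;
    uint32_t w = leak_adjacent_word(0xf7fd1be8u, &n);   /* no zero bytes: full leak */
    printf("emitted %zu bytes, recovered 0x%08x\n", n, w);
    w = leak_adjacent_word(0xf7e00000u, &n);            /* low byte 0x00: leak stops */
    printf("emitted %zu bytes, recovered 0x%08x\n", n, w);
    return 0;
}
```

Once the leaked word is known to be a libc address, subtracting its offset inside the library (taken from the provided libc_32.so.6) gives the base; which word lands next to the buffer, and whether it contains a zero byte, is what has to be checked in the debugger first.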

ACS24 Vietnam Team Teh Tarik Cendol Writeup

ACS2024 Quals Writeup by Teh Tarik Cendol. Note: This is a team writeup, improved by Jeremy. Source: Jeremy's Github.
Table of Contents: Audit/no-name minor; Rev/CS1338: Script Programming; Rev/Secure Chat; Web/Can You REDIRECT Me; Misc/Drone Hijacking; Misc/Lutella; Misc/Hi Alien; Crypto/Secret Encrypt
Audit/no-name minor: This was a challenge similar to the one I created for Battle of Hackers 2024, so we solved it relatively fast. The challenge provides us with a binary that presents a menu allowing the user to take a loan, repay the loan, mine for money, buy a name and change the name. ...

January 24, 2025 · 14 min · Jeremy, Capang, Jia Qi, Aniq

DreamHack Wargames Format String [PWN]

This is an easy-level challenge introducing the Format String Vulnerability. The method used to solve it is to leak a function address and derive the base address from it. With the base address known, a global variable can be overwritten with the wanted value.
Initial Analysis
File Analysis: Checking the file type
file fsb_overwrite
fsb_overwrite: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=ecbb8000934a34b30ea8deb3a7675e08f8a44cda, for GNU/Linux 3.2.0, not stripped
File type analysis ...

January 23, 2025 · 5 min

IHack24 Morse Encoder [PWN]

This is the first challenge released during the I-Hack 2024 Qualifier, and I was so excited to see the announcement of its release. My adrenaline suddenly spiked like crazy, and even crazier, I managed to get First Blood on this challenge.
Overview: This challenge involves understanding basic ROP and shellcode injection for a 32-bit x86 ELF. The binary has no protections and the address of the input buffer is given. I would say it is a great challenge for beginners in PWN / Binary Exploitation ...

January 23, 2025 · 5 min

DUCTF5 Vector Overflow [PWN]

This challenge involves understanding how a C++ vector variable is laid out in memory. The program lets us overflow into the vector's pointers and change where they point.
Initial Analysis
File Analysis: To learn more about the given executable, we can use the file command.
file vector_overflow
vector_overflow: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=4a0b824c662ee47b5cd3e73176c0092f1fcf714b, for GNU/Linux 3.2.0, not stripped
Key Findings:- 64-bit executable; not stripped means the executable still has its symbol table and relocation information.
Executable Security Check: To find out which security mitigations are enabled in this executable, we can use the checksec command that comes with the pwntools library ...

January 23, 2025 · 6 min