This is a writeup of the challenge “golf.so”, from the PlaidCTF cybersecurity capture the flag competition in 2020.
I originally posted this writeup at https://rpis.ec/blog/plaidctf-golfso/
Description
The challenge description linked to golf.so.pwni.ng, which had a scoreboard, and an upload page with the following instructions:
Upload a 64-bit ELF shared object of size at most 1024 bytes. It should spawn a shell (execute execve("/bin/sh", ["/bin/sh"], ...)) when used like
LD_PRELOAD=<upload> /bin/true
This is a writeup of the challenge “Rusty CodePad” from the HackLU cybersecurity capture the flag competition in 2018.
I originally posted this writeup at https://ctftime.org/writeup/11859
Writeup
We initially tried submitting safe Rust that used the standard library’s File object to read the flag. Sandwiching this in between println! calls showed that the process was silently dying after the first print, but before the second print, from which we inferred the existence of the seccomp filter. Attempting to use unsafe code to search the process’s own address space was stymied by the presence of -F unsafe_code in the build script.
I then tried to find issues on Rust’s issue tracker that were tagged “I-unsound”, which are compiler bugs known to be able to violate memory safety in “safe” code.
This is a writeup of the challenge “Boombox”, from the CSAW Finals cybersecurity capture the flag competition in 2015.
I originally posted this writeup at https://github.com/aweinstock314/aweinstock-ctf-writeups/blob/master/csaw_finals_2015/exploitation500_boombox/boombox_writeup.md
CSAW Finals 2015 - Exploitation 500 boombox
What boombox does normally
The boombox application allows non-malicious users to upload tapes consisting of a number of tracks of data.
It plays them by rendering them into a phonetic approximation of music.
Every 4 bits of the data are rendered into a phoneme based on the following table:
| 0    | 1   | 2   | 3   | 4    | 5    | 6   | 7   | 8  | 9   | A  | B   | C  | D  | E   | F   |
| beep | bop | zip | zam | flim | flam | ity | bad | do | dub | da | bez | um | yo | wop | bap |
So for example, a track consisting of "AAAA" would get rendered as flimbopflimbopflimbopflimbop (since 'A' == 0x41).