Posts


PlaidCTF 2020 golf.so

April 22, 2020 - ctf-writeups file-formats

This is a writeup of the challenge “golf.so”, from the PlaidCTF cybersecurity capture the flag competition in 2020. I originally posted this writeup at https://rpis.ec/blog/plaidctf-golfso/

Description

The challenge description linked to golf.so.pwni.ng, which had a scoreboard, and an upload page with the following instructions:

Upload a 64-bit ELF shared object of size at most 1024 bytes. It should spawn a shell (execute execve("/bin/sh", ["/bin/sh"], …)) when used like

LD_PRELOAD=<upload> /bin/true


HackLU 2018 Rusty CodePad

October 18, 2018 - ctf-writeups

This is a writeup of the challenge “Rusty CodePad” from the HackLU cybersecurity capture the flag competition in 2018. I originally posted this writeup at https://ctftime.org/writeup/11859

Writeup

We initially tried submitting safe Rust that used the standard library’s File object to read the flag. Sandwiching this in between println!’s showed that the process was silently dying after the first print, but before the second print, from which we inferred the existence of the seccomp filter. Attempting to use unsafe code to search the process’s own address space was stymied by the presence of -F unsafe_code in the build script.

I then tried to find issues on Rust’s issue tracker that were tagged “I-unsound”, which are compiler bugs known to be able to violate memory safety in “safe” code.


CSAW Finals 2015 Boombox

January 27, 2015 - ctf-writeups

This is a writeup of the challenge “Boombox”, from the CSAW Finals cybersecurity capture the flag competition in 2015. I originally posted this writeup at https://github.com/aweinstock314/aweinstock-ctf-writeups/blob/master/csaw_finals_2015/exploitation500_boombox/boombox_writeup.md

CSAW Finals 2015 - Exploitation 500 boombox

What boombox does normally

The boombox application allows non-malicious users to upload tapes consisting of a number of tracks of data. It plays them by rendering them into a phonetic approximation of music. Every 4 bits (one hex nibble) of the data are rendered into a phoneme based on the following table:

Nibble:   0     1     2     3     4     5     6     7     8     9     A     B     C     D     E     F
Phoneme:  beep  bop   zip   zam   flim  flam  ity   bad   do    dub   da    bez   um    yo    wop   bap

So for example, a track consisting of "AAAA" would get rendered as flimbopflimbopflimbopflimbop (since 'A' == 0x41).
