A collection of writeups for challenges I've done that I thought were interesting.

| Challenge | Type |
|---|---|
| No Handouts | ret2libc, Seccomp |
| Sailing The Sea | Read What Where |
| Spaceman | RiscV ROP |
| vip | whitelist |
| bop | seccomp ret2libc |
| babyqemu | QEMU Escape |
| typop | FULL Green ROP Ret2CSU |
| checksumz | Linux Kernel Modprobe Path |
| sus | ret2libc |
| flightscript | heap largebins attack |
| not another vm | vm flag checker |
| shellcrunch | restricted shellcoding |
| babyheap | house of botcake |
| lightftp | race condition |
| nolibc | custom heap |
| fallingrop | ret2system |
| fsop | fsop |
| helldivers | custom canary, house of spirit |
| mindmeld | srop, ptrace |
| ctf-simulator | srand |
| house-of-sus | house of force |
| flock-of-birds | custom canary |
| heap01 | tcache per thread struct |
| jungle | tcache pointer mangling |
| secure | house of force, seccomp |
| 321 | speed pwn |
| pointers | stack variable bof |
| seashells | shellcode |

Below is a list of simple tricks and problems I run into when pwning.

- movaps - if your exploit crashes inside libc on an instruction whose mnemonic ends in `aps` (e.g. `movaps`), your stack is not aligned to 0x10 bytes. To fix this, add a single `ret` gadget to your ROP chain before calling the libc function.
- pie - a trick for leaking PIE is to use the `__dso_handle` pointer, which points to itself. This is useful if you have some sort of array out-of-bounds read or a format string leak.
- To leak libc, allocate a chunk that is too big for tcache and free it so that it lands in the unsortedbin. If you view it while it is the only chunk in the unsortedbin, you can see a pointer into libc (its fd/bk point into main_arena). If you want to reallocate it, you need to set the `is_mmapped` bit in the chunk's size field.
- For this one, you can view any freed chunk, or use the same unsortedbin trick with more chunks in the unsortedbin.

Sometimes pattern recognition is important for finding vulnerabilities and odd behaviour in the program:
- if the most significant byte of a value is 0x7f (127), it is close to the highest positive signed value 0x7fffffff (the largest 32-bit int) without being negative.
- a canary will be 16 bytes long and its least significant byte will be 0x00.
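
A small triage helper for the pattern-recognition rules above (the 0x7f top byte, the zero low byte of a canary) and the `__dso_handle` PIE trick, added here as an example and not taken from any writeup in this repo; the leak dump it parses is constructed, and the `__dso_handle` offset is an assumed parameter that has to come from the target binary (e.g. via `nm`).

```python
import re

# Constructed sample: what a handful of %p / out-of-bounds leaks from an
# x86-64 process might print (stack ptr, PIE ptr, canary, libc ptr, int, zero).
SAMPLE_DUMP = """\
0x7ffe3a1b2c40
0x5591c2a0d2a0
0xc6a2f4e81d3b5f00
0x7f3c9d6e2b80
0x7ffffffe
0x0
"""

HEX_RE = re.compile(r"0x[0-9a-fA-F]+")


def parse_leak_dump(text: str) -> list[int]:
    """Pull every 0x... token out of a pasted leak dump, in order."""
    return [int(tok, 16) for tok in HEX_RE.findall(text)]


def classify(word: int, bits: int = 64) -> list[str]:
    """Tag one leaked word using the byte-pattern rules from the notes above."""
    if word == 0:
        return ["zero"]
    tags = []
    if bits == 32:
        # 0x7f top byte: just below INT_MAX (0x7fffffff), still positive.
        if (word >> 24) == 0x7f:
            tags.append("near INT_MAX (0x7f top byte, positive)")
    else:
        # 64-bit user-space pointers print as 6 bytes; a 0x7f top byte means
        # the high mmap/stack region (libc, ld.so, stack), 0x55/0x56 means
        # PIE binary or brk heap under the default ASLR layout.
        if (word >> 40) == 0x7f:
            tags.append("libc/ld/stack pointer candidate")
        elif (word >> 40) in (0x55, 0x56):
            tags.append("PIE/heap pointer candidate")
        # A stack canary fills all 8 bytes and its lowest byte is always 0x00.
        if (word >> 48) != 0 and (word & 0xFF) == 0:
            tags.append("canary candidate")
    return tags or ["unknown"]


def triage(text: str, bits: int = 64) -> list[tuple[int, list[str]]]:
    """Classify every word in a dump; returns (value, tags) pairs in order."""
    return [(w, classify(w, bits)) for w in parse_leak_dump(text)]


def pie_base_from_dso_handle(leaked_dso_handle: int, dso_handle_offset: int) -> int:
    """__dso_handle points to itself, so leak - (its offset in the ELF) = PIE base.
    dso_handle_offset is assumed to be read from the target binary."""
    base = leaked_dso_handle - dso_handle_offset
    assert base & 0xFFF == 0, "PIE base must be page aligned; check the offset"
    return base
```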