This year’s HACKvent, hosted on competition.hacking-lab.com, has been as great as every year. There was a total of 28 awesome challenges with varying difficulties.
ALLES! CTF 2020 – Actual ASLR 1/2

The ALLES! CTF (ctftime.org) took place from 04/09/2020, 16:00 UTC to 06/09/2020, 19:00 UTC with a variety of interesting, creative challenges.
Within this article I want to share my writeup on the two challenges Actual ASLR 1 and 2, which were authored by LiveOverflow. What I especially liked about the challenges is that you could make progress step by step, even getting a first flag on the way to a full shell, which grants access to the second flag.
The article is divided into the following sections:
→Actual ASLR 1
– Binary
– Random Algorithm
– Reimplementation In Python
– First Flag
→Actual ASLR 2
– Custom Heap
– Vulnerability
– Heap Leak
– Image Base Leak
– Overwriting Function Pointer
– Final Exploit
AnyDesk UDP Discovery Remote Code Execution (CVE-2020-13160)

One of my goals for this year is to spend a little bit more of my spare time on real world applications. Doing so, I took a look at the remote desktop application AnyDesk, which seems to be quickly rising in popularity, not only because of COVID-19. AnyDesk is available for a variety of operating systems including Windows, Linux, Android and iOS. By reversing and fuzzing the Linux version 5.5.2 of the application I was able to find a format string vulnerability, which can be used to gain Remote Code Execution (RCE) by sending a single UDP packet to the target machine. AnyDesk took the issue very seriously. They released a patch (5.5.3) only three days after my notification and paid me a bounty of 5.000 EUR. The vulnerability is tracked as CVE-2020-13160. Within this article I want to share all the steps involved in finding the vulnerability, understanding the bug and developing the RCE exploit. The article is divided into the following sections:
→ Fuzzing
→ Bug
→ Exploit
– Strategy
– The v in vsnprintf
– Gaining arbitrary write
– Controlling the instruction pointer
– Hitting our shellcode: dynamic field width
– Final exploit
→ Conclusion
Hack The Box – Rope

This article contains my writeup on the machine Rope from Hack The Box. I really enjoyed the box, since it provides a total of three custom binaries, which are supposed to be exploited 🙂

The article is divided into the following parts:
→ User
– Initial Recon
– httpserver
– Leak Memory Address
– Exploit Format String Vulnerability
– Escalating from john to r4j (readlogs)
→ Root
– Local Recon
– contact
– Bruteforce
– Libc Leak
– Final Exploit
HACKvent19 writeup
This year’s HACKvent was hosted on the brand new Hacking-Lab 2.0 platform. Each day from the 1st of December until the 24th a new challenge is published, increasing in difficulty. The flag format changed from HV18-xxxx-xxxx-xxxx-xxxx-xxxx to HV19{...}. In the end I managed to solve all 28 challenges 🙂
Google CTF 2019 (Quals) – Quantum Key Distribution
This year’s online qualification for the Google Capture The Flag finals (ctftime.org) ran from 22/06/2019, 00:01 UTC to 23/06/2019, 23:59 UTC.

As last year, there were plenty of diverse challenges, which were very well designed.
I tried to take at least a look at as many challenges as possible and solved the challenge Quantum Key Distribution, which was relatively easy judging by the number of solves. Within this article I want to share my writeup on this challenge.
The writeup is divided into the following sections:
Hacky Easter 2019 writeup
As every year, hacking-lab.com carried out the annual Hacky Easter event with 27 challenges. As usual, the variety of the challenges was awesome. I actually got the full score this year 🙂 Many thanks to daubsi, who gave me a nudge once in a while on the last challenges (you can find his writeup here).
VolgaCTF 2019 Qualifier – Blind
The VolgaCTF 2019 Qualifier (ctftime.org) took place from 29/03/2019, 15:00 UTC to 31/03/2019, 15:00 UTC.
There was a really interesting RSA crypto challenge called Blind, which I would like to share with you in this writeup.
The article is divided into the following sections:
→ Challenge description
→ What does the script do?
→ Blind RSA Signature
→ Retrieving the Flag
nullcon HackIM 2019 – babypwn
The nullcon HackIM 2019 CTF (ctftime.org) ran from 01/02/2019, 16:30 UTC to 03/02/2019, 04:30 UTC.
I did the pwn challenge babypwn, which was really fun to do. The following article contains my writeup, which is divided into the following sections:
→ Challenge description
→ Security mechanisms and disassembly
→ Signedness vulnerability
→ Format string vulnerability
→ Final exploit
Hack The Box – Dab
This article contains my first writeup on a machine from Hack The Box. If you have not checked out Hack The Box yet, I really suggest you do. Aside from providing classical CTF-style challenges, the platform hosts plenty of vulnerable machines (boxes), which are supposed to be exploited. The boxes tend to be geared to realistic scenarios and are thus an awesome opportunity to increase your own pen testing skills.
In order to prove the exploitation of a machine, there are two different flag files stored on each machine. The first one to acquire is a file called user.txt, which can be read by a low privileged user. The next step after initially exploiting the machine is to escalate privileges, gaining access to an administrative user (root access). With this high privileged user a second file called root.txt can be read. Both files contain a flag (an md5sum), which is supposed to be submitted on the Hack The Box website, rewarding you with the corresponding points for this machine.
Following those two steps/files, the article is divided into the following sections:
→ User
– Port Scan
– FTP (Port 21)
– SSH (Port 22)
– HTTP nginx (Port 80)
– HTTP nginx (Port 8080)
– Back to SSH
→ Root
– Initial Enumeration
– SUID binaries
– myexec
– libseclogin.so
– myexec’s password
– ldconfig
– Compile own shared Library