hacking, software, it-security
HackyEaster was awesome again. From a technical point of view there weren’t too much new things, but the creativity of the provided challenges made it really fun. Including the little teaser challenge there were a total amount of 37 challenges. These challenges were divided into different levels. You could only proceed to the next level, if you have earned enough points in the current level. I really liked that new idea.
Continue reading “Hacky Easter 2021 writeup”
The mpv media player provides a custom protocol handler (mf://) in order to merge multiple images to a video. An undocumented feature within this protocol handler allows the usage of a format specifier in the provided URL, which is evaluated using sprintf. This results in both, a format string vulnerability as well as a heap overflow (CVE-2021-30145).
After disclosing the vulnerability to the mpv team on the 3rd April 2021 I got an immediate response. The mpv team took the issue very seriously and immediately started to work on a patch with me. This was the first time I disclosed a vulnerability to an open source project and I was really impressed about the professional reaction and the passionate commitment. The patch was released only two days after my report on the 5th April 2021 (commit). Thanks a lot to avih, sfan5 and jeeb.
The impact of the format string vulnerability is limited on Linux, because the binary is compiled with FORTIFY_SOURCE by default. Though the heap overflow can be used to gain arbitrary code execution by overflowing into an adjacent heap chunk and setting a function pointer to an attacker controlled value. Nevertheless I estimate the probability of exploitation in real life as quite low, because a victim has to be tricked into opening a malicious playlist (e.g. via a URL like http://10.0.0.1/evil.m3u) and the attacker has to have detailed information about the victim’s system to fine-tune the exploit.
Within this article I describe the vulnerability itself as well as the development of a proof of concept exploit for Ubuntu 20.04.2 LTS with ASLR disabled. At the end of the article I outline a few thoughts on how ASLR can be bypassed and what changes if we develop an exploit for Windows. The article is divided into the following sections:
– Introduction
– Format String Vulnerability
– Heap Overflow
– Exploitation
– Further Thoughts
– Conclusion
 |
This year’s HACKvent hosted on competition.hacking-lab.com has been as great as every year. There was a total amount of 28 awesome challenges with varying difficulties. |
The ALLES! CTF (ctftime.org) took place from 04/09/2020, 16:00 UTC to 06/09/2020, 19:00 UTC with a variety of interesting, creative challenges.
Within this article I want to share my writeup on the two challenges Actual ASLR 1 and 2, which were authored by LiveOverflow. What I especially liked about the challenge(s) is that you could make progression step by step even getting a first flag on the way to a full shell, which grants access to the second flag.
The article is divided into the following sections:
→Actual ASLR 1
– Binary
– Random Algorithm
– Reimplementation In Python
– First Flag
→Actual ASLR 2
– Custom Heap
– Vulnerability
– Heap Leak
– Image Base Leak
– Overwriting Function Pointer
– Final Exploit
One of my goals for this year is to spend a little bit more of my spare time on real world applications. Doing so I took a look at the remote desktop application AnyDesk, which seems to quickly raise in popularity not only because of COVID-19. AnyDesk is available for a variety of operating systems including Windows, Linux, Android and iOS. By reversing and fuzzing the Linux version 5.5.2 of the application I was able to find a format string vulnerability, which can be used to gain Remote Code Execution (RCE) by sending a single UDP packet to the target machine. AnyDesk took the issue very seriously. They released a patch only three days after my notification (5.5.3) and paid me a bounty of 5.000 EUR. The vulnerability is tracked as CVE-2020-13160. Within this article I want to share all steps, which were involved in finding the vulnerability, understanding the bug and developing the RCE exploit. The article is divided into the following sections:
→ Fuzzing
This article contains my writeup on the machine Rope from Hack The Box. I really enjoyed the box, since it provides a total of three custom binaries, which are supposed to be exploited 🙂
The article is divided into the following parts:
→ User
– Initial Recon
– httpserver
– Leak Memory Address
– Exploit Format String Vulnerability
– Escalating from john to r4j (readlogs)
→ Root
– Local Recon
– contact
– Bruteforce
– Libc Leak
– Final Exploit
 |
This year’s HACKvent was hosted on the brand new Hacking-Lab 2.0 plattform. Each day from the 1st of december until the 24th a new challenge is published raising in difficulty. The flag format changed from HV18-xxxx-xxxx-xxxx-xxxx-xxxx to HV19{...}. After all I managed to solve all 28 challenges 🙂 |
 |
Hidden |
| HV19.H1 Hidden One HV19.H2 Hidden Two HV19.H3 Hidden Three HV19.H4 Hidden Four |
|
 |
Easy |
| HV19.01 censored HV19.02 Triangulation HV19.03 Hodor, Hodor, Hodor HV19.04 password policy circumvention HV19.05 Santa Parcel Tracking HV19.06 bacon and eggs HV19.07 Santa Rider |
|
 |
Medium |
| HV19.08 SmileNcryptor 4.0 HV19.09 Santas Quick Response 3.0 HV19.10 Guess what HV19.11 Frolicsome Santa Jokes API HV19.12 back to basic HV19.13 TrieMe HV19.14 Achtung das Flag |
|
 |
Hard |
| HV19.15 Santa’s Workshop HV19.16 B0rked Calculator HV19.17 Unicode Portal HV19.18 Dance with me HV19.19 U+1F385 HV19.20 i want to play a game HV19.21 Happy Christmas 256 |
|
 |
Leet |
| HV19.22 The command … is lost HV19.23 Internet Data Archive HV19.24 ham radio |
|
This years online qualification for the Google Capture The Flag finals (ctftime.org) ran from 22/06/2019, 00:01 UTC to 23/06/2019 23:59 UTC.
As last year, there were plenty of diversified challenges, which were worked out very well.
I tried to take at least a look at as much challenges as possible and solved the challenge Quantum Key Distribution, which was relatively easy based on the amounts of solves. Within this article I want to share my writeup on this challenge.
The writeup is divided into the following sections:
Continue reading “Google CTF 2019 (Quals) – Quantum Key Distribution” |
As every year hacking-lab.com carried out the annual Hacky Easter event with 27 challenges. As usual the variety of the challenges was awesome. I actually got full score this year 🙂 Many thanks to daubsi, who gave me a nudge once in a while on the last challenges (you can find his writeup here). |
 |
Easy |
|
01 Twisted 02 Just Watch 03 Sloppy Encryption 04 Disco 2 05 Call for Papers 06 Dots 07 Shell we Argument 08 Modern Art 09 rorriM rorriM |
|
 |
Medium |
|
10 Stackunderflow 11 Memeory 2.0 12 Decrypt0r 13 Symphony in HEX 14 White Box 15 Seen in Steem 16 Every-Thing 17 New Egg Design 18 Egg Storage |
|
 |
Hard |
|
19 CoUmpact DiAsc 20 Scrambled Egg 21 The Hunt: Misty Jungle 22 The Hunt: Muddy Quagmire 23 The Maze 24 CAPTEG |
|
 |
Hidden |
|
25 Hidden Egg #1 26 Hidden Egg #2 27 Hidden Egg #3 |
|
The VolgaCTF 2019 Qualifier (ctftime.org) took place from 29/03/2019, 15:00 UTC to 31/03/2019 15:00 UTC.
There has been a really interesting RSA crypto challenge called Blind, which I would like to share with you in this writeup.
The article is divided into the following sections:
→ Challenge description
→ What does the script do?
→ Blind RSA Signature
→ Retrieving the Flag
