In the last lab we focused on Misc and Stack Cookies. In this next to last lab some characteristics when dealing with C++ are introduced.
RPISEC/MBE: writeup lab08 (Misc and Stack Cookies)
While the last lab introduced the subject of Heap Exploitation, this lab focuses on Misc and Stack Cookies.
The lab contains three levels again ranging from C to A:
–> lab8C
–> lab8B
–> lab8A
Continue reading “RPISEC/MBE: writeup lab08 (Misc and Stack Cookies)”
TAMUctf 18 – writeup pwn1-5
The Texas A&M University CTF (ctftime.org) ran for over one week from 17/02/2018, 00:00 UTC to 26/02/2018 00:00 UTC. There have been a lot of challenges starting at a very easy difficulty.
I did the five pwn challenges ranging from 25 to 200 points:
–> pwn1 (25 pts)
–> pwn2 (50 pts)
–> pwn3 (75 pts)
–> pwn4 (125 pts)
–> pwn5 (200 pts)
RPISEC/MBE: writeup lab07 (Heap Exploitation)
After we have introduced ASLR and ways to bypass it in the last writeup, we will expand our exploits to the Heap in this lab.
In this lab there are only two levels:
–> lab7C
–> lab7A
Continue reading “RPISEC/MBE: writeup lab07 (Heap Exploitation)”
RPISEC/MBE: writeup lab06 (ASLR)
The previous lab focused on the subject of return oriented programming in order to circumvent data execution prevention. The next lab described in this writeup introduces ASLR.
The single levels of this lab range from C to A:
–> lab6C
–> lab6B
–> lab6A
Note: ASLR should be enabled by now.
RPISEC/MBE: writeup lab05 (DEP and ROP)
In the last writeup we used different format string vulnerabilites in order to exploit the provided binaries. This writeup continues with lab05 which introduces DEP and ROP.
As usual there are three levels ranging from C to A:
–> lab5C
–> lab5B
–> lab5A
RPISEC/MBE: writeup lab04 (Format Strings)
In the last lab, which writeup can be found here, we used publicly available shellcodes as well as shellcodes we had to write on our own, in order to exploit the provided binaries. In this writeup we proceed with the next lab, which focuses on the subject of Format Strings.
As usual there are three levels ranging from C to A:
–> lab4C
–> lab4B
–> lab4A
Continue reading “RPISEC/MBE: writeup lab04 (Format Strings)”
RPISEC/MBE: writeup lab03 (Shellcoding)
The last writeup for RPISEC/MBE lab02 dealt with the subject of Memory Corruption. We used different buffer-overflow vulnerabilities to execute a predefined function shell, which kindly spawned a shell for us. In real life there usually isn’t such a function, we can simply call. Thus we have to inject our own code. Accordingly the next lab described in this writeup brings up the topic of Shellcoding.
Yet again there are three levels ranging from C to A:
–> lab3C
–> lab3B
–> lab3A
RPISEC/MBE: writeup lab02 (Memory Corruption)
In the last writeup for RPISEC/MBE lab01 we used radare2 to reverse three different binaries in order to reveal a secret password or serial. In this writeup we continue with lab02 which broaches the issue of Memory Corruption.
As well as in the last lab there are three levels ranging from C to A:
–> lab2C
–> lab2B
–> lab2A
Continue reading “RPISEC/MBE: writeup lab02 (Memory Corruption)”
RPISEC/MBE: writeup lab01 (Reverse Engineering)
RPISEC is the resident computer security club at Rensselaer Polytechnic Institute. They developed a university course to teach skills in vulnerability research, reverse engineering and binary exploitation. The course material can be found on github including a detailed explanation on how to run the provided VM: https://github.com/RPISEC/MBE.
This article contains my writeup for the first lab (lab01). The lab’s topic is Reverse Engineering and it consists of the following levels:
–> lab1C
–> lab1B
–> lab1A
Continue reading “RPISEC/MBE: writeup lab01 (Reverse Engineering)”