HACKvent20 writeup

This year’s HACKvent hosted on competition.hacking-lab.com has been as great as every year.
There was a total amount of 28 awesome challenges with varying difficulties.
HV20.(-1) Twelve steps of christmas
HV20.01 Happy HACKvent 2020
HV20.02 Chinese Animals
HV20.03 Packed gifts
HV20.04 Br❤celet
HV20.05 Image DNA
HV20.13 Twelve steps of christmas
HV20.14 Santa’s Special GIFt
HV20.15 Man Commands, Server Lost
HV20.16 Naughty Rudolph
HV20.17 Santa’s Gift Factory Control
HV20.18 Santa’s lost home
HV20.19 Docker Linter Service
HV20.06 Twelve steps of christmas
HV20.07 Bad morals
HV20.08 The game
HV20.09 Santa’s Gingerbread Factory
HV20.10 Be patient with the adjacent
HV20.11 Chris’mas carol
HV20.12 Wiener waltz
HV20.20 Twelve steps of Christmas
HV20.21 Threatened Cat
HV20.22 Padawanlock
HV20.23 Those who make backups are cowards!
HV20.24 Santa’s Secure Data Storage
HV20.H1 It’s a secret!
HV20.H2 Oh, another secret!
HV20.H3 Hidden in Plain Sight
Continue reading “HACKvent20 writeup”

ALLES! CTF 2020 – Actual ASLR 1/2

The ALLES! CTF (ctftime.org) took place from 04/09/2020, 16:00 UTC to 06/09/2020, 19:00 UTC with a variety of interesting, creative challenges.

Within this article I want to share my writeup on the two challenges Actual ASLR 1 and 2, which were authored by LiveOverflow. What I especially liked about the challenge(s) is that you could make progression step by step even getting a first flag on the way to a full shell, which grants access to the second flag.

The article is divided into the following sections:

Actual ASLR 1
    – Binary
    – Random Algorithm
    – Reimplementation In Python
    – First Flag

Actual ASLR 2
    – Custom Heap
    – Vulnerability
    – Heap Leak
    – Image Base Leak
    – Overwriting Function Pointer
    – Final Exploit


Continue reading “ALLES! CTF 2020 – Actual ASLR 1/2”

AnyDesk UDP Discovery Remote Code Execution (CVE-2020-13160)

One of my goals for this year is to spend a little bit more of my spare time on real world applications. Doing so I took a look at the remote desktop application AnyDesk, which seems to quickly raise in popularity not only because of COVID-19. AnyDesk is available for a variety of operating systems including Windows, Linux, Android and iOS. By reversing and fuzzing the Linux version 5.5.2 of the application I was able to find a format string vulnerability, which can be used to gain Remote Code Execution (RCE) by sending a single UDP packet to the target machine. AnyDesk took the issue very seriously. They released a patch only three days after my notification (5.5.3) and paid me a bounty of 5.000 EUR. The vulnerability is tracked as CVE-2020-13160. Within this article I want to share all steps, which were involved in finding the vulnerability, understanding the bug and developing the RCE exploit. The article is divided into the following sections:

Fuzzing
Bug
Exploit
    – Strategy
    – The v in vsnprintf
    – Gaining arbitrary write
    – Controlling the instruction pointer
    – Hitting our shellcode: dynamic field width
    – Final exploit
Conclusion

Continue reading “AnyDesk UDP Discovery Remote Code Execution (CVE-2020-13160)”

Hack The Box – Rope

This article contains my writeup on the machine Rope from Hack The Box. I really enjoyed the box, since it provides a total of three custom binaries, which are supposed to be exploited 🙂

The article is divided into the following parts:

User
    – Initial Recon
    – httpserver
    – Leak Memory Address
    – Exploit Format String Vulnerability
    – Escalating from john to r4j (readlogs)

Root
    – Local Recon
    – contact
    – Bruteforce
    – Libc Leak
    – Final Exploit

Continue reading “Hack The Box – Rope”