pwn – devel0pment.de

6. September 20206. September 2020

ALLES! CTF 2020 – Actual ASLR 1/2

The ALLES! CTF (ctftime.org) took place from 04/09/2020, 16:00 UTC to 06/09/2020, 19:00 UTC with a variety of interesting, creative challenges.

Within this article I want to share my writeup on the two challenges Actual ASLR 1 and 2, which were authored by LiveOverflow. What I especially liked about the challenge(s) is that you could make progression step by step even getting a first flag on the way to a full shell, which grants access to the second flag.

The article is divided into the following sections:

→Actual ASLR 1
    – Binary
    – Random Algorithm
    – Reimplementation In Python
    – First Flag

→Actual ASLR 2
    – Custom Heap
    – Vulnerability
    – Heap Leak
    – Image Base Leak
    – Overwriting Function Pointer
    – Final Exploit

23. May 202024. May 2020

Hack The Box – Rope

This article contains my writeup on the machine Rope from Hack The Box. I really enjoyed the box, since it provides a total of three custom binaries, which are supposed to be exploited 🙂

The article is divided into the following parts:

→ User
    – Initial Recon
    – httpserver
    – Leak Memory Address
    – Exploit Format String Vulnerability
    – Escalating from john to r4j (readlogs)

→ Root
    – Local Recon
    – contact
    – Bruteforce
    – Libc Leak
    – Final Exploit

12. June 201912. June 2019

Hacky Easter 2019 writeup

As every year hacking-lab.com carried out the annual Hacky Easter event with 27 challenges. As usual the variety of the challenges was awesome. I actually got full score this year 🙂 Many thanks to daubsi, who gave me a nudge once in a while on the last challenges (you can find his writeup here).

	Easy
01 Twisted 02 Just Watch 03 Sloppy Encryption 04 Disco 2 05 Call for Papers 06 Dots 07 Shell we Argument 08 Modern Art 09 rorriM rorriM
	Medium
10 Stackunderflow 11 Memeory 2.0 12 Decrypt0r 13 Symphony in HEX 14 White Box 15 Seen in Steem 16 Every-Thing 17 New Egg Design 18 Egg Storage
	Hard
19 CoUmpact DiAsc 20 Scrambled Egg 21 The Hunt: Misty Jungle 22 The Hunt: Muddy Quagmire 23 The Maze 24 CAPTEG
	Hidden
25 Hidden Egg #1 26 Hidden Egg #2 27 Hidden Egg #3

3. February 20193. February 2019

nullcon HackIM 2019 – babypwn

The nullcon HackIM 2019 CTF (ctftime.org) ran from 01/02/2019, 16:30 UTC to 03/02/2019 04:30 UTC.

I did the pwn challenge babypwn, which was really fun to do. The following article contains my writeup being divided into the following sections:

→ Challenge description
→ Security mechanisms and disassembly
→ Signedness vulnerabilitiy
→ Format string vulnerabilitiy
→ Final exploit

Continue reading “nullcon HackIM 2019 – babypwn”

14. August 201814. August 2018

Heap Exploitation: Off-By-One / Poison Null Byte

The goal of this article is to explain in detail how an off-by-one vulnerability on the heap also known as poison null byte can be exploited. Although this technique does not work with the latest libc, I think it can be used very good in order to demonstrate how exploits based on heap-metadata corruption work (also check out shellphish’s how2heap).

In order to do this I created a vulnerable program, which we will use as an example to create such an exploit. If you like to, you can start by analyzing and exploiting the program on your own (at least check out Environment):

–> heap.zip

Though it is not required to the exploit the program, the source-code might be helpful:

–> heap.c

The article is divided into the following sections:

–> Environment
–> Vulnerable Program
–> Heap Basics
–> Libc-Leak
–> Control Instruction Pointer
–> One Gadget
–> Final Exploit

Continue reading “Heap Exploitation: Off-By-One / Poison Null Byte”

15. July 2018

Meepwn CTF Quals 2018 – babysandbox

The Meepwn CTF Quals 2018 (ctftime.org) ran from 13/07/2018, 19:00 UTC to 15/07/2018 19:00 UTC.

There were a lot of interesting-looking challenges. As always, time was the limiting factor 😉 I managed to spend 2 hours on saturday morning solving the pwn challenge babysandbox.

Continue reading “Meepwn CTF Quals 2018 – babysandbox”

22. May 2018

Hacky Easter 2018 writeup

As every year hacking-lab.com carried out the annual Hacky Easter event with 27 challenges. I could not spend as much time as I would have liked to on solving the challenges, but after all I managed to collect 25 of the 27 eggs and focused on this writeup.

	Easy
01 Prison Break 02 Babylon 03 Pony Coder 04 Memeory 05 Sloppy & Paste (mobile) 06 Cooking for Hackers 07 Jigsaw 08 Disco Egg 09 Dial Trial (mobile)
	Medium
10 Level Two 11 De Egg you must (not solved) 12 Patience (mobile) 13 Sagittarius… 14 Same same… 15 Manila greetings 16 git cloak –hard 17 Space Invaders 18 Egg Factory
	Hard
19 Virtual Hen 20 Artist: No Name Yet (not solved) 21 Hot Dog 22 Block Jane 23 Rapbid Learning 24 ELF
	Hidden
25 Hidden Egg #1 26 Hidden Egg #2 27 Hidden Egg #3

Continue reading “Hacky Easter 2018 writeup”

21. March 20183. January 2019

angstromCTF 2018 – writeup hellcode

The angstromCTF 2018 (ctftime.org) ran from 16/03/2018, 20:00 UTC to 23/03/2018 00:00 UTC.

As the description on ctftime.org states, the ctf is primarily geared towards high school students but with a very wide range of challenge difficulty.

There have been a lot of interesting challenges which have been fun to do. I decided to make a writeup for the pwn challenge hellcode.

Continue reading “angstromCTF 2018 – writeup hellcode”

10. March 201820. May 2018

RPISEC/MBE: writeup lab09 (C++)

In the last lab we focused on Misc and Stack Cookies. In this next to last lab some characteristics when dealing with C++ are introduced.

The lab contains only two levels:
–> lab9C
–> lab9A

Continue reading “RPISEC/MBE: writeup lab09 (C++)”

2. March 201820. May 2018

RPISEC/MBE: writeup lab08 (Misc and Stack Cookies)

While the last lab introduced the subject of Heap Exploitation, this lab focuses on Misc and Stack Cookies.

The lab contains three levels again ranging from C to A:
–> lab8C
–> lab8B
–> lab8A

Continue reading “RPISEC/MBE: writeup lab08 (Misc and Stack Cookies)”