[Self-Practice] Defcon 22

defcon

As you know, DEFCON CTF 23 Quals is coming up! And I want to self-practice by resolving challenges from last year.
Firstly, I’m just going to upload my exploit code, if I have a free time, i will make the full write-up. Hope you enjoy!

let’s start the journey

bbgp (selir-2 points)

The vulnerable function is located at 0x185D. Which let you overwrite return-EIP. The last thing you need to to do is brute-force the PIE base address.

Exploit code here.

shitsco (gyno-2 points)

There was a classical vulnerability, use-after-free. When the exploit runs, you’re supposed to get the password. Precisely, you would be able to get the FLAG with it.

Exploit code here.

sftp (gyno-3 points)

Well, I’ve just done this one. It was common problem when you try to handle file-manager. It’s suppose to be pretty confused because func_RETR at 0x08049239 tries to read until EOF instead of reading n bytes like it printed out.

Exploit code here.

nonameyet (hj-3 points)

This one was about handling HTTP PAYLOAD. Since that binary (nonameyet.cgi) has no NX, we would be able to jump in our data. My shellcode was “Reverse TCP” to my own remote host.

Exploit code here.

byhd (hj-2 points)

It was about reversing Huffman Tree. I did it, but you may wanna see my teammate’s write-up here. It’s kind of tricky to solve :).

Exploit code here.

turdedo (selir-3 points)

Omg, this one was so hard! I found the bug at 0x0804969B, when you probably overwrite the previous heap block and bypass a format-string filter function 0x080495CD. Obviously, it looks very hard to understand. If you are interested in, you can do it yourself or go search the full write-up on google.

Exploit code here.

 

DEFCON 21 QUALS

linked (shellcode-3 points)

I’ve solved it with 13 bytes shellcode (less than the solution given by organizers) 😀

 

musicman (reverse-3 points)

It was about integer overflow, which leads us to read FLAG_WAV 0x0804C100. BTW, I did some trick to decode wave to characters 😀

Code here.

thyself (reverse-2 points)

Hm, This problem is mixing Crypto and Reversing. The “bug” is placed at aeslite_encrypt. It is not quite hard, you can do it by yourself :D.

incest (shellcode-1 point)

Shellcode here.

 

updating soon…

manhluat Written by:

8 Comments

  1. Avatar
    Anonymous
    May 1, 2015
    Reply

    Looking forward to your full-writeup;-)

    • Avatar
      manhluat
      May 2, 2015
      Reply

      I would give a try later XD.

      • Avatar
        Anonymous
        May 7, 2015
        Reply

        Practicing with you~ XDDDD

        • Avatar
          Anonymous
          May 7, 2015
          Reply

          Can you give me nonameyet (hj-3 points)’s binary?

  2. Avatar
    peter
    May 11, 2015
    Reply

    In bbpg challenges, you don’t need to bruteforce binary base address because, in function located at 0x2002, it calls send(1, &buf, 46u, 0) , size larger than buf have, and just enough to leak PIE base address 🙂

    • Avatar
      manhluat
      May 11, 2015
      Reply

      Well, I didnt even notice that @@

  3. Avatar
    peter
    May 14, 2015
    Reply

    In sftp , i find another bug to trigger buffer overflow , in List_CMD i finds something special sprintf(&s, “%s/%s”, name, v7->d_name), name is path we controlled and the v7->d_name is file name, and size of s is only 0x100 so i will overflow easily 🙂

Leave a Reply

Your email address will not be published. Required fields are marked *