nobodyisnobody/write-ups — Gitpedia

Dans une tentative un peu vaine d'organiser le chaos, de donner une forme toute temporaire à tout ça,
voici un index...
(-----

Write-ups INDEX

Various Write-ups from various CTFs..

as a Pwner for various team (Blue Water, Water Paddler, RootMeUpBeforeYouGoGo, etc...)

or alone to practice..(Team --> Armitage)

this index is not exhaustive, it's mostly challenges that have a write-up (there are more challenges in write-ups/ directory)

<details> <summary>Heap Challenges</summary>

libc 2.35

0CTF TCTF 2022 --> babyheap
- write-up
seccomp in place, heap overflow due to type confusion, do chunk overlap for leak, then two tcache poisonning attacks 
code execution via forging dtor_list table in tls-storage, and erasing the random value at fs:0x30
DiceCTF HOPE 2022 --> catastrophe
- write-up
double free in fastbin, then overwrite libc strlen got entry with system() address 
code execution when calling puts() function (that calls strlen...)
BSides.Algiers.2023 --> just pwnme
- solve script
double free in fastbin, then get allocation on environ, leak environ, get allocation on stack, write ROP on stack

libc 2.34

MetaCTF 2021 --> hookless
- write-up
double free in delete function,uaf in edit function (usable once),uaf in display() function too 
House of Botcake attack, we overwrite IO_2_1_stdout with environ address to leak stack address 
we write a ROP directly on stack to achieve code execution

libc 2.32

vsCTF 2022 --> EZorange
- write-up
oob read/write in edit function, no free available, use same method than house of orange to free chunks 
we free two chunks, then do tcache poisonning with the oob, and overwrite __malloc_hook

libc 2.31

justCTF 2022 --> notes
- write-up
fastbin dup attack, then write to __free_hook
idek CTF 2021 --> stacknotes
- write-up
malloca alloc chunk on stack depending on size,we forge a fake chunk on stack, do a house of spirit attack on it 
then alloc a chunk on stack with our ROP that overwrite return address
Tamil CTF 2021 --> University
- write-up
overflow in edit because of strlen on a non-zero terminated string, will give us a read/write primitive 
we set tcache.count in tcache_perthread_struct to 7 , to make a chunk goes to unsorted, to have a libc address leak 
we edit tcache_entry of bloc of size 0x20 to __free_hook
HSCTF 8 CTF 2021 --> House of sice
- write-up
double free vulnerability, using fastbin dup attack, then allocation on __free_hook
DownUnder CTF 2021 --> DUCTF Note
- write-up
int8 overflow in edit function, then write in tcache metadata, then allocation on __free_hook
DigitalOverdose CTF 2021 --> flavor
- write-up
double free vulnerability and uaf, then allocation on __free_hook
justCTF 2023 --> Nucleus
- write-up
- overwrite __free_hook via tcache poisonning attack *

libc 2.29

GDG Algiers CTF 2022 --> Notes Keeper
- write-up
use null byte overflow to make 0x118 chunk goes to tcache 0x20 size when freed 
the do fastbin dup attack, to finally overwrite __free_hook

libc 2.27

RaR CTF 2021 --> unintended
- write-up
heap overflow because of strlen usage, then make overlapping chunk & tcache poisonning 
finally overwrite __free_hook
IJCTF 2021 --> ezpez 
- write-up
double free on tcache_head to have allocation in unsorted, leak libc, double free on stdin to modify filedescriptor and leak flag
HSCTF 8 CTF 2021 --> Use after freedom
- write-up
unsorted bin attack, overwrite global_max_fast, then overwrite __free_hook
justCTF 2023 --> Welcome in my house
- write-up
- classic house of force challenge, overwrite another chunk on heap by "turning around" the memory address space *

libc 2.25

Tamil CTF 2021* --> Vuln Storage
- write-up

</details> <details> <summary>Code execution after exit</summary>

Imaginary CTF 2022 --> rope
- write-up
code execution via overwriting _rtld_global+3848 , that is __rtld_lock_lock_recursive (GL(dl_load_lock)) 
and pivoting in _rtld_global , via gets() and setcontext gadget
DanteCTF 2023 --> Sentence To Hell
- write-up
code execution via overwriting l->l_info[DT_FINI_ARRAY] , to make it point to a forge _fini_array entry pointing to a onegadget 
challenge on libc 2.35 from Ubuntu 22.04
LakeCTF Quals 2023 --> Not Malloc
- write-up
code execution by creating a fake dtor_list in tls-storage, then pivoting in tls-storage & execute a ROP there

</details> <details> <summary>Kernel exploitation challenges</summary>

UTCTF 2022 --> bloat
- write-up
use write primitive in kernel module, to overwrite modprobe_path
FCSC 2023 --> ktruc
- write-up
kernel exploitation on recent ubuntu 5.19 kernel, use write primitive in kernel module, to overwrite modprobe_path
OffensiveCon 2023 --> Blue Frost Security , bfsmatrix challenge
- write-up
kernel exploitation on 6.0.15, an UAF on linked list matrix

</details> </details> <details> <summary>SIGROP challenges</summary>

Tamil CTF 2021 --> Insecure system
- write-up
ROP & sigrop
Tamil CTF 2021 --> Stress Rope
- write-up
small echo server in assembly, very few gadgets --> ROP & sigrop
PBjar CTF 2021 --> Imdeghost
- write-up
restricted shellcode, resolved via connect back flag exfiltration done in sigrop

</details> <details> <summary>FSOP challenges</summary>

SECCON CTF 2022 Quals --> Baby file
- write-up
libc-2.31 based fsop exploitation, _wide_data is NULL and non reachable, we populate pointers first 
then leak libc & random value at fs:0x30, we forge onegagdet mangled address and have code execution via _cookie_write
Hack.lu CTF 2022 --> byor
- write-up
libc-2.35 based fsop exploitation, _wide_data points on NULL chunk, we can overwrite stdout 
code execution via _IO_wfile_underflow , we execute system('/bin/sh'), new standard for FSOP
FCSC 2022 --> RPG
- write-up
heap overflow in FILE structure, then we use FSOP read/write to overwrite __free_hook
Blackhat MEA CTF finals --> devpro
- write-up
OOB read/write in FILE structure, then we use FSOP write to overwrite stdout, and we do a FSOP for code execution
GlacierCTF 2023 --> Write Byte Where
- write-up
one byte pwn challenge, solved with a write in stdin to expand buffer, and write over stdout for FSOP

</details> <details> <summary>restricted shellcode challenges</summary>

Redpwn CTF 2021 --> gelcode-2
- write-up
shellcode with only opcodes from 0 to 5, and a seccomp that force open/read/write shellcode
MetaCTF 2021 --> sequential shellcode
- write-up
shellcode where every byte must be bigger then the preceding one
Maple CTF 2022 --> EBCSIC
- write-up
shellcode alphanumeric but restricted to cp037 charset
FCSC 2022 --> palindrome
- write-up
need to write a palindrome shellcode, that can be read and executed in two direction
Aero CTF 2021 --> Shell Master 2
- write-up
run and execute 16byte alphanumeric shellcodes
idek CTF 2021 --> Guardians of the Galaxy
- write-up
shellcode that finds an previously left opened filedescriptor to escape chroot
KITCTFCTF 2022 --> movsh
- write-up
shellcode composed only of mov and 2 syscalls only, with seccomp that only allow open,read,write,exit syscalls
FCSC 2023 --> keskidi
- write-up
shellcode where a child leak parent accessible only flag.txt via a random temporary file modified by parent
Blackhat MEA CTF finals --> babysbx
- write-up
escaping from a seccomp very restricted shellcode, and remapping a read-only zone for changing only allowed binary
0CTF/TCTF 2023 --> Nothing is true
- write-up
*escaping from a seccomp very restricted with a 64 bit elf file, switching to 32bit and using sysenter *

</details> <details> <summary>Format string challenges</summary>

PBjar CTF 2021 --> wallstreet32
- write-up
restricted format string with many format chars forbidden, use trick '%\n' to get a leak (libc-2.31 based)*
MetaCTF 2021 --> Simple Format Returned
- write-up
well classical format string, need bruteforce
Maple CTF 2022 --> printf
- write-up
well classical format string, need bruteforce
Imaginary CTF 2021 --> inkaphobia
- write-up
well classical format string, need bruteforce
IJCTF 2021 --> baby sum
- write-up
simple format string
FCSC 2022 --> Formatage
- write-up
well classical format string, need bruteforce
DigitalOverdose CTF 2021 --> uncurved
- write-up
format string on heap with seccond that forbid execve, and bit a of bruteforce
Asis CTF Quals 2022* --> Baby Scan II
- write-up
abuse format string in snprintf to have a write anywhere primitive 
then overwrite exit got entry with _start, then overwrite atoi with printf for leaks 
then overwrite atoi() with system() for code execution
idekCTF 2022 --> relativity
- write-up
*format string on heap with only two %n allowed, need bruteforce...only solve script *

</details> <details> <summary>Various ROP challenges (or Buffer overflow style)</summary>

MetaCTF 2021 --> An Attempt Was Made
- write-up
restricted rop, execve forbidden, few gadgets (no libcsu_init gadget), use only add_gadget to forge gadgets
Hayyim CTF 2021 --> warmup
- write-up
simple rop challenge
Hayyim CTF 2021 --> cooldown
- write-up
more restricted rop challenge
Fword CTF 2021 --> blacklist revenge
- write-up
seccomp in place to forbid execve, no stdout/stderr output, so a mix of ROP+connect back shellc<brode
DefCamp CTF 2022 --> blindsight
- write-up
blind remote ROP with no binaries given
TamuCTF 2022 --> Rop Golf
- write-up
restricted ROP with few gadgets
SunshineCTF 2022 --> [RII] Magic the GatheRIIng
- write-up
oob write on stack, leak, then onegadget..
404 CTF 2023 --> Calculatrice
- write-up
overflow in recursive processing of multiplication in a calculator application 
*little ROP, that transform stderr libc address on .bss in a onegadget *
Balsn CTF 2023 --> BabyPwn2023
- write-up
restricted ROP with few gadgets available 
*first ROP on .bss, then execute .puts to leave libc addresses on .bss, then reeuse stdout address to leak a libc address on .bss (stdout) *

</details> <details> <summary>other architecture based challenges (arm,mips,riscv,etc...)</summary>

LINE CTF 2022 --> simbox (arm)
- write-up
ARM challenge based on gnu simulator 11.2 (with custom patch), we rop it, and dump flag
JustCTF 2022 --> arm (aarch64)
- write-up
simple aarch64 exploitation challenge
HackIM CTF 2022 --> Typical ROP (riscv)
- write-up
simple riscv gets buffer overflow exploitation challenge
UTCTF 2023 --> Bing Chilling (loongarch64)
- write-up
simple loongarch64 gets buffer overflow exploitation challenge
Hack-A-Sat 4 Qualifiers 2023 --> Smash Babdy & Drop baby (riscv32)
- write-up
smash baby is a buffer overflow, and drop baby an overflow needed to be ROP, on riscv32

</details> <details> <summary>Automatic exploit generation challenges</summary>

Imaginary CTF 2021 --> speedrun
- write-up
automatic generated exploit, gets buffer overflow type
TamuCTF 2022 --> Quick Mafs
- write-up
*5 automatic generated exploits to exploit *

</details> <details> <summary>VM Escape challenges</summary>

Fword CTF 2021 --> Peaky and the brain
- write-up
funny challenge, web application written in python, convert an image to brainfuck language, then execute brainfuck code 
oob write on stack in brainfuck interpreter, seccomp in place forbid execve, so open/read/write shellcode translated in brainfuck
CyberSecurityRumble CTF 2022 --> riscv-jit
- write-up
escape from a riscv bson parser inside a riscv jit interpreter to a riscv shellcode, 
then escape from a riscv just in time interpreter via a oob write in rwx zone, and execute x86 shellcode
CyberSecurityRumble CTF 2020 --> bflol
- write-up
oob read/write in a brainfuck interpreter , we dump our leaks on stack 
then overwrite return address with a onegadget
404 CTF 2022 --> Changement d'architecture II
- write-up
a sort of arm lite vm, oob read/write in registers access, that permit overwrite FILE structure 
then we get code execution via FSOP
0CTF TCTF 2022 --> ezvm
- write-up
escape a stack machine type of vm, via an oob write, we leak an address on heap via program logic trick 
then we get execution on exit, by forging a dtors_table in tls-storage and erasing random val at fs:0x30
RCTF 2022 --> bfc
- write-up
escape a brainfuck recompiler, via an oob read/write underflow on heap, then do heap exploitation via brainfuck (crazy) 
then we get code execution by overwriting libc GOT entries of strlen and memcpy, and causing a malloc error 
the malloc error will launch __libc_message() function that will call strlen and memcpy
UTCTF 2023 --> UTCTF Sandbox
- write-up
escape a unicorn sandbox, via vulnerabilities in syscall emulation 
we exploit first program running in guest, to get code execution via ROP 
then we exploit syscall emulation vulnerabilities in host loader, to leak host addresses, and execute an execve syscall
zer0pts CTF 2023 --> Brainjit
- write-up
escape from a JIT brainfuck x86 compiler 
by exploiting code x86 generation error, then executing a shellcode
Hitcon Quals 2023 --> Wall Maria
- write-up
a basic qemu escape challenge, via an oob read/write in a pci qemu driver
m0lecon CTF Finals 2023 --> Ptmoon
- write-up
an advanced qemu escape challenge, on qemu 8.1.1 running ubuntu 23.10 
an oob read/write introduced in the vmware svga driver, and a code execution via writing a ROP in another thread stack
bi0s CTF 2024 --> virtio-note
- write-up
an qemu escape challenge, on qemu 8.2.0 
an oob read/write in a virtio backend driver, and a code execution via writing a shellcode in qemu RWX zone
cor CTF 2025 --> tua-cugina-systems
- write-up
well, more nsjail escape in fact 
various tricks to get code execution, privesc, then a nsjail escape, worth to remember

</details> <details> <summary>PTRACE related challenges</summary>

Balsn CTF 2022 --> Asian Parents
- write-up
interesting challenge where a parent process trace a child process to filter his syscalls via ptrace
NahamCon EU CTF 2022 --> Limited resources
- write-up
challenge where a parent process trace a child process to modify his code via PTRACE_POKEDATA 
and like this, escape of the restricted seccomp to dump the flag via child

</details> <details> <summary>Windows challenges</summary>

INTENT CTF 2022 --> PwnMe
- write-up
simple buffer overflow, we do a little ROP that makes stack executable via a call to VirtualProtect() 
then we jump to a simple windows shellcode that calls cmd.exe

</details> <details> <summary>Uncategorized challenges (but worth reading)</summary>

Google CTF Quals 2022 --> FixedASLR
- write-up
great challenge, attack on LFSR based with a known output, to calculate canary (generated by the LFSR) 
use a ROP and a SIGROP for shell execution
Google CTF Quals 2023 --> write-flag-where 1,2 and 3
- write-up
a series of 3 challenges, each one more restricted, where you are give a write primitive to write flag anywhere
FCSC 2022 --> httpd
- write-up
interesting challenge, exploitation of syslog() format string vuln by child process, that exploit the parent process 
child process http authentification has a buffer overflow in base64 decoding to a fixed buffer on stack
FCSC 2022 --> deflation
- write-up
buffer overflow when decompressing zlib compressed data, then restricted ROP
Balsn CTF 2021 --> orxw
- write-up
interesting challenge where a parent can only write, and a child process can only open and read 
stdin,stdout,stderr are closed, so we use time to extract flag content by testing each char, and blocking when right guess
RealWorld CTF 2022 --> Shellfind
- quick write-up
exploiting a 0 day in a DLINK DCS-960L camera, via a buffer overflow in an udp service
justCTF 2023 --> Tic Tac PWN!
- write-up
- interesting challenge, where we can call libc functions via a rpc server, that can call a dynamic library imported functions (tic tac toe game) * 
- but we can pass only 32bits values to functions, and cannot map memory zone in the low 32bits of address space, nor use returned functions results * 
- we mmap a shellcode written in a temp file as rwx, and we finally use on_exit() libc function to have code execution at exits (very trikcy one..) *
Codegate CTF 2023 --> sea
- write-up
- interesting challenge, we can aes encrypt and decrypt data, we can overflow aes sboxes to zero them and leak the random key * 
- some signed and unsigned trick in padding to leak data on stack, and an overflow in encrypt function.. *