htaas - UofT CTF 2025


while playing UofTCTF I solved hash table as a service (htaas). we were given a simple heap menu, which lets us create, get and set hash table entries: 1. New Hash Table 2. Set 3. Get 4. Exit > upon inspecting the source, we spot some interesting things. there is an array that contains hashTables, i.e. it contains the number of entries in the hash table and its start address:…

heap_master - n1ctf 2024


heap_master was a kernel pwn challenge from n1ctf. I didn’t play the ctf, although the challenge seemed nice to upsolve. let’s get started for the environment, we were given a linux 6.1.110 image as well as a config file. before looking at the config file, note that we have an nsjail environment. in our case, this means a bunch of disabled syscalls, no setuid binaries, and only few useful files in /dev and /proc directories.…

TOY/2 - SECCON CTF 13


TOY/2: this weekend we played as P1G SEKAI and managed to qualify to the finals. TOY/2 was a challenge I solved. in this challenge we’re given a C++ binary that emulates some 16-bit architecture. it had several instructions, one of them included an oob bug: case 13: /* STT */ mem_write(_regs.a & (size() - 1), _regs.t); break; this is bad code, since we write two bytes but the AND lets us place those one byte before the emulator memory ends → one-byte oob write.…

Java? - Securinets CTF Quals 2024


last week we qualified for securinets finals. Java? was a pwn challenge I blooded. we were given a java program, which reads input three times and passes it to a library: import java.io.BufferedReader; import java.io.IOException; import java.io.InputStreamReader; public class Main { private String first = ""; private String second = ""; private String last = ""; static { System.loadLibrary("Lib"); } public native void Kabom(); public native void Setup(); public static void main(String[] args) throws IOException{ BufferedReader reader = new BufferedReader(new InputStreamReader(System.…

physler - BRICS CTF 2024


physler was another challenge from BRICS CTF that I solved. we basically got a kernel module that has two ioctl requests defined: case IOCTL_MAP_PHYS_ADDR: { if (copy_from_user(&_map, (void*)arg, sizeof(_map))) { return -EFAULT; } if (mem) iounmap(mem); mem = ioremap(_map.phys_addr, _map.size); if (!mem) { return -EFAULT; } break; } case IOCTL_WRITE_PHYS_MEM: { if (!mem) return -EFAULT; if (copy_from_user(&_write, (void*)arg, sizeof(_write))) { return -EFAULT; } size = _write.size; if (size > sizeof(kernel_buffer)) size = sizeof(kernel_buffer); if (copy_from_user(kernel_buffer, (char *)_write.…

chains - BRICS CTF 2024


two weeks ago, I played BRICS CTF with r3kapig, and we ranked 1st! chains was one of the challenges I solved. we were given a program to add/remove proxies and chains. upon executing we’re presented with: 1. Add Proxy 2. Delete Proxy 3. Add Chain 4. View Chain 5. Delete Chain 6. Exit that resembles a typical heap challenge. it turns out to be one, since the following structures are getting allocated dynamically:…

TLN - snakeCTF 2024


this weekend I played snakeCTF for fun and managed to solve a few pwns. one of them was TLN. the challenge code was pretty simple, introducing a classical oob index vulnerability: case OPT_SET: print("Index: "); index = get_int(); print("Content: "); read_exact(&(notes[index].content), sizeof(item_t) - 1); notes[index].content[sizeof(item_t) - 1] = 0; break; as you can see, no bounds checks at all. the notes array consists of elements of item_t, which is defined like the following:…

my own kernel fuzzer - lxfuzz


my long-time project is writing a kernel fuzzer named lxfuzz. it is a coverage-guided fuzzer for the linux kernel. I chose that project for some reasons: to learn about fuzzing and its mechanisms in general, to learn more about the linux kernel, to improve my C++ skills :) (the language used for lxfuzz), and profit (finding CVEs). under the hood it’s using qemu to run the kernel and kcov for coverage collection.…

the ring - BlackHat MEA CTF 2024


I had a fun time playing BlackHat MEA CTF. this pwn challenge was particularly nice. in “the ring” you were given a FLAC audio file parser, written in C++. you can provide such a custom audio file and get presented the output of the program. notice that there is a python wrapper handling the file and outputting readable text only. now the general functionality of the program: the program checks the magic bytes first (#define FLAC_MAGIC 0x664c6143U) and then immediately starts looking for the initial TYPE_STREAMINFO block, which may be followed by more blocks.…

valorn't - PlaidCTF 2024


I solved the easy pwn chall “valorn’t” during PlaidCTF while playing with Friendly Maltese Citizens. as usual, the goal was to win the game and read the flag int ret = play_pew_pew_game(); if (ret == 0) { read_flage(); } in order to win, is_cheater had to be set and the enemy team win-counter has to be 0 int play_pew_pew_game() { // ... if (is_cheater) { if (res->enemy_team == 0) { return 0; } else { puts("Dang, you're dogwater.…