I have not written for a long time… It’s nothing new, but it made me want to write something for the blog. I was reading the 44con talk “Subverting Direct X Kernel For Gaining Remote System”[1], and I said to myself, I’ll try to do the infoleak, CVE-2018-8121[2].
CVE-2018-8121
The infoleak consists in getting uninitialized memory in […]
Ricardo Narvaja’s pwnable – basic exercise 11
The aim of Ricardo Narvaja’s challenge is to learn about IDA Pro and use it as much as possible. The challenge can be found here and I modified the IDB for a better understanding. This challenge interacts with a file called fichero.dat, which it reads and stores in local variables (a struct). Since it is a small file, I can infer that there […]
VolgaCTF 2017 – time_is
I solved this challenge with my teammate @javierprtd. Category: Exploiting. Points: 150. Binary: time_is. By executing the binary, we can see:
    $ ./time_is
    Enter time zones separated by whitespace or q to quit
    hola
    hola: 05:54
    Enter time zones separated by whitespace or q to quit
    %x.%x.%x.%x.%x.%x.%x.%x.%x
    5.66666667.70a3d70b.2ce33e7.e40.bac364a0.350c30aa.2400010.78: 05:54
    Enter time zones separated by whitespace or q to quit
Well, format string vulnerability found. The binary reads from stdin using the __getdelim function, and the only delimiter is ‘\n’.
    v3 = __getdelim(&lineptr, &n, 10, stdin);
The __printf_chk function is used for printing to stdout and checking if the […]
Mod-X Central Command Level 4 [solution]
Agent apok…I don’t know how you did it, but good work! Your decryption helped us to see that the file was a registry installation file. It was used to place an executable file into our start up, so all the time since the break in this mystery program has been running. We had a brief […]
Mod-X Central Command Levels 2 and 3 [solutions]
Level 2 Continuing with the game this time we get this: Agent apok… Good Work on your previous mission – you are ready for your next mission. We now have access to the terminals. We think the intruder is telling the truth – other changes have been made to the system. A file has been […]
Mod-X Central Command Level 1 [solution]
I started this game some days ago, but I hadn’t had time to write about it. The web page is http://www.mod-x.co.uk and it invites us to solve some challenges; the great thing about it is that it has an increasing level. No more words and let’s go: Level 1 Agent apok… I am sorry you have had to […]
XiomaraCTF 2017 – mint
In this challenge debugging was unnecessary. If I execute it, this is the output:
    $ ./mint
    ^^^^^^^^^^^^^^ Welcome to My Mini Text editor (Mint) ^^^^^^^^^^^^^^^^^^^^^^^^
    [1] Add text
    [2] Edit text
    [3] Display text
    [4] Exit
    Enter ur option :
We can add a text, edit and show it.
The vulnerability
So, I add a text; the max length is 0x30, but if I edit the text, there are two options:
    Enter ur option :2
    [1] Append text
    [2] Overwrite
When I choose the first option, we can […]
FwhibbitCTF 2017 – Bomb
Category: Reversing. Points: 450. We need an 8-digit code to disable the bomb. That code is used to operate with two arrays of bytes. Any mistake will make the bomb explode.
    #first array of bytes
    aof = [0xF7, 0xFC, 0xB5, 0x83, 0x81, 0xA7, 0x83, 0x89, 0xBD, 0xFD, 0xBF, 0x9E, 0xFA, 0xA6, 0x9A, 0xF4, 0x84, 0xA2]

    #second array of bytes
    aof2 = [0xBB, 0xA8, 0xEA, 0x84, 0xD7, 0xCA, 0x80, 0x80, 0xEE, 0xA9, 0xB9, 0xDB, 0x91, 0xF0, 0x9D, 0xFB, 0x81, 0xE2, 0xF7, 0xFD, 0xE4, 0x80, 0x86, 0xF1, 0xCC, 0xC5, 0xE5, 0xA9, 0xEF, 0xC0, 0xA6, 0xE3, 0xC8]
My solution is below: The code is 8 digits long, every digit goes from 0 to 9, that code is used to operate with […]
FwhibbitCTF – Crazy serial
Last week, I played the FwhibbitCTF for a few hours; it was a CTF organized by Follow The White Rabbit. They used the Facebook platform, and this challenge is the one corresponding to the country Congo. My solution for Crazy serial is below. Category: Reversing. Points: 330pts. When I opened this challenge… As it can be seen, […]
AlexCTF – catalyst system
Thanks AlexCTF for challenges!