Posts

[PWN-heap] SunshineCTF 2024 - "secure_flag_terminal" Challenge

(In the name of God, the Most Gracious, the Most Merciful) (If I have done well, it is from God; and if I have erred, it is from myself and Satan) Let's try to exploit a heap challenge. Reverse: now we have the following options, and we have a leak of the "rand" function from libc, an opened flag whose fd number is already stored in the heap, and a bug in the write (option 2), which is an overflow; we can use it to modify the chunk metadata (note that we are dealing with libc version 2.27). We have a libc leak and a heap overflow vulnerability (we can only have 4 chunks allocated at a time). What we will try to do is corrupt the chunk metadata with the overflow to: read the dup_fd -> read a stack address from libc -> overwrite the RIP. Exploit: first, I set up my script to communicate with the binary in a simple way. We have standard steps to leak an address from the heap or to allocate at an exact address and read from it using the overflow, so we will start by leaking the heap address in the next block, we w...

[WEB] ASC Wargame CTF 2024 - Challenge Hot Proxy

(In the name of God, the Most Gracious, the Most Merciful) (If I have done well, it is from God; and if I have erred, it is from myself and Satan) It was a nice CTF; I got 2nd place with my teammates: Hissien Misbah (Twitter), Mohamed Bebo (LinkedIn), Sameh (LinkedIn), Osama Zidan (LinkedIn). A picture taken while solving this challenge in the last 5 minutes of the CTF (thinking that we had got 1st place). Let's walk through the web challenge Hot Proxy. Note that we did not solve it during the CTF; we were a minute away. Let's start. Note: there is no source code in the challenge attachment; I requested it from the author (@serWazito0), thanks to him. Challenge files: (ASCWG_2024_CTF). Note: the flag file is on the server and is called "flag_<RANDOM>.txt", so we have to get RCE. From the title I know that there is an "SSRF" vulnerability in this challenge, and from the description we know that there is an internal application called "app1" with a route called "/secret", so our target is to access...

[BlackHatMEA-CTF 2024] cockatoo PWN challenge

(In the name of God, the Most Gracious, the Most Merciful) (If I have done well, it is from God; and if I have erred, it is from myself and Satan) Let's check the "cockatoo" pwn challenge from BlackHat MEA CTF 2024. Reverse the binary: we note that the binary takes the input byte by byte and there is a counter (I hate static analysis). Dynamic analysis: let's jump into GDB and see what happens. I set a breakpoint along the way to get the stack address where our input will be stored; the following screenshots show our input growing and the counter sitting before the RIP address, and then the payload to overwrite the counter and control where the next write will land, in the following screenshots. We added to the counter (16) and could overwrite the RIP. Now we have to find our gadgets and do a simple execve, right?!!! NOOOOOO. Exploit: we don't have gadgets for "rdx, rdi, rsi" and we need to do "execve(rdi, rsi, rdx)", but we have "syscall" and "pop rax", so it's time for our SROP attack. We...

[PWN] [RITSEC-CTF 2024] gadget_database Challenge ARM64 Exploitation

(In the name of God, the Most Gracious, the Most Merciful) (If I have done well, it is from God; and if I have erred, it is from myself and Satan) I decided to go back to a challenge from RITSEC-CTF 2024 called "gadget_database" after months; it was a ROP challenge in an ARM64 binary. Let's start. Let's drop the binary into Ghidra to understand what it does: the "main" function checks the return value of the "answer" function. If it is right, we trigger a branch that is vulnerable to a buffer overflow, because it reads "0x200" bytes while the buffer size is "32" bytes. The "answer" function checks a password value, and it is fixed. Now, it is an ARM64 binary and we are running on an Intel processor, so we have to set up a script for debugging using "gdb-multiarch" and "qemu". When we run the script with the "GDB" argument, it runs "qemu-aarch64-static -g 2020 ./gadget_database" to start a listener for gdb, and in our "gdb-multiarch" session we ca...