Posts

Showing posts from May, 2024

[NahamconCTF] Pwn Challenges (So Much Cache & Gopherflow Returns)

Image
  ( بِسْمِ اللَّـهِ الرَّحْمَـٰنِ الرَّحِيمِ ) (إن أحسنت فمن الله، وإن أسأت فمن نفسي والشيطان) Hoy, let's go through the challenges from NahamconCTF . I wanna thank Mohamed (ixSly) for his support in this CTF. 1. So Much Cache (hard) This one was easy and direct if we understand what it is doing we finish, let's start. it gives us the ability to allocate places in memory, free it, and jump to a location that the binary chooses, if we can control this location it will be a simple "ret2win" (we have a win function to read the flag). we can write in our allocation with size (input size * 3) if we create an allocation 8 we can write into the memory (8*3) size which will overflow and corrupt the next heap allocation metadata and that is what we need. what we will do? create allocation with size "16" (you can do it with different size). fill this allocation with "(A* ((16*3)-1) )" the "-1" for the "0x0a" newline. choose "Prepare...

DEFCON Qual CTF 2024 - PWN - suscall challenge

Image
( بِسْمِ اللَّـهِ الرَّحْمَـٰنِ الرَّحِيمِ ) (إن أحسنت فمن الله، وإن أسأت فمن نفسي والشيطان) Solving "suscall" challenge from DEFCON Qual 2024. (challenge solved after the CTF) The first thing is reversing it with Ghidra and after some static and dynamic analysis we can see that there is a struct is created in the start of main if the file start with "sus" we will call the second function which is the challenge and this is a part of it we can notice that there is call to our input file " (*ppcVar1[5])(file_path); " with whatever in " ppcVar[5] " and it point to a function that print if there is a sus file detected and this var is an allocated location so i added a break point on it and did more dynamic analysis. lets say if we control it and added "system" and replace the function that print sus detection with filename "sus;sh;" to give us our shell code but how we can get the system function and control this location? if we c...