Showing posts from May, 2024

DEFCON Qual CTF 2024 - PWN - suscall challenge

(In the name of Allah, the Most Gracious, the Most Merciful) (If I have done well, it is from Allah; if I have done wrong, it is from myself and Satan.)

Solving the "suscall" challenge from DEFCON Qual 2024. (The challenge was solved after the CTF.)

The first step is reversing it with Ghidra. After some static and dynamic analysis, we can see that a struct is created at the start of main. If the file starts with "sus", the second function is called, which is the challenge itself, and this is a part of it. We can notice that there is a call on our input file, "(*ppcVar1[5])(file_path);", with whatever is in "ppcVar[5]". It points to a function that prints a message if a sus file is detected, and this variable is an allocated location, so I added a breakpoint on it and did more dynamic analysis. Let's say we control it: we put "system" there in place of the function that prints the sus detection, with the filename "sus;sh;", to give us our shell. But how can we get the system function and control this location? if we c