Posts

Showing posts from February, 2025

[PWN] LA CTF 2025 - gamedev heap challenge

(In the name of God, the Most Gracious, the Most Merciful) (If I have done well, it is from God; if I have erred, it is from myself and from Satan.) Hey guys, now we have a challenge from LA CTF 2025. It was easy but hard (I made a mistake :( ). Let's start. Reverse (code review): in the reversing process we can notice the following: the binary uses a struct called "Level"; there is a heap overflow; there is no free in the challenge; a custom list (next-ptr) is used. Functions in the binary: "init" creates a chunk to store the next addresses, and this is the "start" variable; "explore" is used to move from level to level; "create" creates a new chunk with size "0x60"; "test" reads from the chunk; "edit" modifies the chunk (vulnerable to overflow); "reset" resets the "curr" pointer, which points to the currently used level. Remember this: what I got from using the binary is that to point to a level you have to create a level ...

[Kernel] BlackhatMEA Quals 2024 - CPL0 challenge - Interrupt Descriptor Table (IDT) Hooking

(In the name of God, the Most Gracious, the Most Merciful) (If I have done well, it is from God; if I have erred, it is from myself and from Satan.) Hey guys, let's try to solve a kernel exploit: the CPL0 challenge from BlackhatMEA Quals 2024. Thanks to Saif ( @wr3nchsr ) and Sameh ( @s4muii ) for helping me understand this challenge. This challenge had a new idea for me, so I learned a lot; let's talk about it. Now we will do the following: do recon on the challenge files; get root on the local version for debugging (by modifying the file system); use bash scripts to compress and decompress the file system to pass it to qemu; list what we will have and do in the challenge; exploit. Recon: we have bzImage: the kernel; rootfs.cpio: the file system; run.sh: a bash script to run qemu; qemu-system-x86_64: a modified qemu binary; qemu.diff: a diff file for the modified qemu binary. If we check the diff file we can note that the check_cpl0 function is modified and will return "true", so we have access to CPL0. But what is CPL0??? Current Privile...

[PWN] NullConCTF 2025 - hateful2-challenge

(In the name of God, the Most Gracious, the Most Merciful) (If I have done well, it is from God; if I have erred, it is from myself and from Satan.) Hoy, it's a heap challenge from Nullcon CTF 2025 ;-). Thanks to Saif ( @wr3nchsr ). What will we try to do? Reverse the binary; list what we found; exploit: leak the libc address using the unsorted bin, leak the heap address and do (mangling/demangling), overwrite the next pointer of the free list, control RIP with a ROP chain. Let's start ;-). Reverse the binary: after reversing the binary (the following screenshots are samples), we have 5 options to interact with the binary: what do we do? (about_us); add message (malloc); edit message; view message; remove message (free); leave (exit). List what we found: we can control the allocation size without limit; we have a leak in the (about_us) function to a variable on the stack (a stack address); there is a Use-After-Free (read & edit) after free()ing the chunk; the libc version is 2.36 (there is a protection on the free list addresses). Exploit: first we will ...