Posts

[PWN] [RITSIC-CTF 2024] gadget_database Challenge ARM64 Exploitation

(In the name of Allah, the Most Gracious, the Most Merciful) (If I have done well, it is from Allah; if I have erred, it is from myself and Satan) After months, I decided to go back to a challenge from RITSEC-CTF 2024 called "gadget_database". It was a ROP challenge in an ARM64 binary; let's start. Let's drop the binary into Ghidra to understand what it is doing. The "main" function checks the return value of the "answer" function; if it is right, we trigger a branch that is vulnerable to a buffer overflow, because it reads "0x200" bytes into a buffer of size "32" bytes. The "answer" function checks a password value, and it is fixed. Now, since it is an ARM64 binary and we are running on an Intel processor, we have to set up the script for debugging using "gdb-multiarch" and "qemu": when we run the script with the "GDB" argument, it runs "qemu-aarch64-static -g 2020 ./gadget_database" to start a listener for gdb, and in our "gdb-multiarch" session we ca...

[PWN] DeadsecCTF 2024 - User Management Challenge

(In the name of Allah, the Most Gracious, the Most Merciful) (If I have done well, it is from Allah; if I have erred, it is from myself and Satan) User Management is a format string challenge; let's start. First, our menu contains the following. After reversing the binary with Ghidra and trying the options, we know that there is a format string bug in the "view description" option, and we can hit it when we create a new user and log in with it. But to create a user we have to log in as admin first, and the admin password is random :-). With some static/dynamic analysis, we notice that there is something weird in the admin login function: it reads 21 bytes when it only needs 12 ;-), so we have a trigger here. If we check the address (DAT_555555559340), it is close to the address of the password at (DAT_555555559350), and we have an overflow on the first address, so we can overwrite the password. When we overwrite the password with the following payload, we get the "strncmp" check for the username, and we can get it after logging in as admin; we...

[PWN - Writeup] [vector overflow - yawa - pac shell] DownUnderCTF 2024

(In the name of Allah, the Most Gracious, the Most Merciful) (If I have done well, it is from Allah; if I have erred, it is from myself and Satan) Table of Contents: Vector Overflow (100 points), Yawa (109 points), Pac Shell (228 points)

[NahamconCTF] Pwn Challenges (So Much Cache & Gopherflow Returns)

(In the name of Allah, the Most Gracious, the Most Merciful) (If I have done well, it is from Allah; if I have erred, it is from myself and Satan) Hey, let's go through the challenges from NahamconCTF. I want to thank Mohamed (ixSly) for his support in this CTF. 1. So Much Cache (hard) This one was easy and direct: once we understand what it is doing, we are done. Let's start. It gives us the ability to allocate chunks in memory, free them, and jump to a location that the binary chooses; if we can control this location, it is a simple "ret2win" (we have a win function that reads the flag). We can write into our allocation with size (input size * 3): if we create an allocation of 8, we can write (8*3) bytes into memory, which overflows and corrupts the metadata of the next heap allocation, and that is what we need. What will we do? Create an allocation with size "16" (you can do it with a different size). Fill this allocation with "(A * ((16*3)-1))", the "-1" being for the "0x0a" newline. Choose "Prepare...

DEFCON Qual CTF 2024 - PWN - suscall challenge

(In the name of Allah, the Most Gracious, the Most Merciful) (If I have done well, it is from Allah; if I have erred, it is from myself and Satan) Solving the "suscall" challenge from DEFCON Qual 2024 (challenge solved after the CTF). The first thing is reversing it with Ghidra. After some static and dynamic analysis, we can see that a struct is created at the start of main; if the file starts with "sus", we call the second function, which is the challenge, and this is a part of it. We can notice that there is a call with our input file, "(*ppcVar1[5])(file_path);", with whatever is in "ppcVar1[5]", and it points to a function that prints a message if a sus file is detected. This var is an allocated location, so I added a breakpoint on it and did more dynamic analysis. Let's say we control it and put "system" there, replacing the function that prints the sus detection, with the filename "sus;sh;" to give us our shell. But how can we get the system function and control this location? If we c...