DVID : Characteristics 2

Hello Rootkitty

May 5, 2020

Event Challenge Category Points Solves ecsc Hello Rootkitty pwn 500 24 TL;DR A custom kernel module was vulnerable to a buffer overflow, with a small ropchain I escalated my privileges to root and with a sys_chmod syscalls I got the flag. Description Recon I’m not a Linux kernel expert, everything might not be 100% correct, but I’ll do my best to summarize what I understood.

DVID : Characteristics 2

Oct 10, 2019

Introduction I recently bought a DVID board which is an open source vulnerable designed IoT device. In this post I will try to explain how to solve the third challenge of the DVID project. In this challenge we need to write data to a special characteristic. Challenge Let’s flash the firmware, enable and setup the usb dongle: 1 2 3 sudo avrdude -c usbasp -p m328p -U flash:w:characteristics2.

DVID : Characteristics

Oct 10, 2019

Introduction I recently bought a DVID board which is an open source vulnerable designed IoT device. In this post I will try to explain how to solve the second Bluetooth challenge of the DVID project. In this challenge we need to read data from a special characteristic. Challenge Let’s flash the firmware, enable Bluetooth and setup the usb dongle: 1 2 3 sudo avrdude -c usbasp -p m328p -U flash:w:characteristics.

BLE introduction

Oct 10, 2019

Introduction I recently bought a DVID board which is an open source vulnerable designed IoT device. In this post I will try to explain how the Bluetooth protocol works and how we can solve the first Bluetooth challenge of the DVID project. Bluetooth protocol This talk is a good introduction to Bluetooth hacking, what’s following come from this document, but if you want more details you should read it. The next diagram shows how a typical connection between a phone and a Bluetooth device work.

TMNT

Oct 10, 2019

Event Challenge Category Points Solves AperiCtf TMNT web 300 6 TL;DR In this challenge we need to trigger an XSS, first we need to bypass the template engine of the browser to insert custom tags in the page. We can then trigger the XSS with some specific tag and use a DOM-based JavaScript injection vulnerability. Step 1 This is my first web write-up, I usually prefer popping shell, but this time we will pop some alert boxes !

Pwn Run See (part 1 & 2)

Oct 10, 2019

Event Challenge Category Points Solves AperiCtf PwnRunSee 1 pwn 175 5 AperiCtf PwnRunSee 2 pwn 250 2 TL;DR This challenge was a use after free vulnerability which allow the user to get a shell on the remote docker after a call to execve with some user controlled parameters. Once inside the docker, we can abuse some privileges to mount the host disk inside the container and get the last flag.

Filereader

May 5, 2019

Event Challenge Category Points Solves ecsc2019 filereader pwn 1000 20 TL;DR We need to exploit binary which read the content of files listed in an other file. A buffer-overflow is present in one of the function and we can leak the address of libc thanks to /proc/self/map since we can read files. A onegadget is then used to pop a shell.

Give Me Your Shell

May 5, 2019

Event Challenge Category Points Solves inshack-2019 gimme-your-shell pwn 50 67 TL;DR This is a remote buffer overflow challenge, there is no protection on the binary but ASLR is enable on the remote server. I redirected the execution flow to write my shellcode to a controled area, then jump to it and execute it. Getting informations First I looked at the protections on the binary :

Mission impossible 1

Dec 12, 2018

Event Challenge Category Points Solves santhacklausctf mi1 Forensic/Crypto 800 18 TL;DR After downloading the zip file we were faced with a linux memory dump. After building the correct profile for volatility you had to perform a known plain text attack on an encrypted and splited zip file to recover the file flag.txt. Introduction After downloading the file MI1.zip we had a memdump.

Mission impossible 2

Dec 12, 2018

Event Challenge Category Points Solves santhacklausctf mi2 Forensic/Crypto/network 500 22 TL;DR In the second part of the challenge we also had a memory dump of a Debian system and a network capture. When you analyse the network capture you can see that some data were exfiltrated, if you look into the memdup you can see that the tool DET (Data Exfiltration Toolkit), has been used to exfiltrate the data.

DVID : Characteristics 2

Introduction

Challenge

Hugo VINCENT

Hello Rootkitty

DVID : Characteristics 2

DVID : Characteristics

BLE introduction

TMNT

Pwn Run See (part 1 & 2)

Filereader

Give Me Your Shell

Mission impossible 1

Mission impossible 2