Event: ecsc | Challenge: Hello Rootkitty | Category: pwn | Points: 500 | Solves: 24
TL;DR: A custom kernel module was vulnerable to a buffer overflow. With a small ROP chain I escalated my privileges to root, and with a sys_chmod syscall I got the flag.
Description / Recon: I'm not a Linux kernel expert, so not everything here might be 100% correct, but I'll do my best to summarize what I understood.
Introduction: I recently bought a DVID board, an open source IoT device designed to be vulnerable. In this post I will try to explain how to solve the third challenge of the DVID project. In this challenge we need to write data to a specific characteristic.
Challenge: Let's flash the firmware, then enable and set up the USB dongle:
sudo avrdude -c usbasp -p m328p -U flash:w:characteristics2.
Introduction: I recently bought a DVID board, an open source IoT device designed to be vulnerable. In this post I will try to explain how to solve the second Bluetooth challenge of the DVID project. In this challenge we need to read data from a specific characteristic.
Challenge: Let's flash the firmware, enable Bluetooth and set up the USB dongle:
sudo avrdude -c usbasp -p m328p -U flash:w:characteristics.
Introduction: I recently bought a DVID board, an open source IoT device designed to be vulnerable. In this post I will try to explain how the Bluetooth protocol works and how we can solve the first Bluetooth challenge of the DVID project.
Bluetooth protocol: This talk is a good introduction to Bluetooth hacking. What follows comes from that document, but if you want more details you should read it. The next diagram shows how a typical connection between a phone and a Bluetooth device works.
Event: AperiCtf | Challenge: TMNT | Category: web | Points: 300 | Solves: 6
TL;DR: In this challenge we need to trigger an XSS. First we need to bypass the template engine of the browser to insert custom tags in the page. We can then trigger the XSS with a specific tag and use a DOM-based JavaScript injection vulnerability.
Step 1: This is my first web write-up. I usually prefer popping shells, but this time we will pop some alert boxes!
Event: AperiCtf | Challenge: PwnRunSee 1 | Category: pwn | Points: 175 | Solves: 5
Event: AperiCtf | Challenge: PwnRunSee 2 | Category: pwn | Points: 250 | Solves: 2
TL;DR: This challenge was a use-after-free vulnerability which allowed the user to get a shell in the remote Docker container after a call to execve with some user-controlled parameters. Once inside the container, we can abuse some privileges to mount the host disk inside the container and get the last flag.
Event: ecsc2019 | Challenge: filereader | Category: pwn | Points: 1000 | Solves: 20
TL;DR: We need to exploit a binary which reads the content of the files listed in another file. A buffer overflow is present in one of the functions, and since we can read arbitrary files we can leak the address of libc through /proc/self/maps. A one-gadget is then used to pop a shell.
Event: inshack-2019 | Challenge: gimme-your-shell | Category: pwn | Points: 50 | Solves: 67
TL;DR: This is a remote buffer overflow challenge. There is no protection on the binary, but ASLR is enabled on the remote server. I redirected the execution flow to write my shellcode to a controlled area, then jumped to it and executed it.
Getting information: First I looked at the protections on the binary:
Event: santhacklausctf | Challenge: mi1 | Category: Forensic/Crypto | Points: 800 | Solves: 18
TL;DR: After downloading the zip file we were faced with a Linux memory dump. After building the correct profile for Volatility, you had to perform a known-plaintext attack on an encrypted and split zip file to recover the file flag.txt.
Introduction: After downloading the file MI1.zip we had a memory dump.
Event: santhacklausctf | Challenge: mi2 | Category: Forensic/Crypto/network | Points: 500 | Solves: 22
TL;DR: In the second part of the challenge we also had a memory dump of a Debian system, plus a network capture. When you analyse the network capture you can see that some data was exfiltrated; if you look into the memory dump you can see that the tool DET (Data Exfiltration Toolkit) was used to exfiltrate the data.