_blackb3ard/pwn_exhibit$

pwn notes from an exploit dev wannabe

CTF Writeups

pwnscripts tl;dr  
https://gist.github.com/blackbeard666/ Solve scripts for challs that I don’t have the time to create writeups for (or whose basic idea has already been covered in other writeups here, with only a few additions). Might still create writeups for them tho.  

Hack The Box tl;dr
Script Kiddie [–redacted–]
Armageddon [–redacted–]
Laboratory gitlab 12.8.1 rce, docker-security path variable manipulation
Love [–redacted–]
Spectra [–redacted–]
Knife [–redacted–]
Delivery ticket tricks, rule-based hashcat
Ready gitlab 11.4.7 ssrf/csrf RCE, docker privileged mode breakout, filesystem mount
Tenet [–redacted–]
Ophiuchi [–redacted–]
The Notebook [–redacted–]
Pit [–redacted–]
Atom [–redacted–]
Monitors [–redacted–]

Tryhackme tl;dr  
Inferno bruteforce basic auth, find CVE for web ide, write forged privs http basic auth, codiad cve, tee privesc
Watcher multiple privesc using different techniques lfi, cronjobs, multiple privesc, python library hijacking

2021

ROOTCON15 Capture the Flag

HTB: CyberApocalypse tl;dr  
Controller negative index leads to integer overflow which leads to bof integer overflow, z3
Minefield arbitrary write primitive to control destructor for RCE fini_array, destructors
Harvester just the simple stuff, made more complicated by a pokemon-themed menu canary leak, format string, bof
Save the Environment leak stack addresses from libc pointers to overwrite return address on stack environ variable

SanDiego CTF tl;dr  
Flag Dropper ret2shellcode  
Unique Lasso SIGROP syscall loop; mov rax, rdx

Pragyan CTF tl;dr  
login format string to overwrite size field for buffer overflow fmtstr_payload()
cachetroubles heap fengshui to get double free on tcache + unsortedbin libc-2.31

angstrom CTF tl;dr  
pawn still studying [–redacted–]
carpal tunnel syndrome still studying [–redacted–]
raiid shadow legends c++ uaf c++ raii, uaf, c++ alloc internals

Foobar CTF tl;dr  
deathnote partial solve; fastbin attack, allocate misaligned memory pointer to pass malloc check and overwrite malloc hook libc 2.23, fastbin attack, __malloc_hook misaligned technique
rOw Row roW seccomp -> open-read-write shellcode seccomp, orw, shellcode

Volga Quals tl;dr  
pennywise off-by-one to control chunk pointer which is added to bin list format string, off-by-one

Securinets Quals tl;dr  
killshot format string to leak, www primitive, ropchain on heap chunk tcache_perthread_struct, printf www, heap rop, seccomp, analysis
deathnote uaf, overwrite tcache entry in perthread struct to point to free hook tcache poison, negative index write

Nahamcon CTF tl;dr  
meddle usual tcache challenge, but tricky way to write to chunks tcache poison, libc 2.27, misaligned input

BsidesSF CTF tl;dr  
runme 1,2,3 didn’t allow syscall/int0x80 bytes self-modifying shellcode
reverseme 1,2 xor encoded, latter part was rng encoded shellcode
Charge Tracker hardcoded flag, but I wanted to try something adb dumpsys

zer0pts ctf tl;dr  
Not beginner’s stack read more about stack shadow stack shadow

Darkcon CTF tl;dr  
Intro prologue info
Easy-ROP bof + multiple approaches pwn, x64, sigrop
Warmup double free for leak and poison pwn, x64, libc-2.27, double free, tcache poison
ezpz exposed log messages android rev, adb logcat
Take it Easy used an online sympy ide to perform attack crypto, low exponent attack, e = 3

Trollcat CTF tl;dr  
msgbox simple stuff tcache poison

0x41414141 CTF tl;dr  
moving signals simple stuff sigrop
external program cleared the GOT after overflow, needed a way to fix it fixing GOT, rop
echo most fmtstr challs are named with echo not fmtstr
return of the rops learn ret2csu dummy unintended solve
babyheap my first heap solve! tcache double free

2020


2019