Kernel Exploitation on ARM64 (HeroCTF v7)

A couple of days ago, our team CSUI participated in HeroCTF v7 and managed to secure 9th place at the end. One of the challenges there was Safe Device, a pwn challenge with the fewest solves, finishing with only 7 solves at the end of the event. Unfortunately, I was not able to solve it during the event. I only managed to solve it after the event had ended. ...

December 4, 2025 · 19 min · 3958 words · nouxia

A Blind Pwn Challenge: Leaking Flags with Only Open and Read Syscalls (Grid, Industrial Intrusion 2025)

About a week or two ago, I participated in Industrial Intrusion, one of TryHackMe’s capture-the-flag events. In it was grid, a pwn challenge that revolved around writing shellcode to leak the contents of the flag file. While seemingly easy enough, upon further inspection you would find that a seccomp rule had been put in place to allow only the open and read syscalls. This poses an interesting challenge because, while you are able to open and read the flag, you wouldn’t be able to write out its contents, as the write syscall is not part of the whitelist. So, what next? Is it possible to leak the contents of memory without directly writing it out? That’s what we’ll be exploring today. ...

July 6, 2025 · 9 min · 1873 words · nouxia

File Stream Oriented Programming (FSOP) on Musl Libc

A couple of months ago, I participated in a local CTF in which there was a very interesting pwn challenge authored by msfir, named www-0. The main twist of the challenge was that it ran on an Alpine Linux container, unlike other challenges, which usually run on an Ubuntu or Debian container. Since Alpine uses musl instead of glibc as its standard C library, the binary is linked against musl libc rather than the usual glibc. While mostly identical in function, musl differs from glibc in implementation, so some exploits that work on glibc might not automatically work on musl libc. In this writeup, we’ll be exploring how musl libc is implemented, specifically how it handles files and its exit procedures. ...

July 3, 2025 · 10 min · 2085 words · nouxia