<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Pwn on Tyler's Blog</title><link>https://blog.zars.me/tags/pwn/</link><description>Recent content in Pwn on Tyler's Blog</description><generator>Hugo</generator><language>en-us</language><copyright>© Athul</copyright><lastBuildDate>Sat, 27 Apr 2024 12:13:32 +0530</lastBuildDate><atom:link href="https://blog.zars.me/tags/pwn/index.xml" rel="self" type="application/rss+xml"/><item><title>hitb-gsec-2017 babyqemu</title><link>https://blog.zars.me/posts/hitb-gsec-2017/</link><pubDate>Sat, 27 Apr 2024 12:13:32 +0530</pubDate><guid>https://blog.zars.me/posts/hitb-gsec-2017/</guid><description>This was an old challenge, but one of my friends was teaching it and I knew nothing about QEMU and physical hardware. I went into it knowing it was a QEMU escape, so I won&amp;rsquo;t be covering the mindset of finding that out, but I&amp;rsquo;ll break down the in-depth meaning behind what the exploit does and some of the QEMU internals that make this problem solvable.
The Problem The provided resources for the challenge allude to it being a QEMU challenge:</description></item><item><title>nahamctf 2023</title><link>https://blog.zars.me/posts/nahamctf2023/</link><pubDate>Sat, 17 Jun 2023 12:13:32 +0530</pubDate><guid>https://blog.zars.me/posts/nahamctf2023/</guid><description>I keep having busy weekends and I wish I had a touch more time to grind out the challenges I had left for this CTF. Awesome challenges by the authors! Thanks for the fun CTF, nahamsec team!
Glasses 50 points - Warmups - 955 Solves - easy Author: @JohnHammond#6971 Everything is blurry, I think I need glasses! We can&amp;rsquo;t inspect element with a mouse click. No worries, just use the keyboard shortcut (or on Mac the menu still pops).</description></item><item><title>HeroCTF V5</title><link>https://blog.zars.me/posts/heroctfv5/</link><pubDate>Mon, 15 May 2023 12:13:32 +0530</pubDate><guid>https://blog.zars.me/posts/heroctfv5/</guid><description>Overview HeroCTF was my first solo team attempt at CTF&amp;rsquo;ing. It was a blast and huge props to the authors of the challenges. I had fun solving all the ones I did and had plenty of time to experiment with the ones I couldn&amp;rsquo;t. The CTF was hosted here: link. I&amp;rsquo;ll break down my solves below in no particular order.
dev.corp 1/4 The famous company dev.corp was hacked last week.. They don&amp;#39;t understand because they have followed the security standards to avoid this kind of situation.</description></item><item><title>irisCTF babyseek</title><link>https://blog.zars.me/posts/irisctf-babyseek/</link><pubDate>Wed, 01 Feb 2023 12:13:32 +0530</pubDate><guid>https://blog.zars.me/posts/irisctf-babyseek/</guid><description>The Challenge I&amp;rsquo;ll let you seek around my file as far as you want, but you can&amp;rsquo;t go anywhere since it&amp;rsquo;s /dev/null.
Author: sera
seek.zip
nc seek.chal.irisc.tf 10004
The Provided ZIP chal Provided binary chal.c Source which binary comes from Makefile Provided compilation flags Dockerfile Dockerfile running on the server Protections [*] &amp;#39;/root/workspace/vr_pres2/seek/chal&amp;#39; Arch: amd64-64-little RELRO: No RELRO Stack: No canary found NX: NX enabled PIE: PIE enabled Welp, if we can overflow and overwrite the GOT, seems like we&amp;rsquo;re in the home stretch.</description></item><item><title>irisCTF ret2libm</title><link>https://blog.zars.me/posts/irisctf-ret2libm/</link><pubDate>Wed, 01 Feb 2023 12:13:32 +0530</pubDate><guid>https://blog.zars.me/posts/irisctf-ret2libm/</guid><description>The Challenge I need to make a pwn? Let&amp;rsquo;s go with that standard warmup rop thing&amp;hellip; what was it&amp;hellip; ret2libm?
Author: sera
ret2libm.zip / Dockerfile
The Provided ZIP chal Provided binary chal.c Source which binary comes from libc-2.27.so Provided libc version libm-2.27.so Provided libm version Makefile Provided compilation flags What is libm? #include &amp;lt;math.h&amp;gt; libm is the standard math library for C. Where does libm live? $ ldd chal linux-vdso.so.1 (0x00007fffd53f5000) libm.</description></item></channel></rss>