<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0"><channel><title>Fascinating Confusion</title><link>https://fascinating-confusion.io/</link><description></description><lastBuildDate>Fri, 15 Mar 2024 00:00:00 +0100</lastBuildDate><item><title>[HTB-CyberApocalypse-24] Gloater</title><link>https://fascinating-confusion.io/posts/2024/03/ca24-gloater/</link><description>&lt;p&gt;Gloater was a pwn challenge with an &lt;strong&gt;insane&lt;/strong&gt; difficulty rating during the Cyber Apocalypse 2024. While it had the most difficult rating, it wasn't the pwn with the least solves. But it was still an interesting challenge with many options to gain code execution. This writeup certainly presents a ... let's call it special way ;)&lt;/p&gt;
&lt;a class="btn read-more" href="https://fascinating-confusion.io/posts/2024/03/ca24-gloater/"&gt;Read More&lt;/a&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Galile0</dc:creator><pubDate>Fri, 15 Mar 2024 00:00:00 +0100</pubDate><guid isPermaLink="false">tag:fascinating-confusion.io,2024-03-15:/posts/2024/03/ca24-gloater/</guid><category>ctf</category><category>pwn</category><category>libc</category><category>2.31</category><category>free_hook</category><category>exploit</category><category>ctf</category><category>writeup</category><category>heap</category></item><item><title>[HTB-CyberApocalypse-24] Deathnote</title><link>https://fascinating-confusion.io/posts/2024/03/ca24-deathnote/</link><description>&lt;p&gt;Deathnote was a pwn challenge with &lt;strong&gt;medium&lt;/strong&gt; difficulty during the Hackthebox Cyber Apocalypse 2024. The challenge presented was a typical heap challenge allowing us to create, delete, and remove chunks. The LIBC given was &lt;code class="code"&gt;
Ubuntu GLIBC 2.35-0ubuntu3.6&lt;/code&gt;
. The solution involves getting a libc leak and calling a special helper function.&lt;/p&gt;
&lt;a class="btn read-more" href="https://fascinating-confusion.io/posts/2024/03/ca24-deathnote/"&gt;Read More&lt;/a&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Galile0</dc:creator><pubDate>Thu, 14 Mar 2024 00:00:00 +0100</pubDate><guid isPermaLink="false">tag:fascinating-confusion.io,2024-03-14:/posts/2024/03/ca24-deathnote/</guid><category>ctf</category><category>pwn</category><category>heap</category><category>2.25</category><category>libc</category><category>system</category><category>uaf</category><category>exploit</category><category>writeup</category></item><item><title>[HTB-Business22] Superfast Writeup</title><link>https://fascinating-confusion.io/posts/2022/07/htb-business-ctf-22-superfast-writeup/</link><description>&lt;p&gt;Superfast was an "easy" exploit challenge during the HTB Business CTF 2022. While rated easy I found it to be rather tricky. The challenge was based on a custom shared library loaded into php and exposed through a webserver.&lt;/p&gt;
&lt;a class="btn read-more" href="https://fascinating-confusion.io/posts/2022/07/htb-business-ctf-22-superfast-writeup/"&gt;Read More&lt;/a&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Galile0</dc:creator><pubDate>Wed, 20 Jul 2022 00:00:00 +0200</pubDate><guid isPermaLink="false">tag:fascinating-confusion.io,2022-07-20:/posts/2022/07/htb-business-ctf-22-superfast-writeup/</guid><category>ctf</category><category>pwn</category><category>exploit</category><category>writeup</category><category>format-string</category><category>rop</category><category>php</category><category>partial overwrite</category></item><item><title>[HTB-Business22] Insider Writeup</title><link>https://fascinating-confusion.io/posts/2022/07/htb-business-ctf-22-insider-writeup/</link><description>&lt;p&gt;Time for another writeup on this totally well maintained blog 👀. &lt;strong&gt;Insider&lt;/strong&gt; was an exploit challenge during the 2022 Business CTF  from HackTheBox named &lt;strong&gt;DirtyMoney&lt;/strong&gt;. It was based on a simple FTP Server with a fun easteregg and different bugs and ways to exploit it.&lt;/p&gt;
&lt;p&gt;This writeup describes an exploit which does in fact not use &lt;code class="code"&gt;
libc&lt;/code&gt;
 or &lt;code class="code"&gt;
one_gadget&lt;/code&gt;
 or any &lt;code class="code"&gt;
hooks&lt;/code&gt;
.&lt;/p&gt;
&lt;a class="btn read-more" href="https://fascinating-confusion.io/posts/2022/07/htb-business-ctf-22-insider-writeup/"&gt;Read More&lt;/a&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Galile0</dc:creator><pubDate>Mon, 18 Jul 2022 00:00:00 +0200</pubDate><guid isPermaLink="false">tag:fascinating-confusion.io,2022-07-18:/posts/2022/07/htb-business-ctf-22-insider-writeup/</guid><category>ctf</category><category>pwn</category><category>exploit</category><category>writeup</category><category>format-string</category><category>command-injection</category><category>htb</category></item><item><title>Pwn Challenges Setup Part 1 - Reversing</title><link>https://fascinating-confusion.io/posts/2020/11/pwn-challenges-setup-part-1/</link><description>&lt;p&gt;Once upon a time I wanted to join a CTF and solve some challenges. I settled out and chose a &lt;strong&gt;pwn&lt;/strong&gt; challenge. I downloaded the binary, started GDB and lo and behold....&lt;/p&gt;
&lt;p&gt;I had no clue how to proceed. GDB is barely usable and its command-line interface is at best obscure. I had no idea about disassemblers or decompilers. And what the hell is pwntools? This article series should provide some insight into the most basic setup for solving pwn challenges so you don't have to feel the same pain I once did.&lt;/p&gt;
&lt;a class="btn read-more" href="https://fascinating-confusion.io/posts/2020/11/pwn-challenges-setup-part-1/"&gt;Read More&lt;/a&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Galile0</dc:creator><pubDate>Tue, 10 Nov 2020 00:00:00 +0100</pubDate><guid isPermaLink="false">tag:fascinating-confusion.io,2020-11-10:/posts/2020/11/pwn-challenges-setup-part-1/</guid><category>tutorials</category><category>tutorial</category><category>ctf</category><category>pwn</category><category>radare</category><category>ida</category><category>ghidra</category><category>binja</category><category>binaryninja</category><category>reversing</category><category>beginner</category><category>ropemporium</category></item><item><title>[CSR20] HowToHeap - Libc 2.32</title><link>https://fascinating-confusion.io/posts/2020/11/csr20-howtoheap-writeup/</link><description>&lt;p&gt;HowToHeap was a medium rated challenge during the CyberSecurityRumble 2020 (CSR20) CTF. While not particular difficult, it allowed players to explore a new concept introduced with Libc 2.32: Safe-Linking.&lt;/p&gt;
&lt;p&gt;In this writeup we will not only solve a CTF-Challenge, but also take a look at what at this new mitigation technique introduced in the latest glibc.&lt;/p&gt;
&lt;a class="btn read-more" href="https://fascinating-confusion.io/posts/2020/11/csr20-howtoheap-writeup/"&gt;Read More&lt;/a&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Galile0</dc:creator><pubDate>Sun, 01 Nov 2020 00:00:00 +0100</pubDate><guid isPermaLink="false">tag:fascinating-confusion.io,2020-11-01:/posts/2020/11/csr20-howtoheap-writeup/</guid><category>ctf</category><category>ctf</category><category>safelinking</category><category>tcache</category><category>2.32</category><category>pwn</category><category>heap</category><category>csr20</category></item><item><title>[plaidctf20] Emojidb</title><link>https://fascinating-confusion.io/posts/2020/04/plaid20-emojidb-writeup/</link><description>&lt;p&gt;Emojidb was a 250 points pwn challenge during the PlaidCTF 2020. Unfortunately I didn't solve this challenge in time, which was mostly due to the fact it communicated only in emojis. To be specific, all data send and received was UTF-8 encoded
. What's so difficult about that you ask? Read on and find out about my stupid journey through character encoding. Oh, and also: The bug which had to be exploited was super cool and it took a nice journey through glibc to find out why it happened.&lt;/p&gt;
&lt;a class="btn read-more" href="https://fascinating-confusion.io/posts/2020/04/plaid20-emojidb-writeup/"&gt;Read More&lt;/a&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Galile0</dc:creator><pubDate>Mon, 20 Apr 2020 00:00:00 +0200</pubDate><guid isPermaLink="false">tag:fascinating-confusion.io,2020-04-20:/posts/2020/04/plaid20-emojidb-writeup/</guid><category>ctf</category><category>pwn</category><category>widechar</category><category>unicode</category><category>mutf-8</category><category>filestream</category><category>heap</category><category>plaidctf</category></item><item><title>[plaidctf20] reee</title><link>https://fascinating-confusion.io/posts/2020/04/plaid20-reee-writeup/</link><description>&lt;p&gt;reee was a reversing challenge during the PlaidCTF 2020. The challenge was worth 150 points, and thus being relatively easy.&lt;/p&gt;
&lt;a class="btn read-more" href="https://fascinating-confusion.io/posts/2020/04/plaid20-reee-writeup/"&gt;Read More&lt;/a&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Vance_ctf</dc:creator><pubDate>Mon, 20 Apr 2020 00:00:00 +0200</pubDate><guid isPermaLink="false">tag:fascinating-confusion.io,2020-04-20:/posts/2020/04/plaid20-reee-writeup/</guid><category>ctf</category><category>reverse-engineering</category><category>z3</category><category>plaidctf</category><category>writeup</category></item><item><title>[picoctf19] TCalc Writeup</title><link>https://fascinating-confusion.io/posts/2019/10/tcalc-writeup/</link><description>&lt;p&gt;TCalc was a pwnable challenge during the recent Hack.lu CTF 2019. It was worth 381 points and rated medium. As all somewhat more difficult exploit challenges, it was a heap challenge. Somewhat unusual was the usage of libc version 2.30, which I haven't seen much in CTFs. The bug was a very fascinating programming error resulting in an OOB array access that could be used to arbitrary free. This write-up will try to not only describe the solution but also the pitfalls and things that didn't work.&lt;/p&gt;
&lt;a class="btn read-more" href="https://fascinating-confusion.io/posts/2019/10/tcalc-writeup/"&gt;Read More&lt;/a&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Galile0</dc:creator><pubDate>Fri, 25 Oct 2019 00:00:00 +0200</pubDate><guid isPermaLink="false">tag:fascinating-confusion.io,2019-10-25:/posts/2019/10/tcalc-writeup/</guid><category>ctf</category><category>ctf</category><category>writeup</category><category>pwn</category><category>exploit</category><category>heap</category><category>oob</category><category>hacklu</category><category>2.30</category><category>house-of-spirit</category><category>fastbin</category></item><item><title>[picoctf19] Ghostdiary</title><link>https://fascinating-confusion.io/posts/2019/10/ghostdiary-writeup/</link><description>&lt;p&gt;Ghostdiary was a heap exploit challenge during the recent PicoCTF. The challenge was worth 500 points, i.e. it was one of the "big three" exploit challenges this year. It has the most solves out of the three, but was also unlocked from the beginning. Which means that probably a lot of people tried it who got distracted or stuck at a later point before unlocking the rest. It was one of the more "traditional" challenges. The technique used to exploit it was a nullbyte overflow to cause backwards coalescing, abusing overlapping chunks to overwrite FD and gain code execution by overwriting malloc_hook.&lt;/p&gt;
&lt;a class="btn read-more" href="https://fascinating-confusion.io/posts/2019/10/ghostdiary-writeup/"&gt;Read More&lt;/a&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Galile0</dc:creator><pubDate>Wed, 09 Oct 2019 00:00:00 +0200</pubDate><guid isPermaLink="false">tag:fascinating-confusion.io,2019-10-09:/posts/2019/10/ghostdiary-writeup/</guid><category>ctf</category><category>exploit</category><category>heap</category><category>null-byte</category><category>off-by-one</category><category>pwn</category><category>picoctf</category><category>writeup</category><category>2.27</category><category>tcache</category></item><item><title>[picoctf19] Leapfrog</title><link>https://fascinating-confusion.io/posts/2019/10/leapfrog-writeup/</link><description>&lt;p&gt;Leapfrog was a Binary Exploitation challenge during the recent PicoCTF. The challenge was worth 300 points, so in the mid to upper range of difficulty. My solution is a little unconventional since I didn't use the provided hints but it still led me to the right solution.&lt;/p&gt;
&lt;a class="btn read-more" href="https://fascinating-confusion.io/posts/2019/10/leapfrog-writeup/"&gt;Read More&lt;/a&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Galile0</dc:creator><pubDate>Mon, 07 Oct 2019 00:00:00 +0200</pubDate><guid isPermaLink="false">tag:fascinating-confusion.io,2019-10-07:/posts/2019/10/leapfrog-writeup/</guid><category>ctf</category><category>exploit</category><category>rop</category><category>ropchain</category><category>pwn</category><category>picoctf</category><category>writeup</category></item></channel></rss>