[CSR20] HowToHeap - Libc 2.32

HowToHeap was a medium rated challenge during the CyberSecurityRumble 2020 (CSR20) CTF. While not particular difficult, it allowed players to explore a new concept introduced with Libc 2.32: Safe-Linking.

In this writeup we will not only solve a CTF-Challenge, but also take a look at what at this new mitigation technique introduced in the latest glibc.

Read More

[plaidctf20] Emojidb

Emojidb was a 250 points pwn challenge during the PlaidCTF 2020. Unfortunately I didn't solve this challenge in time, which was mostly due to the fact it communicated only in emojis. To be specific, all data send and received was UTF-8 encoded . What's so difficult about that you ask? Read on and find out about my stupid journey through character encoding. Oh, and also: The bug which had to be exploited was super cool and it took a nice journey through glibc to find out why it happened.

Read More

[picoctf19] TCalc Writeup

TCalc was a pwnable challenge during the recent CTF 2019. It was worth 381 points and rated medium. As all somewhat more difficult exploit challenges, it was a heap challenge. Somewhat unusual was the usage of libc version 2.30, which I haven't seen much in CTFs. The bug was a very fascinating programming error resulting in an OOB array access that could be used to arbitrary free. This write-up will try to not only describe the solution but also the pitfalls and things that didn't work.

Read More

[picoctf19] Ghostdiary

Ghostdiary was a heap exploit challenge during the recent PicoCTF. The challenge was worth 500 points, i.e. it was one of the "big three" exploit challenges this year. It has the most solves out of the three, but was also unlocked from the beginning. Which means that probably a lot of people tried it who got distracted or stuck at a later point before unlocking the rest. It was one of the more "traditional" challenges. The technique used to exploit it was a nullbyte overflow to cause backwards coalescing, abusing overlapping chunks to overwrite FD and gain code execution by overwriting malloc_hook.

Read More