Bypassing GLIBC 2.32’s Safe-Linking Without Leaks into Code Execution: The House of Rust
The House of Rust is a heap exploitation technique that drops a shell against full PIE binaries that don’t leak any addresses.
The House of Rust is a heap exploitation technique that drops a shell against full PIE binaries that don’t leak any addresses.
Soluciones a los problemas de heap del CTF de Q4 del 2020: Wallet, Mision, Motoko, 420.
Aquí dejo un writeup cortito para el desafío Berlin de la categoría PWN, hecho por dplastico del CTF de SombreroBlanco, llevado a cabo el fin de semana del 25 de Julio. Tenia una puntuacion de 500 pts y, si bien el CTF tenia puntuacion dinámica, se mantuvo ahi por la baja cantidad de soluciones que tuvo.
Forwardslash is a hard-rated box (medium difficulty imo) in which we exploit an LFI in the web server to get access to some sensitive info that lets us SSH in. In our initial SSH session we exploit a SUID binary to obtain once again read access to a file with credentials that we use to move laterally to another user. From there we have sudo rights to access an encrypted luks image file, so we only have to bruteforce the key to then gain root and complete the machine.
ropmev2 was a fun binary exploitation challenge by r4j in which we needed to rop our way through some twists to be able to build a successful exploit.
Some time ago dplastico and I hosted an event called PWNDAY#01 in which people had to solve 3 binary exploitation challenges (Easy - Medium - Pro) with the opportunity to win a series of different prizes. This is the write up for the Pro category challenge Juujuu. It was the first challenge I created and it was the initial push for the PWNDAY idea.
Hackasat2020 Quals was a ctf that took place on the weekend of May 23rd. I wasn’t planning on doing it but then a buddy from the CTF team Cntr0llz invited me to participate with them (thanks :D!).
Acá dejo mi writeup para el challenge “Apruebo” hecho por dplastico para el CTF CuarenTeFa del 21 de Marzo de 2020 organizado por L4tinHTB. El desafío pertenecía a la categoría PWN y tenia un valor de 300 puntos (súbanle el puntaje a PWN!), y fue resuelto solamente por dos participantes. En este writeup voy a explicar detalladamente todos los procesos por los que se tiene que pasar para lograr un exploit exitoso, introduciendo el ataque ret2libc, los memory leaks y como este funciona relacionado a la PLT y GOT.