07 July : Devmaster 8000 and devmaster 8001

Setup: This is a Docker container that runs a “job server” that can be reached over the Internet. A job description contains: a set of input files that are sent to the server and saved in a sandboxed directory; the command to run in the sandbox (for example: gcc ./inputfile.c -o binary); Set

07 July : sandbox-caas

Setup: The server receives a 0x800 shellcode from the user and runs it in a forked process. The process configuration is as follows: all namespaces are NEW namespaces; chroot into ./tmp/.challenge; rlimit of one second of CPU time with no core files; the process is sent a kill signal after 2

01 January : Notifico

This is a writeup for how we solved the notifico 35c3 CTF challenge. The task: We are presented with a tar file which contains another tar file, an executable named check, and the python script check.py. The tar file contains 225 folders, each of which contains one regular file and

01 January : Logrotate / ZajeBiste / 500 points

The challenge (as stated in the 35C3 website) “Logrotate is designed to ease administration of systems that generate large numbers of log files. It allows automatic rotation, compression, removal, and mailing of log files. Each log file may be handled daily, weekly, monthly, or when it grows too large. It

01 January : Post Quantum

I will describe my solution to the “post quantum” crypto challenge from the 2018 CCC CTF. We begin the challenge by downloading a tar.gz file containing two python scripts: “challenge.py”, “generate.py” and a directory called data. As always, we are requested to find the flag. Let’s start by looking at

01 January : Crypto Challenge – Unofficial

Original Challenge: Solves: 35. The NSA gave us these packets, they said it should be just enough to break this crypto. Challenge files. Difficulty estimate: medium. In the files we have one pcap file, surveillance.pcap, which contains 40 TCP streams (Wireshark → Statistics → Conversations). When we follow the TCP stream

07 July : A Tale of Two Mallocs: On Android libc Allocators – Part 3 – exploitation

In the two previous posts of this series, we’ve discussed how the Android libc allocators work. In this last post of the series, we can try to determine what we need to do in order to exploit a heap memory corruption or use-after-free, in light of these allocators. Exploiting these

07 July : A Tale of Two Mallocs: On Android libc Allocators – Part 2 – jemalloc

In the first post of this series, we discussed why it is important to understand the inner workings of the libc heap allocator, and did a deep dive into the original Android libc allocator: dlmalloc. In this post, we’ll examine the allocator which replaced dlmalloc as Android’s allocator. The new

07 July : A Tale of Two Mallocs: On Android libc Allocators – Part 1 – dlmalloc

In this series of three posts, we’re going to try to cover a deep dive into the pertinent details of the two Android libc allocators, followed by some thoughts on exploitation in light of those allocators. All of the information I’ll impart is the result of our own research into

RECENT POSTS

defcon 2020 quals – fountain_ooo_relive

fountain-ooo-reliving Problem description We have found the fountain OOO RElive.

July 07,2020
defcon 2020 quals – uploooadit

Defcon Quals - uploooadit challenge We started off with a

July 07,2020
The dragon sleeps at night

Challenge overview The challenge description provided solely an ip &

March 03,2020