Insomnihack 2016 microwave writeup

I participated in the 2016 Insomni'hack CTF with my team Fourchette Bombe. It was a really cool CTF with lots of cool challenges. We finished in 8th place this year. So here is my writeup for one of the pwnable challenges I solved. We are given an x86_64 ELF ...


Insomnihack 2016 smartstove writeup

Here is another writeup for a pwnable challenge I solved during the Insomni'hack CTF. We are given an x86_64 ELF, so as usual we'll check the binary protections first with checksec:

Arch:     amd64-64-little
RELRO:    Partial RELRO
Stack:    No canary found
NX:       NX enabled
PIE:      No PIE

OK, it ...


The Memory Sinkhole

Unleashing An X86 Design Flaw Allowing Universal Privilege

In x86, beyond ring 0 lie the more privileged realms of execution, where our code is invisible to AV, we have unfettered access to hardware, and can trivially preempt and modify the OS. The architecture has heaped layers upon layers of protections ...


Radare2 cheat sheets

I'm new to radare2, and I'm beginning to like it a lot. But the commands are sometimes hard to remember and when you're used to gdb+peda it's not that easy at all. So I've decided to post this cheat sheet that I forked from ...


Small introduction to ROP and format string

As the title indicates, this is a very small introduction to return-oriented programming (ROP) and format strings for people who don't yet know what these techniques are and what they are used for.

This post is meant for people willing to understand what these 2 exploitation techniques are ...


Defcon 2015 Quals - Babyecho Writeup

This write-up is made by boogy of the Fourchette Bombe CTF team. This was a cool challenge which was worth 1 point. But nevertheless we enjoyed solving it. The binary is 32-bit and stripped:

$ file babyecho_eb11fdf6e40236b1a37b7974c53b6c3d
babyecho_eb11fdf6e40236b1a37b7974c53b6c3d: ELF 32-bit LSB  executable, Intel 80386, version 1 (SYSV), statically linked, for GNU ...

Defcon 2015 Quals - babycmd writeup

We are given the following information and a binary to download:

babycmd_3ad28b10e8ab283d7df81795075f600b.quals.shallweplayaga.me:15491

$ file babycmd_3ad28b10e8ab283d7df81795075f600b
babycmd_3ad28b10e8ab283d7df81795075f600b: ELF 64-bit LSB  shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, stripped

And let's run checksec as well:

$ checksec.sh --file babycmd_3ad28b10e8ab283d7df81795075f600b ...

Defcon 2015 Quals - mathwhiz solution

Category: Baby's First
Points: 1

The information given to us:

mathwhiz_c951d46fed68687ad93a84e702800b7a.quals.shallweplayaga.me:21249

After connecting to it we can see it's giving us mathematical operations and it's waiting for the result. The solution is pretty easy. Get the data and pass it to Python eval ...


31c3ctf devilish writeup

This is my first CTF writeup so I hope it won't be too horrible. And sorry in advance for my bad English.

I'll talk about devilish, a web challenge from the 31c3ctf 2014 CTF. I'll give credit to one of our team members on this one "Michael ...


Ghost in the shellcode cloudfs writeup 2015

Category: Forensics
Points: 200
Description: Find the key! (File)

The file we were given is a pcapng file. To be able to read it with scapy we need to convert it to pcap. The easiest way is to use tcpdump like so:

tcpdump -r cloudfs-31c938df3531611b82fddf0685784a2b67373305ec689015f193a555b756beb2 -w cloudfs.pcap

Use scapy ...
