2015/05/22

Small introduction to ROP and format string

As the title indicates, this is a very small introduction to return oriented programing (ROP) and format strings for people that don't yet know what this techniques are and what they are used for.

This post is meant for people willing to understand what this 2 exploitation techniques are so experts will get bored only seeing the title :).

2015/05/21

Defcon 2015 Quals - babycmd writeup


We are given the folowing information and a binary to download:
babycmd_3ad28b10e8ab283d7df81795075f600b.quals.shallweplayaga.me:15491 (Download)
$ file babycmd_3ad28b10e8ab283d7df81795075f600b
babycmd_3ad28b10e8ab283d7df81795075f600b: ELF 64-bit LSB  shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, stripped

$ checksec.sh --file babycmd_3ad28b10e8ab283d7df81795075f600b
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
No RELRO        Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   babycmd_3ad28b10e8ab283d7df81795075f600b

Running the binary, it provides us with 3 functionalities: ping, host, dig

2015/05/19

Defcon 2015 Quals - mathwhiz solution

Category: Baby's First Points: 1

The information given to us:

mathwhiz_c951d46fed68687ad93a84e702800b7a.quals.shallweplayaga.me:21249
After connecting to it we can see it's giving us mathematical operations and he's waiting for the result. The solution is pretty easy. Get the data and pass it to python eval and return the result to the server.

Defcon 2015 Quals - Babyecho Writeup

This write-up is made by boogy of the on_est_pas_contents ctf team

This was an cool challenge which was worth 1 point. But nevertheless we enjoyed solving it. The binary is 32bit and striped:


2015/01/18

Ghost in the Shellcode 2015: Cloudfs writeup

Category: Forensics Points: 200
The file we were given if a pcapng file. To be able to read'it with scapy we need to convert it to pcap. The easiest way is to use tcpdump as so:
tcpdump -r cloudfs-31c938df3531611b82fddf0685784a2b67373305ec689015f193a555b756beb2 -w cloudfs.pcap
Use scapy to extract all icmp packets: