11月总是会有好事发生的。

This is a challenge from ByteCTF2020, a simple heap challenge but ran on android. I learned a lot about webview and native interface from it. Four teams solved it during the game, I’m lucky enough to get the flag in the last hour.

来自强网杯线下赛的一题VbEscape(VE)，真的想不到事隔一年多再为这个系列续上一篇。在强网杯的RealWorld题目遇到之前调过的漏洞，心里却是没底。为了做这道题目，眼睁睁看着三大桌面虚拟化软件在我的ThinkPad上大打出手。当然不是因为主力的Hyper-v虚拟机和主办方提供的vmware虚拟机镜像会打架，临时需要把windows系统升级到新的2004版本才能跑；也不是因为用现场龟速外网花了半天升级完成后发现Hyper-v还是会跟vmware嵌套虚拟化打架，而vmware里面的64位virtualbox一定要嵌套虚拟化才能运行；说到底就是因为太菜了，之前调试复现的时候都在debug版本上面，只是跟着exp照虎画猫过了一遍，也没有彻底弄懂。学艺不精因为偷懒欠下的债，始终都是要还的。

相信多年后想起2020的夏天还是会会心一笑 。
似乎永远花不完的夜宵券，腾云三楼铁板烧窗口，每周上新的免费雪糕承担了体重上升的借口，
亲身参与中国队伍首次DEFCON CTF夺冠，见识过顶级选手的神仙操作，多熬了几个通宵也是值得，
没有比赛的周末会和阿良到豫园站旁边的ChaletPlus喝可以续杯的Tequila Sunrise或Sea Breeze。

This is a challenge from QiangWangBei Quals this year. QiangWangBei is considered to be one of the top CTF game in China.The challenge is a http server in MIPS64, only two solved during the game (from 0ops and eee). I’ve found the vulnerability and constructed a PoC during the game, but didn’t have enough time to build a system-mode emulation environment to finish the expliot. Also, because unfamiliar with uclibc, I didn’t come up with a viable method to hijack the control flow.

After the game finished, I recalled how to build the QEMU debugging environement with buildroot. I shared this knowledge with my colleague @ruan, he wrote a detailed writeup (in chinese) about the building steps. So in this writeup I’ll focus on the challenge itself. I finished this challenge with some hints from @Himyth. Thanks @Himyth and @ruan!

多少个世纪以来，总会有人在新的道路上迈出宝贵的第一步，
而他们除了自己的洞察力之外并没有别的装备。
他们的目的各不相同，可是他们都有这样一个共性：
他们迈出的那一步是第一步，那条道路是前人没有走过的，那种洞察力不是剽窃而来的。
—— 艾茵·兰德

Last weekend I played DEF CON CTF Quals 2020 with team A*0*E, having so much fun with my teammates and I successfully solved a shellcode challenge called nooopsled. At last 7 teams solved this challenge and you can download the files from OOO’s github repo).

This is a challenge in the format of golf 🏌️‍♂️, you can see the description of this new type of challenge on OOO’s official webpage). For short, we are required to input a shellcode in the length of 1024 bytes, in the architecture of RISC-V64 or arm64. The server will receive our shellcode and start to execute it from the index of 0, 1, 2 …..1024, and record the number of success attempt to read out the flag file. The error threshold start from 1, and increase 1 every 84 seconds. Every team have 8 hours for preparing their shellcode.

今天是来到陌生城市的第66天，隔离起来的第52天，距离原定的复工日期已经18天。
总算等到重回正轨的好消息了。
国外的情况还是很严峻啊，祝福国外的朋友平安顺利。

This time is a challenge from last week’s CTF game organized by XCTF with many Chinese universities. This chanllenge is a linux kernel exploitation designed by SixStar Team. I didn’t finished it during the game, most of the time I spent on searching for objects to refill the size 0x20-0x70, only at very last moment I realize there was a freelist harderned in the kernel. Many teams solved it by unexpected solution because of the deployment mistake, which is unpleasant, but it is still a good challenge.

I learned the solution from Kernoob: kmalloc without SMAP, thanks Kirin! Based on his writeup, I will make some notes about the debugging and details of the bypass.