Last weekend sixstar team brought a series of RISC-V challenges in their CTF. As their name suggested, I enjoy playing RISC-V challenges very much, three flags could be found in the checkpoints:

• Favourite Architecture 0: Reverse challenge, 25 solved
• Favourite Architecture 1: Userspace pwn challenge, read /home/pwn/flag.24 solved
• Favourite Architecture 2: Qemu userspace escape pwn challenge, execute /readflag2. 6 solved
  閱讀全文 »

讲道理会在每年最后一天写下读过的书，然而大家都知道今年是最不讲道理的一年。这么说来好像也找到了一个比：“我把时间都花在youtube上面了”之外更为冠冕堂皇的理由。翻看前几年写下的书单，今年列表是越来越短了，但分量还是挺重的。

11月总是会有好事发生的。

This is a challenge from ByteCTF2020, a simple heap challenge but ran on android. I learned a lot about webview and native interface from it. Four teams solved it during the game, I’m lucky enough to get the flag in the last hour.

来自强网杯线下赛的一题VbEscape(VE)，真的想不到事隔一年多再为这个系列续上一篇。在强网杯的RealWorld题目遇到之前调过的漏洞，心里却是没底。为了做这道题目，眼睁睁看着三大桌面虚拟化软件在我的ThinkPad上大打出手。当然不是因为主力的Hyper-v虚拟机和主办方提供的vmware虚拟机镜像会打架，临时需要把windows系统升级到新的2004版本才能跑；也不是因为用现场龟速外网花了半天升级完成后发现Hyper-v还是会跟vmware嵌套虚拟化打架，而vmware里面的64位virtualbox一定要嵌套虚拟化才能运行；说到底就是因为太菜了，之前调试复现的时候都在debug版本上面，只是跟着exp照虎画猫过了一遍，也没有彻底弄懂。学艺不精因为偷懒欠下的债，始终都是要还的。

相信多年后想起2020的夏天还是会会心一笑 。
似乎永远花不完的夜宵券，腾云三楼铁板烧窗口，每周上新的免费雪糕承担了体重上升的借口，
亲身参与中国队伍首次DEFCON CTF夺冠，见识过顶级选手的神仙操作，多熬了几个通宵也是值得，
没有比赛的周末会和阿良到豫园站旁边的ChaletPlus喝可以续杯的Tequila Sunrise或Sea Breeze。

This is a challenge from QiangWangBei Quals this year. QiangWangBei is considered to be one of the top CTF game in China.The challenge is a http server in MIPS64, only two solved during the game (from 0ops and eee). I’ve found the vulnerability and constructed a PoC during the game, but didn’t have enough time to build a system-mode emulation environment to finish the expliot. Also, because unfamiliar with uclibc, I didn’t come up with a viable method to hijack the control flow.

After the game finished, I recalled how to build the QEMU debugging environement with buildroot. I shared this knowledge with my colleague @ruan, he wrote a detailed writeup (in chinese) about the building steps. So in this writeup I’ll focus on the challenge itself. I finished this challenge with some hints from @Himyth. Thanks @Himyth and @ruan!

多少个世纪以来，总会有人在新的道路上迈出宝贵的第一步，
而他们除了自己的洞察力之外并没有别的装备。
他们的目的各不相同，可是他们都有这样一个共性：
他们迈出的那一步是第一步，那条道路是前人没有走过的，那种洞察力不是剽窃而来的。
—— 艾茵·兰德