A VbEscape (VE) challenge from the QiangWangBei finals; I really did not expect to be adding another entry to this series after more than a year. Running into a vulnerability I had debugged before in the RealWorld challenge at QiangWangBei, I still did not feel confident. To solve this challenge I watched three major desktop virtualization products fight it out on my ThinkPad. Of course it was not because my main Hyper-V VMs and the VMware image provided by the organizers clashed, so that I had to upgrade Windows to the new 2004 release on the spot before it would run at all; nor because, after spending half a day upgrading over the painfully slow on-site network, I found that Hyper-V still conflicted with VMware nested virtualization, while the 64-bit VirtualBox inside VMware needs nested virtualization to run. In the end it was simply because I was not good enough: when I debugged and reproduced it before, I worked on a debug build and just followed the exploit step by step without fully understanding it. Debts run up by being lazy about learning one's craft always have to be repaid.
[QWB2020 Quals] - mipsgame
I believe that, years from now, thinking back on the summer of 2020 will still bring a knowing smile.
The late-night meal vouchers that never seemed to run out, the teppanyaki counter on the third floor of Tengyun, and the new free ice cream every week that served as the excuse for my rising weight;
taking part in person as a Chinese team won the DEFCON CTF finals for the first time, and seeing the wizardry of top-tier players, which made the extra all-nighters worthwhile;
and on weekends without competitions, going with A-Liang to ChaletPlus next to Yuyuan Garden station for refillable Tequila Sunrises or Sea Breezes.
This is a challenge from the QiangWangBei Quals this year. QiangWangBei is considered to be one of the top CTF games in China. The challenge is an HTTP server in MIPS64, and only two teams solved it during the game (0ops and eee). I found the vulnerability and constructed a PoC during the game, but did not have enough time to build a system-mode emulation environment to finish the exploit. Also, because I was unfamiliar with uClibc, I did not come up with a viable method to hijack the control flow.
After the game finished, I recalled how to build the QEMU debugging environment with buildroot. I shared this knowledge with my colleague @ruan, and he wrote a detailed writeup (in Chinese) about the building steps. So in this writeup I will focus on the challenge itself. I finished this challenge with some hints from @Himyth. Thanks @Himyth and @ruan!
The Fountainhead
Throughout the centuries there were men who took first steps down new roads armed with nothing but their own vision. Their goals differed, but they all had this in common: that the step was first, the road new, the vision unborrowed. - Ayn Rand
[DEFCON 2020 Quals] - nooopsled
Last weekend I played DEF CON CTF Quals 2020 with team A*0*E, had a lot of fun with my teammates, and successfully solved a shellcode challenge called nooopsled. In the end 7 teams solved this challenge, and you can download the files from OOO's GitHub repo.
This is a challenge in the golf 🏌️♂️ format; you can see the description of this new type of challenge on OOO's official webpage. In short, we are required to input a shellcode of 1024 bytes, for the RISC-V64 or arm64 architecture. The server receives our shellcode and starts executing it from index 0, 1, 2, ..., 1024, and records the number of successful attempts to read out the flag file. The error threshold starts at 1 and increases by 1 every 84 seconds. Every team has 8 hours to prepare their shellcode.
[XCTF新春战疫] kernoob
Today is my 66th day in an unfamiliar city, the 52nd day in quarantine, and 18 days past the originally scheduled return-to-work date.
At last there is good news about getting back on track.
The situation abroad is still very grim; wishing my friends overseas safety and good fortune.
This time it is a challenge from last week's CTF game organized by XCTF together with many Chinese universities. This challenge is a Linux kernel exploitation designed by SixStar Team. I did not finish it during the game; I spent most of the time searching for objects to refill the sizes 0x20-0x70, and only at the very last moment did I realize there was freelist hardening in the kernel. Many teams solved it by an unexpected solution because of a deployment mistake, which is unpleasant, but it is still a good challenge.
I learned the solution from Kernoob: kmalloc without SMAP, thanks Kirin! Based on his writeup, I will make some notes about the debugging and the details of the bypass.
V8 Exploit
During the Spring Festival I studied V8 engine exploitation and picked a few classic challenges for practice:
- PlaidCTF2018: roll a d8
- *CTF2019: OOB
- GoogleCTF2018: Just-in-time
The writeups by various experts are already detailed enough, so here I only note the key points for solving V8 challenges.