
Tuesday, March 21, 2017

[Write-up] 0ctf 2017 qual - pwn647 pages



This is an unusual but very interesting pwn challenge. The goal is to "guess" 64 random bits.

When the binary runs, it fetches 64 random bits from /dev/urandom and mmaps 64 pages according to the following rule:
// bits = random 64 bits
char *base = (char *)0x200000000;
for (int i = 0; i < 64; i++) {
  // pair i covers slots 2*i and 2*i+1; bits[i] selects which one is mapped
  mmap(base + (2*i + bits[i]) * 0x1000, 0x1000, ...);
}
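The rule above as a runnable program, added here as an example and not taken from the challenge binary: it builds the layout and then checks, from inside the same process, that the 64 bits are fully determined by which page of each pair is mapped. The protection and mapping flags (elided on the page), the reading of bits[i] as bit i of a 64-bit integer, and the names slot, map_pages, page_mapped, read_back and unmap_all are assumptions.

```c
#define _DEFAULT_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>

#define BASE 0x200000000UL   /* base address from the write-up */
#define PAGE 0x1000UL

/* Slot address for pair i: even slot when the bit is 0, odd slot when 1. */
static void *slot(int i, int bit) {
    return (void *)(BASE + (2UL * i + bit) * PAGE);
}

/* Apply the rule: one page per bit. Flags are assumed; the page elides them. */
static int map_pages(uint64_t bits) {
    for (int i = 0; i < 64; i++) {
        void *want = slot(i, (bits >> i) & 1);
        void *got = mmap(want, PAGE, PROT_READ | PROT_WRITE,
                         MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
        if (got == MAP_FAILED) return -1;
        if (got != want) { munmap(got, PAGE); return -1; } /* hint not honoured */
    }
    return 0;
}

/* mincore() fails with ENOMEM on an unmapped range, so success means mapped. */
static int page_mapped(void *addr) {
    unsigned char vec;
    return mincore(addr, PAGE, &vec) == 0;
}

/* Self-check from inside the process: rebuild the bits from which slot exists. */
static uint64_t read_back(void) {
    uint64_t bits = 0;
    for (int i = 0; i < 64; i++)
        if (page_mapped(slot(i, 1))) bits |= 1ULL << i;
    return bits;
}

static void unmap_all(void) { munmap((void *)BASE, 128 * PAGE); }

int main(void) {
    uint64_t bits = 0;
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f || fread(&bits, sizeof bits, 1, f) != 1) return 1;
    fclose(f);
    if (map_pages(bits) != 0) return 1;
    printf("bits=%016llx read_back=%016llx\n",
           (unsigned long long)bits, (unsigned long long)read_back());
    unmap_all();
    return 0;
}
```

The secret lives only in the address-space layout, so any primitive that reports whether an address is mapped reveals it one bit at a time.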

Friday, March 3, 2017

[Write-up] Boston Key Party 2017 - pwn99 Solitary Confinement


This is an rbash jail escape challenge.
There are many solutions to this challenge. What we used is a 1-day, CVE-2016-9401.
According to the administrator, we (HITCON) were the only team that solved this challenge using this CVE :p.

I'm too lazy to introduce what this challenge does; if you're not familiar with it yet, you can see this writeup, which has a nice introduction.

Exploit Target

The final target is to execute /flag/showFlag. To do this, we want to set PATH to /flag; after that, we can execute showFlag directly.