This is a writeup for the pwn challenge Variable-Machine in Defenit CTF 2020.
Problem
We are only provided with a binary called main.
Goal
Pwn problem. Get the shell.
Analysis
As the name says, this program has a slot for 256 variables. There are three variable types, INT, CHAR, and STRING. They are all managed by a structure. I named it variable.
This is the Write-Up from the CTF codegate 2020 teaser.
concept
This problem analyzes, predicts and executes the user's expression. Various expressions are supported, from arithmetic operations to things such as loops, conditionals, and randoms. The user can create a variable, assign a value to it, or print its value. After parsing the input without syntax errors, it predicts the script's behavior by simulating it, preventing malicious behaviours such as a reference to an undefined variable or the printing of a negative number, which is going to be our main topic. The behaviours of variables are predicted using a domain, which is really a domain of all the numbers that a variable can be.
For example, assigning the random from 1 to 10 will make the variable's domain [1, 10]. Applying the ternary operator x > 5 to x = [1, 10] will split this domain into two, a True domain of x = [6, 10] and a False domain of x = [1, 5].
And adding two doma
This is a zer0pts2020 writeup for the pwn task syscallkit.
problem
We are provided with a binary called chall and its source code main.cpp. It's basically a system-call emulator, which lets you execute some system calls directly. But it has two limitations. Firstly, you can only execute system calls that it allows. Juicy system calls like read, write... or execve are not allowed. Secondly, you can only execute 10 system calls.
goal
It's a pwn problem. Besides getting a shell, what are you trying to do?
analysis
First things first, let's take a look at their blacklist.
Write-up for the challenge Linker Chess from OMH CTF 2021
OMH International CTF 2021 Linker Chess
This is a write-up for the misc challenge Linker Chess from OMH CTF 2021.
Problem
In this problem, we are required to craft a linker script which spawns a shell. We can't manipulate anything from the compilation process, as the source code of the challenge is fixed as the problem script below.
Script to find out which container is running the process
Write-up for the challenge Eyes of a Panther from OMH CTF 2021
OMH International CTF 2021 Eyes of a Panther
This is a write-up for the challenge Eyes of a Panther from Oh My Hack International CTF 2021.
Problem
We are only provided with an objdump-flavored disassembly. The disassembly is attached for you to take a look at. It is a bit modified so that there are no disassemblies that span over two lines.
Write-up for the pwning task babyllvm from codegate quals 2020
Codegate 2020 Teaser Babyllvm
This is the Write-Up from the CTF codegate 2020 teaser.
problem
The problem is basically a brainfuck emulator, composed of a Python script main.py and a shared object runtime.so. These scripts use llvmlite to introduce JIT into it.
goal
According to the Dockerfile, the flag is located at /home/user/flag, so we need to pwn babyllvm to get a shell.