CSAW 2013 Writeup

network1

  • It's a telnet session and it's not encrypted, so we can read the packet contents directly.
  • Flag: flag{d316759c281bf925d600be698a4973d5}

network2

  • It's a pcap file, but if you open it with Wireshark you can't get enough information.
  • If you dump all printable strings with the 'strings' command you can see a very weird mark, and that's the flag.
  • Flag: flag{f9b43c9e9c05be5e08ea163007af5144}
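To show what the 'strings' step above actually does, here is an added example (not the author's script) that reimplements the default behaviour of the `strings` tool in Python: it pulls out runs of at least four printable ASCII bytes from a binary blob and then matches the `flag{...}` pattern against them. The `SAMPLE_PCAP_BYTES` buffer is constructed here to look like a small capture with the flag embedded among non-printable data; it is not the real CSAW pcap.

```python
import re

# Constructed sample: a pcap-like byte blob (fake global header, some
# non-printable bytes, an HTTP request line and the flag from the writeup).
SAMPLE_PCAP_BYTES = (
    b"\xd4\xc3\xb2\xa1\x02\x00\x04\x00" + b"\x00" * 8
    + b"\xff\xff\x00\x00\x01\x00\x00\x00"
    + b"\x01\x02\x03GET / HTTP/1.1\r\n\x00\x00"
    + b"\x90\x90here is the mark: flag{f9b43c9e9c05be5e08ea163007af5144}\x00\x7f"
    + b"\x00\x00short\x00"
)

# CSAW-style flag: "flag{" + 32 lowercase hex digits + "}"
FLAG_RE = re.compile(rb"flag\{[0-9a-f]{32}\}")


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Return printable ASCII runs of at least min_len bytes.

    This mirrors `strings` with its default minimum length of 4; \\r and \\n
    are not printable, so they terminate a run just as they do in the tool.
    """
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def find_flags(data: bytes) -> list:
    """Return every flag{...} token found in the raw bytes."""
    return [m.group().decode("ascii") for m in FLAG_RE.finditer(data)]


if __name__ == "__main__":
    for s in extract_strings(SAMPLE_PCAP_BYTES):
        print(s)
    print("flags:", find_flags(SAMPLE_PCAP_BYTES))
```

Running the script lists the strings in order of appearance and then the flag on its own line; raising `min_len` drops short fragments such as `short`, which is the usual way to cut noise when a capture is large.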

Black and White

  • I think it's a kind of steganography problem.
  • There are two kinds of white in this image. One is pure white (255, 255, 255) and the other is almost white (254, 254, 254), which looks identical on screen.
  • So change almost white to black, and then you can see the flag.
  • Flag: {forensics_is_fun}
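An added example (not the author's code) of the recolouring step, written in pure Python so it runs without an image library: it counts the distinct colours in the image, reports the ones that are near white but not exactly white, and then maps those pixels to black so the hidden shape stands out. The image is represented as rows of RGB tuples; `SAMPLE_IMAGE` is a constructed 4x3 picture where the almost-white pixels form a small shape, not the challenge file.

```python
from collections import Counter

WHITE = (255, 255, 255)
ALMOST = (254, 254, 254)
BLACK = (0, 0, 0)

# Constructed 4x3 image: to the eye it is a blank white rectangle, but the
# (254,254,254) pixels trace a shape.
SAMPLE_IMAGE = [
    [WHITE, ALMOST, ALMOST, WHITE],
    [WHITE, ALMOST, WHITE,  WHITE],
    [WHITE, ALMOST, ALMOST, WHITE],
]


def colour_histogram(image):
    """Count how many pixels of each colour the image contains."""
    return Counter(px for row in image for px in row)


def is_near_white(px, tolerance):
    """True if every channel is within `tolerance` of 255 but the pixel is not pure white."""
    return px != WHITE and all(255 - v <= tolerance for v in px)


def near_white_colours(image, tolerance=4):
    """Colours that look white but are not exactly (255,255,255); a few of these
    in an otherwise white image is the tell for this kind of hiding."""
    return sorted(c for c in colour_histogram(image) if is_near_white(c, tolerance))


def reveal(image, tolerance=4):
    """Return a copy of the image where near-white pixels are painted black."""
    return [[BLACK if is_near_white(px, tolerance) else px for px in row] for row in image]


def ascii_art(image):
    """Render black pixels as '#' and everything else as '.' for a quick look."""
    return "\n".join("".join("#" if px == BLACK else "." for px in row) for row in image)


if __name__ == "__main__":
    print("histogram:", dict(colour_histogram(SAMPLE_IMAGE)))
    print("suspicious colours:", near_white_colours(SAMPLE_IMAGE))
    print(ascii_art(reveal(SAMPLE_IMAGE)))
```

To apply this to a real PNG you would load the pixel rows with an image library and write the result of `reveal` back out; the histogram is worth printing first, because a picture that claims to be blank white but contains several almost-white values is exactly the signal described in the writeup.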

Trivia1

  • If you type "drink all the booze", Google suggests "drink all the booze hack all the things".
  • Flag: hack

Trivia2

  • If you google the researchers' names you can find the issue title.
  • Flag: DARPA

Trivia3

  • Flag: gadget

Trivia4

  • If you google "full duplex communication over a single connection web server web browser" you can find the new protocol.
  • Flag: websocket

Trivia5

  • If you google "x86 processor operating mode for running 64-bit code" you can find the mode name.
  • Flag: long mode

IMG_0707

  • It's a weird image. If you try to open the file it says it's corrupted.
  • If you check the PNG with pngcheck you can see a CRC error in IHDR.
  • Now let's change the CRC to FCC410A8.
  • In the text chunk it says this picture was taken by an iPhone 5, so apply that aspect ratio to the width and height.
  • The CRC changes again, so we have to change the CRC to F754DA63.
  • Flag: TheISISPasswordIs
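The two CRC fixes above were done by hand; here is an added example (not the author's code) that does the same work programmatically with only the standard library. It walks the PNG chunk list, recomputes each chunk's CRC-32 the way pngcheck does and reports mismatches, rewrites the IHDR width/height, and recomputes the CRC so the patched file is consistent again. `build_png` only exists to construct a small valid sample image inline; the actual challenge file, its dimensions and the iPhone 5 ratio are not reproduced here.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialise one chunk: length, type, data, CRC-32 over type+data."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


def build_png(width: int, height: int, rgb_rows) -> bytes:
    """Construct a minimal 8-bit RGB PNG; used only to make the sample file below."""
    raw = b"".join(b"\x00" + bytes(v for px in row for v in px) for row in rgb_rows)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")


def iter_chunks(data: bytes):
    """Yield (offset, type, body, stored_crc, computed_crc) for every chunk."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG file")
    pos = 8
    while pos < len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        (stored,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        yield pos, ctype, body, stored, zlib.crc32(ctype + body)
        pos += 12 + length


def crc_errors(data: bytes):
    """List (chunk type, stored CRC, expected CRC) for chunks whose CRC does not match."""
    return [(t.decode(), f"{s:08X}", f"{c:08X}") for _, t, _, s, c in iter_chunks(data) if s != c]


def ihdr_dims(data: bytes):
    """Return (width, height) from IHDR."""
    for _, ctype, body, _, _ in iter_chunks(data):
        if ctype == b"IHDR":
            return struct.unpack(">II", body[:8])
    raise ValueError("IHDR missing")


def patch_ihdr(data: bytes, width=None, height=None) -> bytes:
    """Rewrite IHDR width/height and recompute its CRC (the second fix in the writeup)."""
    for pos, ctype, body, _, _ in iter_chunks(data):
        if ctype == b"IHDR":
            w, h = struct.unpack(">II", body[:8])
            new_body = struct.pack(">II", width or w, height or h) + body[8:]
            return data[:pos] + chunk(b"IHDR", new_body) + data[pos + 12 + len(body):]
    raise ValueError("IHDR missing")


def fix_crcs(data: bytes) -> bytes:
    """Recompute every chunk CRC (the first fix in the writeup, for all chunks at once)."""
    return data[:8] + b"".join(chunk(t, body) for _, t, body, _, _ in iter_chunks(data))


# Constructed 2x2 sample image, then a copy with one byte of the IHDR CRC flipped.
GOOD_PNG = build_png(2, 2, [[(255, 0, 0), (0, 255, 0)], [(0, 0, 255), (255, 255, 255)]])
_IHDR_CRC_OFFSET = 8 + 8 + 13            # signature + length/type + 13-byte IHDR body
CORRUPTED_PNG = GOOD_PNG[:_IHDR_CRC_OFFSET] + bytes([GOOD_PNG[_IHDR_CRC_OFFSET] ^ 0xFF]) + GOOD_PNG[_IHDR_CRC_OFFSET + 1:]

if __name__ == "__main__":
    print("errors in corrupted file:", crc_errors(CORRUPTED_PNG))
    repaired = fix_crcs(CORRUPTED_PNG)
    print("errors after repair:", crc_errors(repaired), "dims:", ihdr_dims(repaired))
    resized = patch_ihdr(repaired, width=4, height=1)
    print("after resize:", ihdr_dims(resized), crc_errors(resized))
```

The order matters in the same way as in the writeup: a CRC mismatch in IHDR means the bytes (here the dimensions) were edited without the CRC being updated, so the check tells you which chunk to look at; once the dimensions are rewritten, the CRC has to be recomputed a second time or the viewer rejects the file again. Changing width and height only changes how the decoder lays out the IDAT data, which is why the pixel data itself does not need to be touched.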

exploit1

  • It's a buffer overflow over the network.
  • At 0x0804886a the recv function is called with a max_length of 0x3fc.
  • If we change $ebp-0xc we can get the key file contents. The distance between the recv buffer and $ebp-0xc is 0x3f8.
  • 0x3f8 is less than 0x3fc, so we can easily overflow it.
  • Flag: {7c1fbb502632bffa6e62ba6fa847681f}

exploit2

  • This question is as easy to exploit as the first one.
  • The payload may look like this: `[shellcode]+'A'*(0x800-len(shellcode))+[secret]+'A'*12+[ret_addr]`
  • The secret value is generated randomly and we have to send it correctly to overflow in this question. ret_addr should be the address of the shellcode.
  • We can get both values: the program sends 4 bytes for the shellcode address and 4 bytes for the secret value.
  • It's a socket exploit so we need to use a reverse shell or a bind shell. I chose to use a bind shell and found appropriate shellcode at 'here'.
  • I uploaded my Python script at 'here'.
  • Flag: {53666e040caa855a9b27194c82a26366}
