bricef

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * MCrypt API available online:
 * http://linux.die.net/man/3/mcrypt
 */
#include <mcrypt.h>

williballenthin

radare2

load without any analysis (file header at offset 0x0): r2 -n /path/to/file

• analyze all: aa
• show sections: iS
• list functions: afl
• list imports: ii
• list entrypoints: ie
• seek to function: s sym.main

BBoldt

.message-content {font-size: 120%}
.message-content {color: black;}
.message-content {font-family: "Segoe UI", Georgia, Serif;}
.message-content {line-height: 1.5;}
.user-name {font: bold 16px/30px Georgia, serif;}

terjanq

A TL;DR solution to Security Driven by @terjanq

For this year's Google CTF, I prepared a challenge that is based on a real-world vulnerability. The challenge wasn't solved by any team during the competition so here is the proof that the challenge was in fact solvable! :)

• Link to the challenge: https://capturetheflag.withgoogle.com/challenges/web-security-driven
• Link to the PoC: https://github.com/google/google-ctf/tree/master/2021/quals/web-security-driven/solution

The goal of the challenge was to send a malicious file to the admin and leak their file with a flag. The ID of the file was embedded into the challenge description (/file?id=133711377731) and only admin had access to it, because the file was private.

Disclamer: The write-up is written on airplane therefore the quality of it is poor, mostly to showcase the required steps to solve the challenge

mate-h

Reverse engineering

Obtained binaries from Discord server. The download link: https://drive.google.com/file/d/1xPP9R2VKmJ9jwNY_1xf1sVVHlxZIsLcg

Basic information about binaries. There are two main versions of the program in question: aimful-kucoin.exe and aimful-binance.exe. They are both Windows executables. From the FAQ section of the discord server, the following information is available:

In what language was this bot written?

• Python.

tatumroaquin

QEMU-KVM in Arch Linux

Check Virtualization Support

lscpu | grep -i Virtualization

• VT-x for Intel
• AMD-Vi for AMD

Ensure that your kernel includes KVM modules

qtc-de

<#

DynWin32-ReverseShell.ps1 is a reverse shell based on dynamically looked up Win32 API calls.
The script uses reflection to obtain access to GetModuleHandle, GetProcAddress and CreateProcess.
Afterwards it uses GetModuleHandle and GetProcAddress to resolve the required WSA functions
from ws2_32.dll.

This script should be used for educational purposes only (and maybe while playing CTF :D).
It was only tested on Windows 10 (x64) and is probably not stable or portable. It's only
purpose is to demonstrate the usage of reflective lookups of Win32 API calls. See it as

LiveOverflow

import socket
import select
from logzero import logger

# python forwarder.py localhost:1337 ipinfo.io:80
# curl -v http://localhost.com:1337 -H "Host: ipinfo.io"

# video: https://www.youtube.com/watch?v=32KKwgF67Ho

class Forwarder:

WKL-Sec

#include <windows.h>
#include <string>
#include <vector>
#include <algorithm>

// White Knight Labs - Offensive Development Course
// DLL Guardrails Example

// This function extracts the file name from a given path
// It is used later to determine the executable name loading the DLL.

mfenniak

diff --git a/drivers/gpu/drm/i915/display/intel_backlight.c b/drivers/gpu/drm/i915/display/intel_backlight.c
index 071668bfe5d1..835aac02ee13 100644
--- a/drivers/gpu/drm/i915/display/intel_backlight.c
+++ b/drivers/gpu/drm/i915/display/intel_backlight.c
@@ -1465,7 +1465,7 @@ static bool cnp_backlight_controller_is_valid(struct drm_i915_private *i915, int
 
 	if (controller == 1 &&
 	    INTEL_PCH_TYPE(i915) >= PCH_ICP &&
-	    INTEL_PCH_TYPE(i915) <= PCH_ADP)
+	    INTEL_PCH_TYPE(i915) < PCH_MTP)