ContronThePanda PAndaContron
@PAndaContron
PAndaContron / Googlectf22-weather.md
Last active July 18, 2022 03:35
GoogleCTF 2022 Weather Challenge Writeup

In this challenge, we're given a datasheet and firmware source code for an embedded device, along with an address and port to access it remotely. The firmware allows us to read from and write to certain I2C ports on the device. We're also told in the datasheet that the firmware is stored on an EEPROM which can be read from and written to over I2C, but we aren't given the I2C port for this device. The datasheet also tells us that the flag is stored in a "FlagROM" device which we can only read using an SFR (special function register) interface.

The firmware has a whitelist of I2C ports we can access, but the implementation has a bug in it. The ports are checked as strings, but the equality check actually only checks whether some allowed port number is a prefix of the input port, not whether they're equal. This means that if 101 is an allowed port, then 101000 is also an allowed port according to this function. Then, this string is converted to an 8-bit integer, and only the lowest 7 bits are used for the port nu

@PAndaContron
PAndaContron / Googlectf22-segfault-labyrinth.md
Last active July 18, 2022 02:42
GoogleCTF 2022 Segfault Labyrinth Challenge Writeup

This challenge gives us a binary which is running on a remote server. Opening the binary in Ghidra, we can take a look at what it does. First, it creates the "labyrinth". The labyrinth is made up of memory pages which point to each other. The first ("entrance") page contains an array of 16 pointers; one of these pointers points to an actual page, while the others are invalid. The one actual page again has the same structure, which goes on for 10 layers, until the final page has the flag.

Next, the program installs a seccomp filter. This is a Linux feature which allows a program to filter what system calls can be made by its process later on. Seccomp filters use the Berkeley Packet Filter (BPF) language. We can extract the code for the filter and use a tool like this to see what it does. The filter used by this program is essentially a simple whitelist that allows the following system calls:

0: read
1: write
4: stat
5: fstat
9: 
@PAndaContron
PAndaContron / Googlectf22-appnote-txt.md
Last active July 18, 2022 02:42
GoogleCTF 2022 Appnote.txt Challenge Writeup

For this challenge, we get what looks like a zip archive called dump.zip with the hint "Every single archive manager unpacks this to a different file...". Unzipping normally gives us a single file called hello.txt which doesn't contain anything useful.

However, running binwalk dump.zip shows us another file called hi.txt, along with many other files named flag00 to flag18. Each flagNN is repeated several times. Binwalk also tells us that all of the files have the same compressed/uncompressed size, indicating that they're too small to be compressed, and that each flagNN is only 1 byte, indicating that each one probably represents a single character of the flag.

Running strings dump.zip suggests, based on looking at hello.txt, that each file's contents are stored immediately after the filename followed by a PK:

V~uK)
hello.txtThere's more to it than meets the eye...
V~uK)
@PAndaContron
PAndaContron / Googlectf22-treebox.md
Last active July 18, 2022 02:42
GoogleCTF 2022 Treebox Challenge Writeup

This challenge takes a Python script, checks if it's safe to execute, then executes it. The safety check is done using Python's ast module; it first converts the source code to an AST, then checks if it contains any node of type Import, ImportFrom, or Call. If any of these nodes are found, then the script is considered insecure; otherwise, it's secure, and it gets executed. Essentially, we're not allowed to use import statements or function calls.

Luckily, there are ways we can get around both restrictions, by using the functionality of both of these statements without actually putting them in our source code. First, to get around import statements, we can use the __import__ builtin function. Basically, the statement

import module

in Python is actually just syntactic sugar for

GIF89a/*<svg/onload=alert(1)>*/=alert(document.domain)//;
@PAndaContron
PAndaContron / TerasologyHelpingFriendRunFromSource.md
Created December 25, 2017 18:03
Feedback on the process of helping someone else run Terasology from source code

I helped my friend run Terasology from source via Discord. He had almost nothing installed other than a Java IDE, so we had to start from the very beginning. First we installed Git Bash to make it easier to interact with GitHub for parts of the task where it was required. This was the hardest part of the entire process because of all of the options in the installer, but even then it was relatively easy. He also didn't have a GitHub account, but that didn't take long to create. After that, getting the game up and running was a breeze. The instructions are so simple I was able to give them to him from memory and getting it to properly run from source didn't take long at all.

Screenshot

Next, we added a simple block, which went quickly as well. Forking and cloning the Sample repository went well, and adding the block itself was very simple. Getting the changes pushed to his repository took a little while because we h

@PAndaContron
PAndaContron / TerasologyServerFeedback.md
Last active December 24, 2017 20:21
Feedback on the process of setting up a server

I tested setting up a Terasology server under several different conditions. First, I tried the normal way of running a server from the same computer as the client. Then I did a second test, where I ran a headless server on a separate computer. I also ran both going over LAN as well as WAN. For all tests, I used a relatively high-performance desktop and a low-performance laptop for the 2 clients.

The setup process was very simple for the standard scenario. I clicked “Host Game” on one computer, created a new world, added a couple modules, and it worked. Then joining the game from the other computer worked as well. I clicked “Join Game”, entered the IP address, and it connected. Setting up a headless server was relatively easy as well. I followed the instructions exactly as written on this guide and it worked with exactly the same results.

It didn’t really work perfectly on the first try though; there was one minor snag. For some reaso

Overall, I think that the new design is an improvement over the old one. The color palette is much more attractive than the one used on the current site, and there is much more information clearly presented on the homepage. However, it definitely needs a few changes.

First of all, it would be nice to add a brief summary of this page along with a link to the original. This would be best placed above the features section as a sort of introduction/background to the game.

The features section should definitely be elaborated on more. "Mod Friendly" should have a brief overview of the module system and mention that most of the game's features are implemented through modules, not in the base game. "Forever Free" doesn't really need much elaboration, but adding a couple of sentences to make it match the other 2 in length wouldn't hurt. "Community Oriented" should mention some of the community sites and describe briefly what the interaction betwee