lordidiot / 11B, Please.md
Last active March 17, 2021 10:04
CTF.SG CTF 2021

11B, Please [Misc]: Author Writeup

Overview

This challenge was based on a behaviour I learnt from reading Attacking Network Protocols (James Forshaw). The bug has to do with some integer trickery and I thought it was pretty neat. Fun fact, I crafted the challenge idea while on security trooper duty (screw NS T.T), hence the security trooper theme of the challenge.

TL;DR

The writeup is a bit lengthy, so here's the quick solution run-through. Bribe -2147483648 (INT_MIN), which won't be turned positive by positive, causing money_left to be negative and giving us the flag.

Code Analysis

lordidiot / sysnote.c
Created September 19, 2021 03:13
Asian Cyber Security Challenge 2021 Exploits
#include <stdio.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/syscall.h>
#define ADD 548
lordidiot / IC, Please.md
Created March 13, 2022 03:55
CTF.SG CTF 2022 Writeups

IC, Please [Author Writeup]

Challenge Motivations

This challenge was inspired by the series of clone-and-pwn challenges I saw in Real World CTF. It's quite a cool category where they just spin up a random github repository and ask you to find bugs in it. It feels quite "realistic" compared to the usual CTF challenges and gives a different kind of satisfaction when solving.

lordidiot / v8-dereference.py
Last active May 23, 2022 18:36
GEF extension to handle tagged and compressed pointers in v8 better (WIP)
"""
To use the extension, place the file somewhere and add
`source /path/to/extension`
in your ~/.gdbinit file
Use just as you would with `dereference` (https://gef.readthedocs.io/en/master/commands/dereference/)
but s/deref/veref/g
Many missing features because I quickly whipped this up to solve a challenge.
1) Doesn't check for v8 version (Older versions don't use compressed pointers)
lordidiot / ALU.md
Created June 10, 2022 14:43
GreyCTF First Blood Writeup

ALU

Have you tried the AoC 22 24 VM?

MD5 (alu.zip) = 8b04d09040e879f7558d59b14e9ef191
- enigmatrix

nc challs.nusgreyhats.org 13500