Security
In order to run the challenge PoCs without any problem, I prepared Docker containers for various Ubuntu releases. The instructions for using the containers can be found here.
CTF | Challenge | Info | Exploitation | Links |
---|---|---|---|---|
UTCTF 2019 | babyecho | x86_32 NX Partial RELRO ASLR | GOT format string libc database | CTFtime Writeups Archives |
BSidesSF 2019 | slowfire | x86_64 Partial RELRO ASLR | GOT PLT shellcode socket stack overflow syscall | CTFtime Writeups Archives |
TAMUctf 2019 | pwn3 | x86_32 Full RELRO PIE ASLR | shellcode stack overflow syscall | CTFtime Writeups Archives |
TAMUctf 2019 | pwn5 | x86_32 NX Partial RELRO ASLR | ret2libc stack overflow | CTFtime Writeups Archives |
ASIS 2018 Finals | asvdb | x86_64 NX Canary Full RELRO ASLR | __free_hook double free heap one gadget smallbin tcache dup tcache poisoning tcache unsorted bin use after free | CTFtime Writeups Archives |
ASIS 2018 Finals | inception | x86_64 NX Partial RELRO ASLR | GOT ROP fork one gadget pipe return-to-csu stack overflow | CTFtime Writeups Archives |
SECCON 2018 Quals | profile | x86_64 NX Canary Partial RELRO ASLR | C++ GOT arbitrary read buffer overflow one gadget string | CTFtime Writeups Archives |
SECCON 2018 Quals | classic | x86_64 NX Partial RELRO ASLR | GOT ROP one gadget stack overflow stack pivoting | CTFtime Writeups Archives |
BSidesDelhi 2018 | data_bank | x86_64 NX Canary Full RELRO PIE ASLR | __malloc_hook heap one gadget tcache poisoning tcache use after free | CTFtime Writeups Archives |
HITCON 2018 | children_tcache | x86_64 NX Canary Full RELRO PIE ASLR | __malloc_hook double free heap off-by-one overlapping chunks poison-null-byte tcache dup tcache poisoning tcache | CTFtime Writeups Archives |
Hack.lu 2018 | babyphp | Web PHP | assert code injection unintended behaviors unsanitized input | CTFtime Writeups Archives |
InCTF 2018 | warmup | arm arm32 armhf Partial RELRO ASLR | shellcode stack overflow syscall | CTFtime Writeups Archives |
InCTF 2018 | yawn | x86_64 NX Canary Full RELRO ASLR | GOT __malloc_hook fastbin dup heap off-by-one one gadget | CTFtime Writeups Archives |
InCTF 2018 | securepad | x86_64 NX Canary Full RELRO PIE ASLR | __free_hook arbitrary free fastbin dup heap uninitialized var unsorted bin | CTFtime Writeups Archives |
CSAW 2018 Quals | alien_invasion | x86_64 NX Canary Partial RELRO PIE ASLR | GOT heap off-by-one overlapping chunks poison-null-byte | CTFtime Writeups Archives |
CSAW 2018 Quals | bigboy | x86_64 NX Canary Partial RELRO ASLR | stack overflow | CTFtime Writeups Archives |
CSAW 2018 Quals | get_it | x86_64 NX Partial RELRO ASLR | stack overflow | CTFtime Writeups Archives |
CSAW 2018 Quals | shell_code | x86_64 Full RELRO PIE ASLR | shellcode stack overflow | CTFtime Writeups Archives |
WhiteHat 2018 Quals | pwn02 | x86_64 NX Canary Full RELRO FORTIFY ASLR | glibc tcache heap off-by-one overlapping chunks poison-null-byte | CTFtime Writeups Archives |
MeePwn 2018 Quals | babysandbox | x86_32 NX Partial RELRO PIE ASLR | openat readv shellcode socket syscall writev | CTFtime Writeups Archives |
0CTF 2018 Finals | freenote2018 | x86_64 NX Canary Full RELRO PIE ASLR | __malloc_hook double free fastbin dup heap metadata heap overlapping chunks | CTFtime Writeups Archives |
RCTF 2018 | rnote3 | x86_64 NX Canary Full RELRO PIE ASLR | __free_hook fastbin heap one gadget overlapping chunks uninitialized var | CTFtime Writeups Archives |
RCTF 2018 | babyheap | x86_64 NX Canary Full RELRO PIE ASLR | PREV_IN_USE bit __malloc_hook heap off-by-one poison-null-byte | CTFtime Writeups Archives |
RCTF 2018 | stringer | x86_64 NX Canary Full RELRO PIE ASLR | IS_MMAPPED __malloc_hook calloc double free fastbin dup heap off-by-one | CTFtime Writeups Archives |
PlaidCTF 2018 | shop | x86_64 NX Canary Partial RELRO ASLR | GOT buffer overflow heap one gadget | CTFtime Writeups Archives |
ASIS 2018 Quals | cat | x86_64 NX Canary Partial RELRO ASLR | GOT fastbin heap | CTFtime Writeups Archives |
ASIS 2018 Quals | fifty_dollars | x86_64 NX Canary Full RELRO PIE ASLR | double free fastbin heap use after free | CTFtime Writeups Archives |
ASIS 2018 Quals | just_sort | x86_64 NX Canary Partial RELRO ASLR | GOT heap overflow one gadget | CTFtime Writeups Archives |
ASIS 2018 Quals | message_me | x86_64 NX Canary Partial RELRO ASLR | __malloc_hook double free fastbins heap overlapping chunks use after free | CTFtime Writeups Archives |
StarCTF 2018 | babystack | x86_64 NX Canary Full RELRO ASLR | GOT pthread stack overflow stack_guard thread local storage | CTFtime Writeups Archives |
StarCTF 2018 | note | x86_64 NX Full RELRO ASLR | GOT LSB ROP off-by-one saved rbp stack overflow | CTFtime Writeups Archives |
StarCTF 2018 | warmup | x86_64 NX Full RELRO ASLR | GOT one gadget stack overflow | CTFtime Writeups Archives |
WPICTF 2018 | forker.level1 | x86_64 Partial RELRO ASLR | GOT ROP return-to-csu shellcode stack overflow | CTFtime Writeups Archives |
WPICTF 2018 | forker.level2 | x86_64 NX Canary Partial RELRO ASLR | fork socket stack canary stack cookie stack overflow | CTFtime Writeups Archives |
UIUCTF 2018 | how2heap | x86_64 NX Canary Full RELRO PIE ASLR | heap one gadget | CTFtime Writeups Archives |
0CTF 2018 Quals | babyheap | x86_64 NX Canary Full RELRO PIE ASLR | __malloc_hook double free fastbin dup heap off-by-one one gadget top chunk | CTFtime Writeups Archives |
0CTF 2018 Quals | babystack | x86_32 NX Partial RELRO ASLR | Elf_Rel Elf_Sym GOT PLT ROP dynstr dynsym rel_plt stack overflow | CTFtime Writeups Archives |
iCTF 2018 | fantasticiot | x86_32 NX Canary ASLR | attack & defense binary patching strncmp | CTFtime Writeups Archives |
TAMUctf 2018 | pwn5 | x86_32 NX Partial RELRO ASLR | ROP stack overflow syscall | CTFtime Writeups Archives |
NullconHackIM 2018 | pwn2-box | x86_64 Partial RELRO ASLR | ROP one gadget shellcode syscall | CTFtime Writeups Archives |
Codegate 2018 Quals | baskin_robins31 | x86_64 NX Partial RELRO ASLR | GOT ROP one gadget stack overflow stack pivot | CTFtime Writeups Archives |
Codegate 2018 Quals | super_marimo | x86_64 NX Canary Partial RELRO ASLR | GOT fastbin heap one gadget | CTFtime Writeups Archives |
0CTF 2017 Quals | babyheap | x86_64 NX Canary Full RELRO PIE ASLR | IS_MMAPPED __malloc_hook calloc fastbin attack fastbin heap overflow one gadget smallbin | CTFtime Writeups Archives |
C3CTF 2017 | simplegc | x86_64 NX Canary Partial RELRO ASLR | GOT fastbin glibc tcache heap use after free | CTFtime Writeups Archives |
SECCON 2017 Quals | election | x86_64 NX Canary Full RELRO ASLR | GOT __malloc_hook fastbin null byte overflow null byte poisoning off-by-one one gadget | CTFtime Writeups Archives |
SECCON 2017 Quals | secure_keymanager | x86_64 NX Canary Partial RELRO ASLR | GOT PLT double free fastbin format string heap | CTFtime Writeups Archives |
SECCON 2017 Quals | video_player | x86_64 NX Canary Partial RELRO ASLR | GOT __malloc_hook fastbin heap one gadget overlapping chunks use after free virtual calls vtable | CTFtime Writeups Archives |
CSAW 2017 Quals | scv | x86_64 NX Canary Partial RELRO ASLR | ROP buffer over-read buffer overflow information disclosure one gadget stack overflow | CTFtime Writeups Archives |