Anciety 0CTF/TCTF 2018 Summary

Preface

This time I played 0CTF with Lotus-r3kapig. The challenges were very good and I learned a lot, but in the end I really was a noob: every challenge was either solved instantly by a teammate or I had no idea where to start, so a summary is definitely needed.

Time based

Day 1

The first day was pretty annoying because besides 0CTF there was also Nuit du CTF to play, and the two overlapped in time, which was awkward. Fortunately Nuit du CTF only lasted a day and the difficulty was fairly limited, and with the strength of the teammates (thanks @f0r_1st and @nonick) it went fine. In Nuit du CTF I looked at a 300-point problem, a stack overflow ROP, but unfortunately never finished writing it: the whole problem had no write to use, there was no way to leak, and the only way to get out of the loop was when fread != 0x14, after which you could not send anything any more. In the end @f0r_1st solved it instantly with shutdown; here I express my admiration for the Queen Fortune Teller.

Basically on Day 1 I was just on zer0fs. It was originally a simple problem; mainly the whole struct seemed to have been shuffled, so its order did not match the normal struct. At first I was confused and kept thinking it was a debug-info problem, then found that the order was wrong. I just relied on the information in init to guess the fields directly, and after that it went smoothly; by night it was basically fully reversed. I found the method very early: while reversing I had already found the out-of-bounds read, and later @ne0 helped me look at it and confirmed that I had not got it wrong. After some debugging I found it was in the kernel heap, so I should have been quite sure of the method, but I was too weak. After trying a few times I found that cred was always in the ... At that time I thought cred must be in front, and the out-of-bounds write could not go forwards, so I entered an endless period of not knowing what to do ... until later @ne0 found it could be done with the eBPF CVE, and he was halfway through when it turned out cred is probably behind; the earlier attempts were just bad luck. By then @ne0's exp was already debugged, but he got stuck on the file, haha (musl-gcc has no eBPF, and the gcc-compiled file is huge), and finally got the flag. Unfortunately, with the idea found that early it should have been first blood; this time it was second blood, which is a bit embarrassing.

Day 2

This day was even more embarrassing. At first there were CLUB3 (web-bound pwn) and Dragon (ARMHF pwn). @nonick looked at Dragon and found we could not get anywhere with it; I probably reversed it a bit, guessed it might be a VM, and then gave up and threw it to @atum and @nonick to continue. Then I tried looking at provision with @bestwing, and helplessly looked at it all day without understanding it; I really have not played firmware stuff, and the traffic was not very clear either. club3 really tripped me up in a strange way, because of one extra carriage return; right up to the end I had only just got the binary ... (I am really sorry to my teammates; I always thought there was no /proc.) And House of Cards I really did not think of; fortunately the teammates did.

Overall

These days were rather awkward: on the first day a little output, comparatively bleak. But time is long, so learn slowly.

Chall based

Zer0fs

I do not know how the struct got shuffled; at the beginning I spent a long time on this, which was really unnecessary. Just deal with whatever situation you see.

The kernel heap changes a lot, which I really did not expect: the gap can be more than 0x4000000. In other words, the kernel heap address really should not be assumed with too much confidence; the relative position changes quite a bit.

While stepping on pits I also tried another method, but did not finish it and should keep trying: forging the entire cred structure. task and cred are no longer together, so sometimes, when you can change task but not cred, this may be usable. But I hit a few problems. One is that several kernel addresses in the original cred do not seem to be allowed to be 0, otherwise it is a null deref panic; also there is a kernel address that seems to be kernel heap that can be kfree'd. (I do not know what kfree/kmalloc will do.)

club3

In burp the carriage return matters when the request is sent; there is no need to type the end of line. (I only found this out after the game, damn.)

House of Cards

flock can lock the file, but only after it is opened; although it turned out in the end to be of no use, a lock failure causes an exit.

There are also environment variables on the stack; don't forget to look at the environment variables to see whether the stack can be written past.

Dragon

VM; not enough experience (done by @Atum). Look at how to improve reversing ability and how to debug ARM; there is no reliable solution yet, could study it.

provisioning

Completely no clue; need to learn how to do firmware reversing.

other

House of Orange: have not debugged it in a long time, find time to go over it; I quickly forgot the unsorted bin and large bin related things, have not used them in a long time, need to review.

ret2dl-resolve: have not debugged it in a long time, forgot about
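The House of Cards note above says flock can lock the file, but only once it has been opened, and that a failed lock makes the program exit. The following is an added C example (my own, not code from the write-up or from the challenge binary) that demonstrates the two flock properties worth keeping straight when reviewing such a binary: a flock lock belongs to the open file description, so a second open() of the same path is refused with EWOULDBLOCK while the first holder keeps it, whereas a dup()'d descriptor shares the same lock and is granted immediately. The temporary file path is constructed with mkstemp and is not from the page.

```c
/* Added example: flock() semantics on Linux. Not from the write-up. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/file.h>
#include <unistd.h>

/* Returns 1 if a second open file description is refused with EWOULDBLOCK
 * while the first holds LOCK_EX, and is then granted once the first
 * releases; 0 if the lock did not behave that way; -1 on setup error. */
int second_lock_blocked(void) {
    char path[] = "/tmp/flock_demo_XXXXXX";   /* constructed temp path */
    int fd1 = mkstemp(path);
    if (fd1 < 0) return -1;
    int fd2 = open(path, O_RDWR);             /* a separate open file description */
    unlink(path);                              /* inode lives on until both fds close */
    if (fd2 < 0) { close(fd1); return -1; }

    int result = 0;
    if (flock(fd1, LOCK_EX | LOCK_NB) == 0) {
        /* The second description must be refused without blocking. */
        int rc = flock(fd2, LOCK_EX | LOCK_NB);
        int refused = (rc == -1 && errno == EWOULDBLOCK);
        flock(fd1, LOCK_UN);                   /* first holder lets go */
        /* Now the very same call on fd2 succeeds. */
        int granted = (flock(fd2, LOCK_EX | LOCK_NB) == 0);
        result = refused && granted;
    }
    close(fd1);
    close(fd2);
    return result;
}

/* Returns 1 if a dup()'d descriptor (same open file description) can take
 * LOCK_EX while the original already holds it; 0 otherwise; -1 on error. */
int same_description_shares_lock(void) {
    char path[] = "/tmp/flock_demo_XXXXXX";   /* constructed temp path */
    int fd1 = mkstemp(path);
    if (fd1 < 0) return -1;
    unlink(path);

    int result = 0;
    if (flock(fd1, LOCK_EX | LOCK_NB) == 0) {
        int fd_dup = dup(fd1);                 /* refers to the same lock */
        result = (fd_dup >= 0 && flock(fd_dup, LOCK_EX | LOCK_NB) == 0);
        if (fd_dup >= 0) close(fd_dup);
    }
    close(fd1);
    return result;
}

int main(void) {
    printf("second open() refused while locked: %d\n", second_lock_blocked());
    printf("dup()'d fd shares the lock:         %d\n", same_description_shares_lock());
    return 0;
}
```

The practical reading for a binary that exits on lock failure is that the lock only ever guards the file from the moment the open() returns, so anything that happens before that call is outside its protection, and a second process (or a second open() in the same process) is what trips the failure path, not a dup() of the locked descriptor.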
