One Article Review

Source: SkullSecurity (blog)
Identifier: 8300180
Publication date: 2022-06-17 20:19:14 (viewed: 2023-01-11 16:56:04)
Title: BSidesSF 2022 Writeups: Tutorial Challenges (Shurdles, Loadit, Polyglot, NFT)

Text:

Hey folks,

These are my (Ron's / iagox86's) author writeups for the BSides San Francisco 2022 CTF. You can get the full source code for everything on github. Most have either a Dockerfile or instructions on how to run locally. Enjoy!

Here are the four BSidesSF CTF blogs: shurdles1/2/3, loadit1/2/3, polyglot, and not-for-taking; mod_ctfauth; refreshing turtle; guessme, loca, reallyprettymundane.

Shurdles - Shellcode Hurdles

The Shurdles challenges are loosely based on a challenge from last year, Hurdles, as well as a Holiday Hack Challenge 2021 challenge I wrote called Shellcode Primer. It uses a tool I wrote called Mandrake to instrument shellcode and tell the user what's going on. It's helpful for debugging, but even more helpful as a teaching tool!

The difference between this and the Holiday Hack version was that this time, I didn't bother to sandbox it, so you could pop a shell and inspect the box. I'm curious if folks did that... probably they couldn't damage anything, and there's no intellectual property to steal. :)

I'm not going to write up the solutions, but I did include solutions in the repository.

Although I don't work for Counter Hack anymore, a MUCH bigger version of this challenge that I wrote is included in the SANS NetWars version launching this year. It covers a huge amount, including how to write bind- and reverse-shell shellcode from scratch. It's super cool! Unfortunately, I don't think SANS is doing hybrid events anymore, but if you find yourself at a SANS event be sure to check out NetWars!

Loadit - Learning how to use LD_PRELOAD

I wanted to make a few challenges that can be solved with LD_PRELOAD, which is where loadit came from! These are designed to be tutorial-style, so I think the solutions mostly speak for themselves. One interesting tidbit is that the third loadit challenge requires some state to be kept - rand() needs to return several different values.
I had a few folks ask me about that, so I'll show off my solution here:

    /* Header names were lost in extraction; stdlib.h declares rand() and
       unistd.h declares sleep(), so both are included here. */
    #include <stdlib.h>
    #include <unistd.h>

    /* Preloaded replacement for rand(): hand back the scripted answers,
       one per call, using a static counter to remember where we are. */
    int rand(void) {
        int answers[] = { 20, 22, 12, 34, 56, 67 };
        static int count = 0;
        return answers[count++];
    }

    /* Just for laziness: make the challenge's sleep() return instantly. */
    unsigned int sleep(unsigned int seconds) {
        return 0;
    }

I use a static variable to keep track of how many times rand() has been called. When you declare something as static inside a function, it means that the variable is initialized the first time the function is called, but changes are maintained as if it's a global variable (at least conceptually - in reality, it's initialized when the program is loaded, even if the function is never called).

Ironically, this solution actually has an overflow - the 7th time and onwards rand() is called, it will start reading out-of-bounds memory past the end of the answers array. Luckily, we know that'll never happen. :)
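The same LD_PRELOAD shim, written here as an added example rather than the post's own solution, with the overrun closed: the index is bounds-checked so the 7th call and onwards returns a sentinel instead of reading past the array. The answer values are the post's sequence reused as sample data; the helper names (rand_call_count, rand_reset, RAND_EXHAUSTED) and the binary name in the build comment are assumptions for illustration.

```c
/* Added example, not code from the original post: a bounds-checked
 * LD_PRELOAD shim for rand() that keeps per-call state without running
 * off the end of the answers array.
 *
 * Build and use as a preload library (binary name "loadit3" is assumed):
 *   gcc -shared -fPIC -Wall -o loadit_shim.so loadit_shim.c
 *   LD_PRELOAD=./loadit_shim.so ./loadit3
 */
#include <stddef.h>
#include <stdlib.h>
#include <unistd.h>

/* Sample data: the scripted values the challenge expects, in call order. */
static const int answers[] = { 20, 22, 12, 34, 56, 67 };
static const size_t answers_len = sizeof answers / sizeof answers[0];

/* Static storage: initialised once when the library is loaded and kept
 * across calls, which is the state the third loadit challenge needs. */
static size_t rand_calls = 0;

/* Returned once the scripted values run out (assumed sentinel). */
#define RAND_EXHAUSTED (-1)

/* Interposed rand(): the dynamic loader resolves the program's rand()
 * calls to this definition instead of libc's. */
int rand(void)
{
    if (rand_calls < answers_len)
        return answers[rand_calls++];
    rand_calls++;          /* keep counting so an overrun is observable */
    return RAND_EXHAUSTED; /* never index answers[6], answers[7], ... */
}

/* Inspection helpers (assumed names) so callers can check for overrun. */
size_t rand_call_count(void) { return rand_calls; }
void rand_reset(void) { rand_calls = 0; }

/* Skip the challenge's delays, as in the post's shim. */
unsigned int sleep(unsigned int seconds)
{
    (void)seconds;
    return 0;
}
```

The only behavioural change from the post's version is the `rand_calls < answers_len` check; everything else, including the static counter, is the same idea. Compiling with `-Wall` also keeps the compiler quiet about the unused `seconds` parameter.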
Tags: Hack Tool


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.