tl;dr

• Hash length extension to forge an impossible winning board.
• Need to perform a PCO in game.

tl;dr

• This challenge revolves around a hidden power_tower_mod function.
• To obtain the flag, we implement the function ourselves, apply Hensel lifting, collide a CMAC, decrypt an RSA ciphertext and finally solve a subset sum problem.

tl;dr

• Using the rotate chains method to exploit ruby class pollution to leak Legacy cookie via SQLI.
• Using a 1-Gadget ruby deserialization vector to get RCE in a clever way.
• Using a bunch of other clever tactics for exploitation.

tl;dr

• Mixed mode assembly (a feature of .NET binaries), involving both C# as well as C++ code in the same executable
• Code flow jumps between both C#/C++ frequently to make analysis harder
• SEH mechanism triggered in C++ code, which uses SEH trampoline to make debugging harder
• SEH triggered once again in C#, which is handled by C++
• VM bytecode is decrypted loaded by C#
• VM checks input in 4 ways: CRC32 hash (2 byte pairs), RC4 encryption, rolling XOR and byte by byte checks

tl;dr

• Whisper model converts audio to text
• text is passed through subprocess and not sanitized
• difficult to generate a command injection through manual voice
• Need to invert the Neural network that will generate the audio file we need
• Implement Gradient descent based inversion to find input for target output.
• Generate the audio file and send, get flag!

tl;dr

• ECDSA signing server with biased nonce
• Exploitation by modelling a EHNP instance and using z3 Solver for breaking Mersenne Twister

tl;dr

• memcpy in CPY goes out-of-bounds of VM stack.
• Abuse memcpy to copy the register struct to stack and modify the values using stack operations and register operations.
• Copy values back to the register struct, modifying the VM stack bp and sp registers.
• This migrates the VM stack to wherever you want, gaining arbitrary read and write.
• Leak environ pointer to get stack leak.
• Migrate VM stack to main function’s stack to overwrite return address with ROP chain or one-gadget.

tl;dr

• Reverse to find unique function not containing bad stack canary
• Libc leak using format string vulnerability in printf
• ROP chain to get shell

tl;dr

• Chrome extension debugging and exploitation
• Leaking flag byte by byte using css injection