tl;dr

• Analysis of eBPF assembly
• Simple optimization

tl;dr

• Binary obfuscation with hidden anti-debug checks
• Linear Cryptanalysis (AES with linearly dependent SBOX)

tl;dr

• Custom hook to syscall 0x31337 using eBPF
• Check on the argument passed to syscall to verify correct/incorrect key

tl;dr

• DOM Clobbering to Redirect to another page
• Increasing Content using SQL Injection giving the same column multiple times
• Connection-Pool XS-Leaks to measure the time for the page to load
• Leak the flag character by character using the above techniques

tl;dr

• The VM takes a custom binary as input
• Binary contains function table, code and bss sections
• Code can overlap with bss and be modified at runtime
• The JIT compiler assumes that a function is safe since it ran many times
• Functions modified right before JIT bypass security checks

tl;dr

• The patch adds a vulnerable virtio device
• The device accesses pointers without bound check
• Abuse OOB pointer access to setup arb r/w primitive
• Craft open,read,write ropchain on heap
• Overwrite virtqueue handler with stack pivoting gadget

Full solution of Batman Investigation II - Gotham Underground Corruption from bi0sctf 2024

tl;dr

• Challenge 2 of Batman Investigation series
• Memory Forensics - WinDBG Dump Debugging - Malware Analysis - Blockchain Forensics - Password Retrieval - MAC Artefact Analysis

tl;dr

• native.c:
  • Reverse engineering matrix operations performed.
• tallocator.c:
  • Exploiting an arbitrary free to corrupt heap metadata.
  • Reverse shellcode to execute an ORW.

tl;dr

• Sanitizing request causes null byte overflow which corrupts type
• Processing corrupted request doesn’t remove it from incoming_queue
• Reaping corrupted request still leaves it in incoming_queue causing UAF
• Setup crosscache to abuse UAF
• UAF provides free primitive through double reset

tl;dr

• Fuzzing to find the /internal endpoint
• Chaining CVE-2023–24329 and the SSRF in the /okay endpoint to access the internal docker registry host.
• Downloading image blobs using the docker registry API.
• Using CVE-2024-21488 to get RCE on the vec service.
• As the templates directory of the core service is cross-mounted, we can modify the index.html file from vec service to get RCE on the core service.
• Hence we can read the flag from the core service.