tl;dr
- native.c:
- Reverse engineering matrix operations performed.
- tallocator.c:
- Exploiting an arbitrary free to corrupt heap metadata.
- Reverse shellcode to execute an ORW.
tl;dr
- Sanitizing request causes null byte overflow which corrupts type
- Processing corrupted request doesn’t remove it from
incoming_queue - Reaping corrupted request still leaves it in
incoming_queuecausing UAF - Setup crosscache to abuse UAF
- UAF provides free primitive through double reset
tl;dr
- Fuzzing to find the
/internalendpoint - Chaining CVE-2023–24329 and the SSRF in the
/okayendpoint to access the internal docker registry host. - Downloading image blobs using the docker registry API.
- Using CVE-2024-21488 to get RCE on the
vecservice. - As the templates directory of the
coreservice is cross-mounted, we can modify the index.html file from vec service to get RCE on the core service. - Hence we can read the flag from the core service.
tl;dr
- Using brainf*ck to search for flag bytes within a huge tape
- 3 levels with varying constraints to leak flag
- Intended as a code golfing challenge
tl;dr
- Capturing the flag id through redos attack in /search endpoint
- XSS in /uuid/noteid/raw and HTML injection in /uuid/noteid
- CSP frame-src bypass through server side redirect
tl;dr
- Adding the last character to a tab causes null byte overflow
- Use said overflow to unset prev_inuse bit
- Coalesce upwards with fake chunk to perform unlink attack
- Unlink attack places .bss pointer in place of heap pointer
- Editing .bss allows for Arbitrary R/W
tl;dr
- Leak JWT token through Race Condition.
- Leak authorization token via an open redirect.
- Chaining XSS & CSRF in the oauth pipeline to leak the Admin’s oauth access token.
- RCE via CVE-2023-33733.
tl;dr
- Misconfiguration in JWT token validation
- SQL Injection through JWT token
- Insecure Deserialization in .NET leading to RCE using custom class StatusCheckHelper
tl;dr
- CTR bit-flipping attack along with CRC recomputation