valentine - hxpCTF 2022 | sk4d | 2023-03-15 | Web | tl;dr: SSTI in the valentine card; bypass filter by setting ejs delimiter option; RCE :yay: | Tags: hxpCTF
sqlite_web - hxpCTF 2022 | ma1f0y | 2023-03-14 | Web | tl;dr: Create a sqlite3 extension with rce payload. Abuse werkzeug tempfile to upload the extension to server. load that extension using load_extension('/proc/self/fd/fd_no'); | Tags: hxpCTF
cs2100 - HackTM CTF Quals 2023 | k1R4 | 2023-02-23 | Pwn | tl;dr: LOAD and S_TYPE opcodes lead to OOB when addr > DRAM_BASE+DRAM_SIZE; Get libc and stack pointers and offset to obtain RIP offset and base; Write ropchain on stack using libc gadgets; Perform ORW on flag file | Tags: Exploitation, VM
BlueLock - bi0sCTF22 | AmunRha | 2023-02-10 | Reversing / Windows | tl;dr: Implemented two SEH and two VEH Exception Handlers; Two stage malware challenge with process injection technique; CPP binary where logic is wrapped in classes and their member functions | Tags: bi0sCTF, Windows, Reversing, ExceptionHandling
scorescope - DiceCTF 2023 | sk4d | 2023-02-07 | Web | tl;dr: read output using ValueError; sys.modules to print all the app modules; go through the module classes and find the test case functions and re-write them to always return true | Tags: DiceCTF2023
Recursive-csp - DiceCTF 2023 | Lu513n | 2023-02-07 | Web | tl;dr: craft a payload with a random nonce; use hash-collider to collide the nonce we gave earlier | Tags: DiceCTF2023
kawaii_vm - bi0sCTF 2022 | k1R4 | 2023-01-25 | Pwn | tl;dr: Giving custom array size of NaN, passes checks while allowing OOB r/w; Use OOB r/w to get libc, stack (environ) addresses; Craft fake chunk on array and overwrite fastbin fd; Reset machine to allocate register context on fake chunk; Overwrite VM sp with real stack; Push ropchain onto stack and halt VM to execute ropchain | Tags: bi0sCTF, Exploitation, VM
Eerie_Jit - bi0sCTF 2022 | Abhishek Barla Abhishek Bharadwaj | 2023-01-25 | RE | tl;dr: This challenge is a JIT VM; The VM logic implements modular equations | Tags: VM, bi0sCTF2022, JIT
DroidComp - bi0sCTF 2022 | komi | 2023-01-25 | Misc | tl;dr: Exploit Android Webview Javascript Interface; Communicate with a Service via AIDL | Tags: Android, bi0sCTF-2022
Vuln-Drive 2 - bi0sCTF22 | ma1f0y | 2023-01-24 | Web | tl;dr: SSRF using file_get_contents() and CRLF in ini_set(); basic Header quirks to bypass waf; sqli using column trick in SQLite to get the flag | Tags: SSRF, CRLF, SQLi, bi0sCTF22