tl;dr

• Leak csrf token bypassing document.domain
• visiting /profile/ will not change the nonce
• Leak nonce using dangling markup in firefox
• Add XSS payload using the csrf to get the flag

tl;dr

• Dynamically resolved hashed API
• Tls_call_back based anti-debug check
• AntiDebugFlag check implemented using ProcessInformationClass
• AES_CBC decryption of image to find flag

tl;dr

• SSTI in the valentine card
• bypass filter by setting ejs delimiter option
• RCE :yay:

tl;dr

• Create a sqlite3 extension with rce payload.
• Abuse werkzeug tempfile to upload the extension to server.
• load that extension using load_extension(‘/proc/self/fd/fd_no’);

tl;dr

• LOAD and S_TYPE opcodes lead to OOB when addr > DRAM_BASE+DRAM_SIZE
• Get libc and stack pointers and offset to obtain RIP offset and base
• Write ropchain on stack using libc gadgets
• Perform ORW on flag file

tl;dr

• Implemented two SEH and two VEH Exception Handlers
• Two stage malware challenge with process injection technique
• CPP binary where logic is wrapped in classes and their member functions

tl;dr

• read output using ValueError
• sys.modules to print all the app modules
• go through the module classes and find the test case functions and re-write them to always return true

tl;dr

• craft a payload with a random nonce
• use hash-collider to collide the nonce we gave earlier

tl;dr

• Giving custom array size of NaN, passes checks while allowing OOB r/w
• Use OOB r/w to get libc, stack (environ) addresses
• Craft fake chunk on array and overwrite fastbin fd
• Reset machine to allocate register context on fake chunk
• Overwrite VM sp with real stack
• Push ropchain onto stack and halt VM to execute ropchain

tl;dr

• This challenge is a JIT VM
• The VM logic implements modular equations