t0y-b0x - bi0sCTF 2024
Authors: the.m3chanic, Sans
Date: 2024-03-03
Category: RE, Crypto
tl;dr:
- Binary obfuscation with hidden anti-debug checks
- Linear cryptanalysis (AES with a linearly dependent S-box)
Tags: bi0sCTF, Anti-debug, AES

beehive - bi0sCTF 2024
Author: the.m3chanic
Date: 2024-03-02
Category: RE
tl;dr:
- Custom hook on syscall 0x31337 implemented with eBPF
- The hook checks the argument passed to the syscall to decide whether the key is correct or incorrect
Tags: bi0sCTF, eBPF

കുട്ടി Notes - bi0sCTF 2024
Author: Lu513n
Date: 2024-02-29
Category: Web
tl;dr:
- DOM clobbering to redirect to another page
- Increasing the response content via SQL injection by selecting the same column multiple times
- Connection-pool XS-Leaks to measure how long the page takes to load
- Leak the flag character by character by combining the techniques above
Tags: bi0sCTF, DOM Clobbering, XS-Leaks

kowaiiVm - bi0sCTF 2024
Author: k1R4
Date: 2024-02-28
Category: Pwn
tl;dr:
- The VM takes a custom binary as input
- The binary contains a function table, a code section and a bss section
- Code can overlap with bss and be modified at runtime
- The JIT compiler assumes a function is safe once it has run many times
- Functions modified right before being JIT-compiled bypass the security checks
Tags: bi0sCTF, Exploitation, VM, JIT

virtio-note - bi0sCTF 2024
Author: k1R4
Date: 2024-02-28
Category: Pwn
tl;dr:
- The patch adds a vulnerable virtio device
- The device accesses pointers without bounds checks
- Abuse the OOB pointer access to set up an arbitrary read/write primitive
- Craft an open/read/write ROP chain on the heap
- Overwrite the virtqueue handler with a stack-pivoting gadget
Tags: bi0sCTF, Exploitation, QEMU, VM-Escape

palindromatic - bi0sCTF 2024
Author: k1R4
Date: 2024-02-26
Category: Pwn
tl;dr:
- Sanitizing a request causes a null-byte overflow that corrupts its type
- Processing the corrupted request does not remove it from incoming_queue
- Reaping the corrupted request still leaves it in incoming_queue, causing a UAF
- Set up a cross-cache attack to abuse the UAF
- The UAF provides a free primitive through a double reset
Tags: bi0sCTF, Exploitation, Heap, Kernel

Variety Notes - bi0sCTF 2024
Authors: Luc1f3r, Lu513n
Date: 2024-02-26
Category: Web
tl;dr:
- Capturing the flag id through a ReDoS attack on the /search endpoint
- XSS in /uuid/noteid/raw and HTML injection in /uuid/noteid
- CSP frame-src bypass through a server-side redirect
Tags: bi0sCTF, ReDoS, CSP bypass

BlueLock - bi0sCTF22
Author: AmunRha
Date: 2023-02-10
Category: Reversing / Windows
tl;dr:
- Implements two SEH and two VEH exception handlers
- Two-stage malware challenge using a process injection technique
- C++ binary whose logic is wrapped in classes and their member functions
Tags: bi0sCTF, Windows, Reversing, ExceptionHandling

kawaii_vm - bi0sCTF 2022
Author: k1R4
Date: 2023-01-25
Category: Pwn
tl;dr:
- Giving a custom array size of NaN passes the checks while allowing OOB r/w
- Use the OOB r/w to get libc and stack (environ) addresses
- Craft a fake chunk on the array and overwrite the fastbin fd
- Reset the machine to allocate the register context on the fake chunk
- Overwrite the VM sp with the real stack
- Push a ROP chain onto the stack and halt the VM to execute it
Tags: bi0sCTF, Exploitation, VM

k32 - bi0sCTF 2022
Author: k1R4
Date: 2023-01-23
Category: Pwn
tl;dr:
- Giving a size > 48 causes a 16-byte heap OOB r/w
- Use the OOB r/w to get leaks and overwrite objects for rip control
Tags: bi0sCTF, Exploitation, Heap, Kernel