Introduction
babyfile is a file stream exploitation challenge I did during the SECCON CTF 2022 Quals event. I didn’t succeed in flagging it within the 24 hours :(. But anyway I hope this write-up will be interesting to read given I show another way to gain code execution – one I have not seen before – based on _IO_obstack_jumps! The related files can be found here. If you’re not familiar with file stream internals, I advise you to read my previous writeups about file stream exploitation, especially this one and...
Introduction
zigzag is a zig heap challenge I did during the corCTF 2022 event. It was pretty exotic given we have to pwn a heap-like challenge written in zig. It is not using the C allocator but instead it uses the GeneralPurposeAllocator, which makes the challenge even more interesting. Find the tasks here.
TL; DR
Understanding zig GeneralPurposeAllocator internals
Hijack the BucketHeader of a given bucket to get a write-what-where / read-what-where primitive.
Leak stack + ROP on the fi...
Introduction
cshell2 is a heap challenge I did during the corCTF 2022 event. It was pretty classic so I will not describe a lot. If you begin with heap challenges, I advise you to read my previous heap writeup.
TL; DR
Fill tcache.
Heap overflow in edit on the bio field which allows to leak the address of the unsortedbin.
Leak heap and defeat safe-linking to get an arbitrary write through tcache poisoning.
Hijack the GOT entry of free to system.
Call free("/bin/sh").
PROFIT
Reverse Engineer...
Introduction
I just learned how to use malloc and free… am I doing this right?
catastrophe is a heap challenge I did during diceCTF 2022. I had a lot of issues with the libc and the dynamic linker: I first did the challenge with the libc that was in /lib/libc.so.6, then I figured out thanks to my teammate supersnail that I was using the wrong libc. Then I did it again with the right libc but the dynamic linker was (again) wrong and I lost a lot of time on it. So well, t...