# johnathanhuutri/CTFWriteup

## Categories

### Cmd Injection

| CTF Name | Challenge | Other bug |
|---|---|---|
| KMACTF III - 2023 | Welcome to KCSC | |

### Shellcode

| CTF Name | Challenge | Other bug |
|---|---|---|
| ImaginaryCTF 2022 | bellcode | |
| KMACTF 2022 | Duet | Buffer Overflow |
| pwn.tn | orw | |

### Integer Overflow

| CTF Name | Challenge | Other bug/technique |
|---|---|---|
| KMACTF III - 2023 | Password Manager | Buffer Overflow |
| HCMUS CTF - 2022 | calert | Integer Overflow, Ret2libc |
| zer0pts CTF - 2022 | Modern Rome | |
| zer0pts CTF - 2022 | accountant | ret2libc |
| KCSC - Entrance exam | get OVER InT | |

### Buffer Overflow

| CTF Name | Challenge | Other bug/technique |
|---|---|---|
| ångstromCTF 2023 | widget | Ret2Win |
| TetCTF 2023 | pwn01 | Ret2Libc |
| SVATTT 2022 | Service0x2 [Revenge] | Ret2Libc |
| SVATTT 2022 | Mmap Note | |
| SVATTT 2022 | Convert | Ret2Libc |
| pwnable.vn | file_storage | Ret2Libc, Out Of Bound |
| Google CTF 2022 | FixedASLR | Out-of-bound, Crypto - LFSR algorithm |
| WhiteHat Play 11 | pwn07-Silence | |
| KMACTF 2022 | Two Shot | Format String, Ret2libc |
| Pragyan CTF 2022 | Comeback | |
| Pragyan CTF 2022 | Poly-Flow | |
| MOCSCTF 2022 | calc | Out-of-bound |
| KCSC - Entrance exam | Make Me Crash | |
| KCSC - Entrance exam | ret2win | |
| KCSC - Entrance exam | bof1 | |
| pwnable.tw | Spirited Away | |
| pwnable.tw | Kidding | Shellcode |
| pwnable.tw | Start | Shellcode |
| pwn.tn | f_two | Format String, Integer Overflow |

### Uninitialized Variable

| CTF Name | Challenge | Other bug/technique |
|---|---|---|
| pwnable.tw | apple store | (Didn't make writeup) |
| GDGAlgiers CTF 2022 | XOR | Ret2Libc |

### Format String

| CTF Name | Challenge | Other bug/technique |
|---|---|---|
| KMACTF III - 2023 | Welcome to KCSC V2 | Buffer Overflow |
| ångstromCTF 2023 | slack | ROPchain |
| ångstromCTF 2023 | noleek | one_gadget |
| WannaGame 2022 | base64-convert | |
| ImaginaryCTF 2022 | rope | |
| ImaginaryCTF 2022 | Format String Foolery | |
| ImaginaryCTF 2022 | Format String Fun | |
| vsCTF 2022 | Private Bank | |
| WhiteHat Play 11 | pwn06-Ez_fmt | |
| HCMUS CTF 2022 | WWW | |
| KCSC CTF 2022 | pwnMe | Ret2libc |
| Pragyan CTF 2022 | TBBT | |
| Pragyan CTF 2022 | Portal | |
| WannaGame 2021 | Letwarnup | |
| KCSC - Entrance exam | Chall | |
| pwn.tn | f_one | |

### ROP

| CTF Name | Challenge | Other bug/technique |
|---|---|---|
| DiceCTF 2022 | baby-rop | Use After Free |

### Sig-ROP

| CTF Name | Challenge | Other bug/technique |
|---|---|---|
| KCSC CTF 2022 | start | Buffer Overflow |
| KCSC CTF 2022 | feedback | Buffer Overflow, Integer Overflow |

### Blind-ROP

| CTF Name | Challenge | Other bug/technique |
|---|---|---|
| DefCamp CTF 21-22 Online | blindsight | Buffer Overflow |

### Off-by-one

| CTF Name | Challenge | Other bug/technique |
|---|---|---|
| WannaGame 2021 | Feedback | |
| ISITDTU 2019 | tokenizer | |

### Out-of-bound

| CTF Name | Challenge | Other bug/technique |
|---|---|---|
| KMACTF III - 2023 | Tiny Webserver | |
| WannaGame 2022 | warmup | |
| KCSC - Entrance exam | ArrayUnderFl0w | |

### ret2dlresolve

| CTF Name | Challenge | Other bug/technique |
|---|---|---|
| KCSC CTF 2022 | readOnly | Buffer Overflow |
| TSJ CTF 2022 | bacteria | Buffer Overflow |
| DiceCTF 2022 | dataeater | Format String |

### Attack hook

| CTF Name | Challenge | Other bug/technique |
|---|---|---|
| SVATTT 2019 | three_o_three | |
| pwnable.tw | 3x17 | |

### Heap Overflow

| CTF Name | Challenge | Other bug/technique |
|---|---|---|
| WannaGame 2022 | baby_calc | Integer Overflow |
| KCSC CTF 2022 | babyheap | Use After Free, Heap Overflow |
| MOCSCTF 2022 | C@ge | |

### Heap - Tcache attack

| CTF Name | Challenge | Other bug/technique |
|---|---|---|
| vsCTF 2022 | EzOrange | Out-of-bound |
| vsCTF 2022 | ForNBack | Use After Free |
| WhiteHat Play 11 | pwn08-Ruby | Integer Overflow, tcache_perthread_struct attack |
| Pragyan CTF 2022 | Database | Heap Overflow |
| MOCSCTF 2022 | orange | House of Orange |
| WannaGame 2021 | note | Use After Free |
| ISITDTU 2019 | iz_heap_lv1 | |
| DefCamp CTF 21-22 Online | cache | Use After Free, Double Free |

### Heap - House of Force

| CTF Name | Challenge | Other bug/technique |
|---|---|---|
| KCSC CTF 2022 | 5ecretN0te | Heap Overflow |
| Wolverine Security Conference/CTF | Us3_th3_F0rc3 | Heap Overflow |

### Heap - House of Roman

| CTF Name | Challenge | Other bug/technique |
|---|---|---|
| pwnable.tw | Secret Garden | Use After Free, Double Free |

### Heap - House of Botcake

| CTF Name | Challenge | Other bug/technique |
|---|---|---|
| FooBar CTF 2022 | Death-note | Use After Free, Tcache Attack |

### Heap - House of Husk

| CTF Name | Challenge | Other bug/technique |
|---|---|---|
| ImaginaryCTF 2022 | minecraft | Use After Free, Format String |

### Heap - House of Muney

| CTF Name | Challenge | Other bug/technique |
|---|---|---|

### Exploitation of FILE

| CTF Name | Challenge | Other bug/technique |
|---|---|---|
| pwnable.tw | seethefile | Buffer Overflow |

### Kernel Exploit

| CTF Name | Challenge | Other bug/technique |
|---|---|---|
| CakeCTF 2022 | welkerme | Shellcode |
| DownUnderCTF - 2022 | just-in-kernel | Shellcode |

### Other

| CTF Name | Challenge | Other bug/technique |
|---|---|---|
| BKCTF 2023 | babyservice | |
| LITCTF 2022 | IntArray | |
| KCSC CTF 2022 | guess2pwn | |
| KCSC - Entrance exam | guessMe | Specific Seed Rand |
| pwnable.tw | calc | |

## CTF events

### 2023

#### KMACTF III (Vietnamese)

| Name | File Type | Bug | Technique | Note |
|---|---|---|---|---|
| [PWN x WEB] Welcome to KCSC | C (64 bit) | Cmd Injection | | |
| [PWN x WEB] Welcome to KCSC V2 | C (64 bit) | Format String | | |
| [PWN] Password Manager | C (64 bit) | Integer Overflow | ret2libc | |
| [PWN] Tiny Webserver | C (64 bit) | Out-of-bound | | Because this is a one-shot exploit, we cannot spawn a shell. Instead, we need to find a way to get RCE! |

#### BKCTF 2023

| Name | File Type | Bug | Technique | Note |
|---|---|---|---|---|
| [PWN] babyservice | C (64 bit) | Buffer Overflow | ret2libc | |

#### KCSC CTF 2023

| Name | File Type | Bug | Technique | Note |
|---|---|---|---|---|
| [PWN] ret2libc | C (64 bit) | Buffer Overflow | Ret2Libc | |
| [PWN] racecar | C (64 bit) | Buffer Overflow | Ret2Win | |
| [PWN] pwncry | C (64 bit) | Buffer Overflow | ROPchain | |

#### ångstromCTF 2023

| Name | File Type | Bug | Technique | Note |
|---|---|---|---|---|
| [PWN] widget | C (64 bit) | Buffer Overflow, Format String | Ret2Win | The Format String bug is just a rabbit hole |
| [PWN] slack | C (64 bit) | Format String | ROPchain | Make `i` a negative number and we get an unlimited Format String |
| [PWN] noleek | C (64 bit) | Format String | one_gadget | Tried to change the fd of the FILE from 3 (/dev/null) to 1 but failed, then used `%*c` to change the saved rip into one_gadget |

#### TetCTF 2023

| Name | Type | File Type | Bug | Technique |
|---|---|---|---|---|
| pwn01 | pwn | C (64 bit) | Buffer Overflow | Ret2Libc |

### 2022

#### ISITDTU Final 2022

| Name | Type | File Type | Technique |
|---|---|---|---|
| EzMisc | pwn | C (64 bit) | Integer Overflow, idiv |
| EzPwn | pwn | C (64 bit) | Out-of-bound |

#### WannaGame 2022

| Name | Type | File Type | Technique |
|---|---|---|---|
| warmup | pwn | C (64 bit) | Out-of-bound |
| baby_calc | pwn | C (64 bit) | Integer Overflow, Heap Overflow |
| base64-convert | pwn | Java + C (64 bit) | Format String |

#### SVATTT 2022

| Name | File Type | Bug | Technique | Note |
|---|---|---|---|---|
| Service0x2 [Revenge] | c (64 bit) | Buffer Overflow | | |
| Mmap Note - Unintended | c (64 bit) | Buffer Overflow | | Updated with the intended solution. For the unintended solution, take advantage of munmap to remove a read-only section and attack the exit hook to get a shell |
| Convert | c (64 bit) | Buffer Overflow | | |

#### GDGAlgiers CTF 2022

| Name | File Type | Bug | Technique | Note |
|---|---|---|---|---|
| XOR | c (64 bit) | Uninitialized Variable | Ret2Libc | |

#### DownUnderCTF - 2022

| Name | File Type | Bug | Technique | Note |
|---|---|---|---|---|
| just-in-kernel | kernel | | | First post about kernel exploitation; read this after you have read welkerme of CakeCTF 2022 |

#### SVATTT WarmUp - 2022

| Name | File Type | Bug | Technique | Note |
|---|---|---|---|---|
| DOGE [Forensics] | | | | |
| Simple Forensics [Forensics] | | | | |

#### CakeCTF 2022

| Name | File Type | Bug | Technique | Note |
|---|---|---|---|---|
| welkerme | kernel | | | Basic stuff for kernel exploitation. Please read the file README.md for a first approach to it! |

#### 0CTF/TCTF 2022

| Name | File Type | Bug | Technique | Note |
|---|---|---|---|---|
| BabyHeap 2022 | c (64 bit) | Heap Overflow | | Attack tls_dtor_list: set the guard to null and set up a fake dtor_list in tls_dtor_list |

#### KMACTF III - 2022

| Name | File Type | Bug | Technique | Note |
|---|---|---|---|---|
| Secret Machine | c (64 bit) | | | |
| Game of KMA | c (64 bit) | Out-of-bound | | |

#### LITCTF 2022

| Name | File Type | Bug | Technique | Note |
|---|---|---|---|---|
| IntArray | c (64 bit) | | | |

#### ImaginaryCTF 2022

| Name | File Type | Bug | Technique | Note |
|---|---|---|---|---|
| Format String Foolery | c (64 bit) | Format String | | Change link_map->l_addr to another value, so that when _dl_fini is executed it takes the address `.fini_array + link_map->l_addr` and executes it |
| Format String Fun | c (64 bit) | Format String | | Change link_map->l_addr to another value, so that when _dl_fini is executed it takes the address `.fini_array + link_map->l_addr` and executes it |
| bellcode | c (64 bit) | | Shellcode | |
| golf | c (64 bit) | Format String | | Use `%*<k>$c` to write the 32-bit address on the stack to an address we want |
| rope | c (64 bit) | | Shellcode | Overwrite _IO_file_jumps + ?? to make puts execute system |
| pywrite | python3 | | | Read the libc address from a @got entry and modify a @got entry to system |
| minecraft | c (64 bit) | Use After Free, Format String | House of Husk | |

#### vsCTF 2022

| Name | File Type | Bug | Technique | Note |
|---|---|---|---|---|
| Private Bank | c (64 bit) | | | |
| ForNBack | c (64 bit) | Use After Free | Tcache Attack | |
| Private Bank | c (64 bit) | Out-of-bound | Tcache Attack | |

#### Google CTF 2022

| Name | File Type | Bug | Technique | Note |
|---|---|---|---|---|
| FixedASLR | c (64 bit) | Buffer Overflow, Out Of Bound | ROPchain | ASLR is created by rand(12), whose algorithm is an LFSR. Hence, recover the seed (canary) from 6 leaked results of rand(12) using z3, a Python framework |

#### WhiteHat Play 11

| Name | File Type | Bug | Technique | Note |
|---|---|---|---|---|
| pwn06-Ez_fmt | c (64 bit) | Format String | | %n and %p (or %s) can be used at the same time, as long as %n is in clear form; %p (or %s) can be in short form. Ex: `%c%c%n%3$p` |
| pwn07-Silence | c (64 bit) | Buffer Overflow | | Because stdout and stderr are closed, we can still send data via stdin, so we use the getdents syscall to get the file name and print the flag through stdin;<br>Or we can dup2() to reopen stdout and stderr, and get a shell;<br>Or just get the shell as normal, with nothing printed. Once we have the shell, type `exec 1>&0` and everything from stdout will be redirected to stdin. Hence, we get a normal shell. |
| pwn08-Ruby | c (64 bit) | Integer Overflow | | Attack tcache_perthread_struct by freeing a fake chunk of size 0x10000, where this size lies inside tcache_perthread_struct |

#### KMACTF 2022

| Name | File Type | Bug | Technique | Note |
|---|---|---|---|---|
| Duet | c (64 bit) | Buffer Overflow | Shellcode | Shellcode (32 bit) can be executed on a 64-bit binary, and the arguments when executing `int 0x80` will be eax, ebx, ecx, edx... |
| Two Shot | c (64 bit) | Buffer Overflow, Format String | Ret2libc | |

#### HCMUS CTF 2022

##### Quals

| Name | File Type | Bug | Technique | Note |
|---|---|---|---|---|
| PrintMe | | | | |
| Timehash - rev | c (64 bit) | | | Patch file |
| WWW | c (64 bit) | Format String | Overwrite GOT | |

##### Final

| Name | File Type | Bug | Technique | Note |
|---|---|---|---|---|
| calert | c (64 bit) | Integer Overflow, Buffer Overflow | Ret2libc | We can change the original canary if we know its address, which is in the range of neither libc nor ld |

#### KCSC CTF 2022

| Name | File Type | Bug | Technique | Note |
|---|---|---|---|---|
| readOnly | c (64 bit) | Buffer Overflow | Ret2dlresolve | |
| start | c (64 bit) | Buffer Overflow | SROP | |
| feedback | c (64 bit) | Integer Overflow, Buffer Overflow | SROP | |
| guess2pwn | c++ (64 bit) | | | The first byte read from urandom may be null |
| pwnMe | c (64 bit) | Format String | Ret2libc | |
| babyheap | c (64 bit) | Use After Free, Heap Overflow | | |
| 5ecretN0te | c (64 bit) | Heap Overflow | House of Force | |

#### Wolverine Security Conference/CTF

| Name | File Type | Bug | Technique | Note |
|---|---|---|---|---|
| Us3_th3_F0rc3 | c (64 bit) | Heap Overflow | House of Force | |

#### zer0pts CTF 2022

| Name | File Type | Bug | Technique | Note |
|---|---|---|---|---|
| Modern Rome | c++ (64 bit) | Integer Overflow | | |
| accountant | c (64 bit) | Integer Overflow | ret2libc | If a register (rax, rbx, rcx...) would hold 0x10000000000000000 (9 bytes in total), the most significant byte is dropped (the 0x1 is removed), which makes the register null again |

#### FooBar CTF 2022

| Name | Type | File Type | Bug | Technique | Note |
|---|---|---|---|---|---|
| Death-note | pwn | c (64 bit) | Use After Free | Tcache Attack, House of Botcake | The tcache forward pointer changed in libc 2.32 (source) |

#### Pragyan CTF 2022

| Name | Type | File Type | Bug | Technique | Note |
|---|---|---|---|---|---|
| Poly-Flow | pwn | c (32 bit) | Buffer Overflow | | |
| Portal | pwn | c (64 bit) | Format String | | |
| Database | pwn | c (64 bit) | Heap Overflow | Tcache Attack | |
| Comeback | pwn | c (32 bit) | Buffer Overflow | | |
| TBBT | pwn | c (32 bit) | Format String | Overwrite GOT | |

#### TSJ CTF 2022

| Name | Type | File Type | Bug | Technique | Note |
|---|---|---|---|---|---|
| bacteria | pwn | c (64 bit) | Buffer Overflow | Ret2dlresolve | r_offset can point to any writable and controllable place; it doesn't need to be a @got entry |

#### MOCSCTF 2022

| Name | Type | File Type | Bug | Technique | Note |
|---|---|---|---|---|---|
| C@ge | pwn | c++ (64 bit) | Heap Overflow | Tcache Attack, Ret2libc | Use libc's environ to leak a stack address |
| calc | pwn | c (64 bit) | Buffer Overflow, Unchecked Index | ret2win | |
| orange | pwn | c (64 bit) | Heap Overflow | House of Orange, Tcache Attack, Unsorted Bin Attack | Overwrite the malloc hook with realloc and the realloc hook with a one gadget |

#### KCSC - Entrance exam

| Name | Type | File Type | Technique |
|---|---|---|---|
| ArrayUnderFl0w | pwn | c | Unchecked Index |
| guessMe | pwn | c | Specific Seed Rand |
| Make Me Crash | pwn | c | Buffer Overflow |
| Chall | pwn | c | Format String |
| ret2win | pwn | c | Buffer Overflow |
| get OVER InT | pwn | c | Integer Overflow |
| bof1 | pwn | c | Buffer Overflow |

#### DiceCTF 2022

| Name | Type | File Type | Technique |
|---|---|---|---|
| baby-rop | pwn | c (64 bit) | Heap Attack, ROP chaining |
| dataeater | pwn | c (64 bit) | ret2dlresolve, Fake link_map |

#### DefCamp CTF 21-22 Online

| Name | Type | File Type | Technique |
|---|---|---|---|
| cache | pwn | c (64 bit) | Use After Free, Double Free, Tcache Attack, Overwrite GOT |
| blindsight | pwn | c (64 bit) | Blind ROP, Buffer Overflow |

### 2021

#### WannaGame 2021

| Name | Type | File Type | Technique |
|---|---|---|---|
| Letwarnup | pwn | c (64 bit) | Format String, Overwrite GOT |
| Feedback | pwn | c (64 bit) | Least Significant Byte |
| note | pwn | c (64 bit) | Heap Attack, Unsorted Bin Attack |

### 2020

### 2019

#### ISITDTU 2019

| Name | Type | File Type | Technique |
|---|---|---|---|
| tokenizer | pwn | cpp (64 bit) | Least Significant Byte |
| iz_heap_lv1 | pwn | c (64 bit) | Heap Attack, Tcache attack |

#### SVATTT 2019

| Name | File Type | Bug | Technique | Note |
|---|---|---|---|---|
| three_o_three | c (64 bit) | Unlimited malloc size | FILE structure attack | A malloc with a size larger than the heap size makes the chunk land near libc; Scanf flow: __uflow -> _IO_file_underflow -> read 1 byte at a time until a `\n` is met;<br>Or we can overwrite the exit hook with a one gadget. More information can be found here |

### Online

#### pwnable.vn

| Name | File Type | Bug | Technique | Note |
|---|---|---|---|---|
| file_storage | c (64 bit) | Out Of Bound | Ret2Libc | |

#### pwnable.tw

| Name | File Type | Bug | Technique | Note |
|---|---|---|---|---|
| Start | c (32 bit) | Buffer Overflow | ROPchain, Shellcode | |
| orw | c (32 bit) | | Shellcode | |
| calc | c (32 bit) | | ROPchain | |
| 3x17 | c (64 bit) | | ROPchain | Attack by overwriting .fini_array |
| Re-alloc | c (64 bit) | Use After Free | Overwrite GOT | |
| Kidding | c (32 bit) | Buffer Overflow | Shellcode | SYS_SOCKET and SYS_CONNECT to make a reverse shell |
| seethefile | c (32 bit) | Buffer Overflow | | |
| Spirited Away | c (32 bit) | Buffer Overflow | | |
| Secret Garden | c (64 bit) | Use After Free, Double Free | | |

#### pwn.tn

| Name | Type | File Type | Technique |
|---|---|---|---|
| f_one | pwn | c (64 bit) | Format String, Overwrite GOT |
| f_two | pwn | c (32 bit) | Buffer Overflow, Integer Overflow, Format String |

#### CloudFoxable

| Name | File Type | Bug | Technique | Note |
|---|---|---|---|---|
| It's a secret | | | | |
| It's another secret | | | | |
