Dragon CTF Teaser 2019 - rms

No re-entry allowed.

It’s been so long since I posted something to this blog! Let’s start again with a nice challenge from this weekend’s Dragon CTF Teaser. This web/pwn challenge is named “rms”. It showcases what can happen when you use non-reentrant library functions in a multithreaded application. A “rms-fixed” version was also released a while later to fix an unintended solution.

Exploiting the Math.expm1 typing bug in V8

Minus zero behaves like zero, right?

I love browser exploitation. Must be something about breaking what I consider to be one of the most complex pieces of software we run every day. At 35C3 CTF this year (I played with KJC + mhackeroni, we got first place!) there was a Chrome challenge about exploiting a bug in V8, Chrome’s JavaScript engine. The bug caused incorrect typing during static analysis, producing incorrect optimizations in just-in-time compiled code. It was really hard to trigger: I didn’t finish in time for the CTF, but I feel like many people would be interested in a full writeup. Shouts out to @_tsuro for finding the bug in the first place and for the amazing challenge, and to ESPR for the incredible CTF!

X-MAS CTF 2018 - A white rabbit in a snowstorm

Make your S-boxes not linear, kids.

This week, we spritzers played X-MAS CTF 2018. We enjoyed this week-long event, and took the chance to mix things up a bit (e.g., web guys playing pwn). While I’m mainly a pwner, recently I’ve been getting into crypto. I found “A white rabbit in a snowstorm” to be an interesting challenge. It’s probably trivial for the more experienced crypto guys out there, but I had never broken a (very) weakened DES, so I learnt a few things.

Pwn2Win 2018 - TPM 2.0

Writeup for challenge “TPM 2.0” of Pwn2Win CTF 2018.

At last year’s Pwn2Win, we (spritzers) were the only team to solve the SGX challenge. We played again this year, getting 6th place. There was another trusted computing challenge (pwn), on TPM 2.0 this time: we kept up the tradition and were the only team to solve it. So here’s a writeup, enjoy :)


© 2018. All rights reserved.

Powered by Hydejack v7.5.1