The first challenge I tried was pdfmaker. Surprisingly I spent way too much time on this simple starter challenge. I initially planned to use this challenge as a warm up but ended spending about 10 hours on it, mostly due to me overlooking simpler solutions that are …
According to the description, hxp provides us with a brainfuck (BF) execution service where we can send BF programs over netcat and execute them. To help, they provide us with a script that translated BF programs into a DOS, 16-bit COM executable.
Now as a reminder, DOS COM executables are …
read moreAMD recently announced the new Secure Encrypted Virtualization (SEV) extension that intends to protect virtual machines against compromised hypervisors/Virtual Machine Monitors (VMMs). An intended use-case of SEV is to protect a VM against a malicious cloud provider. All memory contents are encrypted and the cloud provider cannot recover any …
read moreAt a high level, Control-Flow Integrity (CFI) restricts the control-flow of an application to valid execution traces. CFI enforces this property by monitoring the program at runtime and comparing its state to a set of precomputed valid states. If an invalid state is detected, an alert is raised, usually terminating …
read moreThe last three weeks I've been traveling through China, Hong Kong, and Macau on an interesting security tour thanks to this year's AsiaCCS being held in Xi'an, China. AsiaCCS was right after Oakland, so I flew directly from San Francisco to Xi'an China and then continued to visit friends at …
read moreThis year's Oakland (the IEEE Symposium on Security and Privacy, formerly held in Oakland, California) has been a wild ride. Just a little more than a week before Oakland I've been in the bay area at the Usenix Security PC meeting at Google in Mountain View, talking to many folks …
read moreDue to other commitments I only had little time to play during this CTF and when I arrived on Saturday (the 2nd day of the competition) our b01lers were already hacking away and we were hovering somewhere around 100.
For quite a while I looked trough some of the others …
read moreFor this challenge we were given a corrupted git repository. We started by checking out the git repository (using git clone) and checking the consistency of the repository (using git fsck):
Checking object directories: 100% (256/256), done. error: sha1 mismatch 354ebf392533dce06174f9c8c093036c138935f3 error: 354ebf392533dce06174f9c8c093036c138935f3: object corrupt or missing error: sha1 …read more
We received a PNG file that got somehow corrupted in transit. Reading the PNG specification and looking at the first couple of bytes in the header we saw that an 0x0d byte was dropped. The file used 89 50 4e 47 0a 1a 0a as header instead of 89 50 …
read moreWe are told that there's a treasure waiting at treasure.ctf.0ops.sjtu.cn so we have to start digging!
Firing up dig: dig treasure.ctf.0ops.sjtu.cn -t ANY tells us that the target is a IPv6 address.
Let's do a traceroute to that address:
$ traceroute6 treasure.ctf …read more