kylebot's Blog

Man's Search for Pwning

0%

Introduction

During this weekend, I casually played DiceCTF 2022 with my team Shellphish. And I solved two challenges: baby-rop and memory hole during the game.

It was the first time in a while that I played CTFs with OOO people: @Zardus and @adamd (internally, we call them OOOld people :) ). Initially, I didn’t plan to play the CTF because of my research work. But @adamd “bullied” me into it by saying “now get me the flag” when I casually posted some techniques that could help the team solve baby-rop. So, I solved it.

After solving baby-rop, I thought I was done with the CTF. But the next day, @adamd (yes, it was always him.) posted some info about memory hole in our discord channel, I got immediately hooked up by the challenge: what’s more exicting than bypassing the latest defence in V8? Besides, I haven’t done any V8 challenge in a few months, it’s a good time to pick it up again. So, I decided to have a look at it and finally solved it with a different approach from intended solution.

Read more »

Introduction

Last December (which is a month ago), I learnt that there was a Linux kernel CTF challenge, called IPS, unsolved during VULNCON 2021.
At that moment, I was struggling exploiting the first bug that we eventually used to pwn GKE for kCTF and I thought it would be great to solve a CTF challenge and regain some confidence in kernel exploitation.

However, I struggled a little bit again with the CTF challenge (because I was and still am dumb) and finally solved it with an unintended solution.
Even though my solution was much harder than the intended solution, it was the first blood for this challenge.

Read more »

Introduction

Last week, I played DEFCON quals with my team Shellphish. We managed to get to 10th place worldwide and qualified for DEFCON Final this year. Good job everyone! More importantly, this is the 16th year that Shellphish gets qualified for DEFCON Final consecutively in a row. What can I say? It’s just amazing.
During the CTF, I contributed to the solution of baby-a-fallen-lap-ray(or, parallel-af-yan). After we solved it, I started looking at mooosl, which is a heap challenge with musl[1] libc. When I started to look at the challenge seriously, there were only 6 hours left. At the end of the CTF, I almost got everything, just needed some time to finish it off.
In fact, after the CTF, it only took me 2.5 more hours to finally get the flag. So sad.
So, in this blog, I’m going to talk about how to solve the challenge and help myself remember how musl‘s mallocng allocator works.

Read more »

Introduction

Despite I’ve been insanely busy recently, I still decided to play WCTF for bit and managed to solve one challenge called machbooks.
As the name suggests, it is a Mach-O challenge. Mach-O is the binary format on macOS(like ELF on Linux). Mach-O challenges are rare in CTF community. So, it intereted me the moment I saw the challenge name (In fact, I didn’t plan to play the CTF at all, lol).
Because of the rarity of Mach-O challenges, some CTF-ready tools do not work on the binary format and not many people know how to deal with Mach-O binaries at all. Those may be the reasons why there was only one solve during the game.
Luckily, I was exposed to Mach-O by a challenge called applepie during 0CTF-2019. And that experience gave me an edge to finish the only solve to the challenge during the game.

Read more »

Introduction

I played 0CTF as a member of Shellphish last weekend. The CTF was pretty awesome and gave me a lot of excitement. I learned about v8 hacking by solving the Chromium RCE challenge and about PHP internals by wasting my time on Baby Bypass. Overall, I’m pretty satisfied with the experience in the CTF.
The only imperfection is that I didn’t manage to pull off One Line JS in time before the game ended. In fact, I solved it in 3 hours after the game ended.
One Line JS is a very interesting challenge about pwning a small real-world javascript engine. Although it is “small”, it still consists of more than 10 thousand lines of code, which is daunting for a 48h CTF. And I guess that’s the reason it only got 1 solve during the game.

Read more »

2020-07-01

Created my blog. Not perfect, but it is mine.