Blazin’ Etudes – Hack A Sat 3 Quals (2022) – Writeup

(If you just want the solution, and not the story, skip down to “Emulating MLIL on z3”)

Introduction

This year was Samurai’s third time playing Hack A Sat’s (HAS) quals round. The first time we played, we qualified for finals. Year 2, we didn’t qualify. So this year we were hoping to qualify again. I personally wasn’t super involved in the first year, and only a bit involved last year (I don’t think the weekends lined up super great for me), but I was interested to take a shot at it this year and hopefully qualify!

Blazin’ Etudes was the third of a series of microblaze reversing challenges, released on the last day of the competition (Sunday). In order to properly appreciate it, we should briefly look at the preceding challenges.

Continue reading “Blazin’ Etudes – Hack A Sat 3 Quals (2022) – Writeup”

Reversing and exploiting a program running in an undocumented VM

DEF CON CTF 2021 Quals baby-a-fallen-lap-ray writeup

disassembled shellcode

Outline:

Introduction

This weekend, Samurai played the DEF CON CTF Qualifier event. We had a great time playing; much thanks to the organizers for putting on a great event! Many thanks to my teammates, it was awesome playing with you all!

One of the challenges this weekend was called baby-a-fallen-lap-ray. It was categorized as a pwn challenge, and it made a comment about being ‘the return of the parallel machine (or is it?)’.

Continue reading “Reversing and exploiting a program running in an undocumented VM”

CSAW CTF Finals 2018 – Wic Wac Woe 1 writeup

Introduction

I had the opportunity to compete in the CSAW CTF Finals 2018 for a second year in a row, with the UMBC Cyber Dawgs. It was a lot of fun, despite our somewhat lackluster finish in 10th place. I learned a lot. For instance, in this challenge, I learned how to exploit a Use-After-Free vulnerability (in WebAssembly no doubt!).

Challenge

WASM is the future of the web! JS devs will be writting c++, what could go wrong?.

This debugger might help kinda shrug emoji

Written by itszn, Ret2 Systems

http://pwn.chal.csaw.io:1000

HINT: You can get source via /test.wasm.map and /test.cpp

Continue reading “CSAW CTF Finals 2018 – Wic Wac Woe 1 writeup”

CSAW CTF Finals 2017 – KWS 1 Writeup

Introduction

I recently had the opportunity to compete in the CSAW CTF Finals with the UMBC Cyber Dawgs. It was an amazing competition; the organizers were awesome and did a great job. We placed 7th in North America, by the way :)

If you’ve never heard of CSAW before, it’s a huge student-run security conference/competition. We played in the CTF, or capture-the-flag competition. I would consider one of the best undergraduate-level CTF competitions. CSAW CTF is a jeopardy style competition in which you have a board of challenges, and you get points for solving them. You solve the challenge by hacking at it until it gives you a flag of the form flag{th1s_i5_a_f1@g}, which you enter into the scoreboard to receive points. Team with the most points wins.

I’ll be publishing a couple writeups about how we solved some of the challenges; this is the first one.

Challenge

We developed a much better alternative to AWS. Our high-performance kernel
driver gives us unparalleled speed of execution. And we're super-secure!

http://web.chal.csaw.io:6001/

NOTE: Login with your CTFd credentials.

NOTE: This might take a minute to start up the first time you login. Please be
patient!

NOTE: There may be ways to poke at other teams' boxes. Don't do that, it is not
part of the challenge.

NOTE: If you have issues with your instance, try logging out of the KWS
interface, and logging back in.

NOTE: Sorry for all of the notes :P

Author: itszn, Ret2 Systems

Solution

We begin by visiting the provided URL and we’re greeted with a dashboard. We have 1 KWS "instance" (lol), and we have the ability to store new JSON objects by name. So we have a key-value store of some sort.

We do some inspection of traffic (I use the Firefox DevTools), and we can see some requests to the API, and we see some requests to http://some.ip.ip.ip/action. We notice they are all POST requests, and they have a JSON payload of the form

Continue reading “CSAW CTF Finals 2017 – KWS 1 Writeup”