#pwn
that's a pretty good post about 64 bit ret2dlresolve
i didn't know that pwntools had one either, but i think doing it manually can help you understand it better
don't quote me on this, but i think there are certain cases depending where bss loads that makes 64 bit ret2dl (from a purely blind perspective) not possible as well 🤔
Yeah that's the one I have bookmarked for the next ctf study time 😄
you should keep the pwntools implementation in mind, it permitted me to pwn the chall without even knowing what ret2dl does
pwntools has so many amazing stuff in docs 😔
imagine not being kmh
kmh just puts his entire exploit in a python2 -c 'print(...)'
and I'm concerned for his well-being
python2
LOL what!?
😂
LMAO someone deleted my GIF
There is no Dockerfile for nightmare, is it on purpose ?
there will be soon™️. In the meantime, the hash is provided
by any chance would the admins mind zipping the challenges for next time? for baby-rop there's a bunch of files and it's a pain to install all of them. Please??
Will there be any browser pwn?
challenges will be released +6 and +12 hours in
no guarantees on the particular category/topic
as soon as we find the solve script we lost
‘We’?
the solve script i lost 
Yeah.
who can I pm for baby rop?
you can open a ticket
For baby rop, what is the path to the flag file? I can read arbitrary files but it doesn't seem to be /flag.txt
Mhm still not working. It's weird I use the provided ld and libc in local
I think there might be a connection timeout issue, the port closes after a few seconds
most networked services time out after 20s
Alright my exploit was very non optimized after minimizing the network communication it worked. Thanks!
🥳
I have been having similar issues for baby rop, I tried reducing my payload and it's still not landing. Is there someone I can dm?
Is it normal that there is no IP provided for the containment server?
I believe it is the same as breach
breach doesn't have a server either...
it is not. it got (probably accidentally) omitted from the challenge config file. Waiting for other orgs or harry to give the okay to share it though, just in case it was purposeful.
this is being fixed
any hints on misc/sober-bishop
for data-eater, is it possible to provide a libc ?
On server, aslr is on ?
almost certainly
Does pwn/containment server use the same server as rev/containment server ?
pwn/containment and rev/breach are the same program
the flag for pwn/containment is on remote
for interview ?
did u guys release 1984? 🤔
due to er
technical difficulties
it is now named memory hole
and will appear Very Soon™️
Idk if this face is intended, but i don't think it's appropriate post here.
literally 1984
oh bruh gg.
Okay 
Generic question: what do you guys do when libc has no symbols and no symbols signature (for eu-unstrip/pwninit)?
I was thinking of compiling the libc with debug symbols myself... but it looks like a pain
anyone to talk about data-eater?
- Do not ask for help from competing teams.
- Do not discuss solutions or solve methods with competing teams.
can i talk to the author about the intended solution? already solved it
does whoever solved memory hole want to talk abt his/her solution
🤔
!bean @upper hollow
✅ Aqcurate#7348 (156372767166562305) was beaned. Reason: No reason given.
lmfaooo
why ?
like you guys r asking for solutions
yeah
why ?
ok and
and we can't cheat
why ?
its not good
you guys r cheating and we guys can't cheat
unfair
^ unfair advantage
will u guys release a kernel to complete a fullchain? 
why do i get a cannot resolve host name error using the netcat server on the interview challenge?
when will organizers solve containment 
soon ™️
did you know that containment can be solved with a tcp 0day
Maybe that’s what we are trying;)
did anyone solve interview? I have a question.
ask it in a ticket not to other contestants
oh
mb
np
5 ctf minutes I promise
(well my team mate)
🙏
Anyone know good android apps for doing pwn challenges on the go
cursed
ssh client
i think it's been 5 ctf minutes
so does 1 ctf minute = 1 earth hour?
1 ctf minute = however long it takes 🙂
just like challs are delayed 1 ctf minute 🙂
🤡
that sounds painful
doing pwn challs on a phone
I guess you could try ssh-ing into a remote box that has the challs on them?
that would probably be your best bet
Hello, it seems that the binary of memory hole in remote is different from the binary given locally
anyone working on nightmare? cant give hints but id love to hear some of the ideas going on so far
in dms
of course lol
the memory hole situation is complicated
give us some time
what's the path to the flag in baby rop
flag.txt
flag.txt
wtf
? were you expecting supersecretstrangename.txt? 🤡
flag.txt
coming up on minute 4 now, you guys are running out of time 😨
nvm, I am going to solve it, it's okay now
cool ok
I think you'd be better off buying a mini laptop
im back on my Samsung™ DeX, ideal for CTFs
What's that?
plug Samsung phone into a monitor, it has a desktop environment
not directly
but like that's the gist
Oh cool
someone took only 4.5 ctf minutes on containment
🤡
It takes my code 3.5 ctf minutes per run
interview opportunity is the first pwn challenge i've done using a python
x3 A totally valid and not cheesy solution :3 🧀
dm?
Ye 🙂
i declare this as "gallileo's law of security ctfs"
My code takes a mere 1 ctf minute to run! (read: 30 minutes)
haha
good news: we have a working exploit since like 12 hours ago
bad new: It only works locally for some reason
ono
Why is pwn/containment asking about Flag: ? I can't see it in the dockerfile. What is the input to the challenge?
Shouldn't we be able to upload .bin file for it to run or something?
open a ticket if you're still having issues
will road-to-failure drop an hint?
i have solved chutes-and-ladders locally
But the remote environment is too slow and the time limit is not enough
open a ticket and we can help
i have opened it
Just finished (locally) babyrop, but my solution is waaaaay too complex (and slow)... i only leak some stuff b4 the server closes the connection 😦 * sad *
I'll try baby-rop last time and go back to sleep /spend more than 24h with dicegangCTF ..;( I'm impressed with good infrastructure 😄
thank ya organizers
pwn/containment is the same as rev/breach, you don't get to upload a bin (that would be too easy ;p) you have to pwn the program that already exists for the vm
y, figured
in 9 minutes
lmao chop
literally throwing
I'm still recovering from my robotics all nighter and competition yesterday 😩
Lol, everyone quietly hoping last minute hints revealed
the difference between the three versions
is negligible
anyone that can solve monkey hole can solve monkey hole but typer easily
:msfrog:
operation-typer.cc moment
In exactly 7 minutes I dm ireland questions lets goo
there are so many bypasses for heap cage rn
i hope someone has a cool one
that he/she used
@sharp warren remember to set your dms to friends only in 5 min
i'm wondering about the exp of mojo
oh thx
mojo 
noooo fine support ticket in 5 min
we spent two whole days on this challenge XD
I know pepsipu has one written
don't think he will publish it
I think he is giving a prize to whoever solves it first after the CTF ends
he is??
:/
Is it a virtual cookie??
announcement soon!
anybody have a writeup for memory hole?
it is a "really cool custom physical prize" :))
@earnest temple
nows your time to shine
I was thinking abt overwriting the bytecode generated by the interpreter
but didn't get anywhere with that idea
i didn't have much time so i found a way to read files
#cheese
but it didn't work
because the flag has a random name
👀 How's that
```js
// Reinterpret a double as its 8 raw bytes via a shared buffer
let f64view = new Float64Array(1);
let u8view = new Uint8Array(f64view.buffer);
let a = [13.37];
try {
    // d8-only Realm API: attempt to load a file as a script so its contents land on the heap
    Realm.eval(0, '/etc/passwd', {type: 'classic'});
} catch (e) {
    console.log(e);
}
// setLength is the challenge-added primitive: grow the array past its backing store for OOB reads
a.setLength(1000);
let s = [];
for (let i = 0; i < 200; i++) {
    f64view[0] = a[i];
    s.push(String.fromCharCode(...u8view));
}
console.log(s.join(''));
```
well w/e it was unexploitable anyway
but i didn't think i was going to solve it the intended way in ~3 hours so 😆
pardon.
I hate JS I hate JS I hate JS I hate JS I hate JS I hate JS I hate JS I hate JS I hate JS I hate JS I hate JS I hate JS I hate JS I hate JS I hate JS I hate JS I hate JS I hate JS I hate JS I hate JS I hate JS I hate JS I hate JS I hate JS I hate JS I hate JS I hate JS I hate JS I hate JS
Writeup for baby-rop? I was able to get arbitrary read & write, so libc leak from GOT; then I tried to get control by using __free_hook but for some reason it didn't hook, maybe it was deprecated in this libc version. Another idea was to get a stack leak to overwrite return address and build a ROP, but I wasn't able to get a stack leak
ok so
this is what you get for using d8
I'm sure we all do
yea __free_hook was deprecated in libc 2.34
next year we'll have another heap cage challenge
or in another ctf
so i'm not gonna say one of the cool solutions here
but the lame solution
is just to overwrite the Code pointer in the function struct
which is contained within the cage
I learned it too late
And then just use inline numbers in the jit'd code to get rce
Could I get some stack leak from something?
jit rop
No
idk enough abt how JS functions in v8 works lol
Baby rop you didn't need to do a free hook, just find the stack and write your own rop
since we put an instruction like ADD rsp, 0x190434852
since v8 sometimes uses rsp as a scratch register
and 0x190434852 will be in the actual generated code
well. about memory hole. I'm not sure whether my solution is unintended
what was yours?
but I didn't use the typer bug
There was no typer bug, that was included in the patch file by mistake 
ohh
There was supposed to be just an OOB function
so jump to a stack pivot?
Yeah I thought about that, but I wasn't able to find the stack; maybe I had to read from some start address with a big length?
I used webassembly and shellcode it
Array.setLength was included
but the flag says ROP?
is data-eater return to dlresolve?
😄 I'm going to write a blog about
cool
👀
data-eater is in the author writeups linked in #announcements
I'll grab my scripts and post them
I got arbitrary read/write outside the cage
excited to see
what's the intended solution btw
modifying the register file of a suspended async fn
or just relative overwrite the code pointer
so you got PC control and then ROP?
The generator method is arb read/write outside of the cage
the relative overwrite is pc
yeah
ohhh. interesting.
I leaked the stack through environ
so overwrite the code pointer to a stack pivot?
or just jit rop
it's painful
but possible to do even without writing an assembler
i just used defuse.ca 
what's jit rop?
It's where you do
<instruction>
jmp +8
and the jmp gets you to the next inlined float
or whatever
lol
within the jit'd code
Is that really ROP 
that sounds much more toxic tho
does this assume you can write to an RWX page?
Are you going to write a writeup for the generator method? excited to see
i might yeah
I used a similar technique in a Firefox pwn, writeup here https://ctftime.org/writeup/29961
ty!
yeah clubbies chall was cool
What's best way to patch binaries?
Wait idk if they even used that, https://ret2.life/posts/corCTF-2021/
hex editor
Pwninit?
HAHAHA THIS IS GENIUS
i dunno, it was the most baby possible firefox
I got an issue with babyrop with libc version
I liked pwninit's old template
sandbox one day when i have a few days to put aside and read the code
now they don't use ld preload and just patch the binary
Yeah lol
https://gist.github.com/ReDucTor/0814d5e5d0508eec49316b1ce1bc9171 my scripts (baby-rop, interview, data-eater)
oh hey look that's my writeup
Nice 😄
see scripts above, use the environ variable to get the stack
Thank you
was there unintended solutions?
yeah most people had some pretty interesting looking rop stuff
i got a pretty convoluted one lol
turned the main function into a rop chain
leaked the libc version using scanf
scanf -> printf -> scanf to get the base address
then one gadget for shell lol
This is one way to do it
the way using the relative overwrite
and then jit rop 
I guess my recent research impaired my mind. I didn't even realize stack is a thing in userspace.. I composed a quick magical ROP chain near _IO_file_jumps 🥲
^ for baby-rop
how do you know the offset between scanf and printf?
guess, probably
dicegtf
but that implies 12 bit bruteforce no?
_isoc99_scanf and printf are pretty close
it was only a 4 bit bruteforce
oh i see
intended solution uses 0-bit brute force 🙂
learned something new
also the code formatting for your writeup confused the hell out of me for a good minute
pretty cool solution
didnt see it scrolled right, so it looked like you just wrote "/bin/sh" and got a shell lol
let me drop my memory hole exploits here in case I forget to write a blog
the arb r/w is just as clean as before XD
yes
oh. this is the "backingstore on js heap" type of typedarray
ah
Oh, so you make the 'cage' base the real virtual memory base?
nonono. my arb r/w is still inside the cage
Oh
I'm confused 
the escape part is "setGlobal"
exactly
that's so cool
it is a raw pointer. just hijack it, you got arb r/w.
Heap cage is going to be hard for them to make properly secure.
So many pointers and weird behaviours of objects both inside of and outside of the cage
they should just write better code 😄
Dare I say... rewrite it in Rust?
literally bc mozilla code is so convoluted no one wants to read it
haha
any part of v8 that hasn't had a vuln just means the code is too hard to read for researchers
You say this but I've seen the v8 snippets you sent
you see my messages in # pwn and then scurry away 
What about the codeql reading session.
i've been trying to organise v8 reading for months.
can non-dicegang people join 👀
@strange pecan
@strange pecan
this ID is so familiar. Does he write blogs about msg_msg exploit in Linux kernel?
👀
https://www.willsroot.io/2022/01/cve-2022-0185.html Fizz "msg_msg" Buzz101
@strange pecan
VR book clubs when
for your data eater sol, how did you know the pointer you were writing into had the significance it did?
fizz please let the nice ucsb man in 🥺
oh my seems like msg_msg has gone famous 😳
Looking at it in a debugger at the stack trace
fizzbuzz is so cracked
fizzbuzz 🥺
I learnt the msg_msg attack from your blog post and used it in kctf 😉
I think another team used msg_msg as well, and we also used msg_msg 😂
me: drops fizzbuzz101 on floor
me: "please don't be cracked please don't be cracked"
fizzbuzz101:
damn fizzbuzz forgot to gaslight gatekeep girlboss
seconding this question
sign me up 🙃
I'm in
browser seems so fun, but reading chrome source is deranged 😔
as if kernel src is better
i'll take kernel src any day over v8
🤮
this is how you know someone has read lots of v8 source
chop0 is gonna 1984 the server like fizz
ono what is this
i cannot confirm or deny
is this chop's private browser training club 🤔
chop are you gonna bully saelo with all these bypasses
keep messing with chrome devs and they'll start enabling PCSCAN
can we have a repo for all pwn challs ?
challenge sources will be released after the bounties expire/are collected
and after we finish cleaning up ||[redacted]||
actually maybe we should just release everything except the bounties
@shell locust btw for containment why does it start executing your input as shellcode? I think we never figured that out lul. we just found that by "fuzzing"
it uses the start of rom as the scratch buffer for reading your input
which is normally ok since both parent and child are executing far from the start, but you can hit that section when parent and child try to return from main
Ohhhh
I saw the jmp in main to main_parent and I thought it would just never return for some reason
lol
very cool challenges btw!
thanks ;p
if you're working on nightmare post ctf, lmk ur ideas!! id love to hear them
Wow thanks @static hound and @earnest temple
Look forward to your write ups on memory hole! I was thinking to use bring your own gadget
Didn’t have time to finish it
Nice! I am in too 🙂
🤡
Hm ok so I’m not releasing my sol 
Oh shucks the write up by mem2019 also went bring your own gadget
Haha how did you do it? Any hints on your method?
Allow me to keep it a secret 
kylebot's uses imported_mutable_globals
Haha okay
hk you should make your sol into a ctf chall we definitely don't have pcaps
That wasn't actually in the challenge
Yeah I saw the update
Oh?
Although if it had been the typer bug, it wouldn't have been much harder. It was a very simple bug that could probably be turned into OOB with a few minutes work
Haha yeap. I was referring that to HK level
😂
list of heap cage bypasses so far:
- code pointer but that'll be fixed
- generator register files
- imported_mutable_globals
- hk method
- heap numbers
list of chops so far:
0. chop0
- chop1
- chop2
Did you find it through trial and error? Or were you reading the relevant v8 code?
I understood the mechanism by reading the official doc
I discovered the escape by .... imagination?
I kind of just noticed that globals are fishy and tested by copy-pasting webassembly code and discovered it
unintended solution for data-eater
@runic osprey here is the writeup. maybe you are interested: https://blog.kylebot.net/2022/02/06/DiceCTF-2022-memory-hole/#more
Woohoo thanks!
Reversing wasm is indeed a nightmare, also attempted one recently 😂
Yes! After the challenge, I think I never touched wasm again.
@solemn ravine can i dm you ?
yeah sure
@solemn ravine your DMs are not open 😂 ... but nvm. I'll ask here: does scanf() first process the first format string and then look into mem and check if there are any others, so while scanf() executes it can modify its own format arguments? So it first executes %4${}c which overwrites a part of itself ... then looks into its args and checks if there are any more and goes on executing? (We write the b"%12$p%4c" there)... so it does not care how many args there are at "call" time?
oh wait i thought my dms were open, that's weird
says its allowed, but w/e
yeah scanf can modify the first arg as it goes
cause it processes it 1 character at a time
i didnt know that until this challenge actually, wasnt sure if this method was gonna work
but yeah, it doesnt look ahead
Ahh Okay 😂 ... thanks! learned something new.
anyone have a write up on pwn/interview-opportunity
check our official writeup collection in the announcement
is anyone trying nightmare atm?
pepsi will be sad if nobody says yes
been an hour, no yes(es)
rip pepsi ig
🤨
it was within dice
there are a handful of people working on nightmare
i would mark max progress at 30%
looking forward to solve :O
Wait so how long will the challenge be up
What if no solve by then
lmao
pepsi "someone test solve nightmare" pu
Just checking its solvable right?
it has a solve script right?
wait...
oh wait yeah i think so. chop was the one who "deleted it and couldn't find it again"
that was a different challenge
i feel like its definitely solvable
but yes there is a working solve
just a pain in the ass
from both the author and someone else
Just put everything into a github repository
Is it 2 diff methods or one just asking
here solve script:
print("dice{lol_you_thought}")
GASP thats insane
I've read a total of 0 of the solve scripts
but I will say that both solve scripts solve the challenge by printing the flag
so I guess you could say the method is the same
someone should make that a flag
That chall would have 0 solves because no one would submit that but it was the flag all along...
damn why didnt I think of just printing the flags during the comp. 🤡
we bought it because it was an expired domain on the public suffix list
ohhh i c
actually there were several but this one is short for minecraft axe
yep, solve script runs just fine
pwn/containment write-up for those still interested
https://github.com/ReDucTor/dice-ctf-2022-breach-writeup/#exploiting-the-flag-input-for-remote-code-execution
@proper bone will you post the writeup for the sandbox challenge?
yeah when i have time maybe over the weekend
tldr of intended sol is
edit the .mojom file to use native_struct.mojom
and then patch in a pickled object
root cause is mojojs uses incorrect native struct type
Thanks!
nightmare's official writeup with a 350 line pwn script 😳
pone