~ all posts ctf projects research
CTF Writeups
2024
2 posts
02-10
DiceCTF 2024 Quals -- boogie-woogie
boogie-woogie was a pwn challenge in DiceCTF 2024 Quals with a .data relative byte swap primitive. Exploitation takes advantage of weak heap ASLR and a heap corruption technique which can put a chunk into unsorted bins (and thus storing a libc pointer in the heap) during normal malloc/free of the scanf scratch buffer
01-13
Battelle @ Shmoocon 2024 -- Time Jump Planner
Time Jump Planner was a pwn challenge from the Battelle booth at Shmoocon 2024. It was a stack buffer overflow challenge with a shadow stack to prevent ROP. Exploitation uses "GOT Oriented Programming", a code-reuse technique which works by chaining together gadgets terminating in a call to a GOT entry.
2023
2 posts
12-28
Potluck CTF 2023 -- Cake of Paranoia
Cake of Paranoia was a multi-stage docker-inside-nspawn sandbox escape challenge at Potluck CTF 2023 The first stage (docker->nspawn) involves a leaked ssh key from a home directory mapped in both. The second stage (nspawn->vm) is escaped with an unintended solution -- systemd mounts procfs as read-only but with mount capabilities it can be remounted writably.
10-14
WreckCTF 2023
Blind format string oneshot
2022
2 posts
03-13
UTCTF 2022
I cleared pwn in UTCTF 2022 with the Texas A&M Cybersecurity club placing in 23rd :) There were three challenges -- an automatic exploit challenge, a stack bof+fmt string vuln, and unchecked write kernel driver.
01-07
Battelle Winter CTF 2022 -- Holy Grail of ROP
Holy Grail of ROP was an automatic exploitation challenge in the 2022 Battelle Winter CTF. It provided five randomly generated vulnerable binaries and players needed to solve each within a timeout to get the flag. I use the library angr to automatically detect how to trigger buffer overflows and a partial GOT overwrite to access a syscall gadget for leaking.