-
Cyber Apocalypse 2021: Backdoor
2021-04-25
Note: I did not solve this challenge until after the CTF had officially ended. File shows that bd is a stripped binary, which can make reversing a bit harder. $ file bd bd: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=1da3a1d77c7109ce6444919f4a15e7e6c63d02fa, stripped Nothing relevant shows up in strings, though it’s interesting to note the size of the binary. Once opened in Ghidra, an interesting section can be seen in the program tree.…
-
Cyber Apocalypse 2021: Passphrase
2021-04-25
Passphrase is an ELF 64-bit executable. It is dynamically linked and is not stripped for debug symbols. $ file passphrase passphrase: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=60f6b6064d2e34a2b6a24dda9feb943b0b8c360f, not stripped Strings doesn’t reveal a whole lot of info. The binary prompts for a “secret passphrase”. If it is correct, it asks that a message, presumably the flag, be taken to the chief.…
-
Cyber Apocalypse 2021: Authenticator
2021-04-25
Authenticator is an ELF 64-bit executable. It is dynamically linked and is not stripped for debug symbols. $ file authenticator authenticator: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=66286657ca5a06147189b419238b2971b11c72db, not stripped Strings shows a lot of standard stuff and a few things that are likely directly related to this challenge. There are a couple of what seem to be dialog lines, mention of a flag and a rather strange sequence of, }a:Vh|}a:g}8j=}89gV<p<}:dV8<Vg9}V<9V<:j|{:.…
-
UIUCTF Kernel_Memory_Leak
2020-07-20
Kernel_Memory_Leak The kernel is leaking memory to the user! That's probably not good, right? One of the syscalls can be convinced to leak the kernel stack. Find the leak and you'll receive a flag. Keep leaking kernel secrets until you see the }. (Hint: finding the leak is half the battle, getting it to leak the entire flag requires some outside the box thinking) Author: ravi Disclaimer I was unable to solve this challenge until after the CTF had officially ended.…
-
UIUCTF Whats_A_Syscall
2020-07-20
Whats_A_Syscall? Challenge Description Syscall 14 is known as "SANDBOX_SPECIAL"... I wonder if that would be useful here. You'll be stuck in a never ending loop of binexec until you perform syscall 14. To learn about syscalls and how they work in pwnyOS, check out the documentation! System Calls in pwnyOS: https://github.com/sigpwny/pwnyOS-2020-docs/blob/master/Syscalls.pdf Author: ravi Solution We start out with a welcome screen and are told that we are in a sandbox.…
-
UIUCTF Time_To_Start
2020-07-20
Time_To_Start Challenge Description Welcome to pwnyOS!! pwnyOS is a custom x86 operating system that supports link-time kASLR, multitasking and kernel threads, execution of genuine ELF files, a realtime high resolution graphics engine, and a custom hierarchical file system. This OS was written from the ground up with its use as a challenge for UIUCTF 2020 in mind. All source code in the OS is 100% custom handwritten C and assembly- there are no libraries used, and none of its code can be found anywhere online.…