8 Apr 2019
I had a lot of fun and a hard time during this CTF, but the challenges are really awesome. I spent the whole time solving one challenge: Incident Response. In my opinion, this challenge closely resembles a real-life scenario and I’m glad that I’ve learned a lot from it. So here goes the write-up for it!
Incident Response - Misc 1000
1. Memory forensics - Identifying the malicious program
In this challenge, we’re given a network capture and a memory dump of a Windows machine.
20 Jan 2019
Onewrite - Pwn
from __future__ import print_function
from pwn import *
import os

GDBSCRIPT = """
"""
HOST = 'onewrite.teaser.insomnihack.ch'
PORT = 1337
BIN = './onewrite'
PROMPT = "> "
STACK = "1"
PIE = "2"
ADDR = "address : "
DATA = "data : "

e = ELF(BIN)
addrs = {
    'poprax': 0x460ac,
    'poprdxrsi': 0x484e9,
    'poprdi': 0x84fa,
    'syscall': 0x6e605,
    'poprsp': 0x946a
}

if os.environ.has_key('remote'):
    r = remote(HOST, PORT)
else:
    r = process(e.
1 Jan 2019
Web - IQTest2 (unsolved)
Pwn - Easy webserver (unsolved)
Pwn - Babysandbox
Pwn - Babyheap
Pwn - Babyfirst
Web
IQTest2
After looking at the source code, there is a path where we can pollute the $level variable to pass. It has to pass several condition checks:
if (isset($_COOKIE['saved']) && !empty($_COOKIE['saved']) && isset($_COOKIE['hash']) && !empty($_COOKIE['hash'])) {
    $saved = base64_decode($_COOKIE["saved"]);
    $seed = urldecode(substr($saved, 5 ));
}
if( md5($GLOBALS['secret'].
30 Dec 2018
This is my first time participating in C3 CTF. Although I wasn’t able to solve many challenges within the time of the CTF, I still find the challenges really awesome and exciting. I wanted to solve pwnable challenges with the hope to learn more about exploit development of real applications, but ended up solving 2 RE ones. Here is my writeup for them :)
RE - Corebot
This challenge is a 32-bit Windows binary.
29 Jun 2018
It’s this time of the year again and I have the chance to play the CTF held by Hackerone. It has a lot of mobile hacking challenges, and at the same time, I wanted to dive into this. What a good time to learn!
Update 1: I totally forgot the fifth part of the flag in the first challenge while I was writing this. That’s what it’s like rushing a post :)
22 May 2018
GRIMM HAX Combined Challenge
Welcome, Bobby (100pts)
Accessing the website at http://www.haxcorp.grimm-co.com/, we are provided with a login page with username as password. The objective of this level is to log in as admin. Seeing this as a warmup level, I immediately try the following classic SQL injection
And we are in. The flag is GRIMM-BOBBY-TABLES-WOULD-BE-PROUD.
Oh How the Tables have Turned (100pts)
From the description of the challenge, I predicted that this is another SQL injection to find the flag in a different table in the database, especially when we are presented with a search functionality.
16 Dec 2017
This year, I’ve had the chance to participate in the SANS Holiday Hacking Challenge. The first time I did it was last year. I didn’t think it was interesting with real pentesting stuff until I read the writeups, so I decided to start early this year.
Terminal Challenges
Finding Great Book Pages
Things I’ve learned
Terminal Challenges
WINTER WONDER LANDING
Linux command hijacking
Clicking on the terminal, we are presented with the objective: to find elftalkd.
4 Dec 2017
Vietnamese version below
English
The weekend before Thanksgiving, I had the chance to play at Lockdown v3, an incident response competition held at University of Buffalo by UBNetDef.
Overview
This is a defense-only competition. There are 6 people per team. Each team is given access to an infrastructure with basic components of an enterprise network:
- Windows and Linux client machines
- Web server(s)
- Active Directory/DNS server(s)
- FTP server
- Mail server
- Databases
- A router
20 Sep 2017
pwn: pilot (75 pts.) English version here
Vietnamese
This year I had the chance to properly play CSAW CTF, hoping the team would be strong enough to reach the North America finals again. After a year of being enlightened by my seniors (quangltm and tuanit96), I managed to get through a few fairly basic challenges.
This is the first challenge I owned during the competition. It is a basic buffer overflow challenge.