32C3 CTF – Misc 300 – Gurke

This challenge is about Python pickle. The remote script fetches the flag as below:

    class Flag(object):
        def __init__(self):
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.connect(("172.17.0.1", 1234))
            self.flag = s.recv(1024).strip()
            s.close()

    flag = Flag()

Once the Flag class is instantiated, seccomp is used to restrict many syscalls, e.g. socket calls used in…

32C3 CTF – Pwn 200 – Teufel

The binary allocates memory using mmap as below:

    mmap(NULL, 12288, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, 0, 0) = 0x7ffff7ff3000

Then 4096 bytes are given R+W permission:

    mprotect(0x7ffff7ff4000, 4096, PROT_READ|PROT_WRITE) = 0
    mprotect(mmap_address+4096, 4096, PROT_READ|PROT_WRITE) = 0

Then the stack pointer is set to mmap_address+8192. The function at 0x004004E6 allocates a stack as…
