During the weekend I played 0CTF 2017 Quals - we finished 15th and therefore sadly didn't qualify. The CTF it self was pretty fun since the tasks had always a non-standard factor in them that forced you to explore new areas of a seemingly well known domain. In the end I solved 4 tasks myself (EasiestPrintf, char, complicated xss and UploadCenter) and put down write-ups for them during breaks I took at the CTF.

*** EasiestPrintf (pwn)
http://blog.dragonsector.pl/2017/03/0ctf-2017-easiestprintf-pwn-150.html
You've got printf(buf) followed by an exit(0), an unknown stack location and non-writable .got - this was was mostly about finding a way to get EIP control (and there were multiple ways to do it).

*** char (shellcoding)
http://blog.dragonsector.pl/2017/03/0ctf-2017-char-shellcoding-132.html
ASCII ROP, i.e. only character codes from the 33-126 range were allowed.

*** Complicated XSS (web)
http://blog.dragonsector.pl/2017/03/0ctf-2017-complicated-xss-web-177.html
XSS on a subdomain, mini-JS sandbox and file upload.

*** UploadCenter (pwn)
http://blog.dragonsector.pl/2017/03/0ctf-2017-uploadcenter-pwn-523.html
A controlled mismatch of size passed to mmap and munmap.

I've added my exploits to the write-ups as well.

That's it.

Add a comment:

Nick:
URL (optional):
Math captcha: 2 ∗ 6 + 2 =