TBTL CTF 2024 Challenge Writeups 4x Web 5x Pwn

  • Published 8 Jun 2024
  • 00:00 Intro
    00:34 web/butterfly
    02:30 web/talk-to-you
    03:20 web/rnd-for-data-science
    08:00 web/mexico-city-tour
    13:15 pwn/enough-with-the-averages
    16:32 pwn/a-day-at-the-races
    21:08 pwn/diamonds-and-rust
    23:38 pwn/heap-peek-and-poke
    36:15 pwn/squeezing-tightly-on-arm
    39:37 Outro
  • Science & Technology

COMMENTS • 14

  • @failcharger 27 days ago +3

    My guy you have some of the best writeups. Every CTF I wait for your vid to drop

  • @markuche1337 25 days ago

    Awesome 😁

  • @daniel01045 26 days ago

    For enough-with-the-averages I tried solving it with passing 'a' as the invalid input but thought it's impossible to calculate this way, but then my friend solved it with 'a' so...
    very cool to learn that a plus sign counts as invalid input but also flushes the buffer :)

  • @danielfoudeh5915 26 days ago

    Quality stuff, keep it up!

  • @shunt7819 26 days ago

    Nice writeup!! I had tcache poisoning in mind but 23:38 I solved it by overwriting a vtable ptr in bss. Got arb read by overwriting the ptr at 0xf0 after the string, but arb write was limited to bss and heap in my case. Didn't want to do it the heap way cause I didn't have a proper pwndbg setup lol.

  • @TodiDiang 27 days ago

    15:30 Why use + for bypassing the scanf()? How does that work? Do you have any useful docs about that?

    • @SloppyJoePirates 27 days ago

      Hey @TodiDiang! We just need a character that doesn't match "%d" (integer), so that scanf doesn't change the underlying memory address (&score[i]). But we also want it to "eat" the character from the input buffer, and scanf "eats" the '+' symbol (I'd guess because '+1' would be valid input). If you use an 'a' or something, I believe the 'a' stays on the input buffer, and so all the scanf's quickly fail in succession because each one eats nothing, fails, then goes to the next round which also fails and eats nothing.
      My understanding could be off, I don't have any resources on the topic, just what I've seen from playing.

    • @_2xfree 26 days ago

      @SloppyJoePirates "But we also want it to "eat" the character from the input buffer", yeah that is what I spent a lot of time on haha, I was doing it with 'a' for a long time and was then trying to calculate each value on the stack based on the values that came after it, which was mathematically correct but infeasible because of floating point imprecision in practice, then I used '-' instead of 'a' and it worked like magic.
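
The scanf behaviour discussed in this thread, shown as an added example that is not from the video or from any commenter: an unchecked `%d` loop beside a version that checks the return value. The names `read_unchecked`, `read_checked` and `STALE` are hypothetical, the input strings are constructed, and the results assume glibc's scanf.

```c
#include <stdio.h>

#define STALE 0x41414141 /* constructed stand-in for leftover stack data */

/* Load `input` into a temporary stream so fscanf reads it like stdin. */
static FILE *stream_of(const char *input) {
    FILE *f = tmpfile();
    if (f) { fputs(input, f); rewind(f); }
    return f;
}

/* Unchecked loop: the result of each "%d" conversion is ignored, so a
 * failed match leaves scores[i] untouched. Returns how many slots still
 * hold STALE afterwards, or -1 if the stream could not be created. */
int read_unchecked(const char *input, int *scores, int n) {
    FILE *f = stream_of(input);
    int stale = 0;
    if (!f) return -1;
    for (int i = 0; i < n; i++) scores[i] = STALE;
    for (int i = 0; i < n; i++) {
        int rc = fscanf(f, "%d", &scores[i]);
        (void)rc; /* deliberately ignored: this is the defect */
    }
    for (int i = 0; i < n; i++) stale += (scores[i] == STALE);
    fclose(f);
    return stale;
}

/* Hardened loop: every conversion must succeed, otherwise the whole
 * array is zeroed and -1 is returned. Returns n on success. */
int read_checked(const char *input, int *scores, int n) {
    FILE *f = stream_of(input);
    int ok = (f != NULL);
    for (int i = 0; ok && i < n; i++)
        ok = (fscanf(f, "%d", &scores[i]) == 1);
    if (!ok) for (int i = 0; i < n; i++) scores[i] = 0;
    if (f) fclose(f);
    return ok ? n : -1;
}

int main(void) {
    int s[3], stale;
    stale = read_unchecked("+ + 7\n", s, 3);
    printf("'+': %d stale, s[2]=%d\n", stale, s[2]);
    stale = read_unchecked("a a 7\n", s, 3);
    printf("'a': %d stale, s[2]=%d\n", stale, s[2]);
    printf("checked: %d\n", read_checked("+ + 7\n", s, 3));
    return 0;
}
```

With `+` or `-` each failed conversion consumes the sign, so the third call reaches the `7`; with `a` the same byte is pushed back every time and no later slot is ever written.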

  • @r3plican 26 days ago

    when u continue the series about pwn?

    • @SloppyJoePirates 23 days ago

      Hey @r3plican, I won't be continuing CTF Cookbook. But the next Security Topics video series will contain some pwn videos!

  • @Xeno881 26 days ago

    Format String Vulnerability in pwn, can you teach?

    • @SloppyJoePirates 23 days ago

      I'd recommend checking out pwn.college, they have some videos and a set of challenges to practice with!