Right before the end of 2020 I completed the Holiday Hack Challenge 2020. Though it’s obviously not the first time this conference took place, it was the first time I participated. Below is my write-up of the primary objectives along with a selection of side-challenges.

Objectives:
Uncover Santa’s Gift List
Investigate S3 Bucket
Point-of-Sale Password Recovery
Operate the Santavator
Open HID Lock
Splunk Challenge
Solve the Sleigh’s CAN-D-BUS
Broken Tag Generator
ARP Shenanigans
Defeat Fingerprint Sensor
Naughty/Nice List with Blockchain Investigation (part 1, part 2)

Challenges:
Whilst working through angr_ctf in order to properly dive into Angr, there was one exercise which required the use of a symbolic filesystem, with a SimFile backed by symbolic memory. This particular challenge requires a specific input to be present in the input file, which then acts as the password. The filename can be quickly looked up in the binary; the contents, however, will be made symbolic so we can solve for them.
This year I participated in the Brixel CTF winter edition along with another player from the Darknet Diaries Discord community. Despite some stability issues on the server side, this CTF had some fun puzzles, although some more challenging puzzles would be appreciated for a future installment. Below is my write-up of a few of them – I ended up solving a few more, but I didn’t keep any notes on those.
It was while watching Bryan Cantrill’s presentation “The Soul of a New Machine” [1] that my interest in RISC-V was piqued. I vaguely remember looking at RISC-V a while ago, but at the time hardware wasn’t readily available unless you had an FPGA to run it on. Nowadays there’s ample choice of both 32-bit and 64-bit hardware to buy.

No RISC, no fun

First off, a very brief introduction to RISC-V and the different extensions which are available.
As part of this course, the first assignment is to create a working exploit against NetSetMan 4.7.1 using a buffer overflow vulnerability. If you wish to follow along, the installer can be found on Exploit-DB. Additionally, I’m using a Windows XP SP3 (EN) VM, making this a no-ASLR, 32-bit setup.

Fuzzing

Since the assignment doesn’t state where or how to trigger the overflow, we have to fuzz it first, and as the application doesn’t expose any network ports, this reduces the attack surface to either importing profiles or freeform text input.