Competition Information
Team Ranking
Challenge Attachments
reverse
Infected Brick
Notes Taken During the Competition
[Full-stack CTFer plan in progress; this article will be continuously updated as I reproduce and study the challenges]
Competition Information
Team Ranking
Rank: 15
Challenge Attachments
reverse
Infected Brick
Notes Taken During the Competition
pwn
debuggable-1
babyrop
Knowledge points tested:
Notes Taken During the Competition
Static Analysis
Vulnerability Analysis
Exploitation Approach
Where I Got Stuck
blargh
Knowledge points tested:
Notes Taken During the Competition
[Full-stack CTFer plan in progress; this article will be continuously updated as I reproduce and study the challenges]
pwn
debuggable-1
babyrop
Knowledge points tested:
Notes Taken During the Competition
The program reads input and then prints it back out.
Static Analysis
main()
gets()
A custom gets() implementation: it reads up to 700 bytes into the buffer pointed to by a1 (s in main); if the read succeeds (v2 > 0), it manually sets the last character of the buffer (at position v2-1) to 0 (the string terminator).
gadgets()
No backdoor function
Output function
The call to print() here actually resolves to puts() in libc.
Vulnerability Analysis
The custom gets() reads up to 700 bytes into s[32], which obviously overflows the buffer.
Exploitation Approach
Clearly a standard ret2libc case.
Where I Got Stuck
Using cyclic to find the overflow offset: offset = ...
Competition Information
Team Ranking
Challenge Attachments
Miscellaneous
Selfie Memory
G-Bee-S
Big Phone
Musical Encounter
Maze Cup
The Cardmaster
web
Press Me If U Can
(1)XSS Lab
Tested: XSS single-tag bypass of multi-tag filters, using // to bypass protocol parsing, JSFuck encoding to bypass keyword and special-character filtering
Post-competition attempts
xss1
xss2
xss3
Post-competition study - solved by
dr.kasbr
xss3
xss4
(1)Blog
Tested: fuzzing approach for an SSRF vulnerability, using 0.0.0.0 to override the original hostname backend for a bypass
Post-competition attempts
Initial look at the web app
fuzz blogid
Post-competition study - solved by
dr.kasbr
ssrf fuzz
Further research
Analyzing the source code to think through the exploit
Casin0ps
Game Boy
Game Boy Advance
Plotwist
Cryptogr ...
Competition Information
Challenge Attachments
web
My First CTF
Tested: recognizing ROT1 encryption
Post-competition study
My Second CTF
Post-competition study
My Third CTF
Fuzzies
Tested: level-by-level fuzzing technique, common knowledge of conventional API design
Competition walkthrough
Initial analysis
Directory fuzzing attempt
api-admin
api-fuzzies
Post-competition study
api-users
fuzz user-id
fuzz user-features
(flag1) fuzz user-existence
(flag2) fuzz admin_passwd
Further exploration of the admin backend
(flag3) fuzz message-id
(flag4) fuzz fuzzy-id
(flag5) fuzz
Summary
Miscellaneous
SSSH
Tested:
Competition walkthrough
Post-competition study
Malware
Verification Clarification
Tested:
Competition walkthrough
Post-competition study
Binary E ...
Sherlock Scenario
Q&A
Sherlock Scenario
A major incident has recently occurred at Forela. Approximately 20 GB
of data were stolen from internal s3 buckets and the attackers are now
extorting Forela. During the root cause analysis, an FTP server was
suspected to be the source of the attack. It was found that this server
was also compromised and some data was stolen, leading to further
compromises throughout the environment. You are provided with a minimal
PCAP file. Your ...
Sherlock Scenario
Q&A
Sherlock Scenario
In this very easy Sherlock, you will familiarize yourself with Unix
auth.log and wtmp logs. We’ll explore a scenario where a Confluence
server was brute-forced via its SSH service. After gaining access to the
server, the attacker performed additional activities, which we can track
using auth.log. Although auth.log is primarily used for brute-force
analysis, we will delve into the full potential of this ar ...
Description
Introduction
What is the heap
Types of memory that exist in different forms
Differences between the heap and the stack
Lifetime
Other alternatives before discussing the heap
mmap()
A smarter approach: the emergence of dynamic memory allocators
Note
What the heap does
How the heap works
Tracing how the data segment is set up
Experiment: tracing heap initialization
Experiment: tracing memory mappings before and after malloc() allocates dynamic memory
Experiment: tracing what happens when malloc() allocates a large amount of memory
Note
Heap risks
How to detect the risks
The tension between heap optimization and security
Causes of heap misuse
Risk: memory leak (Leak)
Risk: memory resource exhaustion
Risk: use after free
Experiment: Use After Free chunk reuse_Input
Risk: memory information disclosure (Disclosure)
The difference between Memory Leak and Memory Disclosure
Experiment: Use After Free chunk reuse_Output
The ultimate risk: heap metadata corruption
House-series heap exploitation: overview
Overlapping memory allocations
...
Description
Introduction
Description
The glibc heap consists of many distinct parts that
balance performance and security. Beyond tcache exists a
memory management system consisting of many interrelated bins and
components. This module explores these components and interactions
between them. By applying advanced heap exploits that “shape” the
internal state of the heap, exploitation primitives can be created. Heap
exploits are complex and ephemeral, frequently changing with libc
v ...