Posts by Category

Binary Exploitation

Pwnable.kr - asm

This challenge is asking for x64 shellcode to read the flag file, it's using some `seccomp rules` to limit us to only...

2 minute read

Pwnable.kr - uaf

If you don't know enough about these topics or need a refresher, see the references at the end. This challenge is abo...

4 minute read

Pwnable.kr - cmd2

This challenge has more restrictions, the biggest one is filtering forward slash `/`, this will prevent us from execu...

1 minute read

Pwnable.kr - cmd1

The next two challenges (cmd1 and cmd2) are about bypassing input filters to execute a command. First it changes the ...

1 minute read

Pwnable.kr - lotto

The game asks for 6 bytes and compares them with 6 random bytes in the range [1-45], if the number of matches is 6 we...

1 minute read

Pwnable.kr - blackjack

In this challenge we have a simple blackjack game source code and we have to find a bug in it that will make us milli...

1 minute read

Pwnable.kr - coin1

In this challenge we are not given any binary or source code, it's just a netcat connection: $ nc pwnable.kr 9007...

3 minute read

Pwnable.kr - shellshock

The challenge represents the very well known vulnerability `CVE-2014-6271` also known as `shellshock`. I won't go int...

less than 1 minute read

Pwnable.kr - mistake

This challenge requires some observation. First it opens `/home/mistake/password` then it reads from it (supposedly) ...

1 minute read

Pwnable.kr - leg

This is a simple arm challenge. It compares the input key with the sum of 3 functions, we are also given the assembly...

2 minute read

Pwnable.kr - input

The challenge tests your ability to feed input to different sources. Stage 1 (command line args): argc (num of argum...

3 minute read

Pwnable.kr - random

This challenge focuses on pseudo-random number generators, the randomness of the generated numbers depends on the `se...

less than 1 minute read

Pwnable.kr - passcode

This challenge was a bit frustrating at first so let's go easy. First there is a call to `welcome()` which takes 100 ...

5 minute read

Pwnable.kr - flag

This challenge is just a simple reverse engineering task, from the challenge description we can guess that the binary...

less than 1 minute read

Pwnable.kr - bof

This is a classic buffer overflow challenge, the code reads user input and stores it in a 32-byte array using `gets(...

1 minute read

Pwnable.kr - collision

This challenge takes a 20-byte passcode as input then checks it against some hashcode, if it's the same we get the f...

1 minute read

Pwnable.kr - fd

This challenge takes one command line argument, converts the argument to an integer and subtracts 0x1234 from it. Th...

1 minute read

Phoenix - Final One

If you take a quick look at the code you can spot the format string bug in **logit** function, let's trace back to fi...

4 minute read

Phoenix - Final Zero

This level has a classic stack buffer overflow through **gets** function, so we inject our shellcode in the buffer th...

4 minute read

Phoenix - Net Two

This level gets 64 random bytes and stores them in **quad** then it loops over **quad** 8 bytes at a time and adds th...

1 minute read

Phoenix - Net One

This code generates a 4-byte random integer and sends it to the receiver as raw bytes. The goal here is to convert the...

1 minute read

Phoenix - Net Zero

The goal of this level is to read a random number from a server (localhost in this case) and send it back in little e...

1 minute read

Phoenix - Heap Three

This level is by far the hardest one and I learned a lot from it, I really encourage you to read through the referenc...

9 minute read

Phoenix - Heap Two

This is a classic use-after-free (**UAF**) exploit, if we enter **"auth AAAA"** the code allocates memory and stores i...

3 minute read

Phoenix - Heap One

This code uses **strcpy** without size checking just like the previous level, but there is no function pointer here ...

2 minute read

Phoenix - Heap Zero

To learn more about heap exploitation, see the references at the end. We will work with the **32bit** binaries for th...

1 minute read

Phoenix - Format Four

The idea of this level is the same as the previous one but instead of overwriting a variable we overwrite the **GOT**...

3 minute read

Phoenix - Format Three

This level has the same issue as the previous one so we will solve the 32bit version. The goal of this level is to wr...

4 minute read

Phoenix - Format Two

The goal of this level is to use the format string vulnerability to write to a memory address **changeme**...

2 minute read

Phoenix - Format One

This level is the same as the last one except that we need to set **changeme** to a specific value **0x45764f6c** instea...

less than 1 minute read

Phoenix - Format Zero

To learn about format string vulnerability see the references at the end. This code uses **sprintf** function to writ...

2 minute read

Phoenix - Stack Six

This level exploits a 1-byte buffer overflow, to learn more about it read the references at the end. This code read...

5 minute read

Phoenix - Stack Five

Here we don't have any function to jump to but we have a buffer large enough to fit a shellcode. The idea is to put o...

2 minute read

Phoenix - Stack Four

The goal of this level is to overwrite the return address of **start_level** function to return to **complete_level**...

1 minute read

Phoenix - Stack Three

The goal of this challenge is to overwrite the value of **fp** which is a function pointer to point to **complete_le...

1 minute read

Phoenix - Stack Two

This level is identical to the previous one except that we need to put the exploit in **ExploitEducation** environmen...

less than 1 minute read

Phoenix - Stack One

This code uses the **strcpy** function which is dangerous because the source could be larger than the destination. Th...

1 minute read

Phoenix - Stack Zero

The code uses the **gets** function which can take input longer than the buffer, hence the exploit :) This level only as...

less than 1 minute read

Malware Analysis

CTF Writeups

Tutorials
