Posts by Category
Binary Exploitation
Pwnable.kr - asm
This challenge is asking for x64 shellcode to read the flag file, it's using some `seccomp rules` to limit us to only...
Pwnable.kr - uaf
If you don't know enough about these topics or need a refresher, see the references at the end. This challenge is abo...
Pwnable.kr - cmd2
This challenge has more restrictions; the biggest one is filtering the forward slash `/`, which will prevent us from execu...
Pwnable.kr - cmd1
The next two challenges (cmd1 and cmd2) are about bypassing input filters to execute a command. First it changes the ...
Pwnable.kr - lotto
The game asks for 6 bytes and compares them with 6 random bytes in the range [1-45], if the number of matches is 6 we...
Pwnable.kr - blackjack
In this challenge we have a simple blackjack game source code and we have to find a bug in it that will make us milli...
Pwnable.kr - coin1
In this challenge we are not given any binary or source code, it's just a netcat connection: $ nc pwnable.kr 9007...
Pwnable.kr - shellshock
The challenge represents the very well known vulnerability `CVE-2014-6271` also known as `shellshock`. I won't go int...
Pwnable.kr - mistake
This challenge requires some observation. First it opens `/home/mistake/password`, then it reads from it (supposedly) ...
Pwnable.kr - leg
This is a simple ARM challenge. It compares the input key with the sum of 3 functions; we are also given the assembly...
Pwnable.kr - input
The challenge tests your ability to feed input to different sources. Stage 1 (command line args): argc (num of argum...
Pwnable.kr - random
This challenge focuses on pseudo-random number generators, the randomness of the generated numbers depends on the `se...
Pwnable.kr - passcode
This challenge was a bit frustrating at first so let's go easy. First there is a call to `welcome()` which takes 100 ...
Pwnable.kr - flag
This challenge is just a simple reverse engineering task, from the challenge description we can guess that the binary...
Pwnable.kr - bof
This is a classic buffer overflow challenge: the code reads user input and stores it in a 32-byte array using `gets(...
Pwnable.kr - collision
This challenge takes a 20-byte passcode as input, then checks it against some hashcode; if it's the same we get the f...
Pwnable.kr - fd
This challenge takes one command line argument, converts the argument to an integer and subtracts 0x1234 from it. Th...
Phoenix - Final One
If you take a quick look at the code you can spot the format string bug in **logit** function, let's trace back to fi...
Phoenix - Final Zero
This level has a classic stack buffer overflow through **gets** function, so we inject our shellcode in the buffer th...
Phoenix - Net Two
This level gets 64 random bytes and stores them in **quad** then it loops over **quad** 8 bytes at a time and adds th...
Phoenix - Net One
This code generates a 4-byte random integer and sends it to the receiver as raw bytes. The goal here is to convert the...
Phoenix - Net Zero
The goal of this level is to read a random number from a server (localhost in this case) and send it back in little e...
Phoenix - Heap Three
This level is by far the hardest one and I learned a lot from it, I really encourage you to read through the referenc...
Phoenix - Heap Two
This is a classic use-after-free (**UAF**) exploit: if we enter **"auth AAAA"** the code allocates memory and stores i...
Phoenix - Heap One
This code uses **strcpy** without size checking just like the previous level, but there is no function pointer here ...
Phoenix - Heap Zero
To learn more about heap exploitation, see the references at the end. We will work with the **32bit** binaries for th...
Phoenix - Format Four
The idea of this level is the same as the previous one but instead of overwriting a variable we overwrite the **GOT**...
Phoenix - Format Three
This level has the same issue as the previous one so we will solve the 32bit version. The goal of this level is to wr...
Phoenix - Format Two
The goal of this level is to use the format string vulnerability to write to a memory address **changeme**...
Phoenix - Format One
This level is the same as the last one except that we need to set **changeme** to a specific value **0x45764f6c** instea...
Phoenix - Format Zero
To learn about format string vulnerability see the references at the end. This code uses **sprintf** function to writ...
Phoenix - Stack Six
This level exploits the 1-byte buffer overflow; to learn more about it read the references at the end. This code read...
Phoenix - Stack Five
Here we don't have any function to jump to but we have a buffer large enough to fit a shellcode. The idea is to put o...
Phoenix - Stack Four
The goal of this level is to overwrite the return address of **start_level** function to return to **complete_level**...
Phoenix - Stack Three
The goal of this challenge is to overwrite the value of **fp**, which is a function pointer, to point to **complete_le...
Phoenix - Stack Two
This level is identical to the previous one except that we need to put the exploit in **ExploitEducation** environmen...
Phoenix - Stack One
This code uses **strcpy** function which is dangerous because the source size could be more than destination size. Th...
Phoenix - Stack Zero
The code uses **gets** function which can take input more than buffer length, hence the exploit :) This level only as...
Malware Analysis
Deep Analysis of GCleaner
GCleaner is a Pay-Per-Install (PPI) loader first discovered in early 2019, it has been used to deploy other malicious...
Deep Analysis of QBot Banking Trojan
Qbot is a modular information stealer also known as Qakbot. It has been active for years since 2007. It has...
Deep Analysis of Anubis Banking Malware
Anubis is a well known android banking malware. Although it hasn't been around for long, it had...
Deep Analysis of SmokeLoader
SmokeLoader is a well known bot that has been around since 2011. It's mainly used to drop other malware families...
Deep Analysis of Ryuk Ransomware
Ryuk has been known to be a part of a bigger "Triple Threat" attack that involves Emotet and TrickBot. The first stage...
Deep Analysis of RogueRobin Trojan (DarkHydrus APT)
The first stage of this malware is an excel document with a `macro`, it asks to click `Enable Content` to run the mac...
Deep Analysis of Phobos Ransomware
First I loaded the binary into pestudio. We can see some interesting imports with different functionalities like: file...
Deep Analysis of KSLØT Keylogger (Turla APT)
First I used **DIE** to see what type of binary we have. It seems that it's a 64-bit DLL. Next I loaded the DLL into ...
CTF Writeups
MemLabs - Lab6
Note: This challenge is composed of 1 flag. The flag format for this lab is: inctf{s0me_l33t_Str1ng}...
MemLabs - Lab5
This challenge is composed of 2 flags but do you really think so? Maybe a little flag is hiding somewhere. Note: Ther...
MemLabs - Lab4
My system was recently compromised. The Hacker stole a lot of information but he also deleted a very important file ...
MemLabs - Lab3
A malicious script encrypted a very secret piece of information I had on my system. Can you recover the information f...
MemLabs - Lab2
One of the clients of our company, lost the access to his system due to an unknown error. He is supposedly a very po...
MemLabs - Lab1
MemLabs is an educational, introductory set of CTF-styled challenges which is aimed to encourage students, security r...
UTCTF 2020 - IR
Tutorials
Dotnet String Decryptor
Welcome back! This is a short blog about reverse engineering dotnet malware. When working with dotnet malware samples...
Writing x64dbg plugins
In the previous post we talked about writing x64dbg scripts, now let's dive deeper and write our own plugin to do the...
Writing x64dbg scripts
x64dbg is an open-source x64/x32 debugger for Windows; it has dozens of features that make the life of reverse engine...
YARA for config extraction
YARA is a tool aimed at helping malware researchers to identify and classify malware samples. It's considered...
Qiling For Malware Analysis: Part 2
In the first part we talked about the basics of Qiling (you can find it here). Now it's time for some real...
Qiling For Malware Analysis: Part 1
Qiling is an advanced binary emulation framework written in Python and based on Unicorn...