CTF Writeups

pwn

Challenge NameCTF NameKeywordsSummary
generic-rop-challengeImaginaryCTF 2023aarch64, ARM64, ROP, ret2csuret2csu on aarch64 architecture
bofwwCakeCTF 2023bof, cppBuffer overflow into arbitrary address write via std::string operator=
Memorial CabbageCakeCTF 2023insecure libc functionmkdtemp return value lives in the stack instead of heap which allow us to overwrite it
Glacier RatingGlacierCTF 2023heap, cpp, tcache poisoning, double free, fastbin dupDouble free into tcache poisoning
Hack The Binary 1PwC CTF: Hack A Day 2023 - Securing AIoobArray OOB read
Hack The Binary 2PwC CTF: Hack A Day 2023 - Securing AIformat string, ROPFormat string to defeat ASLR, ROP to get RCE
ezv8 revengebi0sCTF 2024pwn, browser, V8, type confusion, V8 sandbox, wasmCVE-2020-6418 on V8 version 12.2.0 (970c2bf28ddb93dc17d22d83bd5cef3c85c5f6c5, 2023-12-27); shellcode execution via wasm instance object
osu-v8osu!gaming CTF 2024pwn, browser, V8, V8 garbage collection, UAF, V8 sandbox, wasmCVE-2022-1310 on V8 version 12.2.0 (8cf17a14a78cc1276eb42e1b4bb699f705675530, 2024-01-04); UAF on RegExp().lastIndex; shellcode execution via wasm instance object
mixtpeailbcb01lers CTF 2024custom VM, oobcustom VM with instructions to swap instruction handlers and registers without bound checking, using swap registers to leak libc address and swap instruction handlers to spawn a shell

web

Challenge NameCTF NameKeywordsSummary
PHP Code Review 1PwC CTF: Hack A Day 2023 - Securing AIphpLeveraging Google search box to capture the flag
PHP Code Review 2PwC CTF: Hack A Day 2023 - Securing AIphpTriggerring error to reach catch block
WarmupWargames.MY CTF 2023php, RCE, LFILFI to RCE via PHP PEARCMD
StatusWargames.MY CTF 2023php, k8s, nginx, off-by-slashRetrieve nginx config file from k8s configmaps
SecretWargames.MY CTF 2023k8s, HashiCorp VaultRead secret from HashiCorp vault using the vault CLI and using nginx off-by-slash