House of leamon🍋

这是2017年CUIT校赛的压轴题，(我)第一次遇到的overwrite global_max_fast的手法，~(≧▽≦)/~

vulnerability
unexpected
expected

$ pwn500 file pwn500 
pwn500: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=6901fcf15a1121a560954c0d395e54bbc16d698b, stripped
➜  pwn500 checksec pwn500 
[*] '/home/xing/CTF/2017/2017_CUIT/pwn/House of Lemon/workspace/pwn500/pwn500'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled

$ pwn500 file pwn500

pwn500: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=6901fcf15a1121a560954c0d395e54bbc16d698b, stripped

➜ pwn500 checksec pwn500

[*] '/home/xing/CTF/2017/2017_CUIT/pwn/House of Lemon/workspace/pwn500/pwn500'

Arch: amd64-64-little

RELRO: Full RELRO

Stack: Canary found

NX: NX enabled

PIE: PIE enabled

Continue reading →

LCTF2017 2ez4u

vulnerability
method1
method2
method3
method4

之前一直听说的很经典的一个题目，最近才补了它。
做这道题目确实需要比较深的heap分配的功底,尤其是对大的chunk，large chunk，unsorted bin chunk。

具体来看看这个题目，这个题目利用到了一个新的方式应当称之为Larger bin dup，但也同样有非预期解法。

Continue reading →

CISCN 2019 Pwn

It have been really a long time since the last time I updated my blog. I have been fall into disuse for a year and reduced to a cheerleader completely /(ㄒoㄒ)/~~.
So I should keep my blog updated and now here I am, as a newbie to open my writeup for ciscn-2019.

your-pwn
daily
double
baby_pwn
virtual
bms

Continue reading →

SuCTF2018 Pwn Writeup

lock2
note
heap
noend
heapprint

最近毕业的事情很多，wp耽误了很长时间。
Heapprint 与 Noend 是收获很大的两个题目，感谢Ne0师傅

Continue reading →

HITB-GSEC-XCTF 2018 Pwn-Writeup

babypwn
once
d
gundam
Mutepig

Last week , HITB-GSEC-XCTF.
We solved four PWN problems and work out another MutiPig after the game.
Now I'll make a record and summary.

Continue reading →

2018强网杯QWB Writeup

silent
silent2
raisepig
gamebox
opm
note

Keep writing in English, sorry for it's title contains chinese :-D,beause I can't find appropriate words to describe this three chinese characters.

Excellent capture the flag game by examiners.
I accomplished six pwn problems fortunately.
Now I‘ll make a short record and summary.

Continue reading →

N1CTF 2018

vote
beeper
null

N1ctf 2018 was an outstanding capture the flag game.
Under the guidance of upperclassmen, I win three PWN easy probrems with half a heart.Keep learning…… Orz….

Continue reading →

Pwnable.tw secretgarden

Reverse
Exploit

Use after free vulnerability
在做出本题目之后，在Pwnable.tw上看其他师傅的wp，简直把heap玩出了花，原本一个不算复杂的Fastbin attack，竟然能够写到main_arena，IO_stdout，stack，realloc_hook中，各种姿势，让我受益匪浅，真是人外有人，天外有天。于是，特意总结了一下所有wp的基本姿势，总结在Blog中。

Continue reading →

Pwnable.tw secret_of_my_heart

➜  workspace file secret_of_my_heart
secret_of_my_heart: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=123aede7094ecfa8f50b3b34f3b9c754835d4e25, stripped
➜  workspace checksec secret_of_my_heart
[*] '/Users/apple/Binary/CTF/Shooting/pwnable.tw/secret_of_my_heart/workspace/secret_of_my_heart'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
    FORTIFY:  Enabled

➜ workspace file secret_of_my_heart

secret_of_my_heart: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=123aede7094ecfa8f50b3b34f3b9c754835d4e25, stripped

➜ workspace checksec secret_of_my_heart

[*] '/Users/apple/Binary/CTF/Shooting/pwnable.tw/secret_of_my_heart/workspace/secret_of_my_heart'

Arch: amd64-64-little

RELRO: Full RELRO

Stack: Canary found

NX: NX enabled

PIE: PIE enabled

FORTIFY: Enabled

Off-by-Null
利用方式:
Poison null byte + House of spirit

Continue reading →

Pwnable.tw Babystack-Deathnote-Alivenote

babystack
Deathnote
Alivenote

Continue reading →

Ret2Forever

Make familiar, unfamiliar; Make unfamiliar familiar

Post Category → Pwn

House of leamon🍋

LCTF2017 2ez4u

CISCN 2019 Pwn

SuCTF2018 Pwn Writeup

HITB-GSEC-XCTF 2018 Pwn-Writeup

2018强网杯QWB Writeup

N1CTF 2018

Pwnable.tw secretgarden

Pwnable.tw secret_of_my_heart

Pwnable.tw Babystack-Deathnote-Alivenote