Defcon 23 CTF Quals 2015 – Babycmd writeup

The babycmd challenge was an x64 ELF binary supporting 4 commands: ping, dig, host, and exit. In the case of ping, dig and host, it just calls the corresponding binary with a user-controlled argument.

This binary uses signal(2) 0xE (SIGALRM – Timer signal from alarm(2)) and alarm() in order to terminate the process after 45 seconds. This was a bit annoying while working on this binary, so I replaced the original argument 0x2d for alarm() with a 0; as explained in the alarm(2) documentation, if the seconds argument is 0, no new alarm is scheduled.

Original code:

.text:0000000000001267                 mov     edi, 0Eh
.text:000000000000126C                 call    _signal
.text:0000000000001271                 mov     edi, 0x2d
.text:0000000000001276                 call    _alarm

Patched code:

.text:0000000000001267                 mov     edi, 0Eh
.text:000000000000126C                 call    _signal
.text:0000000000001271                 mov     edi, 0
.text:0000000000001276                 call    _alarm

For all the supported commands, this program does some basic validation of the user-provided argument before calling the corresponding binary. This filter is a kind of blacklist which rejects user input if it contains characters like “&”, “;” and “|”, which may be abused to inject OS commands. You should note that this function also removes spaces (char 0x20) from the user input.

validate_input
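
The filter described above rejects three characters and strips spaces, so any other character reaches the called program unchanged. The sketch below is an added example, not code from the challenge binary or the original post: it models that denylist and sets it beside an allowlist for hostnames plus a call that passes the value as a single argv entry. The function names, the hostname policy and the sample inputs are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Model of the filter as described (not the binary's code): reject '&', ';', '|', drop spaces. */
int denylist_filter(const char *in, char *out, size_t outlen) {
    size_t j = 0;
    if (outlen == 0) return -1;
    for (; *in; in++) {
        if (strchr("&;|", *in)) return -1;      /* rejected outright */
        if (*in == ' ') continue;               /* silently removed */
        if (j + 1 >= outlen) return -1;
        out[j++] = *in;                         /* everything else passes */
    }
    out[j] = '\0';
    return 0;
}

/* Allowlist (assumed policy): dot-separated labels of 1..63 letters, digits or '-',
 * no label starting or ending with '-', at most 253 bytes in total. */
int is_valid_hostname(const char *s) {
    size_t len = strlen(s), label = 0;
    if (len == 0 || len > 253) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '.') {
            if (label == 0 || s[i - 1] == '-') return 0;
            label = 0;
        } else if (isalnum(c) || c == '-') {
            if (c == '-' && label == 0) return 0;
            if (++label > 63) return 0;
        } else return 0;
    }
    return label > 0 && s[len - 1] != '-';
}

/* Hardened call: validated value handed over as a single argv entry, no shell. */
int run_tool(const char *tool, const char *host) {
    if (!is_valid_hostname(host)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execlp(tool, tool, host, (char *)NULL); _exit(127); }
    int status;
    return waitpid(pid, &status, 0) < 0 ? -1 : status;
}

/* Constructed inputs: prints "1 0". */
int main(void) { printf("%d %d\n", is_valid_hostname("example.com"), is_valid_hostname("exa#mple.com")); return 0; }
```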


CSAW CTF 2012 Quals: Write-ups

CSAW CTF 2012 Quals is over. As always, thanks go to my teammate Archie.
In my opinion there were too many too-easy levels. Here you have the write-ups for the challenges we managed to solve:

Trivia

  • Trivia1 – 100 Points

What is the first step of owning a target?

Answer: recon

  • Trivia2 – 100 Points

What is the name of Google’s dynamic malware analysis tool for Android applications?

Answer: bouncer

  • Trivia3 – 100 Points

What is the x86 opcode for and al, 0x24? Put your answer in the form 0xFFFF.

Answer: 0x2424

  • Trivia4 – 100 Points

Who was the first security researcher to publish the DEP bypass that utilized WriteProcessMemory()?

Answer: Spencer Pratt

  • Trivia5 – 100 Points

What is the name of Microsoft’s sophisticated distributed fuzzing system that utilizes automated debugging, taint analysis, model building, and constraint solving?

Answer: SAGE

Defcon 20 CTF Prequals 2012 – Forensics 300 Writeup

So Defcon 20 CTF Prequals 2012 has finished! As in PlaidCTF, I’d like to say thank you to my teammate, Archie!

Let’s start with the Forensics 300 writeup.

The description of the challenge was just “Please get my key back!”, and we were provided with a file named for300-47106ef450c4d70ae95212b93f11d05d.

Let’s start examining the file:


francisco@sherminator:~/Downloads$ file for300-47106ef450c4d70ae95212b93f11d05d
for300-47106ef450c4d70ae95212b93f11d05d: data
