reality check

You’re being interrogated in the enemy’s headquarters. Fake it and get out of there alive, without telling them anything! Category: pwn Solver: t0b1, Pandoron Flag: HTB{m0ms_sp4gh3tt1_1s_f4k3!} Writeup The first thing we do is running the checksec tool to get any clues where this challenge might be heading. It outputs the following. [*] '/home/user/htb-unictf-2020/finals/pwn/reality_check/reality_check' Arch: i386-32-little RELRO: Full RELRO Stack: No canary found NX: NX enabled PIE: No PIE (0x8048000) We extract the following information:...

March 24, 2021 · 5 min · t0b1, Pandoron

kindergarten

When you set the rules, everything is under control! Or not? Category: Pwn Solver: Pandoron, t0bi First let’s run checksec kindergarten. [*] '/home/user/htb-unictf-2020/kindergarten/kindergarten' Arch: amd64-64-little RELRO: Full RELRO Stack: No canary found NX: NX disabled PIE: No PIE (0x400000) RWX: Has RWX segments This is good! No stack canary, no position independent code. This must be easy, right? main function undefined8 main(void) { size_t sVar1; setup(); sec(); sVar1 = strlen(&kids_must_follow); write(1,&kids_must_follow,sVar1); read(0,ans,0x60); kinder(); sVar1 = strlen("Have a nice day!...

3 min · Pandoron, t0b1

mirror

You found an ol' dirty mirror inside an abandoned house. This magic mirror reflects your most hidden desires! Use it to reveal the things you want the most in life! Don’t say too much though.. Category: Pwn Solver: t0b1 Writeup We start by using the checksec tool, to check what security measures are enabled on the binary. $ checksec mirror [*] '/home/user/htb-unictf-2020/mirror/mirror' Arch: amd64-64-little RELRO: Full RELRO Stack: No canary found NX: NX enabled PIE: PIE enabled We see that no canary is found, which means that we will most likely have to exploit a stack based buffer overflow to overwrite some values on the stack....

7 min · t0b1