Highlighted writeups

Roulette
CTF

PRNG. Custom Mersenne Twister. System of equations with binary variables
Clutch
CTF

HTB UniCTF 2024. Quantum Cryptography. Frame-based Quantum Key Distribution
Paranormial Commitment Scheme
CTF

Plaid CTF 2024. BLS12-381. Elliptic curve pairings. Lagrange interpolation
TurboCipher
CTF

Recurrence relation. Telescoping series. LCG
Old Bridge
CTF

64-bit binary. Buffer Overflow. Brute force. Stack Pivot. ret2libc
winter
CTF

DiceCTF 2024 Quals. Winternitz One-Time Signature
Recent CTF

ReRop
CTF

Return-Oriented Programming. sys_ptrace
Bashic Calculator
CTF

Bash arithmetic escape
NeoVault
CTF

API. MongoDB. NoSQLi. IDOR
PDFy
CTF

CVE. Server-Side Request Forgery. PDF generation
Refreshments
CTF

HTB StackSmash CTF. 64-bit binary. Heap exploitation. Off-by-one. Overlapping chunks. Fast Bin attack. Use After Free
Recent HTB

Dog
HTB

Hack The Box. Linux. Easy machine. This machine hosts a CMS that exposes a Git repository. Once we dump the repository, we can find a username and a database password that can be reused to log in as administrator of the CMS. Here, we can install a new module to execute a PHP web shell and get a reverse shell on the machine. Although there are hashed passwords on the database, the same password can be reused for a system user. Finally, we are allowed to run bee as root using sudo, which will let us escalate privileges by running arbitrary PHP code
Titanic
HTB

Hack The Box. Linux. Easy machine. This machine has a Local File Read vulnerability that lets us read sensitive files. There is a Gitea instance with some repositories and a Docker configuration that shows how Gitea files are shared in a volume mount. So, we can find hashed passwords in the Gitea SQLite database and crack them. With this, we gain access via SSH by reusing credentials. After that, we find a script running as root that uses a vulnerable version of ImageMagick, where we can perform library hijacking to get arbitrary code execution as root
Alert
HTB

Hack The Box. Linux. Easy machine. This machine allows rendering Markdown files and sharing them with a unique link. The Markdown viewer is vulnerable to XSS, and we can send a link to the administrator to perform CSRF and read a confidential webpage. Besides, we find a Local File Read vulnerability, and we can find an .htpasswd file with a hashed password to access another subdomain. Instead, we can crack the hash and reuse the password for SSH. At this point, there is a local PHP server running as root, and we are able to manage its PHP scripts, so we can simply execute PHP code as root
Bizness
HTB

Hack The Box. Linux. Easy machine. This machine has a vulnerable version of Apache OFBiz that can be exploited to get RCE using an authentication bypass and Java deserialization payload. Once on the machine, we can inspect the database and search for the password hash of the administrator user. Once the hash is cracked, we can reuse the password and gain access as root
RegistryTwo
HTB

Hack The Box. Linux. Insane machine. This machine exposes a web application that allows creating custom domains with HTML code. Moreover, there is an exposed Docker registry where we can download Docker image blobs after getting a suitable JWT token. The web application is running a WAR file with Tomcat; we can decompile it and see that it queries an RMI server. Since Tomcat is behind an nginx reverse proxy, we can access some sensitive Tomcat servlets to modify our session and set manager permissions on the web application. We need this to modify the RMI configuration using a mass assignment vulnerability and point the RMI server to us. After that, we can exploit an insecure deserialization vulnerability in Java to get RCE in a container. Then, we can interact with the legitimate RMI server using port forwarding. This server allows us to read arbitrary files with a directory traversal attack. We can find a plaintext password for user developer, which is reused in SSH. Then, root is executing a JAR file to analyze files of the hosted website by sending them to a ClamAV server. The problem here is that the JAR calls functions from the RMI registry, which is restarted periodically. Therefore, we can craft a malicious RMI registry and exploit a race condition to take the port, so that root queries our malicious registry and talks to our fake ClamAV server. The result is that all files at /root will be quarantined inside a readable directory, which leads to the privilege escalation
Recent IMC

IMC

IMC 2021, Problem 1

Let be a real matrix such that .
  1. Prove that there is a unique real matrix that satisfies the equation
  2. Express in terms of .
IMC

IMC 2020, Problem 5

Find all twice continuously differentiable functions satisfying for all .
IMC

IMC 2020, Problem 2

Let and be real matrices such that where is the identity matrix. Prove that
IMC

IMC 2020, Problem 1

Let be a positive integer. Compute the number of words (finite sequences of letters) that satisfy the following three properties:
  1. consists of letters, all of them are from the alphabet .
  2. contains an even number of letters .
  3. contains an even number of letters .
(For example, for , there are 6 such words: , , , , and )