Blind road

In this task, we need to exploit a buffer overflow (BOF) in an application that provides no way to leak information, so the exploit has to work blind.

Exploitation plan (use ret2dl-resolve):

  1. extract linkmap address (from .got.plt + 0x8)
  2. make *(linkmap+0x1c8) = 0x0 (using read: 0x40052e, $rbp must be 0x601080)
  3. call read with “fake stack” parameter.
  4. write second-stage payload to the stack
  5. place appropriate arguments for system()
  6. forge Elf64_Rela and Elf64_Sym structs
  7. call dl-resolve with an appropriate offset to the forged Elf64_Rela struct
  8. get the shell

Exploit: blind_road-exploit

Beehive

We have an application written in C++ that implements interactive calendar functionality. The idea of this task is to abuse the automatic expansion of a vector when its available capacity is exhausted: the vector moves its elements to a new buffer and frees the old one, but pointers into the old buffer are not updated. This incorrect pointer management makes it possible to trigger a use-after-free (UAF).
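To make the bug class concrete, the following is an added example in C++ (not the task's calendar code): a toy calendar that caches a raw pointer to a vector element across a push_back(), so the pointer dangles once the vector reallocates, placed beside two ways of avoiding it. The Entry type and function names are hypothetical; the dangling pointer is recorded as an integer before the growth and only compared afterwards, never dereferenced.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <string>
#include <utility>
#include <vector>

// Constructed, simplified calendar entry (hypothetical; not the task's type).
struct Entry {
    int day;
    std::string title;
};

// Bug class: a raw pointer to the "current entry" is kept while more entries
// are appended. When size() reaches capacity(), std::vector allocates a new
// buffer, moves the entries, and frees the old one; the cached pointer now
// refers to freed memory (the UAF the task relies on). Returns true if the
// cached address no longer matches the live first element.
bool pointer_invalidated_by_growth() {
    std::vector<Entry> calendar;
    calendar.push_back({1, "standup"});
    // Record the cached address as an integer so the stale value is compared,
    // not dereferenced, after the buffer moves.
    std::uintptr_t cached = reinterpret_cast<std::uintptr_t>(&calendar[0]);
    std::size_t cap = calendar.capacity();
    while (calendar.capacity() == cap) {        // grow until reallocation happens
        calendar.push_back({2, "review"});
    }
    std::uintptr_t live = reinterpret_cast<std::uintptr_t>(&calendar[0]);
    return cached != live;
}

// Fix 1: refer to entries by index. An index stays valid across reallocation
// because it is re-resolved against the current buffer on every access.
int index_survives_growth() {
    std::vector<Entry> calendar;
    calendar.push_back({1, "standup"});
    std::size_t current = 0;                     // index, not pointer
    for (int i = 0; i < 100; ++i) calendar.push_back({i, "filler"});
    return calendar[current].day;                // still the original entry
}

// Fix 2: reserve capacity up front and refuse inserts that would reallocate,
// so the buffer never moves while pointers into it are held. Returns false
// (and inserts nothing) when the vector is full.
bool insert_without_realloc(std::vector<Entry>& calendar, Entry e) {
    if (calendar.size() == calendar.capacity()) return false;
    calendar.push_back(std::move(e));
    return true;
}

int main() {
    std::cout << "pointer invalidated by growth: "
              << (pointer_invalidated_by_growth() ? "yes" : "no") << '\n';
    std::cout << "entry reached via index after growth: day "
              << index_survives_growth() << '\n';
    std::vector<Entry> cal;
    cal.reserve(2);
    insert_without_realloc(cal, {1, "a"});
    insert_without_realloc(cal, {2, "b"});
    std::cout << "third insert into a full reserved vector accepted: "
              << (insert_without_realloc(cal, {3, "c"}) ? "yes" : "no") << '\n';
    return 0;
}
```

The first function is the pattern to look for when auditing code like this task's calendar: any raw pointer, reference or iterator into a std::vector that is held across an operation that can grow the container. Fix 1 is the usual answer; fix 2 applies when the code genuinely needs stable addresses (std::deque or std::list, whose elements never move on append, are the other common choice).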

Exploitation plan:

  1. get mem-leak using UAF
  2. find fake_chunk near __malloc_hook
  3. return this fake chunk using fastbin_dup
  4. overwrite __malloc_hook with a gadget address
  5. get the flag

Full writeup: beehive-writeup

Hidden malware

After a quick look at the task files, it’s obvious that we need to recover the encrypted flag that was sent to the C&C server. This can be achieved by reversing the extracted DLL. After some time, you will find that the encryption algorithm used is RC4; after that, you just need to find the key.

Solution plan:

  1. Investigate the recorded traffic and find the C&C communication session.
  2. Investigate the memory dump; it shows that explorer.exe initiated a suspicious socket connection.
  3. Dump all DLLs loaded by explorer.exe.
  4. Find the suspicious DLL (“update_agent.dll”).
  5. Reverse this library and determine the encryption algorithm and the key.
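Once the algorithm and the key are known, the remaining step is decrypting the payload captured in the traffic. The block below is an added example, not code from the task or from update_agent.dll: a self-contained RC4 (key scheduling plus keystream generation) in C++ applied to a hex-encoded payload. The key "Secret" and the ciphertext 45a01f645fc35b383552544b9bf5 are the public RC4 test vector (plaintext "Attack at dawn"), standing in for the key recovered from the DLL and the bytes carved from the C&C session; the function names are hypothetical.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <string>
#include <utility>
#include <vector>

// RC4: key-scheduling algorithm (KSA) followed by the pseudo-random generation
// algorithm (PRGA). The cipher is symmetric, so one routine both encrypts and
// decrypts.
std::vector<std::uint8_t> rc4(const std::vector<std::uint8_t>& key,
                              const std::vector<std::uint8_t>& data) {
    std::uint8_t S[256];
    for (int i = 0; i < 256; ++i) S[i] = static_cast<std::uint8_t>(i);
    // KSA: permute S under the (repeated) key bytes.
    for (int i = 0, j = 0; i < 256; ++i) {
        j = (j + S[i] + key[i % key.size()]) & 0xff;
        std::swap(S[i], S[j]);
    }
    // PRGA: XOR each data byte with the next keystream byte.
    std::vector<std::uint8_t> out(data.size());
    int i = 0, j = 0;
    for (std::size_t n = 0; n < data.size(); ++n) {
        i = (i + 1) & 0xff;
        j = (j + S[i]) & 0xff;
        std::swap(S[i], S[j]);
        out[n] = data[n] ^ S[(S[i] + S[j]) & 0xff];
    }
    return out;
}

// Hex helpers for moving between a pcap-style hex dump and raw bytes.
std::vector<std::uint8_t> from_hex(const std::string& hex) {
    std::vector<std::uint8_t> out;
    for (std::size_t i = 0; i + 1 < hex.size(); i += 2)
        out.push_back(static_cast<std::uint8_t>(
            std::stoul(hex.substr(i, 2), nullptr, 16)));
    return out;
}

std::string to_hex(const std::vector<std::uint8_t>& bytes) {
    static const char* digits = "0123456789abcdef";
    std::string s;
    for (std::uint8_t b : bytes) { s += digits[b >> 4]; s += digits[b & 0xf]; }
    return s;
}

// Encrypt a string with RC4 and return lowercase hex (what the agent would send).
std::string rc4_hex(const std::string& key, const std::string& text) {
    std::vector<std::uint8_t> k(key.begin(), key.end());
    std::vector<std::uint8_t> d(text.begin(), text.end());
    return to_hex(rc4(k, d));
}

// Decrypt a hex-encoded captured payload with the recovered key.
std::string rc4_decrypt_hex(const std::string& key, const std::string& hex_payload) {
    std::vector<std::uint8_t> k(key.begin(), key.end());
    std::vector<std::uint8_t> pt = rc4(k, from_hex(hex_payload));
    return std::string(pt.begin(), pt.end());
}

int main() {
    // Constructed input: the public RC4 test vector stands in for the key pulled
    // out of the DLL and the payload carved from the C&C session.
    const std::string recovered_key = "Secret";
    const std::string captured_payload = "45a01f645fc35b383552544b9bf5";
    std::cout << "recovered plaintext: "
              << rc4_decrypt_hex(recovered_key, captured_payload) << '\n';
    return 0;
}
```

When applying this to real traffic, confirm the keystream position first: an agent that reuses one RC4 state across several messages, or that prepends a header before the ciphertext, will decrypt to garbage unless the bytes are fed in exactly the order and offset the DLL used.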

Full writeup: hidden-malware

Honeyback

Exploit: honeyback-exploit