Reverse Engineering

Dead or Alive

3283 words · 16 mins
Dead or Alive was a hard Pwn challenge which consisted of a UAF bug inside a heap-note-type application. The bug was very similar to the one in the Prison Break challenge, but without a Copy operation. The glibc present was pretty new (2.35), which means no hooks were available. I resorted to executing code by utilizing an exit_funcs overwrite.

Prison Break

1645 words · 8 mins
Prison Break was a classic vanilla heap note Pwn challenge with a UAF bug. I had to leak libc addresses off the heap to acquire the __free_hook address, which could then be overwritten with system.

Reconstruction

496 words · 3 mins
Reconstruction was a very easy Pwn challenge, which contained a custom RWX region and arbitrary shellcode execution. The shellcode was only allowed to contain certain bytes, and the main purpose was essentially to set certain registers to exact values.

Recruitment

667 words · 4 mins
Recruitment was an easy Pwn challenge which included leaking from an uninitialized variable and overflowing on the stack. As for RCE, there were only 6 bytes of overflow on the return address, which essentially meant I had to resort to a one-gadget ROP.

Auth-or-out

1416 words · 7 mins
In this post we will have a look at the Hack the Box pwn challenge called Auth-or-out, which was all about a custom heap allocator and its exploitation.