Full chain - Google CTF 2021
· ☕ 10 min read
Full chain Do you have what it takes to pwn all the layers? Intro Hi, last weekend I participated in Google CTF 2021 with my team vh++. To quote from my last year’s writeup: Although I didn’t solve the challenge in time for the points,

Pwnable01 scull - Whitehat Grandprix 06
· ☕ 4 min read
Pwnable01 Intro Hi guys, this is the writeup for the challenge Pwnable01 from Whitehat Grandprix 06 Final. You may want to check out the exploit code and challenge’s source. Challenge #pwn01: You can ssh into our server as a low-privilege user.

Google CTF 2020 teleport: Chromium sandbox escape
· ☕ 13 min read
Teleport Please write a full-chain exploit for Chrome. The flag is at /home/user/flag. Maybe there’s some way to tele<port> it out of there? 1. Story Hi, last week I participated in Google CTF 2020 with my team pwnPHOfun

PlaidCTF2020 PlaidStore mojo chromium
· ☕ 6 min read
PlaidStore Story Hi, everyone, this is the writeup for the challenge 500pts “mojo” of PlaidCTF 2020. As usual, I got the flag after the CTF has ended :< Well, currently I am not in any active teams, so I decided to pick a hard challenge and do it on my own.

pwning your kernelz: macOS 0day LPE
· ☕ 6 min read
pwning your kernelz Background Hi everyone, This is the writeup for the challenge pwning your kernelz, created by Linus Henze(@LinusHenze), I came across this challenge when Linus tweeted a status update for the CTF. Of course, I didn’t solve this challenge during the time of the CTF.

kpets FacebookCTF 2019 QR
· ☕ 4 min read
kpets welcome to Kernel Pets Simulator! We wrote a pet store application that was too slow, so we made a kernel module for it instead. Author: pippinthedog Hi everyone, this is the writeup for the Facebook CTF 2019 Qualification Round kpets challenge

· ☕ 6 min read
IPwnKit Come and take a bite of the Apple! We have reserved you a very special place at the WWPC (World Wide Pwning Conference). Email to RSVP and we will reply with your invite.

AceBear Security Contest House-of-loop
· ☕ 7 min read
House-of-loop Hi everyone, this is the writeup for the challenge House-of-loop in the AceBear Security Contest 2019. You may want to check out the exploit code. Description We are given a stripped ELF x64 binary which can be interacted with; our task is to get remote code execution (RCE).

TetCTF babySandbox
· ☕ 3 min read
Baby Sandbox This is a challenge of TetCTF, which is hosted from Jan 1st to Jan 7th by MeePwn Team of Vietnam. You may want to check out the exploit code. Challenge description We are given 2 binaries, one is sandbox and the other one is program.

· ☕ 3 min read
KSMASH - Kernel Stack Smashing Background This is a Linux Kernel Module (LKM) exploitation challenge by host in Round 3 MatesCTF 2018-2019. I solved this challenge overtime :< But it seems that no team solved this so I still sent the exploit to the challenge author for testing and also wrote this writeup.

35C3 CTF Pillow
· ☕ 5 min read
Pillow Background This is the writeup for the challenge Pillow, created by Samuel Groß (@saelo) of Project Zero, of 35C3 CTF annually organized by @EatSleepPwnRpt happening at the end of year 2018. I didn’t solve this challenge during the CTF; when revisiting this challenge after checking out @LinusHenze's repo, I have a big learning opportunity to check out XNU exploitation, which was completely new to me.

RITSEC18 Gimme sum fud
· ☕ 1 min read
The binary loads the flag.txt into memory and asks us to provide input. The interesting thing is that it loads it into the same memory segment as the input. Debugging locally, I found it at the offset 752 from the first input bytes.

RITSEC18 Yet another HR Management Framework
· ☕ 2 min read
Judging by the program’s interface, we know that it was a heap challenge. Having spent quite a lot of time reversing it, I figured out that it mallocs a few bytes for the person struct on the heap, then the name is malloc'ed with the size entered and that address is put in the person struct.