Hi, I’m Leon

Trinity Pre Test was a rev challenge I wrote for Minuteman CTF 2024, which is the first beginner oriented event for the UMass Cybersecurity Club

Super CPP Calculator is a pwn challenge from Deadsec ctf 2024 There’s one binary given, let’s examine the binary first: OK, looks promising for an easy pwn, let’s open the binary in Ghidra. Looking at the main function in Ghidra (cleaned up for clarity) There are a few things to note here, we can see that a Calculator class is used here, and it appears to be allocated on the stack, so let’s look at the class. ...

Magic Conch is a rev challange. Downloading and opening the binary file in Ghidra: We can find an entry point, I have renamed the main function to main. Here is the main function in Ghidra, edited for clarity: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 int main(void) { char buf [64]; uint outlen; int length; code *entry_point_function; void *shared_obj_ptr; int memfd; void *dec_data; void *input_data; input_data = (void *)gen1(&enc_bin_start,&length); if (input_data == NULL) { exit(1); } dec_data = (void *)gen2(input_data,length,&outlen); if (dec_data == NULL) { exit(1); } free(input_data); memfd = memfd_create("payload_file",0); if (memfd == 0) { exit(1); } write(memfd,dec_data,outlen); sprintf(buf,"/proc/self/fd/%d",(ulong)(uint)memfd); shared_obj_ptr = (void *)dlopen(buf,1); if (shared_obj_ptr == NULL) { free(input_data); exit(1); } entry_point_function = (code *)dlsym(shared_obj_ptr,"EntryPoint"); if (entry_point_function == NULL) { free(input_data); dlclose(shared_obj_ptr); exit(1); } (*entry_point_function)(); dlclose(shared_obj_ptr); close(memfd); free(dec_data); return 0; } Looking at the main function, we can see that it uses syscalls such as dlopen as well as dlsym. These functions are used to load dynamic libraries and get the address of a function. In addition, we also see a memfd_create function call. ...