Tips

Useful tips by OTA CTF members. PRs welcome!

Assembly

Binary Exploitation Technique

IDA

Debugging

GDB

Redressing a Stripped Libc

Shell-fu

(python3 -c "print('AAAApayload')"; cat -) | nc pwn.me.org 5555
cd /root
bash: cd: /root: Permission denied
sudo !!

Crypto

Quipquip : Online tool that will help you solve almost all substitution ciphers

Decode.fr : Contains tons of old-school ciphers

CyberChef : Try magic mode, it's real MAGIC!

kt.gy tools : Fast online tool to decode your strings

Jail Challenges

Python Jails

Gynvael Python Jail tips

Useful functions

Interesting Behaviour

Bash Jails

Reading files

_hooks

libc exports several *_hook function pointers that it calls from inside its own routines, and they live in writable memory:

$ less ./db/local-acd0f91e833f06b2a822be84579f70edf4e80050.symbols | grep _hook
__free_hook 001b18b0
argp_program_version_hook 001b3794
_dl_open_hook 001b35d4
__malloc_hook 001b0768
__realloc_hook 001b0764
__malloc_initialize_hook 001b18b4
__after_morecore_hook 001b18ac
__memalign_hook 001b0760

By default these pointers are NULL, and libc only calls them if they are non-NULL:

void
__libc_free(void* mem)
{
  mstate ar_ptr;
  mchunkptr p;                          /* chunk corresponding to mem */

  void (*hook) (void *, const void *)
    = force_reg (__free_hook);
  if (__builtin_expect (hook != NULL, 0)) {
    (*hook)(mem, RETURN_ADDRESS (0));
    return;
  }
  /* ... remainder of __libc_free omitted ... */
}

If you can overwrite one of these pointers, you control RIP the next time the associated libc function is called! Useful if Full RELRO is enabled (the GOT is read-only) and we have a write-what-where! Note that glibc 2.34 removed the malloc hooks (__malloc_hook, __free_hook, __realloc_hook, __memalign_hook and friends), so this only applies to older libc builds.
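To see why a writable, unmangled hook slot is dangerous and what the hardening looks like, here is an added example (not code from the page or from glibc): a toy model of a libc-style *_hook slot with the same NULL-check dispatch as __libc_free, beside a variant that stores the pointer mangled (XOR with a per-process secret plus a rotate, the idea behind glibc's PTR_MANGLE). The secret, the counting hook and the mangle/demangle helpers are all constructed for the demo.

```c
/* Added example, not from the page or glibc. plain_hook mirrors what the page
 * describes (writable, NULL by default, called only if non-NULL). mangled_hook
 * keeps the same pointer XOR'd with a secret and rotated, so a raw write of a
 * chosen address into that slot decodes to garbage, not a usable code pointer. */
#include <stdint.h>
#include <stdlib.h>

typedef void (*hook_fn)(void *mem, const void *caller);

static hook_fn   plain_hook   = NULL; /* writable, NULL by default */
static uintptr_t mangled_hook = 0;    /* set to mangle(NULL) by hooks_init */
static uintptr_t secret       = 0;    /* per-process guard (constructed in tests) */
static int       hook_calls   = 0;

static uintptr_t rol(uintptr_t v, unsigned n) { return (v << n) | (v >> (sizeof v * 8 - n)); }
static uintptr_t ror(uintptr_t v, unsigned n) { return (v >> n) | (v << (sizeof v * 8 - n)); }
uintptr_t mangle(hook_fn p)     { return rol((uintptr_t)p ^ secret, 17); }
hook_fn   demangle(uintptr_t v) { return (hook_fn)(ror(v, 17) ^ secret); }

/* Harmless hook that only counts how often it was dispatched. */
void counting_hook(void *mem, const void *caller) { (void)mem; (void)caller; hook_calls++; }
int  hook_call_count(void) { return hook_calls; }

void hooks_init(uintptr_t guard) { secret = guard; mangled_hook = mangle(NULL); }

/* Legitimate installers: the mangled slot can only be set correctly through mangle(). */
void set_plain_hook(hook_fn h)   { plain_hook = h; }
void set_mangled_hook(hook_fn h) { mangled_hook = mangle(h); }

/* Same dispatch shape as __libc_free: run the hook if set, otherwise really free().
 * Returns 1 when the hook path was taken, 0 when free() ran. */
int free_via_plain(void *mem) {
    if (plain_hook != NULL) { (*plain_hook)(mem, __builtin_return_address(0)); return 1; }
    free(mem);
    return 0;
}
int free_via_mangled(void *mem) {
    hook_fn h = demangle(mangled_hook);
    if (h != NULL) { (*h)(mem, __builtin_return_address(0)); return 1; }
    free(mem);
    return 0;
}

/* Simulates a stray write-what-where landing address p in both slots (no mangle
 * step). Bit 0 set: the plain slot now dispatches to p. Bit 1 set: the mangled
 * slot would too. A hardened slot should give 1, never 3. */
int corruption_outcome(hook_fn p) {
    int out = 0;
    plain_hook = p;
    mangled_hook = (uintptr_t)p;
    if (plain_hook == p) out |= 1;
    if (demangle(mangled_hook) == p) out |= 2;
    return out;
}
```

After corruption_outcome() the mangled slot decodes to a garbage pointer, which is exactly why glibc's real dispatch would crash rather than jump where the write intended; the demo never calls it in that state.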

Protips

Null Termination

Do NOT read past the first null byte

Do read past the first null byte

Does copy the terminating null byte from src to dst

Hacking channels/streams/podcasts/blogs:

Stories