Attacking a binary with seccomp/libc leak/ROP open+read+write - DiceCTF 2023 - pwn/bop

preview_player
Показать описание
CTF Challenge Writeup
Buffer overflow into ROP to leak libc using gets/printf. Then stay within secomp and use open/read/write to print flag

00:00 Intro
00:17 Copy libc from docker container
00:56 Program Review
01:20 Ghidra Review
01:50 SECCOMP
02:21 checksec
02:50 Solution Discussion
05:03 Solution Script
  1. SloppyJoePirates CTF Writeups
  2. ctf
  3. ctf writeup
Рекомендации по теме
Attacking a binary 0:13:23

Attacking a binary with seccomp/libc leak/ROP open+read+write - DiceCTF 2023 - pwn/bop

Seccomp Filters and 0:18:55

Seccomp Filters and Shellcode - Pumpking [HackTheBoo CTF 2022]

Seccomp nanosleep pwn 0:17:48

Seccomp nanosleep pwn binary exploitation | DekraCTF 2020 WeirdChall

Python Pwntools Hacking: 0:44:49

Python Pwntools Hacking: ret2libc GOT & PLT

BOF + ROP 0:21:09

BOF + ROP + libc leak + system('/bin/sh') - Cyber Apocalypse 2023 - pwn/pandora

Blacksmith [easy]: HackTheBox 0:29:24

Blacksmith [easy]: HackTheBox Pwn Challenge (seccomp protections)

Buffer Overflow Explained 0:13:04

Buffer Overflow Explained | P22 | ROP Chains | CTF Walkthrough

Pike - misc 0:06:36

Pike - misc - DiceCTF 2023 Writeup (rpyc cve)

Efficient Syscall Emulation 0:30:22

Efficient Syscall Emulation on Linux | Open Source Summit Europe 2020

OpenBSD 7.0 security 0:17:03

OpenBSD 7.0 security techniques and mitigations! 🐡

CS499/579 Winter 2023 0:48:25

CS499/579 Winter 2023 Cyber Attacks and Defense Lecture 14 -- Final CTF

pwn.college - Kernel 0:19:04

pwn.college - Kernel Security - Escaping Seccomp (for real!)

pwnable.tw #4: Solving 1:32:47

pwnable.tw #4: Solving 3x17

Nightmare [easy]: HackTheBox 1:13:48

Nightmare [easy]: HackTheBox Pwn Challenge (PIE/Lib-C leak + format string write exploit)

W3_1 - ASLR 0:30:28

W3_1 - ASLR (part 1)

Making stack executable 0:25:47

Making stack executable with malicious mprotect call - pwn110 - PWN101 | TryHackMe

A New HOPE 0:37:31

A New HOPE (2022): Novel Exploitation Tactics in Linux Userspace One Byte OOB Write to ROP Chain

pwn.college - Return 0:08:54

pwn.college - Return Oriented Programming - Introduction

recursive-csp - web 0:07:19

recursive-csp - web - DiceCTF 2023 Challenge Writeup (CSP nonce bruteforce)

Shooting Star [easy]: 0:56:03

Shooting Star [easy]: HackTheBox Pwn Challenge (ret2libc)

W6L2 Bypass Canary 0:35:20

W6L2 Bypass Canary

Cool Kernel Features: 0:28:49

Cool Kernel Features: BPF and seccomp

pwn.college - Return 0:25:47

pwn.college - Return Oriented Programming - Techniques

The Golden Ticket- 0:53:45

The Golden Ticket- Docker and High Security Microservices - Black Belt Track

Комментарии
Автор

DiceCTF was my 2nd CTF ever and I solved .... 0 challenges 😅. I spent a lot of time trying to figure out what to do for bop, but I never imagined it was this involved. How do you even learn this stuff?

imakappa
Автор

I have a newbie question that you might answer (maybe by saying why it doesn't work :D): Couldn't you just call the libc open read and puts functions once you leak the libc base address with rop.call("open", ...) and so on without messing with further rop gadgets?

nopenope