No thumbnails for you

12 Nov 2022
Tags: bugfix kernel tracing

When faced with a systems issue, tracing syscalls usually sheds light on possible causes. But what if the syscall result itself is elusive? This was the case with evince-thumbnailer on a Debian system, which was failing to create any thumbnail files: openat(AT_FDCWD, "/tmp/o...

CTF Writeup - 0CTF 2022 - vintage - part1+2

19 Sep 2022
Tags: ctf emulation reversing tracing

Introduction: For these 2 tasks, we are given a binary targeting a console system that uses an 8-bit processor, although it also supports 16-bit addressing. Despite this lesser-known target, we can still apply general approaches to understand its internals...

CTF Writeup - PlaidCTF 2022 - coregasm

13 Apr 2022
Tags: ctf reversing file formats

Introduction: We are given an executable and a core dump generated near the end of its execution. If we run the executable multiple times, we see that it prints out 4 different flags, so we need to figure out the random bytes that were used to build the flags of the given core dump...

Empty Handshakes

13 Nov 2021
Tags: bugfix networking protocols

When attempting to make an HTTPS request from a Qt app, a terse error was returned, which seemed odd, given that curl had no issue doing the same request, without the user specifying any additional certificates. So, what was different? Analysis: With strace -f -k, we don’t find the message text verbatim, but we can search for the last instance of “handshake”, then look upward in the stack trace for application-specific functions: 1984033 write(5, "\1\0\0\0\0\0\0\0", 8) = 8 [...

TCP By Disk

12 Oct 2021
Tags: networking relays

Ever wanted TCP, but instead of directly connecting a client to a server with sockets, you process requests and responses by writing and reading files? What do you mean “no”? Let me give you one contrived use case. Suppose you are connecting to a Windows host via RDP...

CTF Writeup - TSG CTF 2021 - 2 Reversing Tasks

03 Oct 2021
Tags: ctf reversing bruteforce dynamic instrumentation symbolic execution

Beginner’s Rev 2021: Don’t spend too much time reading the code. Once you get an idea of the behavior, I recommend trying some dynamic analysis with various tools...

Decompression Meddlings

29 Sep 2021
Tags: compression file formats bruteforce constraint solving

Lack of familiarity with a binary format leads us to handle it with conservative expectations. Today, let’s subvert two of these expectations with varying degrees of usefulness, each explored in a dedicated part...

CTF Writeup - InCTF 2021 - Miz

15 Aug 2021
Tags: ctf reversing tracing visualization

Introduction: We are given a stripped Rust binary. Functions in Rust seem to feature convoluted stack setups that don’t play well with Ghidra’s decompiler...

Filename Hook

22 Jul 2021
Tags: filesystems linkers dynamic instrumentation

To work around a filesystem feature, I decided to try dynamic preloading, bumping into a bunch of libc corners along the way… Analysis: In this case, a git repository was failing to check out: fatal: unable to checkout working tree warning: Clone succeeded, but checkout failed. You can inspect what was checked out with 'git status' and retry with 'git restore --source=HEAD :/' If we run with strace -e file: mkdir("foo...
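The preloading approach mentioned above, as an added example that is not the post's own code: an LD_PRELOAD shim that rewrites path names on their way into the libc calls git uses while creating the working tree. The post does not say which filesystem feature was in the way, so this shim assumes a filesystem that rejects ':' in names and encodes it as "%3A"; the character, the escape, and the function names `rewrite_path`/`fixed` are illustrative choices. It goes to the raw syscall rather than dlsym(RTLD_NEXT, ...) so it needs no libdl, and it hooks only the creation calls (open, openat, mkdir, mkdirat).

```c
// Added example (not from the post): LD_PRELOAD shim that rewrites path
// names before they reach the kernel. Assumption: the target filesystem
// rejects ':' in file names, so it is encoded as "%3A" (illustrative).
#undef _FORTIFY_SOURCE      // the fortified inline open()/openat() would clash with ours
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdarg.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

#define BAD_CHAR ':'
#define ESCAPE   "%3A"
#define ESCAPE_LEN (sizeof(ESCAPE) - 1)

/* Copy `in` to `out` (capacity `n`), replacing every BAD_CHAR with ESCAPE.
 * Returns the length written (without the NUL), or -1 if it would not fit.
 * Kept as a pure function so the rewrite rule can be tested without a preload. */
ssize_t rewrite_path(const char *in, char *out, size_t n) {
    if (n == 0) return -1;
    size_t o = 0;
    for (const char *p = in; *p; p++) {
        if (*p == BAD_CHAR) {
            if (o + ESCAPE_LEN >= n) return -1;   /* leave room for the NUL */
            memcpy(out + o, ESCAPE, ESCAPE_LEN);
            o += ESCAPE_LEN;
        } else {
            if (o + 1 >= n) return -1;
            out[o++] = *p;
        }
    }
    out[o] = '\0';
    return (ssize_t)o;
}

/* Path handed to the kernel: the rewritten one when it fits, otherwise the
 * original, so a too-long name fails in the kernel rather than in the shim. */
static const char *fixed(const char *path, char *buf, size_t n) {
    return rewrite_path(path, buf, n) < 0 ? path : buf;
}

/* The mode argument is only present when a file may be created. glibc itself
 * fetches it as int, so do the same instead of va_arg(ap, mode_t). */
static mode_t mode_arg(int flags, va_list ap) {
    return (flags & (O_CREAT | O_TMPFILE)) ? (mode_t)va_arg(ap, int) : 0;
}

int openat(int dirfd, const char *path, int flags, ...) {
    va_list ap;
    va_start(ap, flags);
    mode_t mode = mode_arg(flags, ap);
    va_end(ap);
    char buf[PATH_MAX];
    return (int)syscall(SYS_openat, dirfd, fixed(path, buf, sizeof buf), flags, mode);
}

int open(const char *path, int flags, ...) {
    va_list ap;
    va_start(ap, flags);
    mode_t mode = mode_arg(flags, ap);
    va_end(ap);
    return openat(AT_FDCWD, path, flags, mode);
}

int mkdirat(int dirfd, const char *path, mode_t mode) {
    char buf[PATH_MAX];
    /* mkdirat rather than mkdir: the latter has no syscall on some arches (e.g. aarch64) */
    return (int)syscall(SYS_mkdirat, dirfd, fixed(path, buf, sizeof buf), mode);
}

int mkdir(const char *path, mode_t mode) {
    return mkdirat(AT_FDCWD, path, mode);
}
```

Build it as a shared object and preload it into the failing command: `gcc -shared -fPIC -o fnhook.so fnhook.c` followed by `LD_PRELOAD=$PWD/fnhook.so git clone ...`. Two caveats a practitioner should keep in mind: names on disk now differ from what git recorded, so every process that touches the tree (git status, editors) must run under the same shim; and a shim limited to these four calls is not enough for git, which also goes through lstat/stat, unlink, rename, readlink and, in the reverse direction, readdir when comparing the index to the directory listing.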

Side-Channel Statistical Analysis

31 Jan 2021
Tags: ctf protocol analysis visualization

Without a good intuition of which packet fields to consider, finding side-channel data in packet captures becomes harder. While Wireshark provides some statistics views to summarize conversations, we may want to look into other packet details as well...

CTF Writeup - TastelessCTF 2020 - 7/12

06 Oct 2020
Tags: ctf steganography file formats

Introduction: We want to extract our flag from multiple 7-Zip archives, which happen to only contain junk files. When dealing with binary formats, Kaitai Struct provides a mapping from bytes to data structures...

CTF Writeup - CyBRICS 2020 - Hide and Seek

30 Jul 2020
Tags: ctf reversing cryptography tracing

Introduction: An executable with a few interesting twists. I’ve combined static analysis in Ghidra with dynamic analysis in pwndbg to explore an anti-debugging check and self-modifying code hidden in addresses not assigned to a segment...

CTF Writeup - UIUCTF 2020 - Redd's Art

23 Jul 2020
Tags: ctf reversing bruteforce tracing

Introduction: This solution relies on pwndbg to execute relevant functions, while circumventing invalid operations. Although it was possible to solve this task by adapting the decompiled functions, I wanted to investigate an approach that relied less on reimplementing the executable’s code...

CTF Writeup - UIUCTF 2020 - RFCland

20 Jul 2020
Tags: ctf forensics file formats protocol analysis

Introduction: CTF challenges in the forensics category usually deal with several kinds of data representations, from file formats to memory dumps. In this writeup, the goal was to extract the flag from a network capture in the pcap format...

CTF Writeup - rgbCTF 2020 - Advanced Reversing Mechanics 2

15 Jul 2020
Tags: ctf reversing constraint solving

Introduction: CTF challenges in the reversing category can contain complex algorithms that can make it hard to figure out the input (i.e...

Deceitful Zip

29 Sep 2019
Tags: compression cryptography file formats lookup magic visualization

What appeared to be a regular zip file could not be successfully extracted. Each extracted file would be empty or contain junk bytes...

Shell By Mail

28 Aug 2019
Tags: mail protocols virtualization

What if the only way to interact with a remote server were via SMTP? Here’s an attempt at implementing such a system. Keep in mind this is intended as a proof of concept, not for serious usage...

Almost UTF-16

15 Jun 2019
Tags: bugfix build tools text encoding file formats

A text file containing some song lyrics ended up having an encoding issue. Analysis: MIME type detection was failing: file -ib lyrics...

Database Tunneling

14 Jun 2019
Tags: bugfix networking relays

In order to run a database client locally, an SSH tunnel was made to a remote host. However, the connection from localhost to the database service was refused, while hosts on the same remote subnet were able to connect...