This is too brief to be called a write-up. But I’m tired …

Introduction

I participated in DEF CON CTF Qualifier 2018 as a member of a certain team, which finished in an ignominious 40th place. But somehow I solved 3 tasks:

  • ELF Crumble
  • babypwn1805
  • elastic cloud compute (memory) corruption

Here I write down my impressions.

ELF Crumble

This is a task to combine 8 binary fragments in the correct order and execute the result. I wrote a damn brute-force solver for this, because my brain was dead.

babypwn1805

A blind pwn task. I accidentally found the offset -0x38 to the GOT entry of read. Then I wrote a probabilistic solver.

elastic cloud compute (memory) corruption

A VM escape task.

We were given a qemu-system-x86_64 binary with a vulnerable PCI device named ooo. Notable functions are as follows:

function      description
sub_6E61F4    corresponds to ooo_mmio_write
sub_6E613C    corresponds to ooo_mmio_read
sub_6E64A5    invokes system("cat ./flag")

What matters is the use-after-free vulnerability in the MMIO write handler:

//----- (00000000006E61F4) ----------------------------------------------------
// ooo_mmio_write: bits 23..20 of addr select the command, bits 19..16 select a
// slot in the pointer table qword_1317940, and the low 16 bits are a signed offset.
void __fastcall sub_6E61F4(__int64 opaque, __int64 addr, __int64 value, unsigned int size)
{
  unsigned int cmd; // eax
  ...
  *(_QWORD *)&n[4] = value;
  cmd = ((unsigned int)addr & 0xF00000) >> 20;
  switch ( cmd )
  {
    case 1u:
      // free: the freed pointer stays in the table (dangling)
      free(qword_1317940[((unsigned int)addr & 0xF0000) >> 16]);
      break;
    case 2u:
      // write: copies through whatever pointer is in the slot, freed or not,
      // at a signed 16-bit offset with no bounds check
      v12 = ((unsigned int)addr & 0xF0000) >> 16;
      v8 = addr;
      memcpy((char *)qword_1317940[v12] + (signed __int16)addr, &n[4], size);
      break;
    case 0u:
      // alloc: slot 15 means "all 15 slots"; size is 8 * guest-chosen value
      idx = ((unsigned int)addr & 0xF0000) >> 16;
      if ( idx == 15 )
      {
        for ( i = 0; i <= 14; ++i )
          qword_1317940[i] = malloc(8LL * *(_QWORD *)&n[4]);
      }
      else
      {
        qword_1317940[idx] = malloc(8LL * *(_QWORD *)&n[4]);
      }
      break;
  }
}

With the chunk pointers stored at 0x1317940 as a clue, we can overwrite malloc@GOT with sub_6E64A5 by a fastbin attack, driving the MMIO accesses from the guest with devmem.
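To make the defect concrete, here is an added example that is neither the challenge's code nor QEMU's: a small model of the same dispatch with the checks a hardened device would have. The slot count (15 slots, slot field 15 meaning "all") and the address encoding follow the decompiled listing above; the ooo_state bookkeeping, the error codes, MAX_UNITS, ooo_addr and ooo_peek are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NSLOTS 15               /* qword_1317940[0..14]; slot field 15 means "all slots" */
#define MAX_UNITS (1u << 20)    /* assumed cap on the guest-chosen allocation count (8-byte units) */

enum { OOO_OK = 0, OOO_EINVAL = -1, OOO_EFREED = -2, OOO_ERANGE = -3, OOO_ENOMEM = -4 };

/* Per-slot bookkeeping the original lacks: the pointer AND how many bytes it owns. */
typedef struct {
    void  *ptr[NSLOTS];
    size_t len[NSLOTS];         /* 0 while the slot is unallocated or freed */
} ooo_state;

/* Field decoding, exactly as the decompiled handler does it. */
static unsigned ooo_cmd(uint64_t addr)  { return (unsigned)((addr & 0xF00000u) >> 20); }
static unsigned ooo_slot(uint64_t addr) { return (unsigned)((addr & 0x0F0000u) >> 16); }
static int16_t  ooo_off(uint64_t addr)  { return (int16_t)(addr & 0xFFFFu); }

/* Build an MMIO offset from its fields (hypothetical helper, for the demo). */
static uint64_t ooo_addr(unsigned cmd, unsigned slot, uint16_t off)
{
    return ((uint64_t)cmd << 20) | ((uint64_t)slot << 16) | off;
}

/*
 * Hardened dispatch. Each check corresponds to a hole in sub_6E61F4:
 *   cmd 1 left the freed pointer in the table      -> clear it, refuse double free
 *   cmd 2 wrote through any pointer at a signed,
 *         unchecked offset with an unchecked size  -> require a live slot and an
 *                                                     in-bounds [off, off+size) window
 *   cmd 0 multiplied a guest-chosen 64-bit count
 *         by 8 and replaced live pointers          -> cap the count, refuse to clobber
 *                                                     an allocated slot, unwind on failure
 */
static int ooo_mmio_write_safe(ooo_state *s, uint64_t addr, uint64_t value, unsigned size)
{
    unsigned slot = ooo_slot(addr);

    switch (ooo_cmd(addr)) {
    case 1: {                                   /* free one slot */
        if (slot >= NSLOTS)       return OOO_EINVAL;
        if (s->ptr[slot] == NULL) return OOO_EFREED;
        free(s->ptr[slot]);
        s->ptr[slot] = NULL;                    /* no dangling pointer survives */
        s->len[slot] = 0;
        return OOO_OK;
    }
    case 2: {                                   /* write `size` bytes of `value` into a slot */
        if (slot >= NSLOTS)       return OOO_EINVAL;
        if (s->ptr[slot] == NULL) return OOO_EFREED;   /* the use-after-free path in the original */
        int16_t off = ooo_off(addr);
        if (off < 0 || size > sizeof value || (size_t)off + size > s->len[slot])
            return OOO_ERANGE;
        memcpy((char *)s->ptr[slot] + off, &value, size);
        return OOO_OK;
    }
    case 0: {                                   /* allocate one slot, or all 15 when slot == 15 */
        if (value == 0 || value > MAX_UNITS) return OOO_EINVAL;
        unsigned lo = (slot == 15) ? 0 : slot;
        unsigned hi = (slot == 15) ? NSLOTS - 1 : slot;
        for (unsigned i = lo; i <= hi; i++)
            if (s->ptr[i] != NULL) return OOO_EINVAL;   /* would leak / clobber a live chunk */
        for (unsigned i = lo; i <= hi; i++) {
            s->ptr[i] = calloc((size_t)value, 8);        /* zeroed; count is capped, so no overflow */
            if (s->ptr[i] == NULL) {
                while (i-- > lo) { free(s->ptr[i]); s->ptr[i] = NULL; s->len[i] = 0; }
                return OOO_ENOMEM;
            }
            s->len[i] = 8 * (size_t)value;
        }
        return OOO_OK;
    }
    default:
        return OOO_EINVAL;                      /* unknown command: the original silently ignored it */
    }
}

/* Read back one byte of a slot (hypothetical helper, for the demo). */
static int ooo_peek(const ooo_state *s, unsigned slot, size_t i)
{
    if (slot >= NSLOTS || s->ptr[slot] == NULL || i >= s->len[slot]) return -1;
    return ((const unsigned char *)s->ptr[slot])[i];
}

int main(void)
{
    ooo_state s = {0};
    printf("alloc slot 3 (32 bytes): %d\n", ooo_mmio_write_safe(&s, ooo_addr(0, 3, 0), 4, 8));
    printf("write 8 bytes at +24:    %d\n", ooo_mmio_write_safe(&s, ooo_addr(2, 3, 24), 0x41, 8));
    printf("byte at +24:             0x%02x\n", ooo_peek(&s, 3, 24));
    printf("free slot 3:             %d\n", ooo_mmio_write_safe(&s, ooo_addr(1, 3, 0), 0, 8));
    printf("write after free:        %d (expect %d)\n",
           ooo_mmio_write_safe(&s, ooo_addr(2, 3, 0), 0x41, 8), OOO_EFREED);
    return 0;
}
```

The decisive change is that the free path clears the table entry and the write path refuses an empty slot, so the sequence the original allowed (free slot, then write into it) fails closed; the length bookkeeping additionally turns the signed-offset write into a bounded one.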

I stayed up all night for this. I was tired but it was fun. I used these past write-ups as a reference when solving this task:

Thanks, authors!

Final Words

Other tasks I had wanted to solve are:

  • flagsifier
  • TechSupport
  • smcauth

This year the DEF CON CTF organizer changed from LegitBS to OOO (Order of the Overflow). OOO seems to have the purpose of connecting academic research and CTF. I support this philosophy, but this competition was not perfect. My impressions are summarized as follows:

Pros

  • Meritocratic rev/pwn.
  • Brand-new topics, i.e. blockchain, neural networks, reversing of a Rust binary.

Cons

  • Many guessing tasks.
  • Some incredible, old-fashioned tasks. In particular, sbva and ghettohackers: Throwback are quite bad.

Anyway, I’m looking forward to next year’s.