In this post I describe a detailed solution to my “winworld” challenge from Insomni’hack CTF Teaser 2017. winworld was an x64 Windows binary coded in C++11 and with most of Windows 10 built-in protections enabled, notably AppContainer (through the awesome AppJailLauncher), Control Flow Guard and the recent mitigation policies.
Continue reading Exploiting a misused C++ shared pointer on Windows 10
Category: Insomni’hack
rbaced – a CTF introduction to grsecurity’s RBAC
Description
rbaced was a pwnable challenge at last weekend’s Insomni’hack Teaser, split into 2 parts: rbaced1 and rbaced2.
TL;DR: grsecurity/PaX can prevent introducing executable memory into a process or executing untrusted binaries, and make your life miserable.
Continue reading rbaced – a CTF introduction to grsecurity’s RBAC
Insomni’hack 2016 teaser results
Last weekend saw the year’s CTF competitions begin with our very own Insomni’hack teaser. Given some of the recent absurdities (http://weputachipinit.tumblr.com/) we decided to go with the Internet of Things as our theme this year.
Continue reading Insomni’hack 2016 teaser results
Insomni’hack finals – InsomniDroid Level 1 Writeup
The challenge was delivered as a zip file (InsomniDroid.zip). The first challenge was perhaps to download it (with its 602.5 MiB). The zip file contains a single file: mmcblk0.dd. A file command gives some information:
Continue reading Insomni’hack finals – InsomniDroid Level 1 Writeup
Insomni’hack finals – Hollywood network writeup
You have probably seen weird IP addresses such as 312.5.125.833 in many ‘hacker movies’. In this challenge, you had to connect to a fake IBM mainframe running on this strange IP stack. After the Z/OS banner, you had to get a shell with “L IMS3270”. No guessing here, it’s simply one of the three suggestions. At the READY prompt, you had a bunch of crappy commands extracted from the Swordfish movie. Only FLAG and IFCONFIG worked. FLAG expects an IP address as a parameter. Since this mainframe runs on a non-standard IP stack, you can’t simply enter your IPv4 address. So you have to take a look at the IFCONFIG output:
Continue reading Insomni’hack finals – Hollywood network writeup
Insomni’hack finals – SH1TTY writeup
This challenge wasn’t solved during the CTF, but StratumAuhuur was pretty close!
The source, binary and exploit for this challenge can be found on our github here.
Insomni’hack finals – Jurassic Sparc writeup
This task wasn’t solved during the CTF. People must hate sparc!
Find the binary, sources and exploit here!
Continue reading Insomni’hack finals – Jurassic Sparc writeup
Insomni’hack finals – smtpwn writeup
This challenge was solved by several teams during the contest, however it seems that most teams didn’t have the intended solution, so here it is 😉
The source, binary and exploit for this challenge can be found on our github here!
smtpwn was a very simple local SMTP service. Basically you write a message to its stdin, and it’ll write a file to /tmp/ with the following content:
Insomni’hack finals – CTF results
Here is the final scoreboard for Insomni’hack 2015!
Congratz to Dragon Sector for winning again this year!
Insomni’hack : teaser
Insomni’hack 2015 will take place on the 19th and 20th of March 2015 at Palexpo.
The teaser registration is now open!
You can go to https://teaser.insomnihack.ch/ and register your team!
Please follow the official web site for more details: http://insomnihack.ch
HFGL 🙂