In this post I describe a detailed solution to my “winworld” challenge from Insomni’hack CTF Teaser 2017. winworld was a x64 windows binary coded in C++11 and with most of Windows 10 built-in protections enabled, notably AppContainer (through the awesome AppJailLauncher), Control Flow Guard and the recent mitigation policies.Continue reading Exploiting a misused C++ shared pointer on Windows 10
Insomni’hack finals – InsomniDroid Level 1 Writeup
The challenge was delivered as a zip file (InsomniDroid.zip). The first challenge was perhaps to download it (with its 602.5 MiB). The zip file contains a single file: mmcblk0.dd. A file command gives some information:Continue reading Insomni’hack finals – InsomniDroid Level 1 Writeup
Insomni’hack finals – Hollywood network writeup
You probably saw on many ‘hackers movies’ weird IP address such a 3220.127.116.113. On this challenge, you had to connect on a fake IBM mainframe running on this strange IP stack. After the Z/OS banner, you had to get a shell with “L IMS3270”. No guessing here, it’s simply one of the three suggestions. On the READY prompt, you had a bunch of crappy commands extracted from the Swordfish movie. Only FLAG, IFCONFIG worked. FLAG expects an IP address as parameter. Since this mainframe runs on a non-standard IP stack, you can’t simply enter your IPv4 address. So you have to get a look at the IFCONFIG output:Continue reading Insomni’hack finals – Hollywood network writeup
Insomni’hack finals – SH1TTY writeup
This challenge wasn’t solved during the CTF, but StratumAuhuur was pretty close!
The source, binary and exploit for this challenge can be found on our github here.
Insomni’hack finals – Jurassic Sparc writeup
This task wasn’t solved during the CTF. People must hate sparc!
Find the binary, sources and exploit here!Continue reading Insomni’hack finals – Jurassic Sparc writeup
Insomni’hack finals – smtpwn writeup
This challenge was solved by several teams during the contest, however it seems that most teams didn’t have the intended solution, so here it is 😉
The source, binary and exploit for this challenge can be found on our github here!
smtpwn was a very simple local SMTP service. Basically you write a message to its
stdin, and it’ll write a file to
/tmp/ with the following content: