<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title>ret2school</title>
<link>https://ret2school.github.io/</link>
<description>Recent content on ret2school</description>
<generator>Hugo -- gohugo.io</generator>
<language>en-us</language>
<lastBuildDate>Mon, 24 Jul 2023 00:00:00 +0000</lastBuildDate><atom:link href="https://ret2school.github.io/index.xml" rel="self" type="application/rss+xml" />
<item>
<title>[ImaginaryCTF 2023 - pwn] mailman</title>
<link>https://ret2school.github.io/post/mailman/</link>
<pubDate>Mon, 24 Jul 2023 00:00:00 +0000</pubDate>
<guid>https://ret2school.github.io/post/mailman/</guid>
<description>mailman mailman (423 pts) - 31 solves by Eth007
Description
I&rsquo;m sure that my post office is 100% secure! It uses some of the latest software, unlike some of the other post offices out there&hellip; Flag is in ./flag.txt.
Attachments https://imaginaryctf.org/r/PIxtO#vuln https://imaginaryctf.org/r/c9Mk8#libc.so.6
nc mailman.chal.imaginaryctf.org 1337
mailman is a heap challenge I did for the ImaginaryCTF 2023 event. It was a basic heap challenge involving tcache poisoning, safe-linking and seccomp bypass.</description>
</item>
<item>
<title>[ImaginaryCTF 2023 - pwn] window-of-opportunity</title>
<link>https://ret2school.github.io/post/iwindow/</link>
<pubDate>Mon, 24 Jul 2023 00:00:00 +0000</pubDate>
<guid>https://ret2school.github.io/post/iwindow/</guid>
<description>window-of-opportunity window-of-opportunity (490 pts) - 11 solves by Eth007
Description: Sometimes, there is a glimmer of hope, a spark of inspiration, a window of opportunity.
Attachments https://imaginaryctf.org/r/izYM0#opportunity_dist.zip
nc window-of-opportunity.chal.imaginaryctf.org 1337
window-of-opportunity is a kernel exploitation challenge I did for the ImaginaryCTF 2023. We are given an arbitrary read primitive (and a stack buffer overflow but I didn&rsquo;t use it), and the goal is basically to read the /flag.txt file.</description>
</item>
<item>
<title>[ImaginaryCTF 2023 - reverse] Sheepish</title>
<link>https://ret2school.github.io/post/sheepish/</link>
<pubDate>Mon, 24 Jul 2023 00:00:00 +0000</pubDate>
<guid>https://ret2school.github.io/post/sheepish/</guid>
<description>ImaginaryCTF 2023 - Write-Up for the challenge Sheepish (Reverse) TL;DR: Obfuscated Python code using lambda-calculus.
Description: Mary had a flagchecker, its fleece was white as snow.
Introduction We are given a Python script, consisting of a single line of ~26k characters, with lots of lambda functions. The full script is available here, see the beginning and the end of the file below.
print((((lambda _____________:((lambda ___:_____________(lambda _______:___(___)(_______)))(lambda ___:_____________(lambda _______:___(___)(_______)))))(lambda _____________:lambda ___________:lambda ______:(lambda ____:(lambda _:_(lambda __________:lambda _____:__________))(____))(___________)(lambda _:(lambda __________:lambda _____:__________))(lambda _:(lambda __________:lambda _____:__________(_____)(lambda __________:lambda _____:_____))((lambda __________:lambda _____:(lambda __________:lambda _____:__________(_____)(lambda __________:lambda _____:_____))((lambda __________:lambda _____:(lambda __________:__________(lambda _:(lambda __________:lambda _____:_____))(lambda __________:lambda _____:__________)) [.</description>
</item>
<item>
<title>[ESAIP CTF 2023 - crypto] All crypto challenges</title>
<link>https://ret2school.github.io/post/esaip_crypto/</link>
<pubDate>Fri, 02 Jun 2023 00:00:00 +0000</pubDate>
<guid>https://ret2school.github.io/post/esaip_crypto/</guid>
<description>This article contains write-ups for all cryptography challenges from ESAIP CTF 2023. All challenge files, prompts and solves are available here.
The event was nice and I had a great time competing with my friends. However, I&rsquo;d like to quickly rant before diving into the write-ups.
&lt;rant&gt;
I can&rsquo;t believe this has to be said but before giving source code, please make sure that it works. Added bonus: publish the Dockerfiles you use so players don&rsquo;t have to waste time debugging.</description>
</item>
<item>
<title>[JustCTF - crypto] Vaulted</title>
<link>https://ret2school.github.io/post/vaulted/</link>
<pubDate>Fri, 02 Jun 2023 00:00:00 +0000</pubDate>
<guid>https://ret2school.github.io/post/vaulted/</guid>
<description>Vaulted This secure multisignature application will keep our flag safe. Mind holding on to one of the backup keys?
nc vaulted.nc.jctf.pro 1337
Author: Tjaden Hess from Trail of Bits
Vaulted was an easy crypto challenge from JustCTF 2023. To be fair it wasn&rsquo;t really a crypto challenge: you&rsquo;d instantly know how to solve it if you had a bit of crypto knowledge (especially on elliptic curves and how points can be represented), but if you didn&rsquo;t, a bit of source code reading would make the solution obvious.</description>
</item>
<item>
<title>[ESAIP CTF 2023 - reverse] Dothell Revenge</title>
<link>https://ret2school.github.io/post/dothell_revenge/</link>
<pubDate>Sat, 27 May 2023 00:00:00 +0000</pubDate>
<guid>https://ret2school.github.io/post/dothell_revenge/</guid>
<description>Dothell Revenge Solves: 3
It seems that you now need a password to get some stars&hellip; But you don&rsquo;t have any. Time for some hacking!
Author: Oogle
Dothell Revenge was a hard reverse-engineering challenge from ESAIP CTF 2023. It was a modified version of Dothell, a challenge from the 2022 edition that had 0 solves. I didn&rsquo;t participate IRL last year, but I did this year, and even beat two of the best reversers I know to the first blood.</description>
</item>
<item>
<title>[Grey Cat CTF Quals 2023 - reverse] crackme1</title>
<link>https://ret2school.github.io/post/crackme1_greycat/</link>
<pubDate>Wed, 24 May 2023 00:00:00 +0000</pubDate>
<guid>https://ret2school.github.io/post/crackme1_greycat/</guid>
<description>TL;DR: A challenge with obfuscated JavaScript, with some WebGL shaders to reverse.
Description: When the correct key is entered, you will see a nice image.
When we open the webpage, we can first inspect the HTML code.
&lt;body&gt; &lt;canvas id=&#34;c&#34;&gt;&lt;/canvas&gt; &lt;div class=&#34;input-container&#34;&gt; &lt;input id=&#34;textInput&#34; type=&#34;text&#34; placeholder=&#34;Enter Key&#34;&gt; &lt;button id=&#34;submitButton&#34; class=&#34;submit-button&#34;&gt;Submit&lt;/button&gt; &lt;/div&gt; &lt;p id=&#34;flag&#34;&gt;&lt;/p&gt; &lt;script src=&#34;https://webgl2fundamentals.org/webgl/resources/webgl-utils.js&#34;&gt;&lt;/script&gt; &lt;script src=&#34;https://webgl2fundamentals.org/webgl/resources/m4.js&#34;&gt;&lt;/script&gt; &lt;script src=&#34;/app.js&#34;&gt;&lt;/script&gt; &lt;/body&gt; We can first see that there is an empty &lt;p&gt; tag with id flag, which will probably be used to display the flag when the correct key is entered.</description>
</item>
<item>
<title>[pwnme 2023 - crypto] Scream Like Viking</title>
<link>https://ret2school.github.io/post/screamlikeviking/</link>
<pubDate>Mon, 22 May 2023 00:00:00 +0000</pubDate>
<guid>https://ret2school.github.io/post/screamlikeviking/</guid>
<description>Scream Like Viking Our protagonist John is in a room, he hears some kind of noise, like something resonating. But he doesn&rsquo;t understand it&hellip; Perhaps he could play with his own echoes to guess what the meaning of this famous resonance could be&hellip;
nc 51.68.95.78 32773
Scream Like Viking
This article is a write-up for &ldquo;Scream Like Viking&rdquo;, a cryptography challenge from PwnMe 2023.
TL;DR Get pairs of (C, N) where N is recovered by taking GCD of multiple M^e - C Håstad&rsquo;s broadcast attack (CRT + e-th root) on the pairs of (C, N) Code review The following source code is given:</description>
</item>
<item>
<title>[Grey Cat CTF Quals 2023 - pwn] Write me a Book</title>
<link>https://ret2school.github.io/post/writemeabook/</link>
<pubDate>Sun, 21 May 2023 00:00:00 +0000</pubDate>
<guid>https://ret2school.github.io/post/writemeabook/</guid>
<description>Write me a book Write me a Book 349
Give back to the library! Share your thoughts and experiences!
The flag can be found in /flag
Elma
nc 34.124.157.94 12346
Write me a book is a heap challenge I did during the Grey Cat The Flag 2023 Qualifiers. You can find the tasks and the exploit here.
TL;DR To manage to read the flag we have to:
create overlapping chunks due to an oob write vulnerability in rewrite_books tcache poisoning thanks to the overlapping chunks Overwrite the first entry of @books to then be able to rewrite 4 entries of @books by setting a large size.</description>
</item>
<item>
<title>[pwnme 2023 - pwn] PwnMeIfYouKern</title>
<link>https://ret2school.github.io/post/pwn_me_if_you_kern/</link>
<pubDate>Tue, 09 May 2023 00:00:00 +0000</pubDate>
<guid>https://ret2school.github.io/post/pwn_me_if_you_kern/</guid>
<description>PwnMeIfYouKern was a linux kernel exploitation challenge from pwnme 2023.
There were no SMAP or SMEP, but KASLR was activated.
user@PwnMeIfYouKern:~$ cat /proc/cpuinfo | grep sm.p user@PwnMeIfYouKern:~$ cat /proc/cmdline console=ttyS0 loglevel=3 oops=panic panic=1 kaslr user@PwnMeIfYouKern:~$ cat /proc/sys/vm/mmap_min_addr 4096 TL;DR we manipulate elements from a linked list each element contains a buffer, its size, and a pointer to the next element of the list there is a buffer overflow, we can change the size of the buffer to leak data, and overwrite the pointer to the next element to get an arbitrary read/write break kaslr by leaking a pipe_buffer structure overwrite modprobe_path enjoy Reverse engineering Here is the write function:</description>
</item>
<item>
<title>[pwnme 2023 - pwn] chip8</title>
<link>https://ret2school.github.io/post/chip8/</link>
<pubDate>Mon, 08 May 2023 00:00:00 +0000</pubDate>
<guid>https://ret2school.github.io/post/chip8/</guid>
<description>chip8 Solves: 24 Easy
I just found a repo of a chip-8 emulator, it may be vulnerable but I didn&rsquo;t have enough time to report the vulnerability with a working PoC. You must find a way to get the flag in memory on the remote service!
Author: Express#8049
Remote service at : nc 51.254.39.184 1337
chip8 is an emulator-pwn challenge I did during the pwnme CTF. You can find the related files here.</description>
</item>
<item>
<title>[pwnme 2023 - pwn] Heap-hop</title>
<link>https://ret2school.github.io/post/heaphop/</link>
<pubDate>Sun, 07 May 2023 00:00:00 +0000</pubDate>
<guid>https://ret2school.github.io/post/heaphop/</guid>
<description>Heap-Hop Solves: 31 Medium
Heap exploitation is cool, and the best is when no free is used. &gt;Try to pwn the challenge and get the flag remotely.
Note:
You must spawn an instance to solve this challenge. You can connect to it with netcat: nc IP PORT Author: Express#8049
Remote service at : nc 51.254.39.184 1336
Heap-hop is a heap exploitation challenge I did during the pwnme CTF.</description>
</item>
<item>
<title>[pwnme 2023 - pwn] vip</title>
<link>https://ret2school.github.io/post/vip/</link>
<pubDate>Sun, 07 May 2023 00:00:00 +0000</pubDate>
<guid>https://ret2school.github.io/post/vip/</guid>
<description>VIP at libc Sooo I heard that if you were VIP, you could access some specific features! Maybe one of those features can be used to get inside their system?
INFO: This challenge needs to spawn an instance; you can connect to it with netcat: nc IP PORT
Author: Zerotistic#0001
Remote service at : nc 51.254.39.184 1335
VIP at libc is a basic stack based buffer overflow challenge.</description>
</item>
<item>
<title>[UTCTF 2023 - reverse] Welcome</title>
<link>https://ret2school.github.io/post/welcome/</link>
<pubDate>Tue, 10 Jan 2023 00:00:00 +0000</pubDate>
<guid>https://ret2school.github.io/post/welcome/</guid>
<description>UTCTF 2023: Welcome Welcome
1000
Note: while this challenge is nominally RE, there is some crypto-level/crypto-style math involved too.
Welcome to UTCTF! I made a special last minute program just for you to display a wonderful welcome message (+ flag!) I may have accidentally (okay&hellip; purposely) made a small bug in my math &gt; that makes this unsolvable(TM). Can you figure it out and fix it for me please?</description>
</item>
<item>
<title>[SECCON CTF 2022 Quals - pwn] babyfile</title>
<link>https://ret2school.github.io/post/babyfile/</link>
<pubDate>Fri, 19 Aug 2022 00:00:00 +0000</pubDate>
<guid>https://ret2school.github.io/post/babyfile/</guid>
<description>Introduction babyfile is a file stream exploitation challenge I did during the SECCON CTF 2022 Quals event. I didn’t manage to flag it within the 24 hours :(. But anyway I hope this write-up will be interesting to read given I show another way to gain code execution &ndash; I have not seen before &ndash; based on _IO_obstack_jumps! The related files can be found here. If you&rsquo;re not familiar with file stream internals, I advise you to read my previous write-ups about file stream exploitation, especially this one and this other one.</description>
</item>
<item>
<title>[corCTF 2022 - pwn] zigzag</title>
<link>https://ret2school.github.io/post/zigzag/</link>
<pubDate>Mon, 08 Aug 2022 00:00:00 +0000</pubDate>
<guid>https://ret2school.github.io/post/zigzag/</guid>
<description>Introduction zigzag is a zig heap challenge I did during the corCTF 2022 event. It was pretty exotic given we have to pwn a heap-like challenge written in zig. It is not using the C allocator but instead it uses the GeneralPurposeAllocator, which makes the challenge even more interesting. Find the tasks here.
TL; DR Understanding zig GeneralPurposeAllocator internals Hijack the BucketHeader of a given bucket to get a write-what-where / read-what-where primitive.</description>
</item>
<item>
<title>[corCTF 2022 - pwn] cshell2</title>
<link>https://ret2school.github.io/post/cshell2/</link>
<pubDate>Sun, 07 Aug 2022 00:00:00 +0000</pubDate>
<guid>https://ret2school.github.io/post/cshell2/</guid>
<description>Introduction cshell2 is a heap challenge I did during the corCTF 2022 event. It was pretty classic so I will not describe it a lot. If you are new to heap challenges, I advise you to read my previous heap write-ups.
TL; DR Fill tcache. Heap overflow in edit on the bio field which allows us to leak the address of the unsortedbin. Leak heap and defeat safe-linking to get an arbitrary write through tcache poisoning.</description>
</item>
<item>
<title>[diceCTF 2022 - pwn] catastrophe</title>
<link>https://ret2school.github.io/post/catastrophe/</link>
<pubDate>Thu, 28 Jul 2022 00:00:00 +0000</pubDate>
<guid>https://ret2school.github.io/post/catastrophe/</guid>
<description>Introduction I just learned how to use malloc and free&hellip; am I doing this right?
catastrophe is a heap challenge I did during diceCTF 2022. I had a lot of issues with the libc and the dynamic linker, so I first did the challenge with the libc that was in /lib/libc.so.6, then I figured out thanks to my teammate supersnail that I was using the wrong libc.</description>
</item>
<item>
<title>[HackTheBox Cyber Apocalypse 2022 - pwn] Once and for all</title>
<link>https://ret2school.github.io/post/onceandforall/</link>
<pubDate>Thu, 19 May 2022 00:00:00 +0000</pubDate>
<guid>https://ret2school.github.io/post/onceandforall/</guid>
<description>Once and for all is a heap challenge I did during the HackTheBox Cyber Apocalypse event. This is a classic unsorted bin attack plus an FSOP on stdin. Find the tasks and the final exploit here and here.
Reverse engineering All the snippets of pseudo-code are issued by IDA freeware:
int __cdecl main(int argc, const char **argv, const char **envp) { int v4; // [rsp+18h] [rbp-8h] BYREF int i; // [rsp+1Ch] [rbp-4h] for ( i = 0; i &lt;= 49; ++i ) { puts(s); printf(&amp;unk_1310); __isoc99_scanf(&amp;unk_13C8, &amp;v4); puts(s); switch ( v4 ) { case 1: small_alloc(s); break; case 2: fix(s); break; case 3: examine(s); break; case 4: savebig(s); break; case 5: exit(0); default: puts(&#34;[-] Invalid choice!</description>
</item>
<item>
<title>[DCTF 2022 - pwn] phonebook</title>
<link>https://ret2school.github.io/post/phonebook/</link>
<pubDate>Sun, 17 Apr 2022 00:00:00 +0000</pubDate>
<guid>https://ret2school.github.io/post/phonebook/</guid>
<description>Intro phonebook is a basic heap challenge I did during the dctf event. It&rsquo;s basically just a heap overflow which allows us to overwrite a function pointer with, for example, the address of system.
The bug $ ./phonebook Choose an option: [1-5] 1. Store someone's information 2. Edit information 3. Call someone 4. Unfriend someone 5. Add the hidden_note &gt; We can create an entity and then initialize: a name, a number and a function pointer.</description>
</item>
<item>
<title>[Breizh CTF 2022 - web] La galette à tout prix</title>
<link>https://ret2school.github.io/post/galette/</link>
<pubDate>Tue, 05 Apr 2022 00:00:00 +0000</pubDate>
<guid>https://ret2school.github.io/post/galette/</guid>
<description>We are given a JWT. It contains a field kid which is the name of the file containing the key used to sign the JWT:
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6IiciLCJ3YWxsZXQiOltdLCJraWQiOiIuL3NlY3JldC5rZXkifQ.sPF55gkdqUQqAfkeBFtQRWOZgh_4S2jaIEJz2FcUsp8 header : {&quot;typ&quot;:&quot;JWT&quot;,&quot;alg&quot;:&quot;HS256&quot;} payload : {&quot;username&quot;:&quot;'&quot;,&quot;wallet&quot;:[],&quot;kid&quot;:&quot;./secret.key&quot;} If we set kid to a file whose content we already know (such as /dev/null), we can sign any JWT.
import jwt FILENAME = &quot;/dev/null&quot; key = open(FILENAME).read(32) jwt.encode({&quot;username&quot;:&quot;Monsieur Rennes Whisky&quot;,&quot;wallet&quot;:[f&quot;2 union {sql}&quot;],&quot;kid&quot;:FILENAME}, key=key, algorithm=&quot;HS256&quot;) # it provides us a valid JWT :) We then discover that there is an SQL injection with wallet.</description>
</item>
<item>
<title>[Breizh CTF 2022 - web] Les crèmes de Mamie Loic</title>
<link>https://ret2school.github.io/post/cremes_mamie/</link>
<pubDate>Tue, 05 Apr 2022 00:00:00 +0000</pubDate>
<guid>https://ret2school.github.io/post/cremes_mamie/</guid>
<description>Les crèmes de Mamie Loic (1/2) The first challenge was an IDOR.
We have to get the basket of the user mamie, so we can just change /api/getbasket?name=YOUR_USER to /api/getbasket?name=mamie and get the flag : https://les-cremes-de-madame-loic.ctf.bzh:21000/api/getbasket?name=mamie
La recette secrete est composee de : - Lait - Un maximum de BZHCTF{m4m13_n4_p4s_4ppr1s_d3_c3s_3err3urs!!} - Caramel Il faudra aussi penser a mettre des images pour les produits et a gerer la migration de base de donnees, l'implémentation a commencé ici : /mamiesecret Pour se faire, n'oublie pas d'utiliser les identifiants suivants : - mamiemanager / sxEpnMggi8LtD1y198Iy Les crèmes de Mamie Loic (2/2) We now have the credentials for the user mamiemanager and the knowledge of the endpoint /mamiesecret.</description>
</item>
<item>
<title>[Breizh CTF 2022 - prog] PYCTHON</title>
<link>https://ret2school.github.io/post/pycthon/</link>
<pubDate>Fri, 04 Mar 2022 00:00:00 +0000</pubDate>
<guid>https://ret2school.github.io/post/pycthon/</guid>
<description>Description: We cannot recover the hidden information from this file... Author: T0fix Format: BZHCTF{} The provided file is a .pyc which contains compiled bytecode for a program written in Python.
You just have to use the uncompyle6 package with the following command: uncompyle6 -o .pycthon.cpython-38.pyc
We then obtain the Python source code:
def hoflag(): tab = [ &#39;U&#39;, &#39;n&#39;, &#39;c&#39;, &#39;0&#39;, &#39;m&#39;, &#39;p&#39;, &#39;y&#39;, &#39;l&#39;, &#39;3&#39;, &#39;d&#39;, &#39;_&#39;, &#39;P&#39;, &#39;y&#39;, &#39;t&#39;, &#39;h&#39;, &#39;0&#39;, &#39;n&#39;, &#39;_&#39;, &#39;f&#39;, &#39;1&#39;, &#39;l&#39;, &#39;E&#39;] flag = &#39;&#39;.</description>
</item>
<item>
<title>[Breizh CTF 2022 - pwn] Faible Ty Reseau</title>
<link>https://ret2school.github.io/post/ftm/</link>
<pubDate>Fri, 04 Mar 2022 00:00:00 +0000</pubDate>
<guid>https://ret2school.github.io/post/ftm/</guid>
<description>Faible Ty Réseau is a basic heap-like challenge: it allows us to create a configuration, edit it, call a function pointer on it and finally free it:
int __cdecl main(int argc, const char **argv, const char **envp) { int v4; // [rsp+4h] [rbp-Ch] BYREF unsigned __int64 v5; // [rsp+8h] [rbp-8h] v5 = __readfsqword(0x28u); while ( 1 ) { puts(aVousN); printf(a1ModifierLesPa, argv); fflush(stdout); v4 = 0; argv = &amp;v4; __isoc99_scanf(&amp;unk_21F3, &amp;v4); switch ( v4 ) { case 0: printf(&#34;wtf ?</description>
</item>
<item>
<title>[Breizh CTF 2022 - reverse] L'appli secrète du breizhCTF</title>
<link>https://ret2school.github.io/post/app-secrete-du-breizhctf/</link>
<pubDate>Fri, 04 Mar 2022 00:00:00 +0000</pubDate>
<guid>https://ret2school.github.io/post/app-secrete-du-breizhctf/</guid>
<description>Value: 131 Description: On arriving in Rennes for the BreizhCTF, you found a phone on the ground and decided to keep it. You notice that on this phone there is an app called 'SuperSecretApp'. Unfortunately, to access its contents you need the right combination of username and password. So you decided to reverse the application to find it! Author: Worty Format: BZHCTF{username-password} The file provided is an .</description>
</item>
<item>
<title>[Breizh CTF 2022- Forensic] La livraison de pizza</title>
<link>https://ret2school.github.io/post/livraison-de-pizza/</link>
<pubDate>Fri, 04 Mar 2022 00:00:00 +0000</pubDate>
<guid>https://ret2school.github.io/post/livraison-de-pizza/</guid>
<description>Value: 50 Description: A new employee is quietly working at his desk when someone shows up at his door for a 'galette-saucisse delivery'. He is new, but he figures that in Brittany, after all, this must happen. So he came to your office to ask whether you had ordered anything, but your answer is no. He comes back in a panic, telling you that his antivirus recorded unusual USB traffic. Your company's antivirus is configured to take network dumps of all traffic, even USB traffic!</description>
</item>
<item>
<title>[Breizh CTF 2022- misc] My homework... NO !</title>
<link>https://ret2school.github.io/post/my-homework...-no-/</link>
<pubDate>Fri, 04 Mar 2022 00:00:00 +0000</pubDate>
<guid>https://ret2school.github.io/post/my-homework...-no-/</guid>
<description>Description: I have to hand in my lab assignment tonight but I deleted the folder where my binaries were. Luckily it is still running, can you help me recover it? Login/Password: gaston:gaston ssh challenges.ctf.bzh:24001 Author: LaChenilleBarbue Format: BZHCTF{sha512sum(binaire)} Let&rsquo;s start by connecting to the server with the credentials we have been given and list the processes that are running:
&gt; ssh challenges.ctf.bzh -p 24001 -l gaston gaston@challenges.ctf.bzh's password: gaston@726bc5597730:~$ ps -aux USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND root 1 0.</description>
</item>
<item>
<title>[Breizh CTF 2022- reverse] Baby</title>
<link>https://ret2school.github.io/post/baby/</link>
<pubDate>Fri, 04 Mar 2022 00:00:00 +0000</pubDate>
<guid>https://ret2school.github.io/post/baby/</guid>
<description>Value: 50 Description: Reversing is still pretty damn complicated... or is it? Author: Worty Format: BZHCTF{} Like all the CTF challenges named &ldquo;Baby&rdquo;, this challenge was very simple.
You just had to open the source code in radare2 to see the flag in the clear:
&gt; r2 baby [0x00001070]&gt; aaa [Cannot find function at 0x00001070 sym. and entry0 (aa) [x] Analyze all flags starting with sym. and entry0 (aa) [x] Analyze function calls (aac) [x] Analyze len bytes of instructions for references (aar) [x] Check for objc references [x] Check for vtables [x] Type matching analysis for all functions (aaft) [x] Propagate noreturn information [x] Use -AA or aaaa to perform additional experimental analysis.</description>
</item>
<item>
<title>[Hitcon 2021 - web] Vulpixelize</title>
<link>https://ret2school.github.io/post/vulpixelize/</link>
<pubDate>Sun, 02 Jan 2022 00:00:00 +0000</pubDate>
<guid>https://ret2school.github.io/post/vulpixelize/</guid>
<description>HITCON 2021 - Vulpixelize (232 points) My solution for this challenge is maybe unintended and not very technical, but it works :)
We can send a URL that the bot will visit.
It then takes a screenshot of the page, blurs it and returns the result:
@app.route(&#39;/submit&#39;, methods=[&#39;GET&#39;]) def submit(): path = &#39;static/images/%s.png&#39; % uuid.uuid4().hex url = request.args.get(&#39;url&#39;) if url: # secrity check if not url.startswith(&#39;http://&#39;) and not url.</description>
</item>
<item>
<title>[TRACS 2021 - RE] Coffre</title>
<link>https://ret2school.github.io/post/safe/</link>
<pubDate>Sun, 05 Dec 2021 00:00:00 +0000</pubDate>
<guid>https://ret2school.github.io/post/safe/</guid>
<description>Intro Challenge 12-3 – Safe As an intern you have access to the NSB premises. You will collect information on the premises. A safe is present on the premises, in the curtain room. It belongs to Richard Cresus de la Tune. Try to open this safe. What is the IBAN contained in the safe? Answer format: IBAN without separators.
Basically, we have to crack open an electronic safe.</description>
</item>
<item>
<title>[CyberSecurityRumble 2021 - RE / Forensics] The Compromise</title>
<link>https://ret2school.github.io/post/compromise/</link>
<pubDate>Mon, 29 Nov 2021 00:00:00 +0000</pubDate>
<guid>https://ret2school.github.io/post/compromise/</guid>
<description>The Compromise (300 pts) The SOC team of the BrighSoul QPL (Quantum Physic Labs) is continuously monitoring HTTP proxy and DNS outbound traffic and has identified suspicious DNS traffic to the authoritative server (NS) for the domain thedarkestside.org.
Upon investigation, they presume that an internal Windows workstation has been compromised with a Cobalt Strike beacon running as the executable named ntupdate.exe. The workstation belongs to the R&amp;D team and they are suspicious that files containing critical Intellectual Property information have been exfiltrated.</description>
</item>
<item>
<title>[CyberSecurityRumble 2021 - RE / Game Hacking] CSRunner</title>
<link>https://ret2school.github.io/post/csrunner/</link>
<pubDate>Mon, 29 Nov 2021 00:00:00 +0000</pubDate>
<guid>https://ret2school.github.io/post/csrunner/</guid>
<description>Collect green stuff, avoid red guys. Easy as pie, right? Not even your speedhacks will help you here! You might have to take a closer look and inspect it carefully. Have fun &amp; good luck!
This challenge is a game, according to its description. Since I gave up on the challenge I was trying to do (NOdeBANKing), I went to help other teammates blocked on this challenge.
This game was using Unity3D as its engine, where game logic is usually written in C# or another language that compiles to MSIL.</description>
</item>
<item>
<title>[Hack.lu 2021 - pwn] Cloudinspect</title>
<link>https://ret2school.github.io/post/cloudinspect/</link>
<pubDate>Sun, 07 Nov 2021 00:00:00 +0000</pubDate>
<guid>https://ret2school.github.io/post/cloudinspect/</guid>
<description>CloudInspect CloudInspect was a hypervisor exploitation challenge I did for the Hack.lu event. I didn&rsquo;t manage to flag it within the 48 hours :(. But anyway I hope this write-up will be interesting to read! The related files can be found right here
After Whiterock released its trading bot cloud with special Stonks Sockets another hedge fund, Castel, comes with some competition. The special feature here is called &ldquo;cloudinspect&rdquo;.</description>
</item>
<item>
<title>[ASIS CTF QUALS 2021 - pwn] abbr & justpwnit</title>
<link>https://ret2school.github.io/post/pwnasis/</link>
<pubDate>Sun, 24 Oct 2021 00:00:00 +0000</pubDate>
<guid>https://ret2school.github.io/post/pwnasis/</guid>
<description>Hello folks! Here is a write-up for the first two pwn challenges of the ASIS CTF. You can find the related files here.
justpwnit justpwnit was a warmup pwn challenge. That&rsquo;s only a basic stack overflow. The binary is statically linked and here is checksec&rsquo;s output:
[*] '/home/nasm/justpwnit' Arch: amd64-64-little RELRO: Partial RELRO Stack: No canary found NX: NX enabled PIE: No PIE (0x400000) Moreover the source code is provided, as it is the case for all the pwn tasks!</description>
</item>
<item>
<title>[DownUnderCTF 2021 - pwn] DUCTFnote</title>
<link>https://ret2school.github.io/post/ductf_note/</link>
<pubDate>Thu, 30 Sep 2021 00:00:00 +0000</pubDate>
<guid>https://ret2school.github.io/post/ductf_note/</guid>
<description>DownUnderCTF - DUCTFnote (471 points) DUCTFnote was a heap exploitation challenge.
The main difficulty was that we could only have one active note at a time, so if we create a new note, the old one is no longer accessible.
Source code analysis I spotted one bug in the source code which leads to another bug:
void edit_note(datanote_t * note) { if(!note) { printf(&#34;No Note.\n&#34;); return; } signed char idx = 0; while(idx &lt;= note-&gt;size) { // note-&gt;size can take values from 0 to 127 (0x7f) *(&amp;(note-&gt;data)+idx) = fgetc(stdin); if (*(&amp;(note-&gt;data)+idx) == &#39;\n&#39;) {*(&amp;(note-&gt;data)+idx) = &#39;\0&#39;; break;} idx++; } } In the function edit_note the condition of the while loop is incorrect and the loop is executed once too often: while(idx &lt;= note-&gt;size) should have been while(idx &lt; note-&gt;size).</description>
</item>
<item>
<title>[FCSC 2021 - misc] Privesc Me (2) - "ALED" - Your randomness checker</title>
<link>https://ret2school.github.io/post/privesc_two/</link>
<pubDate>Mon, 03 May 2021 00:00:00 +0000</pubDate>
<guid>https://ret2school.github.io/post/privesc_two/</guid>
<description>Privesc Me (2) - &ldquo;ALED&rdquo; - Your randomness checker (misc - 194 pts) The team&rsquo;s latest intern has churned out a new program to test the robustness of the authentication keys our system administrator uses. His tool is available in the stage1 folder. The boss sighed in annoyance on seeing the code.
I found this one pretty fun and I think it was my favorite along with &ldquo;It&rsquo;s mipsy router&rdquo;.</description>
</item>
<item>
<title>[FCSC 2021 - pwn] Blind Date</title>
<link>https://ret2school.github.io/post/blindate/</link>
<pubDate>Mon, 03 May 2021 00:00:00 +0000</pubDate>
<guid>https://ret2school.github.io/post/blindate/</guid>
<description>Blind Date (489 pts) A company wants to create an online service that protects its customers&rsquo; information. Can you show them that it is not secure by reading the flag.txt file on their server? The company&rsquo;s managers did not want to give you either the source code of their solution or the compiled binary; they only offer you remote access to their service.
nc challenges2.</description>
</item>
<item>
<title>[FCSC 2021 - pwn] cheapie</title>
<link>https://ret2school.github.io/post/cheapie/</link>
<pubDate>Mon, 03 May 2021 00:00:00 +0000</pubDate>
<guid>https://ret2school.github.io/post/cheapie/</guid>
<description>Cheapie (pwn - 198 pts) Are you familiar with the heap?
Yay a heap challenge !
Setup The given libc didn&rsquo;t have any symbols and no loader was provided, so I ran pwninit to retrieve a libc with symbols and a loader. What I didn&rsquo;t realise until writing this is that pwninit gave me a different libc, which changed the final part of the exploit: getting a shell!</description>
</item>
<item>
<title>[FCSC 2021 - pwn] Itsy Mipsy router</title>
<link>https://ret2school.github.io/post/mipsy/</link>
<pubDate>Mon, 03 May 2021 00:00:00 +0000</pubDate>
<guid>https://ret2school.github.io/post/mipsy/</guid>
<description>Itsy Mipsy Router (200 pts) Itsy Mipsy Router is a pwn challenge I did during the FCSC event. It&rsquo;s not a very hard challenge, but I found it very interesting because it was my first MIPS pwn challenge!
Setup So basically we got this:
You are asked to audit a router sitting at the boundary between the Internet and a company&rsquo;s internal network. The client asks whether it is possible to read the files stored on the filer machine, which serves as an HTTP file server.</description>
</item>
<item>
<title>[FCSC 2021 - pwn] reporter</title>
<link>https://ret2school.github.io/post/reporter/</link>
<pubDate>Mon, 03 May 2021 00:00:00 +0000</pubDate>
<guid>https://ret2school.github.io/post/reporter/</guid>
<description>Reporter (pwn - 499 pts) You arrive at a new company that uses an in-house browser. Can you get a shell on the machine of the person who checks the links they are sent? http://challenges2.france-cybersecurity-challenge.fr:4009/
Testing the water As soon as I saw this description, I got hyped. &ldquo;Cool, a browser exploit!&rdquo; I thought. &ldquo;It&rsquo;s the perfect occasion to learn more about WebKit and JavaScriptCore&rdquo;&hellip; What a fool.</description>
</item>
<item>
<title>[HeroCTF v3 - RE] ARMada, JNI, Password Keeper, RustInPeace, WTF, fatBoy</title>
<link>https://ret2school.github.io/post/heroctfv3/</link>
<pubDate>Thu, 29 Apr 2021 00:00:00 +0000</pubDate>
<guid>https://ret2school.github.io/post/heroctfv3/</guid>
<description>HeroCTF v3 The files can be found here
Here is a Write-Up of some RE tasks solved by supersnail.
sELF control (75 pts) I found a program to read the flag but it seems to be broken&hellip; Could you help me patch two bytes to make it functional?
Challenge : nc chall0.heroctf.fr 2048
Format : Hero{}
Author : SoEasY
The binary given is an ELF File, but IDA detects it as &ldquo;IA64&rdquo; ELF.</description>
</item>
<item>
<title>[Midnight Sun CTF 2021 - Crypto] frank</title>
<link>https://ret2school.github.io/post/writeuprsa/</link>
<pubDate>Sun, 11 Apr 2021 00:00:00 +0000</pubDate>
<guid>https://ret2school.github.io/post/writeuprsa/</guid>
<description>Welcome folks,
This write-up is about the Midnight Sun CTF frank challenge, on how to recover a full RSA private key when half of it is erased. Thanks to this recent cryptohack write-up, from which this challenge is (for me) inspired. The challenge therefore requires recovering the entire RSA key from this image:
Get the visible part of the private key: The first step of the challenge is to recover the visible part; to do this I quickly created a small OCR script with the pytesseract module in Python to facilitate the recovery task.</description>
</item>
<item>
<title>[Midnight Sun CTF 2021 - RE] Labyrevnt</title>
<link>https://ret2school.github.io/post/wu_labyrevnt/</link>
<pubDate>Sun, 11 Apr 2021 00:00:00 +0000</pubDate>
<guid>https://ret2school.github.io/post/wu_labyrevnt/</guid>
<description>You can find the files here.
We used the proximity browser in IDA with the &ldquo;Add node -&gt; Find path&rdquo; mini-trick to get the path between the main and walk_end functions. Once all the function names in the path were dumped, in the same order as in IDA, into functions.txt, we just had to tell angr to discard (avoid) every state whose callstack differs from the path linking main and walk_end.</description>
</item>
<item>
<title>[Securinets CTF 2021 - RE] RUN! & YAY!</title>
<link>https://ret2school.github.io/post/rev_securinets/</link>
<pubDate>Tue, 23 Mar 2021 00:00:00 +0000</pubDate>
<guid>https://ret2school.github.io/post/rev_securinets/</guid>
<description>RUN! (930 pts) This challenge was a keygenme for Windows (64-bit PE), and like all keygenmes you had to understand the algorithm and write a keygen for it.
The algorithm was &ldquo;simple&rdquo;: you just had to deal with the C++ overhead of std::string, and it was basically:
The program takes the username and computes the sum of each char of the username (with some SSE2 wizardry)
This sum is then given as the seed to srand()
The user serial is split into 2-char blocks, and each block is decoded as a hex string and the integer is added to an array
The program then searches for the highest value in the decoded serial array and allocates an int array of this size
The array is filled with rand() values mod 13371337
A valid serial is a sequence of indexes into the random array whose sum equals 0xbcdb6 mod 1337
So, the tricky part was to generate this sequence of indexes.</description>
</item>
<item>
<title>[DaVinciCTF 2021 - pwn] Quotebook</title>
<link>https://ret2school.github.io/post/dvctf_quotebook/</link>
<pubDate>Mon, 15 Mar 2021 00:00:00 +0000</pubDate>
<guid>https://ret2school.github.io/post/dvctf_quotebook/</guid>
<description>Da Vinci CTF 2021 - Quotebook (499 pts) The subject of this task was:
I created this amazing service to store all my famous quotes. Can you get the flag?
nc challs.dvc.tf 2222
We are given the binary, its source code and the libc used on the server. We&rsquo;ll need to find a vuln in the binary to get a shell and grab a flag from the server (typical pwn task).</description>
</item>
<item>
<title>[BTSCTF 2021 - RE] BtS emulator</title>
<link>https://ret2school.github.io/post/wu_emulator/</link>
<pubDate>Fri, 12 Mar 2021 00:00:00 +0000</pubDate>
<guid>https://ret2school.github.io/post/wu_emulator/</guid>
<description>The files can be found here.
Hi, I&rsquo;m r0da.
Recently I did a CTF called BTSCTF, with a challenge called BtS emulator. As I&rsquo;m still working on VMP virtualization currently, I&rsquo;m kind of good with VM stuff.
First I noticed that the binary has all its symbols in it, so it&rsquo;s easier to reverse. Then I saw that the dispatcher routine seems pretty clean.
We found the opcode related to it:</description>
</item>
<item>
<title>[AeroCTF 2021 - web] Localization is hard</title>
<link>https://ret2school.github.io/post/localization_is_hard_wu/</link>
<pubDate>Tue, 02 Mar 2021 00:00:00 +0000</pubDate>
<guid>https://ret2school.github.io/post/localization_is_hard_wu/</guid>
<description>Localization is hard 0x00 To solve this challenge we had to exploit an SSTI in Thymeleaf and turn it into Remote Code Execution
0x01 Discovering the vulnerability The challenge description talks about a Coffee made for CTFers, in English and in Russian.
Btw, the challenge description tells us that the flag should be located at / on the file system; this may mean that we have to get access to the machine to read the flag.</description>
</item>
<item>
<title>[AeroCTF 2021 - RE] BashD00r</title>
<link>https://ret2school.github.io/post/bashd00r/</link>
<pubDate>Sun, 28 Feb 2021 00:00:00 +0000</pubDate>
<guid>https://ret2school.github.io/post/bashd00r/</guid>
<description>Aero CTF 2021 - BashD00r (500 pts) This is the second challenge I was able to solve, and the hardest one. The task is below:
There seems to be something wrong with our bash.
Can you see if anyone has entered the backdoor?
bash.7z
So we are given an archive, which contains a &ldquo;bash&rdquo; binary. This binary was backdoored, so we need to find the backdoor to get the flag.</description>
</item>
<item>
<title>[AeroCTF 2021 - RE] dummyper</title>
<link>https://ret2school.github.io/post/dummyper/</link>
<pubDate>Sun, 28 Feb 2021 00:00:00 +0000</pubDate>
<guid>https://ret2school.github.io/post/dummyper/</guid>
<description>Aero CTF 2021 - Dummyper (454 pts) This is the first challenge I did. The challenge&rsquo;s task was:
This stupid program has encrypted our flag.
We only have a dump left.
With a mysterious &ldquo;dump.7z&rdquo; that contains a &ldquo;dump&rdquo; file. This file is an ELF binary, so we load it in IDA.
Overview IDA complains about a broken section table, but still succeeds in loading the binary. We get the classic glibc __libc_start_main, and the &ldquo;main&rdquo; function, which looks like this:</description>
</item>
<item>
<title>[UnionCTF 2021 - web] Cr0wnAir</title>
<link>https://ret2school.github.io/post/writeup_cr0wnair/</link>
<pubDate>Wed, 24 Feb 2021 00:00:00 +0000</pubDate>
<guid>https://ret2school.github.io/post/writeup_cr0wnair/</guid>
<description>The challenge can be found right here.
UnionCTF - Cr0wnAir To solve this challenge, we had to exploit a vulnerability in jpv which allows us to bypass the regex validation in order to get a JWT. Then, we were able to change the algorithm from RS256 to HS256 and forge a new JWT with the public key, a key that we were able to retrieve thanks to a weak e.</description>
</item>
<item>
<title>[UnionCTF 2021 - RE] Unionware</title>
<link>https://ret2school.github.io/post/unionware/</link>
<pubDate>Mon, 22 Feb 2021 00:00:00 +0000</pubDate>
<guid>https://ret2school.github.io/post/unionware/</guid>
<description>UnionCTF - Unionware This challenge gives us two files: a &ldquo;unionware.ps1&rdquo; and an &ldquo;important_homework.txt.unionware&rdquo; containing seemingly random bytes. The challenge tells us that a ransomware encrypted the important homework and asks us to decrypt it.
Analyzing the Powershell While looking at the PowerShell script, we can see an obfuscated PowerShell command, which seems to split some random string and then evaluate it. So, we&rsquo;ll just run the part of the script which deobfuscates the payload without executing it, which gives us:</description>
</item>
<item>
<title>[UnionCTF 2021 - pwn] babyrarf</title>
<link>https://ret2school.github.io/post/babyrarf/</link>
<pubDate>Sun, 21 Feb 2021 00:00:00 +0000</pubDate>
<guid>https://ret2school.github.io/post/babyrarf/</guid>
<description>The binary can be found right here.
[UnionCTF] Babyrarf Welcome guys,
This Write-Up is about the first pwn challenge of UnionCTF: babyrarf. It was a really easy challenge with a stack-based buffer overflow. The source code was provided, so no need to reverse the binary :).
Let&rsquo;s take a look at the src!
#include &lt;stdio.h&gt;
#include &lt;stdlib.h&gt;
#include &lt;stdint.h&gt;
#include &lt;unistd.h&gt;

typedef struct attack {
    uint64_t id;
    uint64_t dmg;
} attack;

typedef struct character {
    char name[10];
    int health;
} character;

uint8_t score;

int read_int(){
    char buf[10];
    fgets(buf, 10, stdin);
    return atoi(buf);
}

void get_shell(){
    execve(&#34;/bin/sh&#34;, NULL, NULL);
}

attack choose_attack(){
    attack a;
    int id;
    puts(&#34;Choose an attack:\n&#34;);
    puts(&#34;1.</description>
</item>
<item>
<title>[Hitcon CTF 2020 - forensic] AC1750</title>
<link>https://ret2school.github.io/post/forensic/</link>
<pubDate>Tue, 01 Dec 2020 00:00:00 +0000</pubDate>
<guid>https://ret2school.github.io/post/forensic/</guid>
<description>Hello world,
This write-up is about the AC1750 challenge from HITCON CTF. It&rsquo;s a forensic challenge, where we need to analyze packets captured with Wireshark to find out what an attacker is doing on the network.
First, we need to analyze the intercepted traffic with Wireshark. We see a lot of HTTP packets, and some contain &ldquo;Archer&rdquo; references. We can also see weird UDP packets on port 20002.
After some google-fu on port 20002, we come across this, and we can see there is a CVE targeting TP-Link Archer devices.</description>
</item>
<item>
<title>[AeroCTF 2020 - RE] go away</title>
<link>https://ret2school.github.io/post/aero_ctf_2020/</link>
<pubDate>Thu, 26 Nov 2020 00:00:00 +0000</pubDate>
<guid>https://ret2school.github.io/post/aero_ctf_2020/</guid>
<description>Hello world,
This write-up concerns the most difficult challenge I did during the CTF (it kept me busy for a few hours). At first glance, we have an &ldquo;obfuscated&rdquo; binary which makes system calls to mmap and mprotect: we immediately think of a packer, so we will have to unpack it.
Unpacking crackme Unpacking is not a problem on Linux when you are used to malware packers on Windows, thanks to radare2 and its visual mode.</description>
</item>
<item>
<title>[AeroCTF 2020 - RE] 1000 and 1 night</title>
<link>https://ret2school.github.io/post/1000_and_1_night/</link>
<pubDate>Wed, 25 Nov 2020 00:00:00 +0000</pubDate>
<guid>https://ret2school.github.io/post/1000_and_1_night/</guid>
<description>Author: supersnail
Files can be found here
For this challenge, we get an archive with a lot of files, the names of which seem to be hashes. Each file is an ELF x86_64 program. In addition, a server listens and, on connection, requests:
Enter valid token to binary with name &lt;8c235f89a8143a28a1d6067e959dd858&gt; Token:
We therefore understand quickly enough that we will have to automate the reversing of all these ELFs to send the correct token back to the server, and thus get the flag, the server requesting a series of tokens before spitting out the flag.</description>
</item>
<item>
<title>[UTCTF 2020 - RE] Crack the heart</title>
<link>https://ret2school.github.io/post/crack_the_heart/</link>
<pubDate>Wed, 25 Nov 2020 00:00:00 +0000</pubDate>
<guid>https://ret2school.github.io/post/crack_the_heart/</guid>
<description>Author: supersnail
For this challenge, I first noticed (like in every other write-up) a big structure of offsets that pointed to &ldquo;funclets&rdquo;, followed by jumps with rcx-relative offsets.
The relative jump function:
The first funclet just checks whether the process is being debugged; the &ldquo;load_r9&rdquo; funclet jumps to the next funclet after skipping &ldquo;n&rdquo; bytes of garbage. Then the crackme calls a funclet &ldquo;write_message&rdquo; with the parameters (offset to &ldquo;Why should I go out with you?</description>
</item>
<item>
<title>[CSAW CTF 2020 - RE] Cuba</title>
<link>https://ret2school.github.io/post/cuba/</link>
<pubDate>Sun, 13 Sep 2020 00:00:00 +0000</pubDate>
<guid>https://ret2school.github.io/post/cuba/</guid>
<description>Hi
This is my write-up for the challenge Cuba of CSAW CTF 2020:
So this challenge is a CUDA program wrapped in a Windows executable. CUDA is a GPU language created by NVIDIA to work with GPUs using a high-performance language.
https://docs.nvidia.com/cuda/cuda-c-programming-guide/index.html
Luckily there is a public SDK for it, with a disassembler:
https://docs.nvidia.com/cuda/cuda-binary-utilities/index.html
Using a tool called cuobjdump, we can extract the assembly code:
To extract ptx text from a host binary, use the following command:
cuobjdump -ptx &lt;host binary&gt;
And after reversing the output, we can see that it&rsquo;s a simple xor looping through a ciphered flag</description>
</item>
<item>
<title>Team introduction</title>
<link>https://ret2school.github.io/post/list_team/</link>
<pubDate>Tue, 25 Feb 2020 00:00:00 +0000</pubDate>
<guid>https://ret2school.github.io/post/list_team/</guid>
<description>Background The r2s (ret2school) team was created in 2020 by French CTF players from the REsearch discord server. We do CTFs for fun and to learn new things. If you’re looking for a CTF team, we’re fully open.
Members The team is composed of:
nasm (19 yo, interested in RE/pwn)
supersnail (chad reverser)
Zeynn (20 yo, web/reverse/crypto)
x. (the Guesser, the carry-er)
Tek
0xPierre
r0da (RE stuff)
op (pwn/RE, a little bit of everything :)
look
Ast4te</description>
</item>
</channel>
</rss>