CSAW Red 19 Tumbler

I was one of the two teams that solved Tumbler from CSAW Red.

Problem

Pwn 500

No way that cryptocurrency is a scam, that would NEVER happen

nc pwn.chal.csaw.io 1000

Analysis

The libc provided was 2.23.

$ strings libc.so.6 | grep GNU
GNU C Library (Ubuntu GLIBC 2.23-0ubuntu10) stable release version 2.23, by Roland McGrath et al.
Compiled by GNU CC version 5.4.0 20160609.
        GNU Libidn by Simon Josefsson

Decompiling the binary, it is immediately apparent that we have an arbitrary write primitive in one of the functions called later in the program.

void arb_write(void)
{
  void *__buf;

  puts("Which coin do you want to edit?");
  __buf = (void *)get_number();   /* user-supplied number used directly as a pointer */
  puts("What are you writing?");
  read(0,__buf,0x100);            /* up to 0x100 user bytes written to that address */
  return;
}

Continue Reading »

Seating Charts

Creating a seating chart for a class is an extremely interesting problem that delves into the realms of both web design and competitive programming.

Overview

There are two questions I attempted to answer.

  1. How to create an easy-to-use interface that minimizes the cognitive load on the user
  2. How to best create the seating chart, given a list of preferences for each student

Continue Reading »

Java Tricks

Honestly, you should switch to C++. But if you insist on using Java, here are some cool tricks.

Memory

Memory allocation is extremely cheap (~1e6 bytes per 1 ms) compared to everything else, so don't be afraid to allocate huge arrays. That being said, be careful you don't hit an MLE (memory limit exceeded).

Be careful about the order of the dimensions in 2D arrays.

Continue Reading »

Secret Hitler 0day

This is a zero-day I discovered in the open-source Secret Hitler game.

By submitting crafted parameters to the /password-reset endpoint, attackers are able to take over arbitrary non-staff accounts.

This vulnerability can be mitigated by disabling JSON parsing.

We control all of the parameters passed through req.body.

const { username, password, password2, tok } = req.body;

Continue Reading »

Secret Hitler Vulns

Two low-to-moderate vulnerabilities in the open-source Secret Hitler game. Note that a lot of the vulnerabilities are due to the use of JSON parsing, which allows attackers to submit arbitrary objects to the endpoints.

Obfuscated IP Leakage

The check in the /profile endpoint is unnecessarily complex, and forgets an edge case.

if (req && req.user && requestingUser && requestingUser !== 'undefined' && req.user.username && requestingUser !== req.user.username) {
  // Error 
}

Continue Reading »