
DEFCON Capture the Flag Qualification Challenge #1 - drjohnson
http://www.endgame.com/blog/defcon-capture-the-flag-qualification-challenge-1.html
======
jmgrosen
This is probably the easier way of solving the challenge; indeed, this is
exactly how my team did it. However, there's a somewhat more interesting
solution, exploiting a badly implemented doubly-linked list:
[https://blog.skullsecurity.org/2014/defcon-quals-writeup-for...](https://blog.skullsecurity.org/2014/defcon-quals-writeup-for-shitsco-use-after-free-vuln)

------
gear54rus
Good God. Whenever I read these, I always get chills down my spine. Part of me
wants to do the same, get better at it (I know tiny parts of many things
including what is discussed here but not even remotely close to the author),
the other one just wonders how one gets so good as to perform all this by
themselves. Reverse engineering is beautiful :)

~~~
nutate
He gave us a bit of a run-through presentation of his tactics for the latest
shmoocon CTF. It seemed like it was a combination of time, skill, more time,
patience... and skill? The world of reversing is so beyond my ken, but I love
having people around who know how to do it.

When I asked how to get started, he suggested I just jump into a CTF and try.

[edit] I work at endgame (see my other comment), we're hiring, etc. etc.

~~~
demallien
Http://crackmes.de They have lots of challenges, with difficulty levels going
from 1-10, and each challenge has an annotated solution explaining how to
crack the program.

------
NamTaf
This stuff is like crack to me. I love these sort of explanations. I have
absolutely no ability to do any of it and can only kind of follow it, but it's
so fascinating to read about.

------
nutate
Anyone who's interested we (Endgame) are hiring. Check the careers page and
get in touch. I'm on the data science team, but we have a variety of openings
in DC and SF.

------
chigley
> Therefore, if we are copying into s2 and we only leak data after the 4th
> character, we can assume that by default in the uninitialized stack there is
> a null at s23.

I'm very inexperienced with reverse-engineering, and haven't finished the
article yet, but is "s23" here a typo? I can't find any other reference to it
in the article, and it doesn't make sense to me. Should it be "s2"? Thanks

~~~
shadesandcolour
It might be a slight typo, but I think that s23 is referring to the 3rd index
in s2. Since the 4th character (or index 3 in a 0-index string), is the one
that is causing the leak, this must be where the null character is.

~~~
chigley
That makes perfect sense, thank you!

------
dhon_
> We can see that the bit in bold here was 0x0100 as var_14.

Should that be "0x01"?

_Edit_

> The null after the 0x1 is implied

Oh I see, strncpy stopped when it hit the (implied) null (0x00) character

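The two points raised above (a stray null sitting at index 3 of an uninitialized buffer, and strncpy stopping at a null in its source) both come down to how strncpy treats its length argument and whatever bytes already sit in the destination. The following is an added illustration written for this thread, not code from the article or the challenge binary: it fills a buffer with constructed "stale stack" bytes that happen to contain a zero at index 3, copies into it with strncpy, and reports how far a strlen-style reader would run, with and without initialising the buffer first.

```c
#include <stddef.h>
#include <string.h>

#define BUF_LEN 16

/* Stand-in for stale stack contents (constructed data): non-zero filler
 * with a single 0 at index 3, mirroring the "null at s2[3]" discussed above. */
static void fill_stale(unsigned char *buf, size_t len) {
    for (size_t i = 0; i < len; i++)
        buf[i] = (i == 3) ? 0 : (unsigned char)(0xA0 + i);
}

/* Copy src into such a buffer with strncpy(dst, src, n) and return how many
 * bytes a strlen()-style reader sees afterwards. strncpy writes exactly n
 * bytes: NUL padding only if src is shorter than n, and no terminator at all
 * if it is not. A guard byte after the buffer keeps the read bounded here. */
size_t visible_len_after_strncpy(const char *src, size_t n, int init_first) {
    unsigned char buf[BUF_LEN + 1];
    fill_stale(buf, BUF_LEN);
    buf[BUF_LEN] = 0;                   /* guard terminator for the demo */
    if (init_first)
        memset(buf, 0, BUF_LEN);        /* mitigation: initialise before use */
    if (n > BUF_LEN)
        n = BUF_LEN;
    strncpy((char *)buf, src, n);
    return strlen((const char *)buf);
}

/* Stale bytes exposed past what was actually copied (0 when none). */
size_t leaked_bytes(const char *src, size_t n, int init_first) {
    size_t seen = visible_len_after_strncpy(src, n, init_first);
    size_t copied = strlen(src) < n ? strlen(src) : n;
    return seen > copied ? seen - copied : 0;
}
```

With three characters the pre-existing zero at index 3 terminates the string, with four it is overwritten and the reader runs on into stale bytes, and either zero-initialising the buffer or passing the full buffer size as n (so strncpy pads) removes the leak.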
------
Kiro
I love the concept of CTFs but as a web developer (JS/PHP) this is like Greek
to me. I presume you need to be a hardcore low-level security hacker to even
consider doing CTFs.

~~~
laichzeit0
I'm not a low-level security hacker but I've created and debugged enough C
code in my career to follow exactly what is going on here.

I don't know if I would have been able to derive this solution on my own
though, that's where the creativity comes in. However, I'm guessing these CTF
challenges are usually kind of "similar" in the same way that ACM programming
challenges are. If you do these sort of challenges often enough it should
become easier.

