Challenge description
I did not solve it in time (30 minutes late T.T). However, I spent quite a lot of time on this challenge, so I might as well do a write-up for future me. Special thanks to Mystiz and cire meat pop for helping me on this challenge.
Reverse engineering
The provided binary connects to a remote authentication server, which provides the user/password.
The original authentication server is hosted on 139.162.36.205 6666 and gives the following response when connected.
root:$6$tet$.84DBkpbpZEcXF.WKDJJDSStwXYJir3.WSKOma1e5N20d4SDpbMPLryTcZaB7buisGAsT2GW1bdad74Hh3Ply0:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
Challenge description
The challenge provides a web application with its source code. When you access the site URL, the site returns a list of users.
Source code
Let us take a look at what this application does, based on the provided source code.
The following is the API used to retrieve users from the database.
@app.route('/api/data')
def data():
Challenge description
This is a subsequent challenge based on UAF. It has been covered here.
Let us see what the differences between UAF and UAF2 are.
diff zoo.c ../uaf_14a0a6f911cd2fa4cb75e3896153ec4b/zoo.c
5a6
> #define MAX_NAME_SIZE 0x40
29a31,34
> void get_shell() {
Challenge description
It is my first time actually solving heap challenges so I think it is worthwhile to do a write-up before I forget everything like I always do.
As the challenge name implies, the challenge was about exploiting a use-after-free vulnerability to achieve code execution.
You can check out the descriptions provided here by the challenge author, which cover most of the information you need to solve the challenge.
Let us establish some facts about the challenge binary and the libc version.