about me: security r&d; ctf player w/ valgrind; vuln research
2024 0xL4ugh CTF - Ada Indonesia Coy 🇮🇩
Introduction
This writeup covers the “Ada Indonesia Coy” challenge from the 0xL4ugh CTF 2024. The challenge presents an Electron application with multiple security vulnerabilities that can be chained together to achieve Remote Code Execution (RCE). The exploit path demonstrates several advanced techniques including DOM clobbering, prototype pollution via IPC, and Electron’s webpack module interception.
Challenge Setup and Configuration
The Electron application is configured with the following critical security settings in the BrowserWindow initialization:
Decompiling WASM
The Problem
Have you ever looked at WASM code decompiled with wasm2c from the wabt toolkit and thought, “there has to be a better way”?
While WASM’s instruction set keeps things simple (except for those vectors and floating-point numbers!), the stack machine design can sometimes lead to less-than-optimal code after decompilation.
Take a look at this code snippet (taken from the revsite2 challenge, LITCTF 2024):
    static void w2c_visit_ad(Z_revsite2_instance_t* instance) {
        // [SNIP]
        FUNC_PROLOGUE;
        /* push rbp */
        /* mov rbp, rsp */
        u32 w2c_i0, w2c_i1, w2c_i2;
        u64 w2c_j0, w2c_j1;
        w2c_i0 = instance->w2c_g0;
        w2c_l0 = w2c_i0;
        /* sub rsp, N */
        w2c_i0 = 2048u;
        w2c_l1 = w2c_i0;
        w2c_i0 = w2c_l0;
        w2c_i1 = w2c_l1;
        w2c_i0 -= w2c_i1;
        w2c_l2 = w2c_i0;
        w2c_i0 = w2c_l2;
        instance->w2c_g0 = w2c_i0;
        // [SNIP]
This might look familiar if you’ve dabbled in C/C++ before. It’s just a standard function prologue, but thanks to WASM’s design, it ends up a bit bloated. What could potentially be a single instruction gets broken down into multiple steps. It’s readable, sure, but not exactly optimized.
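As an added example (not from the post, and not part of wabt), here is a small Python pass that forward-substitutes the wasm2c stack temporaries in the prologue above, collapsing the eleven statements into the single stack-pointer update they implement. It assumes the w2c_l0..w2c_l2 locals are declared in the elided region, and that the code is straight-line with no later reads of those locals.

```python
import re

# Constructed sample: the wasm2c prologue quoted above, without the [SNIP]ped parts.
# The w2c_l* locals are assumed to be declared in the elided region.
SAMPLE = """\
w2c_i0 = instance->w2c_g0;
w2c_l0 = w2c_i0;
w2c_i0 = 2048u;
w2c_l1 = w2c_i0;
w2c_i0 = w2c_l0;
w2c_i1 = w2c_l1;
w2c_i0 -= w2c_i1;
w2c_l2 = w2c_i0;
w2c_i0 = w2c_l2;
instance->w2c_g0 = w2c_i0;
"""

ASSIGN = re.compile(r"^\s*(\S+)\s*(-=|\+=|=)\s*(.+?);\s*$")
TEMP = re.compile(r"^w2c_[ijl]\d+$")   # stack temporaries (i/j) and locals (l)


def fold_temporaries(src):
    """Forward-substitute wasm2c temporaries so that only stores to real
    state (globals, memory, instance fields) survive, each as one expression.
    Caveat: valid for straight-line code only; a local that is read again
    after a branch would be folded away incorrectly."""
    env = {}    # current symbolic value of each temporary
    out = []
    for line in src.splitlines():
        m = ASSIGN.match(line)
        if not m:
            out.append(line.strip())   # comments, declarations: pass through
            continue
        dst, op, rhs = m.groups()
        # replace every known temporary on the right-hand side by its value
        expr = re.sub(r"\bw2c_[ijl]\d+\b",
                      lambda t: env.get(t.group(0), t.group(0)), rhs)
        if op != "=":                  # compound assignment: dst = dst OP rhs
            expr = f"({env.get(dst, dst)} {op[0]} {expr})"
        if TEMP.match(dst):
            env[dst] = expr            # remember it, emit nothing yet
        else:
            out.append(f"{dst} = {expr};")   # a real store: emit it
    return out


if __name__ == "__main__":
    print("\n".join(fold_temporaries(SAMPLE)))
```

On the sample this prints `instance->w2c_g0 = (instance->w2c_g0 - 2048u);`, i.e. the `sub rsp, N` the comment in the original snippet already hints at.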
Gemastik 2022 - Fast Miner
The original idea behind this challenge was actually simple: to make people aware of the Bitcoin block hash. The Bitcoin block hash has one characteristic: the double hash (SHA-256) of the block header must have several zero bits at the end as a form of Proof-of-Work. This idea would honestly fit better as a misc-cryptography challenge, but here we are :p
The idea of using the Bitcoin block hash has already appeared in several previous CTFs, i.e.
Challenge Summary
The source code can be accessed at https://gist.github.com/circleous/a97be308540c9163592a540750456589#file-main-py