At UIUCTF 2023, I played with the Project Sekai CTF team. We achieved 3rd place overall. Below is my writeup for some pwn challenges in the CTF.

Zapping a Setuid 1

I was reading how Zapps work the other day and I thought I could do better. However, what happens when a setuid was zapped? Hint: Oops I left CVE-2009-0876 open.

Looking around the VM, we saw a directory with a setuid binary named exe:

uiuctf-2023:~/zapps/build$ ls -la
total 2456
drwxr-xr-x 1 root root 76 Jun 19 18:12 .
drwxr-xr-x 1 ro...| nyancat0131
This challenge involves an old version of CS:GO VScript, which is vulnerable to a UAF bug and a type confusion bug. Resources on VScript can be found here. Here is the exploit script.

UAF by resizing array in sort compare function

The sort function of a Squirrel array is array_sort in sqbaselib.cpp, which will call _qsort:

// v: VM, o: array object, func: compare func
_qsort(v, o, 0, _array(o)->Size()-1, func);

The r index passed into _qsort is fixed at the beginning, so by abusing array.| nyancat0131
Introduction

This post will cover the exploitation chain I used to attack Source 1 Dedicated Servers. I have verified the exploit against these games:

Left 4 Dead
Left 4 Dead 2
Counter-Strike: Global Offensive

Source Engine file system

Source Engine allows games to “mount” multiple directories as the file search path. For example, suppose we have directories a and b. When we mount those directories to the file system, the game will access both directories under the same virtual root (like virtual...| nyancat0131