I participated in the Hack.LU CTF again this year with, just like in 2013, but now together with the great Team HacknamStyle from KU Leuven. We ended up 24th of 220 active teams by solving the DataOnly challenge (52 solves), among others:
DataOnly (Category: Exploiting)
Cthulhu is too chaotic and has lost the machine with his files. Cthulhu still has an old fileserver running on it though… Get the flag from /flag in the filesystem. Connect to cthulhu.fluxfingers.net:1509. Binaries.
This blogpost contains a writeup of the second phase of the Hack.LU 2013 Wannabe challenge. The first phase writeup can be found here: Hack.LU 2013 CTF Wannabe Writeup Part One: Web Exploitation
During the first phase, we managed to get ourselves a limited shell (www-data) on a webserver. In this phase, we had to exploit a custom C program compiled for Linux x64 which contained a couple of buffer overflow vulnerabilities. Because of some memory protection measures, a Return-Oriented Programming (ROP) approach was taken. The whole process is described in more detail below. Continue Reading