29c3ctf - minesweeper

Challenge Overview

Escaping Python Sandboxes

Note: This is all written for Python 2.7.3. These details might be different in other versions of Python - especially 3+!

CSAW CTF: HorseForce Writeup

This time around, I’d written a challenge for CSAW CTF. There were 32 challenges, in all sorts of topics such as Web, Reversing, Exploitation, etc. The challenge I wrote was the 300 point Web challenge, HorseForce.

Tracing Bugs in Wireshark

So word spread pretty quickly about the wireshark bugs being thrown around Defcon 20 CTF. After I got my hands on acme pharms packet capture I quickly set out to recover the evil packets and weaponize them :)


As a University research lab, we often have students who are not familiar with concepts that the professional security community finds second nature.

Stripe CTF Level01

On Febuary 22nd, the Stripe company ran a straightforward 6 level CTF. The first level provides a single setuid binary and corresponding source and the task of obtaining the flag (a password to another user’s account) from a text file (/home/level02/.password) owned and only viewable by the next level’s account. In addition, we have a single directory which we can write to.

School CTF: Count Them All

Being provided a txt file titled “long.txt” with the challenge title of “Count them all”, and the description “One important aspect of an inventory is to count all the swords you’ve got. Count them all.” was the premise for a challenge in the recent School CTF. Opening the file in a text editor (I used Notepad++) we can see that the file is comprised of a single line made up of a large amount of 1s. Using python we can easily open up the file and count the amount of 1s. It would be quite boring to do it manually.

Pop Pop Ret Finder

If you’ve attempt to write an SEH Record exploit, you know that it could be a little time consuming to find a pop pop ret instruction sequence inside a module that has SafeSEH off. This is because first you’d need to find which modules, if any, has SafeSEH off, and then search the sequence within those memory address. You could find the pop instruction for most registers, like “pop esp”, “pop eax”, “pop edx”, etc. Also, theres a good chance you don’t know the opcodes for these, so you’d probably assemble each of them to figure out the opcodes and then proceed to search for matches individually. The most frustrating part is that, after doing all this, it is very likely that there wasn’t any match to begin with.