You can find slides, additional material and further readings to accompany our lessons here.

Lesson 0: What is CTF and who is flagbot?

Introductory lesson to CTFs and what our team does.

Slides: lesson0.pdf

Lesson 1: Buffer Overflows [9. March 2020 / 4. October 2021]

How to not infect yourself, and how to pwn your first binary.

Slides: lesson1.pdf

Recording: 1080p 720p 480p

TOC

  • Setting up your environment
  • Buffer Overflows
    • The Stack
    • Overflows
    • ROP

Challenge

  • Files: babybof.zip
  • Server: spclr.ch 1337
  • Author: Robin Jadoul

Additional Materials

Further Readings

Lesson 2: Exploit Automation [16. March 2020 / 25. October 2021]

Learning Python by exploiting C binaries?

Slides: lesson2.pdf

Recording: 1080p 720p 480p

TOC

  • News
  • Previous Challenge
    • Flag 1
    • Flag 2
  • pwntools
    • Basics
    • Tubes
    • Working with Binaries
    • Shellcoding
    • ROP
  • ropper
  • ropium

Challenge

Oh no! Our Fibonacci calculator is getting exploited, can you figure out how? I heard it had something to do with negative numbers…

  • Hints: This binary has only readable memory, so you probably want to remove that limit ;) You will probably have to use a sigreturn frame for this, since there are not enough gadgets for all registers. Also, setting rax is gonna require some effort :)
  • Files: babyrop.zip
  • Server: spclr.ch 1338
  • Author: Robin Jadoul

Further Readings

Lesson 3: Linux Hardening [23. March 2020 / 8. November 2021]

How to defeat Linux once and for all!

Slides: lesson3.pdf

Recording: 1080p 720p 480p

TOC

  • Previous Challenge
  • Exploit Mitigations
    • Data Execution Prevention (DEP)
    • Stack Canary
    • Address Space Layout Randomization (ASLR)
    • General Tips against Randomization
    • Relocation Read-Only (RELRO)
  • Other Tips

Challenge

On the surface this challenge should be very easy to exploit, however, there are some protections…

  • Hints: No hints this time! Please do not run too many concurrent attempts, otherwise the server will be overloaded!
  • Files: protections.zip
  • Server: [REDACTED]
  • Author: Robin Jadoul

Further Readings

Lesson 4: Reversing tools [30. March 2020]

An in-depth look into radare2

Slides: lesson4.pdf

Recording: 1080p 720p

TOC

  • Previous Challenge
  • Radare2 Introduction
    • Installation
    • Useful Commands
    • CTF Tactics

Challenge

  • Hints: No hints, this is not a lame YouTube hacking tutorial.
  • Files: revvy.zip
  • Server: N/A
  • Author: Robin Jadoul

Further Readings

Intermezzo 1: AVR and Starcraft [6. April 2020]

A look into an AVR (Arduino) challenge and how to reverse such things, as well as a brief look at an actual exploit in Starcraft.

Recording: 1080p 720p

  • Challenge: Midnightsun CTF Challenges; the challenge is named avr-rev
  • simavr:
  • AVR tools:
    • avr-gdb for debugging (install from package manager)
    • avr-binutils, avr-gcc for building (install from package manager)
  • IDA (and gdb) stuff:
    • avr_helper: includes processor support for the Arduino-specific AVR chip. Also has some nice gdb functions for setting breakpoints and viewing context.
    • AVR scripts: Very useful scripts for working with AVR processors in IDA:
      • avr_dump_seq_load_xrefs.py allows you to get xrefs for addresses that are loaded into two registers (this happens all the time in AVR)
      • avr_data_vector_names.py: some registers combine to form 16-bit registers; rename them appropriately (e.g. rename r26, r27 to XL, XH)
      • avr_loader_loop_copy.py emulates the AVR loading loop that copies data from ROM into RAM. Very useful to get xrefs to actual strings!
      • avr_stack_vars.py renames offsets from Y (the stack pointer in AVR) to stack variables
  • Challenge: Midnightsun CTF Challenges; the challenge is named starcraft
  • Blizzard Dev Explanation: Very in-depth and even shows the correct offsets in the binary where the bugs are located!
  • EUD DB: database of interesting offsets to change with the bug
  • PM me (Leonardo Galli) on Slack for a link to the correct version, if you cannot find it!

Lesson 5: Constraint Solving and Symbolic Execution [13. April 2020]

Letting go of your angr

Slides: lesson5.pdf

Recording: TBD

TOC

  • Constraint Solving
    • General
    • Defining Variables
    • Defining the Domain
    • Defining Constraints
    • Solving for Constraints
  • Angr
  • Demo
  • Tips and tricks
  • Other tools

Challenge

This one’s easy - it’s the famous reversing bomb, 6 stages (or more?) of pure fun disarming. But wait, it’s with a twist! Now you actually need to solve each phase with angr. No manual reversing allowed!

  • Files: bomb.zip
  • Server: N/A
  • Author: CMU Labs

Defcon Debrief: Looking at fungez [18. May 2020]

How to make the Linux kernel pwn itself without using any KASLR.

Leonardo Galli discusses an interesting kernel pwn challenge encountered during DEFCON Qualifiers 2020.

Recording: 1080p 720p

Lesson 6: Introduction to Reversing C++ Binaries [25. May 2020]

Please Stop Compiling With O3

Slides: lesson6.pdf

Recording: TBD

TOC

  • Readying IDA
  • Theory
  • Reconstructing Classes
  • C++ STL
    • Strings
    • Vectors
    • Maps
  • Demo

VISCON Talk: How does Zoom store recordings?

Reverse engineering C++ and custom file formats.

Slides: zoom.pdf

VISCON Talk: An Introduction to Fuzzing and a Direct Application to the Real World

Learn about fuzzing and why you should start doing it now! Furthermore, learn about neat tricks developed to fuzz the iPhone boot loader.

Slides: fuzzing.pdf