That's a wrap! #Pwn2Own Vancouver is complete. Overall, we awarded $1,132,500 for 29 unique 0-days. Congrats to @_manfp for winning Master of Pwn with $202,500 and 25 points. Here's the final top 10 list:
Confirmed! Seunghyun Lee (@0x10n) of KAIST Hacking Lab used a UAF to get code execution in the #Google Chrome renderer. He earns $60,000 and 6 Master of Pwn points. #Pwn2Own
PartitionAlloc still leaving us some super-easy-to-exploit raw pointers 🤗
This v8sbx bypass unfortunately still isn't fixed; work is underway to make the metadata read-only (i.e. ShadowMetadata).
I've uploaded a list of resources that I accumulated while learning Windows pwnable. The list isn't exactly well sorted, but hopefully it will be useful as a reference for those trying to learn Windows pwnable with a Linux background.
2nd place on zer0pts CTF 2022 with @SuperGuesser + KAIST GoN.
Due to COVID cohort I only had my lowly smartphone for the whole CTF, but one has to cope with such environments :)
Solved gitfileexplorer, chirashi-sushi
modern-rome, memsafed, accountant, sbx-note, redis-lite (1/2)
Submitted my latest research on browser security to Black Hat USA #BHUSA related to my two Pwn2Own entries! Looking forward to discussing finding and exploiting the bugs, revealing long-overlooked design issues & showing even more exploit techniques along the way :) @BlackHatEvents
Good luck everyone on #Pwn2Own! Hoping that my unfortunate random draw of third-to-last Edge double-tap won't get duped with the Chrome ones 🙏
Oh and if anyone from @thezdi working with P2O could check my email, please do so ASAP, thanks :)
The V8 Sandbox is now in scope for Chrome VRP for bypass submissions, meeting specific criteria, with rewards up to $5,000!
Please see the Chrome VRP rules [] for full submission criteria and eligibility details.
Ranked #1 at WACon 2022 Quals (a local ctf w/ chals made by @SuperGuesser) with old KAIST GoN members ironore15, @c0m0r1 & @gPayl0ad as "The Goose". Still in my mandatory military service so had to play on an overnight stay outside.
Review: CTF was tasty, Dewar's 12yo was fun.
Played HITCON CTF 2020 part-time as G0D (KAIST GoN + Definit +zer0pts). I had too much univ stuff on my hands so couldn't participate much. Solved Revenge of Pwn and worked on Archangel Michael's Storage, got all infoleaks but had no time to ROP 😭
Authored some challenges for 2023 X-mas CTF:
CTF starts at Dec. 23 10:00 and ends at Dec. 25 23:59 (UTC+9).
Challenges are crowdsourced from the Dreamhack user community.
Relax, have fun and enjoy Christmas and the CTF!
Participated in DEFCON 30 CTF Quals for 0xEA as a member of @zer0pts & GoN. Solved BIOS, smuggler's cove, Crypto Chall (+ @c0m0r1). Additionally worked on constricted, ncuts.
As much as I would like to talk about it, there are things better left unsaid; so GG!
* 2022 Fall GoN Open Qual CTF Announcement *
2022 Fall GoN Qual CTF is being held!
Period: 8.22 22:00 ~ 8.29 21:00 (KST)
URL:
This competition is sponsored by the KAIST Graduate School of Information Security and the Cyber Security Research Center, and various prizes are prepared, so please take part.
Ranked 2nd place in zer0pts CTF 2021 as K-Students (KaisHack GoN x PLUS x CyKor). Solved Stopwatch, GuestFS:AFR, OneShot, nasm kit. All first-blood except for AFR.
Short writeup:
Played Google CTF as @Water_Paddler by @kaanezder's suggestion, ranked 5th place.
TBH due to my current affiliation I couldn't play much, but still a good experience overall.
Ranked #1 for #seccon 2020 ctf as a member of KAIST GoN under the alliance team HangulSarang in commemoration of Hangul Day ()
Solution for kvdb, first blood out of two solvers. Worked together with @ashuu_lee, great teamwork.
1st place at 2020 Cyber Operations Challenge! Participated as KAIST GoN with ironore15, @sumango3, heohyun73. I solved Drone FCS, RModule and Killer Model. Great work everyone!!
Ranked #1 at 2021 Whitehat Contest (Military Div) with pwn3r_45, @pr0cf51 and ironore15.
Half a year of CTF absence surely does weigh on one; couldn't solve the one and only pwn chal "AVar", which should have taken no more than 3~5 hrs... (1/2)
CVE-2024-3400 seems awfully similar to a bug I found in a domestic networking/IoT device vendor lol... they just never stop using unsanitized attacker-controlled session ids to create filenames haha
Happened to come across this bug recently as it still exists on LTS versions.
Interestingly, a new refcount overflow bug seems to have been accidentally introduced as a bugfix?
However, on the latest LTS (6.1.x) neither of the bugs can actually be triggered... (1/2)
Ranked 1st @ 2020 Christmas CTF with @mathboy770, @stereotype32, @RBTree_.
Solved address_book (only solver 😎), show me the pcap & the "guessy parts" of XP 😉
Was initially writing a chal exploiting CVE-2022-31144 for 2022 GoN Open Qual CTF, but found this bug and couldn't resist making a 0-day chal 😅
The two bugs exhibit the same exploit primitives, so technically no change in chal difficulty... probably 😏
2022 Fall GoN Open Qual CTF has finally concluded after a week-long run. Congratulations to all the top rankers and GG to all the participants for the great work!
I authored F ~ J: Heliodor (Web), Emerald Tablet (Web), Reconquista (Pwn), Redis-made (Pwn), NPU (Pwn). (1/2)
The internal CTF hosted by KAIST GoN is being held publicly for the first time on the Dreamhack platform.
The CTF runs for 7 days starting March 15, with around 20 challenges ranging from easy to spicy.
Small prizes are also prepared, so please join us!
Thank you to everyone who took part in 2022 Spring GoN Open Qual CTF!
I authored a total of 7 challenges: NullNull, Unconventional, the Trino series, and Showdown.
You can check the authors' writeup below, which even includes a CVE less than a month old and a pseudo 0-day.
This is my writeup for the winsanity chal of CODEGATE 2020 CTF Finals. For those interested in trying out the challenge without knowing the solution, keep away from the "exploit_writeup" and "prob_src" folders :)
#codegatectf #codegate2020
First time ranking 1st place 🤸
Participated as a member of KAIST GoN under an alliance team D0G$.
I solved 2.99... chals: Vi deteriorated (shoutout to last touches made by @ptrYudai) and Blind Shot, both a smooth first blood :D
#twctf (1/n)
Another quick & smooth first blood at @hack_lu :)
Quite an easy introductory LFH (or just Windows heap) chal, will upload my writeup after midnight (based on KST)
In case anyone's interested, here are some (pwn/rev oriented) of the challenge binaries + my solutions for 2020 Cyber Operations Challenge Qual & Finals.
Thank you for playing 2022 Spring GoN Open Qual CTF!
I wrote a total of 7 challenges: NullNull, Unconventional, Trino series and Showdown.
You can check out the authors' writeup below, which even contains a 20-day-old CVE and a pseudo 0-day.
We are looking for team members for the 2021 Republic of Korea Whitehat Contest (formerly the Cyber Operations Challenge).
If you are currently serving in the ROK Armed Forces (Army/Navy/Air Force/Marines/MND direct units all included), have CTF experience, and want to join us aiming for an award, please DM @pr0cf51 or @0x10n.
For 2022 Spring GoN Open Qual CTF, the first (experimental) public CTF held by KAIST GoN, I authored a challenge that requires players to exploit this bug to obtain RCE!
Visit @dreamhack_io to check out the chal "Showdown" ⬇️
I might be jinxing it, but this of course works on Edge too (i.e. "double tap add-on"). The add-on is limited to once per contestant so wait for tomorrow's entry!
Had a brief participation in KipodAfterFree 2020 CTF as KAIST GoN. Solved yet another Windows pwnable chal, APT41. The solving process felt like 80% forensics oriented reversing + 20% pwnable...
🚩 2022 Fall 𝙂𝙤𝙉 Open Qual current rankings
G0RiyA, who solved 8 challenges, holds 1st place,
with as3617 and imssm99 holding 2nd and 3rd place respectively!
➤ 442 participants
➤ 5 unsolved challenges!
➤ Forensics challenge to be added
It runs until August 29, so good luck everyone 👊
🔗
I took part in CODEGATE 2020 CTF Finals event as the challenge author of winsanity. It was my second authored chal (the first one being the winterpreter chal of Quals). There were 0 solvers, so I'll publish a detailed writeup soon.
#codegatectf #codegate2020
Wonder why PwnKit seems so awfully familiar? The root cause is the same as that of one-gadgets crashing on Busybox...
I bet I've seen this multiple times on CTFs, just to name one that I made: "Format Sniper" on @dreamhack_io featuring the bug as a "fun gimmick" 😏
@buptsb I'm assuming that the v8ctf team intentionally left this info blank on the submission sheet for now, so I'll stick with their decision and wait until the sheet is updated :)
* 2022 Fall GoN Open Qual CTF Upcoming *
2022 Fall GoN Qual CTF is held once again!
Period: 8.22 22:00 ~ 8.29 21:00 (UTC+9)
URL:
This CTF is sponsored by KAIST GSIS & CSRC, and various prizes* are prepared so enjoy!
* Delivered only locally (to Korea).
@RBTree_ "So to me seems like a notorious coincidence" 🤡
Coincidence can happen, but it just highlights the lack of proper research into previous work (or in this case, related chals).
I really don't get it, why would anyone copy a chal on a public, competitive, properly sponsored CTF?
... all with great teammates. Many of the above chals were just me finding vulns and throwing my teammates PoCs since writing exploits and debugging takes forever on a smartphone keyboard :(
I wrote the solvers for redis-lite and chirashi-sushi, others by teammates. (2/2)
@5aelo Does the "Exploit requires JIT compilation" mean that it's exploitable in jitless mode, or simply that the bug/exploit does not directly involve a bug within JIT compilation? AFAIK jitless disables WASM, so I assume most of the WASM-related bugs would still require JIT?
...with the remaining 0.99 chals being eebpf, got AAR/W but had no firepower nor time left to do the remaining works 😭
Blind Shot was certainly an interesting chal, both because of the exploitation technique and because I've made an almost exactly identical challenge...
(2/n)
The CTF held internally by KAIST GoN is, for the first time, being held open to all players on the @dreamhack_io platform.
The competition takes place March 15 22:00 ~ March 22 21:00 (UTC+9). We've prepared about 20 chals ranging from baby to spicy, so enjoy!
...which was going to be released in GoN internal CTF, but now since it's been released once again I might have to modify some parts 😏
TL;DR writeup:
Vi deteriorated: C++ exception handling + elegant heap shaping
Blind Shot: One-shot double-staged FSB (argv-flipping)
(3/n)