bi0s

virtio-note - bi0sCTF 2024

k1R4

2024-02-28

Pwn

tl;dr

The patch adds a vulnerable virtio device
The device accesses pointers without bound check
Abuse OOB pointer access to setup arb r/w primitive
Craft open,read,write ropchain on heap
Overwrite virtqueue handler with stack pivoting gadget

Batman Investigation II - Gotham Underground Corruption - bi0sCTF 2024

Azr43lKn1ght

2024-02-27

Forensics

Full solution of Batman Investigation II - Gotham Underground Corruption from bi0sctf 2024

tl;dr

Challenge 2 of Batman Investigation series
Memory Forensics - WinDBG Dump Debugging - Malware Analysis - Blockchain Forensics - Password Retrieval - MAC Artefact Analysis

Memory Forensics Incident Response Malware Analysis WinDBG Dump Debugging bi0sctf2024 Blockchain Forensics Password Retrieval MAC Artefact Analysis

Tallocator - bi0sCTF 2024

Tourpran

2024-02-26

Pwn

tl;dr

native.c:
- Reverse engineering matrix operations performed.
tallocator.c:
- Exploiting an arbitrary free to corrupt heap metadata.
- Reverse shellcode to execute an ORW.

Android bi0sctf Reverse_Shell

palindromatic - bi0sCTF 2024

k1R4

2024-02-26

Pwn

tl;dr

Sanitizing request causes null byte overflow which corrupts type
Processing corrupted request doesn’t remove it from incoming_queue
Reaping corrupted request still leaves it in incoming_queue causing UAF
Setup crosscache to abuse UAF
UAF provides free primitive through double reset

Heap bi0sCTF Exploitation Kernel

Is It Okay - bi0sCTF 2024

Winters

2024-02-26

Misc

tl;dr

Fuzzing to find the /internal endpoint
Chaining CVE-2023–24329 and the SSRF in the /okay endpoint to access the internal docker registry host.
Downloading image blobs using the docker registry API.
Using CVE-2024-21488 to get RCE on the vec service.
As the templates directory of the core service is cross-mounted, we can modify the index.html file from vec service to get RCE on the core service.
Hence we can read the flag from the core service.

SSRF Docker registry System misconfiguration

BFS - Brainf*ck Search - bi0sCTF 2024

R0R1

2024-02-26

Misc

tl;dr

Using brainf*ck to search for flag bytes within a huge tape
3 levels with varying constraints to leak flag
Intended as a code golfing challenge

bi0sctf

Variety Notes - bi0sCTF 2024

Luc1f3r,Lu513n

2024-02-26

Web

tl;dr

Capturing the flag id through redos attack in /search endpoint
XSS in /uuid/noteid/raw and HTML injection in /uuid/noteid
CSP frame-src bypass through server side redirect

bi0sCTF ReDos CSP bypass

Year in Review - 2023

teambi0s

2024-01-05

YearInReview

YearInReview

Text editor v2 - ASIS CTF Finals 2023

k1R4

2024-01-01

Pwn

tl;dr

Adding the last character to a tab causes null byte overflow
Use said overflow to unset prev_inuse bit
Coalesce upwards with fake chunk to perform unlink attack
Unlink attack places .bss pointer in place of heap pointer
Editing .bss allows for Arbitrary R/W

Heap Exploitation

Phantomfeed - HTB University CTF 2023

Winters

2023-12-16

Web

tl;dr

Leak JWT token through Race Condition.
Leak authorization token via an open redirect.
Chaining XSS & CSRF in the oauth pipeline to leak the Admin’s oauth access token.
RCE via CVE-2023-33733.

Race Condition HTBUniversityCTF Oauth RCE Web