Pace Car Problems (Extra Credit, do 20 to skip Project 3)

PCP1:

PCP2:findtheflag

PCP3: Describe what choices the compiler made for the following 3 modulus functions: https://godbolt.org/z/1hqGTbcGo

PCP4: Classic Crackme: Crackme

PCP5: Write a crackme problem for the class, should be an x86 ELF, test it yourself, make it fun.

PCP6: Make me something creative that shows me you understand calling conventions (diagrams, a story, a poem, a song, anything that conveys the essence)

PCP7: In the following C program (source shown) devise a malicious input that causes the program to run the "win" function: (submit your exploit script)

PCP8: (a tad hard for where we are) The following binary pwn1 is running at nc 165.22.46.243 7331 make an exploit.

PCP9: The following binary pwnme is running at nc 165.22.46.243 13337 make an exploit.

PCP10: Solve the first 5 challenges for project 2: https://github.com/AndyNovo/pwns

PCP11 + 12: (PCP11) Solve callme32 from ROPemporium AND (PCP12) make a write-up explaining to someone new what you did (take a look at some example write-ups to help).

PCP13: Solve 3baby_boi from the fast track challenge set. The result of ldd --version gives: ldd --version ldd (Ubuntu GLIBC 2.31-0ubuntu9.7) 2.31. I'll even host it for you: nc 165.22.46.243 54321

PCP14: Solve warmup from last week's foobar CTF

PCP15: Register for tomorrow's PicoCTF, find (in the gym or live) the printf problems and solve one Binary Exploitation in the Gym

PCP16: formatz is the binary for this writeup: https://ctftime.org/writeup/26750 use the write-up to actually exploit this. I am hosting it for you at nc 165.22.46.243 8877 and the libc on that server is libc.so.6

PCP17: I'm showing you some vulnerable source code. Here is the task: compile it with all of the protections turned off and exploit it. Now start to remove the protections and tell me how close to full green can you go before you can't exploit it anymore (or if you can exploit it with just gcc source.c).

For reference here is a compilation with no protections of any kind: gcc -m32 -std=c99 -Wall -fno-stack-protector -no-pie -z execstack -Wl,-z,norelro -o pwnme source.c

PCP18: From the 25 challenge problems do number 4: small_boi (SROP)

PCP19: Learn the .fini_array trick by solving this binary (by following the writeup) and finding one other .fini_array problem and writeup on the internet somewhere. Share with me the other fini_array problems you find.

PCP20: Tackle problem 14 from the 25 challenge problems.

PCP21: Linking a specific glibc. Follow the notes from class22 with the house_of_spirit demo from https://github.com/shellphish/how2heap, click the arrow on the table to get to the interactive demo (and type run) to see what success looks like (the predicted address emerging from malloc). Now grab the source code for house_of_spirit.c and compile it using gcc, no special flags. Use patchelf and LD_LIBRARY_PATH to get that same behavior on your box, then use pwntools to get the same behavior in python. Take a screenshot of you correctly linking in the 2 methods.

PCP22: nc 165.22.46.243 8869 is running ClonewarS

PCP23: nc 165.22.46.243 8969 The binary: a.out, the glibc (2.27): libc.so.6 and linker ld.so.2 also source follows:

PCP25: (skipping one for alignment) The bins: make a DM to me in which you explain the 5 basic bin types (small, large, unsorted, fast, tcache). Which ones are singly linked? What is the difference between tcache and fastbins? How do you end up in the smallbins for sizes that are also tcache and fastbin sizes? This is "short answer" style, really to know that you can think casually about it. So if you are rushing through, copy pasting, or just trying to knock out a HW then stop, and ask yourself if you could explain it at a whiteboard to a friend. Once you think could whiteboard it, then hit me up.

PCP26 + 24: (counts for 2) Make your own version of tcache. Let's say you just have 8 bins one each for sizes: 0x20, 0x30, 0x40, 0x50, 0x60, 0x70, 0x80, and 0x90. Create a tcache struct with room for 8 counts that you can add a chunk to up to a maximum size of 10 chunks per bin.

PCP28: OK so use the notes instructions to connect a malloc.c debug glibc, follow the fastbin dup instructions to make a double-free. Attempt to target an address like got.puts and have it fail. Take a screenshot of the malloc.c security check that you failed.

PCP29: Using glibc2.23 connected to the heap playground pop a shell.

PCP30: dupme.zip has everything for the binary running at: nc 165.22.46.243 8230 (glibc 2.30 with glibc leak)

PCP31: Setup an environment in which you are running a full green target practice linked against glibc 2.34.

PCP32: Use the target practice file in 2.23 to do an unsorted bin attack and free the top chunk using only mallocs

PCP33 + 34: Connect the fsopplayground to glibc 2.23, great a fake vtable and fake filestream and link them into the _IO_list_all, pop a shell

PCP35 + 36: A in the course for solving this one: hoo.zip is hosted at nc 165.22.46.243 9009

PCP37: Use a similar strategy to the notes to generate a stack leak.

PCP38: House of Einherjar: files zipped hosted at: nc 165.22.46.243 8899

PCP39: Write an exploitable program where the intended solution involves at least 1 of the how2heap exploits. (We're hosting a CTF this summer, if you make one we'd happily include it)