Down to the Wire

PlaidCTF 2018: I Heard You Like IoT

For PlaidCTF a few weeks ago, I created a series of problems titled “idIoT”. In this series of challenges, players got the opportunity to attack two websites, a Google Home, an FTP server, a WiFi camera, and a Particle Photon. Participants seemed to enjoy these challenges, so I thought I’d do a little writeup on the creation of these challenges and my own solution guide, like the one Zach did for S-Exploitation last week.

PlaidCTF 2018: I Heard You Like XSS

In preparation for PlaidCTF 2018, I designed a two-part web challenge called S-Exploitation (Paren Trap and the Wizard of OSS). Although I intended the first part to be an easier web challenge and the second to be a tricky follow-up, the former had only 16 solves and the latter just 2. Since a number of people asked me for clarification after the CTF, and to help other organizers learn from it, I’ve described below how S-Exploitation was designed and meant to be solved.

GADTs: Wizardry for a Typesafe Age

Generalized algebraic data types (or GADTs) are a powerful tool that can augment algebraic type systems, enabling them to be far more expressive. In addition to enabling polymorphic recursion, they also serve as a fundamental unit for existential types. In this post we will look at what all of those phrases mean, and how GADTs can be used in practice.

To Depart from Clemency: A DEF CON 2017 Retrospective

Another year, another DEF CON. This year, from the far reaches of LegitBS’s wild imagination came an architecture so bizarre and so confusing that it was actually pretty good. Over the course of three days, we were introduced to cLEMENCy, an intriguing RISC architecture that sported 9-bit bytes, middle endianness, and reversible stacks. It took many sleepless nights, but once again we were able to tool and exploit our way to a tight victory. As a member of the Plaid Parliament of Pwning, here is an overview of the year’s biggest CTF from my perspective.