I had too much time on my hands during a flight and decided to answer the question: “How hard would it be to write a compiler in TypeScript’s type system?”
Unsurprisingly, this led me down an incredibly cursed Rabbit-hole that I have graciously documented for your abject horror enjoyment!
You can find all of the source code here.
Although I ended up not spending much time on this year’s RWCTF, I did (with the help of my awesome teammates) solve one problem: RWDN. The intended solution involved a bug in one of their middleware handlers that was designed incorrectly and allowed attackers to bypass a crucial check. However, I found that there was an alternate bypass that would have worked even if their code was correct. Let’s discuss what the bug is, and why it could be a problem for “real world” applications.
Much like the rest of the world, DEF CON CTF returned this year in a hybrid online/in-person format. For those who wanted it, space was reserved on the game floor to hack amidst the other teams that came to Vegas. For the rest of us who were still a bit nervous about large crowds, the infrastructure would be hosted online and accessible from anywhere in the world. Torn between the two choices, we opted this year for a middle ground: all of us together, but in a house 300 miles away.
A few months ago I installed the latest Android beta, excited by its new design language. Three days later I had to uninstall it when I got stranded at the grocery store thanks to the Uber app crashing. However, in that short time I benefitted from another new feature (that iPhone users already enjoy) wherein the OS would notify me when an app used the clipboard. Excited by this, I took the same ideas and ported them to Chrome via an open source extension called Kill Switch.
When you get right down to it, I’m a web guy. I know JavaScript back to front and can spot an SSRF a mile away. So what am I supposed to do when DEF CON ctf has no web?? Dust off IDA and remember how to reverse… 8 different architectures at once.
In many regards, 2020 has felt like a collective Blue Screen of Death. However, a raging virus was not enough to keep DEF CON from happening. This year it booted into Safemode, an online-only version of the popular security conference. Along with it, the titular DEF CON CTF reimagined itself for a virtual future.
For PlaidCTF this year, I created a demake of The Witness in Hypercard. Since most of the technology I used is over 20 years old, and a lot of the documentation seems lost to time, I created a short video that discusses how I made it, and what resources I used in order to make it happen.
With 30,000,000 weekly downloads, it’s reasonable to expect that qs has been written from the ground up to be efficient, secure, and robust. Unfortunately, as is often the case with small projects that become unexpectedly big, it is plagued by legacy options and sibylline code. Without understanding how it really works, it is incredibly difficult to use safely.
As the Vegas festivities wrap up, I once again have an opportunity to reflect on the year’s biggest CTF and the culmination of my time as an undergraduate with the Plaid Parliament of Pwning. I’m looking forward to playing with them as an alumni, but now is a good time for me to share some of my thoughts with the rest of the community and to hear what everyone else is thinking.
With that in mind, let’s talk DEF CON!
On August 12th, 2018, the Plaid Parliament of Pwning earned second place in DEF CON CTF, one of the most competitive hacking competitions in the world. Placing ahead of us this year were our colleagues on DEFKOR00T, marking their second such victory over the past four years. Although this year I cannot provide an account of the how the winning team played, we still have many great stories to tell, and we learned a lot from DEF CON 2018.
Google CTF has come to a close, and with a very narrow victory on our part. As we decompress and mull over a set of excellent problems, we will post a few writeups of the ones we solved. Here is a writeup for the web problem “Cat Chat.”
Google CTF has come to a close, and with a very narrow victory on our part. As we decompress and mull over a set of excellent problems, we will post a few writeups of the ones we solved. Here is a writeup for the web problem “Translate.”
In preparation for PlaidCTF 2018 I designed a two part web challenge called S-Exploitation (Paren Trap and the Wizard of OSS). Although I intended the first part to be an easier web challenge, and the second to be a tricky follow up, the former had only 16 solves and the latter just 2. Since I had a number of people ask me for clarification after the CTF, and to help other organizers to learn from it, I’ve described below how S-exploitation was designed and meant to be solved.
Generalized algebraic data types (or GADTs) are a powerful tool that can augment algebraic type systems enabling them to be far more expressive. In addition to enabling polymorphic recursion, they also serve as a fundamental unit for existential types. In this post we will look at what all of those phrases mean, and how GADTs can be used in practice.
Another year, another DEF CON. This year, from the far reaches of LegitBS’s wild imagination came an architecture so bizarre and so confusing that it was actually pretty good. Over the course of three days, we were introduced to cLEMENCy, an intriguing RISC architecture that sported 9-bit bytes, middle endianness, and reversible stacks. It took many sleepless nights, but once again the were able to tool and exploit our way to a tight victory. As a member of the Plaid Parliament of Pwning, here is an overview of the year’s biggest CTF from my perspective.
Defcon CTF 2016 was held from August 5th to 7th during the annual Defcon conference. This year DARPA chose to host their Cyber Grand Challenge (CGC) — a CTF-style competition between fully autonomous Cyber Reasoning Systems (CRS’) — at Defcon as well, so the Legitimate Business Syndicate oriented their competition around it to allow the winning machine to compete against the human teams. The new format brought with it several interesting gameplay mechanisms as well as a couple of issues, resulting in a fun but occasionally problematic contest. During the competition I played with the Plaid Parliament of Pwning (PPP), with whom I placed first. This is a brief reflection of how the game operated, what succeeded, and what did not.
While language and grammar are undoubtably linguistic constructs, they have very practical uses inside the realm of computer science. However, while looking for language and grammar parsing tools written for Node, I was disappointed to find no easy-to-use and suitably-flexible libraries. In response, I began development on Tyranny, a node module that allows for the description and parsing of arbitrary context-free grammars. Here is what it is, how it works, and what it does.
Over the past few weeks, I have begun working on a set of tools called hakkit for helping me to write CTF scripts in node.js. Many of the ideas are lifted off of pwnlib, but soon after I started, I realized that by utilizing Node’s stream APIs, I could take my tools a step further than the pwnlib ones. By behaving similar to unix file descriptors, Node streams allow for powerful and extensible data manipulation.
In the coming weeks we will start adding posts and discussing current projects and goals, including an upcoming post about developing Down to the Wire itself. Until then, however, I wanted to share a little bit about what DttW is, and why we decided to start it.