• Sudo Exploit Writeup

    calendar January 29, 2021 ยท 14 min read ยท sudo  ยท
    Share on: linkedin copy

    Writeup by: Zanderdk

    Introduction

    On the 2021-01-26 qualy released this article describing a “new” (actually 10 year old) bug in sudo that allows an attacker to do privilege escalation though a heap buffer overflow. Unfortunately they did not release exploit/POC so I decided to build one myself and failed. โ€ฆ


    Read More

  • BambooFox CTF: The Vault

    calendar January 18, 2021 ยท 4 min read  ยท
    Share on: linkedin copy

    The challenge is a simple HTML file with a keypad that allows you to input 4 digit pin. The file loads main.js and calls Module.ccall('validate') to check the pin.

    Upon beautifying the JS we see that it calls run() which in turns runs:

    1
2
3
4
5

    preRun();
initRuntime();  // => __wasm_call_ctors => โ€ฆ

    Read More