It’s time to understand what the application is actually doing behind the scenes and to search for flaws we can exploit. It looks like the application performs some basic assertions to protect against out-of-bounds indexes.

Load_key: failed (tci_msg: assert(index < DB_NUM & secure_db.value))
Load_key: failed (tci_msg: assert(index 0
Save_key: failed (tci_msg: assert(index 1

Then I simply connected to the remote service using netcat on my local machine:

To avoid using Docker (for easy testing and debugging later), I ran it using nc -e and a bash while true loop to simulate xinetd. Instead, I transferred the challenge tar to a well-provisioned remote server for further testing. I attempted to run the BIOS image using QEMU on my Ubuntu 16.04 VM, but I needed at least 3 GB of free memory (the machine type only works with exactly 3 GB).

The challenge files included a custom QEMU image with a new Super Hexagon specific machine type, QEMU patch files, a BIOS image, some placeholder flags, and a run script. They also linked to the 6,666 page ARMv8 Reference Manual and included a tar.xz file with the challenge files. Want to try and solve some parts yourself? Here is the archive: super_

When scanning through the problems, I quickly latched on to the Super Hexagon challenge once I heard it involved ARM exploitation.

For this year’s HITCON CTF, I played with my academic team, Kernel Sanders. Welcome to a journey of AArch64 kernel exploitation, from the least privileged, to the most secure privilege level on the ARMv8 platform.