README.md

awesome-ctf-wargame

Writeup oriented CTF skill improvement

The corresponding ctf problem and wargame will be curated based on each required skill. :exclamation: You may need the login account for browsing each wargame properly.

[*] System hacking / Pwnable

Basic introduction

• Pwning Pwnables

Wargames 📝

Difficulty	Wargames
Easy	(Exploit-exercise) Protostar
Medium	(Root-me) App System, (PwnerRank) Binary Exploitation
High	Pwnable.kr

[+] BoF (Buffer Overflow)

• Overwrite local variable
  • [Easy | x86] : (Protostar) Stack0, (Protostar) Stack1, (root-me) x86 BoF basic1
• Environment variable usage
  • [Easy | x86] : (Protostar) Stack2, (root-me) x86 basic4
• Overwrite EIP (to be other function like flag printing)
  • [Easy | x86] : picoctf-2013/rop1, (Protostar) Stack3, (Protostar) Stack4, (root-me) x86 BoF basic2
  • [Easy | x64] : (root-me) x64 BoF basic

Overwrite EIP + shellCode injection

Technique	Knowledge	Best Training 👍
shellcode injection	shellcode	pico-ctf-2013/overflow-4

• [Easy | x86] : (Protostar) Stack5

Ret2PLT, Ret2Libc, ROP

• [Easy | x86] : pico-ctf-2013/rop2

Threat Mitigation Bypass

ASLR : Mem Leak

Technique	Knowledge	Best Training 👍
ASLR Bypass	ROP, Mem leak	pico ctf 2013/rop3

Canary

PIE

Technique	Knowledge	Best Training 👍
Address Calac	ROP, Mem Leak, Address offset	defcon 2015 / r0pbaby

[+] Format String

Arbitrary memory read

Direct Parameter Access (n$)

Arbitrary memory write using %n

• [Easy | x86] : Protostar: Format1 |

[+] Heap Exploitation

shellphish/how2heap: A repository for learning various heap exploitation techniques. 🌟

[+] Exploitation technique 🌟

@Pwning Pwnables

• Jump to payload
  • ret2reg or jump to payload if the stack is executable and addresses aren’t randomized
• GOT overwrite
  • Commonly used in format string exploitation
  • Overwrite pointer in GOT with pointer to another location
• Code re-use (ret2libc, ret2plt, ROP)
  • Make use of existing code and instructions to exploit the binary

[+] TIP & Tools 👍

• GDB enhancer : 2O2L2H/gdb-switcher
  • gef : Multi-Architecture GDB Enhanced Features for Exploiters & Reverse-Engineers :
  • peda: PEDA - Python Exploit Development Assistance for GDB
  • pwndbg: Exploit Development and Reverse Engineering with GDB Made Easy
• Exploit frameworks
  • Generate and search pattern string for exploit development : exploit-pattern @github
  • CTF framework and exploit development library pwntools @github
  • hellman/libformatstr: Simplify format string exploitation. libformatstr @github
• ROP tools
  • Ropper : find gadgets to build rop chains for different architectures (x86/x86_64, ARM/ARM64, MIPS, PowerPC) : Ropper
  • ROPGadget : search your gadgets on your binaries to facilitate your ROP exploitation. ROPgadget supports ELF, PE and Mach-O format on x86, x64, ARM, ARM64, PowerPC, SPARC and MIPS architectures. : ROPGadget
• LIBC database
  • niklasb/libc-database: Build a database of libc offsets to simplify exploitation : libc-database

[*] Cryptography

[+] Caesar cryptography

[+] AES

[+] RSA

[*] Forensics

[*] Web

[+] SQL Injection

[+] XSS (Cross-site Scripting)