Janet is a functional and imperative programming language. The entire language (core library, interpreter, compiler, assembler, PEG) is less than 1MB. Last weekend I played the UMassCTF 2021 (with d4rkc0de). The CTF had a couple of Sandbox bypass challenges on Janet REPL v1.1. In both the challenges we are given binaries to a REPL (read–eval–print loop) shell which runs Janet. The first one is called “replme”:

Replme

I found this new programming language and wanted people to be able to try it out.

http://34.72.244.178:8085

http://static.ctf.umasscybersec.org/pwn/8ff0476d-85f1-40f8-84ca-ade94b5b0169/janet.zip

Author: Created by Jakob#9448

(Mirror for janet.zip in case it goes down.)

At this point, I…


ROP, or return-oriented programming, is an exploitation technique usually used against buffer overflow vulnerabilities in programs built with mitigations such as NX, ASLR and RELRO.

There are many different ROP chain techniques; a few of them include:

  1. ret2libc: jump directly to the address of a libc function such as system.
  2. ret2plt: jump to the Procedure Linkage Table entry for a function used in the binary and use it to leak GOT pointers, which lets you identify the libc version.
  3. ret2csu: use the gadgets available in __libc_csu_init to control rdx, rsi and rdi, then use them to call the execve syscall.
  4. SROP variant 1: Use “sigreturn”…


The recent zer0pts CTF 2021 had a reversing challenge, infected, in the reversing/warmup category [96 pts].

The backdoor is installed on this machine: nc others.ctf.zer0pts.com 11011 or nc any.ctf.zer0pts.com 11011

How can I use it to get the flag in /root directory?

author:ptr-yudai

infected_bf473725549e7b89f972756fef2936aa.tar.gz

Let's load the program in IDA and see what the backdoor is all about. Main just calls register_backdoor, which registers a libfuse driver on /dev/backdoor.

cuse_lowlevel_main

It passes a cuse_lowlevel_ops struct named devops. Let's investigate this structure more to find open, read, write functions.


With tools like auditd, seccomp and SELinux, we can write rules that block a list of Linux syscalls using a blacklist mechanism. These can strengthen the security of the infrastructure but shouldn’t be trusted blindly. We look at a dumbed-down version of this problem in NahamCon’s CTF challenge SaaS (Syscall as a Service).

You’ve heard of software as a service, but have you heard of syscall as a service?

Connect with:
nc jh2i.com 50016

saas

saas (disassembly main)

The program allows us to run any syscall by specifying the values of rax and other registers. The first idea…


AeroCTF had a category of challenges revolving around PICs. A PIC code dump is given for us to analyze and extract the flag from. The ROM dump is given in a hex file, Beginning.hex, along with a schematic:

Schematic


The challenge is a flag-checking service written in WebAssembly. The flag must be in the format hxp{…}. Our goal is to guess the correct flag. I hosted the challenge on my local setup, using Nginx, and made sure .wasm files are served with the correct MIME type.

xmas_future

by benediktwerner

Most people just give you a present for christmas, hxp gives you a glorious future.

If you’re confused, simply extract the flag from this 山葵 and you shall understand. :)

xmas_future-265eb0be46555aad.tar.xz (15.5 KiB)

reverse wasm

The challenge is a flag-checking service in WebAssembly. The flag must be in the format hxp{…}. Our goal is to…


Hacking a web application using magic files, SQLite3 injection and, finally, RCE.

Finally (again), a minimalistic, open-source file hosting solution.

file magician-3ace41f3b0282a70.tar.xz (2.1 KiB)

http://78.47.152.131:8000/

The challenge is very minimalistic, and it took me quite a while to figure out, as the vulnerability is not obvious at the first few glances.

For any file you upload, the application determines the file type using finfo_file and stores this information in an SQLite database.

$s = "INSERT INTO upload(info) VALUES ('" .(new finfo)->file($_FILES['file']['tmp_name']). " ');";

The INSERT statement is not parametrised, so it is vulnerable to SQL injection. But we don’t directly…


Hey! We have found this old cartridge under a desk in the library of Lapland. It appears to be for a system called “Emu 2.0”, made back in 1978. These systems don’t get produced anymore, and we can’t seem to find anyone that owns one.

Thankfully we have the documentation for it, so maybe we can use it to write an emulator and see what this ROM does?

Files: folder
Author: Milkdrop

The “Emu 2.0” is an 8-bit RISC microprocessor. This is a CTF problem from the recent X-Mas CTF 2019. It has two registers, the first being A (Accumulator)…


A wild backdoor has appeared. Press 1 to ptrace :D

While going through some vulnerable servers I was able to find a backdoor that is only 249 bytes long. The backdoor’s md5sum is 93363683dcf1ccc4db296fa5fde69b71 and it is undetected on VirusTotal and other threat intelligence websites. Reversing this binary gave us insight into the techniques malware authors use to make their backdoors undetectable and hard to analyze or reverse engineer. Here’s the sample.

lionaneesh@d4rkc0de:~$ file pay.bin 
pay.bin: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, corrupted section header size
lionaneesh@d4rkc0de:~$
Backdoor

The binary has stripped all debugging symbols…


Voldemort concealed his splitted soul inside 7 horcruxes.
Find all horcruxes, and ROP it!
author: jiwon choi

ssh horcruxes@pwnable.kr -p2222 (pw:guest)

Horcruxes

Horcruxes is a 32-bit ELF binary that initializes 7 of Voldemort’s horcruxes in memory. These horcruxes hold random constants that we need to leak in order to beat Voldemort.

horcruxes@prowl:~$ ./horcruxes 
Voldemort concealed his splitted soul inside 7 horcruxes.
Find all horcruxes, and destroy it!
Select Menu:222
How many EXP did you earned? : 2222
You'd better get more experience to kill Voldemort

Let's see what exactly EXP is and how we can predict it to kill…

Aneesh Dogra

Always been a tinker! Started coding in 2008 (when I was in 8th grade). Fell in love with x86 assembly, C and Linux: Manipulation of memory and getting RCE
