CTFZone 2024 Final - registry
We’re given an Attack/Defense challenge containing 5 services: registration, auth, registry, image-builder and nginx. The auth policy allows pulling (pushing, deleting, etc.) an image only by its owner, so it’s not possible to register another account and pull the checker’s image. There is an internal account used in image-builder; it has access to all images.

Seccon Quals 2024 - BabyQEMU
Given a heap-offset write and read in a custom QEMU PCIe device, obtain a QEMU escape.

CTFCup 2024 - olymp
An “olymp problem” solution with a simple buffer overflow and some interesting leak techniques, complicated by the fact that we can only overflow a prefix polynomial hash.

Google CTF 2024 - auxin2
We were given a ROM for the Varvara system running on Uxntal assembly. The ROM loads the provided shellcode into memory, checks that the lower 4 bits of each byte are not in [0, 2, 3, 6, 7, 0xe], and if so, executes it. The goal is to read the flag located at "flag".

TeTCTF 2024 - APT
Basically, we were given a malware sample (whether it was “real” or not is to be determined), a traffic dump, and a file supposedly encrypted by it, important_note.txt. The sample consisted of a small binary MsMpEng.exe, a binary file AmMonitoringProvider.mof, and a DLL mpsvc.dll. The binary calls ServiceCrtMain from the DLL and there its purpose is concluded. ServiceCrtMain opens the binary file, decrypts it (using the first 256 bytes of the DLL as the key), then maps it to executable memory. It then passes that address as a callback to LineDDA. With the help of one of my teammates, we managed to dump the aforementioned memory to a file. I could have reverse engineered it, but having binwalked it, I isolated the part of the dump that was a DLL (no doubt being loaded by the dumped code) and started analyzing malware.dll, which was the right call.

SAS CTF 2024 - CK0P0 CTYXHET
We were given a website that loads a WASM module. The website splits a string into 6 parts, then runs 6 different WASM check functions on the parts. If they are successful, it gives us the flag. I used wasm2ida to get an ELF binary with the same code and Ghidra with the WASM plugin to get decompilation. The checks themselves looked SMT-solvable, so I first tried to use Z3 but failed miserably. I then went on to use angr on a binary I wrote myself with the functions copied from disassembly.