https://hegzploit.github.io/writeups/Recent content in Writeups on HegzploitHugo -- gohugo.ioenme (AT) this domain (Yusuf Hegazy)me (AT) this domain (Yusuf Hegazy)©2026, All Rights ReservedMon, 30 Dec 2019 11:14:14 +0900weeklyhttps://hegzploit.github.io/writeups/babiersteps/Sun, 01 May 2022 00:00:00 +0000me (AT) this domain (Yusuf Hegazy)Sun, 01 May 2022 00:00:00 +0000https://hegzploit.github.io/writeups/babiersteps/<h2 id="checksec">Checksec</h2> <pre tabindex="0"><code>Canary : ✘ NX : ✓ PIE : ✘ Fortify : ✘ RelRO : Full </code></pre><p>We only care about the stack canary as we will be overflowing RIP to control execution flow, and thankfully It&rsquo;s disabled.</p> <h2 id="exploitation">Exploitation</h2> <h3 id="1-rip-control">1. RIP Control</h3> <p>We overflow the binary with a cyclic pattern, however, for this being a 64-bit binary we can&rsquo;t overflow RIP with a non-canonical address.</p> <div class="expand"> <button type="button" class="expand__button" aria-label="Expand Button"> <span class="expand-icon expand-icon__right"> <svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24"><path fill="currentColor" d="M9.29 15.88L13.17 12 9.29 8.12c-.39-.39-.39-1.02 0-1.41.39-.39 1.02-.39 1.41 0l4.59 4.59c.39.39.39 1.02 0 1.41L10.7 17.3c-.39.39-1.02.39-1.41 0-.38-.39-.39-1.03 0-1.42z"/></svg> </span> Canonical Address </button> <div class="expand__content"> An address is said to be canonical in the 64-bit world when the upper 16 bits are copies of the 48th bit. </div> </div> <p>The easiest way to find the RIP offset without overflowing RIP is by breaking at the <code>ret</code> instruction and searching for our pattern in <code>rsp</code>.</p>Yusuf Hegazyfeatured imagepwnNahamCTF22https://hegzploit.github.io/writeups/babysteps/Sun, 01 May 2022 00:00:00 +0000me (AT) this domain (Yusuf Hegazy)Sun, 01 May 2022 00:00:00 +0000https://hegzploit.github.io/writeups/babysteps/<h2 id="checksec">Checksec</h2> <p>It&rsquo;s an aboslute mess, nothing is turned on fortunately :)</p> <pre tabindex="0"><code>Canary : ✘ NX : ✘ PIE : ✘ Fortify : ✘ RelRO : Partial </code></pre><h2 id="exploitation">Exploitation</h2> <h3 id="1-eip-control">1. EIP Control</h3> <p>We obtain our offset very easily in GEF.<br /> <img src="https://hegzploit.github.io/writeups/babysteps/babysteps_offset.png" alt=""></p> <center> <p><img src="https://hegzploit.github.io/img/ach_offset.png" alt=""></p> </center> <h3 id="2-exploitation">2. Exploitation</h3> <p>We start by analyzing the stack at the overflown state.<br /> <img src="https://hegzploit.github.io/writeups/babysteps/babysteps_stackstate.png" alt=""></p> <p>Looking at the registers, It appears that only two registers point to our stack. <code>eax</code> and <code>esp</code>.</p> <p>We search for gadgets jumping to any of these registers.</p>Yusuf Hegazyfeatured imagepwnNahamCTF22https://hegzploit.github.io/writeups/detour/Sun, 01 May 2022 00:00:00 +0000me (AT) this domain (Yusuf Hegazy)Sun, 01 May 2022 00:00:00 +0000https://hegzploit.github.io/writeups/detour/<h2 id="checksec">Checksec</h2> <pre tabindex="0"><code>Canary : ✓ NX : ✓ PIE : ✘ Fortify : ✘ RelRO : ✘ </code></pre><p>RelRO is completely disabled unlike any other challenge we have encountered, this means that we have write permessions to all the relocations.</p> <h2 id="exploitation">Exploitation</h2> <p>Running the binary will let us specify an address and a value and then It will assign that value to the adderss we provided.</p> <pre tabindex="0"><code>hegz@pop-os$ ./detour What: 1234 Where: 123123123213 Segmentation fault (core dumped) </code></pre><p>I confirmed this by analyzing the binary in ghidra, below is the decompilation.</p>Yusuf Hegazyfeatured imagepwnNahamCTF22https://hegzploit.github.io/writeups/dweeno/Sun, 01 May 2022 00:00:00 +0000me (AT) this domain (Yusuf Hegazy)Sun, 01 May 2022 00:00:00 +0000https://hegzploit.github.io/writeups/dweeno/<details> <summary> Serial Output</summary> <pre tabindex="0"><code>00110011 00111001 00110100 00110010 00101110 00110100 01100100 01100011 00110111 01101101 01100101 01100111 01100010 00110110 00110011 01100110 01100010 01100001 00110111 01100100 01100100 01100000 00110011 01100010 00110110 01100110 00110000 01100111 00110011 01100011 01100111 01100111 00110001 01101101 01100001 00110111 00110110 00101000 </code></pre></details> <details> <summary> Wiring Diagram</summary> <p><img src="https://hegzploit.github.io/writeups/dweeno/sketch.jpg" alt=""></p> </details> <details> <summary> Arduino Code</summary> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c++" data-lang="c++"><span class="line"><span class="cl"><span class="kt">char</span> <span class="o">*</span> <span class="n">flag</span> <span class="o">=</span> <span class="s">&#34;REDACTED&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="n">String</span> <span class="n">curr</span><span class="p">,</span> <span class="n">first</span><span class="p">,</span> <span class="n">second</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="kt">int</span> <span class="n">in1</span><span class="o">=</span><span class="mi">29</span><span class="p">,</span> <span class="n">in2</span><span class="o">=</span><span class="mi">27</span><span class="p">,</span> <span class="n">in3</span><span class="o">=</span><span class="mi">25</span><span class="p">,</span> <span class="n">in4</span><span class="o">=</span><span class="mi">23</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="kt">int</span> <span class="n">out1</span><span class="o">=</span><span class="mi">53</span><span class="p">,</span> <span class="n">out2</span><span class="o">=</span><span class="mi">51</span><span class="p">,</span> <span class="n">out3</span><span class="o">=</span><span class="mi">49</span><span class="p">,</span> <span class="n">out4</span><span class="o">=</span><span class="mi">47</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="kt">int</span> <span class="n">i</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">String</span> <span class="nf">get_output</span><span class="p">(</span><span class="n">String</span> <span class="n">bits</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">String</span> <span class="n">output</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">digitalWrite</span><span class="p">(</span><span class="n">out1</span><span class="p">,</span> <span class="p">((</span><span class="n">bits</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">==</span> <span class="sc">&#39;1&#39;</span><span class="p">)</span><span class="o">?</span> <span class="nl">HIGH</span> <span class="p">:</span> <span class="n">LOW</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="n">digitalWrite</span><span class="p">(</span><span class="n">out2</span><span class="p">,</span> <span class="p">((</span><span class="n">bits</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="o">==</span> <span class="sc">&#39;1&#39;</span><span class="p">)</span><span class="o">?</span> <span class="nl">HIGH</span> <span class="p">:</span> <span class="n">LOW</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="n">digitalWrite</span><span class="p">(</span><span class="n">out3</span><span class="p">,</span> <span class="p">((</span><span class="n">bits</span><span class="p">[</span><span class="mi">2</span><span class="p">]</span> <span class="o">==</span> <span class="sc">&#39;1&#39;</span><span class="p">)</span><span class="o">?</span> <span class="nl">HIGH</span> <span class="p">:</span> <span class="n">LOW</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="n">digitalWrite</span><span class="p">(</span><span class="n">out4</span><span class="p">,</span> <span class="p">((</span><span class="n">bits</span><span class="p">[</span><span class="mi">3</span><span class="p">]</span> <span class="o">==</span> <span class="sc">&#39;1&#39;</span><span class="p">)</span><span class="o">?</span> <span class="nl">HIGH</span> <span class="p">:</span> <span class="n">LOW</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="n">delay</span><span class="p">(</span><span class="mi">1000</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">output</span> <span class="o">+=</span> <span class="n">String</span><span class="p">(</span><span class="n">digitalRead</span><span class="p">(</span><span class="n">in1</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="n">output</span> <span class="o">+=</span> <span class="n">String</span><span class="p">(</span><span class="n">digitalRead</span><span class="p">(</span><span class="n">in2</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="n">output</span> <span class="o">+=</span> <span class="n">String</span><span class="p">(</span><span class="n">digitalRead</span><span class="p">(</span><span class="n">in3</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="n">output</span> <span class="o">+=</span> <span class="n">String</span><span class="p">(</span><span class="n">digitalRead</span><span class="p">(</span><span class="n">in4</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">output</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">//converts a given number into binary </span></span></span><span class="line"><span class="cl"><span class="n">String</span> <span class="nf">binary</span><span class="p">(</span><span class="kt">int</span> <span class="n">number</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">String</span> <span class="n">r</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">while</span><span class="p">(</span><span class="n">number</span><span class="o">!=</span><span class="mi">0</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">r</span> <span class="o">=</span> <span class="p">(</span><span class="n">number</span> <span class="o">%</span> <span class="mi">2</span> <span class="o">==</span> <span class="mi">0</span> <span class="o">?</span> <span class="s">&#34;0&#34;</span> <span class="o">:</span> <span class="s">&#34;1&#34;</span><span class="p">)</span><span class="o">+</span><span class="n">r</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">number</span> <span class="o">/=</span> <span class="mi">2</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="p">((</span><span class="kt">int</span><span class="p">)</span> <span class="n">r</span><span class="p">.</span><span class="n">length</span><span class="p">()</span> <span class="o">&lt;</span> <span class="mi">8</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">r</span> <span class="o">=</span> <span class="s">&#34;0&#34;</span><span class="o">+</span><span class="n">r</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">r</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="kt">void</span> <span class="nf">setup</span><span class="p">()</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">pinMode</span><span class="p">(</span><span class="n">out1</span><span class="p">,</span> <span class="n">OUTPUT</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">pinMode</span><span class="p">(</span><span class="n">out2</span><span class="p">,</span> <span class="n">OUTPUT</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">pinMode</span><span class="p">(</span><span class="n">out3</span><span class="p">,</span> <span class="n">OUTPUT</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">pinMode</span><span class="p">(</span><span class="n">out4</span><span class="p">,</span> <span class="n">OUTPUT</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">pinMode</span><span class="p">(</span><span class="n">in1</span><span class="p">,</span> <span class="n">INPUT</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">pinMode</span><span class="p">(</span><span class="n">in2</span><span class="p">,</span> <span class="n">INPUT</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">pinMode</span><span class="p">(</span><span class="n">in3</span><span class="p">,</span> <span class="n">INPUT</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">pinMode</span><span class="p">(</span><span class="n">in4</span><span class="p">,</span> <span class="n">INPUT</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">Serial</span><span class="p">.</span><span class="n">begin</span><span class="p">(</span><span class="mi">9600</span><span class="p">);</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="kt">void</span> <span class="nf">loop</span><span class="p">()</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">i</span> <span class="o">&lt;</span> <span class="n">strlen</span><span class="p">(</span><span class="n">flag</span><span class="p">))</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">curr</span> <span class="o">=</span> <span class="n">binary</span><span class="p">(</span><span class="n">flag</span><span class="p">[</span><span class="n">i</span><span class="p">]);</span> </span></span><span class="line"><span class="cl"> <span class="n">first</span> <span class="o">=</span> <span class="n">curr</span><span class="p">.</span><span class="n">substring</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span><span class="mi">4</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">second</span> <span class="o">=</span> <span class="n">curr</span><span class="p">.</span><span class="n">substring</span><span class="p">(</span><span class="mi">4</span><span class="p">,</span><span class="mi">8</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">Serial</span><span class="p">.</span><span class="n">print</span><span class="p">(</span><span class="n">get_output</span><span class="p">(</span><span class="n">first</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="n">Serial</span><span class="p">.</span><span class="n">println</span><span class="p">(</span><span class="n">get_output</span><span class="p">(</span><span class="n">second</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="n">delay</span><span class="p">(</span><span class="mi">1000</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">i</span><span class="o">++</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div></details> <p>Looking at the code we can break it down into a couple of steps:</p>Yusuf Hegazyfeatured imagepwnNahamCTF22Hardwarehttps://hegzploit.github.io/writeups/leaky-pipe/Sun, 17 Jan 2021 19:07:42 +0200me (AT) this domain (Yusuf Hegazy)Sun, 17 Jan 2021 19:07:42 +0200https://hegzploit.github.io/writeups/leaky-pipe/<p>In this challenge we recieved a binary in which we are asked to exploit and somehow retrieve the flag.<br /> you can find the binary for this challenge <a href="https://github.com/hegzploit/0xL4ugh-Pwn-Challs">here</a></p> <h2 id="initial-analysis">Initial Analysis</h2> <p>We start by running the binary and checking it behavior.</p> <pre tabindex="0"><code>./leaky_pipe We have just fixed the plumbing systm, let&#39;s hope there&#39;s no leaks! &gt;.&gt; aaaaah shiiit wtf is dat address doin here... 0x7ffde7760410 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA &lt;--- our input Segmentation fault (core dumped) </code></pre><p>And as we see, we can already get a segfault by spamming some A&rsquo;s in the input.</p>Yusuf Hegazypwnhttps://hegzploit.github.io/writeups/trigger-happy/Sat, 16 Jan 2021 16:33:49 +0200me (AT) this domain (Yusuf Hegazy)Sat, 16 Jan 2021 16:33:49 +0200https://hegzploit.github.io/writeups/trigger-happy/<p>It was the first ever pwn challenge I solve in a CTF and I really liked it hence I wanted to bring it to this CTF (you can even check my poorly written writeup for that challenge which I refuse to remove as It&rsquo;s pretty awesome to look back and see how much did we grow).</p> <p>You can check my video on format string vulnerabilies as a refresher for these types of attacks (It&rsquo;s in arabic tho).</p>Yusuf Hegazypwnhttps://hegzploit.github.io/writeups/notreallyai/Mon, 08 Jun 2020 07:22:58 +0000me (AT) this domain (Yusuf Hegazy)Mon, 08 Jun 2020 07:22:58 +0000https://hegzploit.github.io/writeups/notreallyai/<ul> <li>Misusage of the libc <code>printf()</code> function can lead to serious information leakage and even code execution.</li> <li>when we pass one argument (for example <code>printf(foo)</code>) we can: <ul> <li>leak stack addresses using <code>%x</code> or <code>%p</code> format specifiers.</li> <li>overwrite any pointer&rsquo;s value using <code>%n</code> specifier (note that we can&rsquo;t overwrite plain stack addresses as the %n format specifier can only overwrite by reference and not by value)</li> </ul> </li> </ul> <p>For more information on format strings please check <a href="http://www.cis.syr.edu/~wedu/Teaching/cis643/LectureNotes_New/Format_String.pdf">this awesome resource</a></p>Yusuf Hegazypwn