Merge pull request #54 from TheRomanXpl0it/fixes

bynect · web-flow · commit 5d594f3382c3 · 2025-09-01T23:10:45.000+02:00
Fixes and improvements
diff --git a/content/posts/csaw-19-embedded-security-challenge-report/index.md b/content/posts/csaw-19-embedded-security-challenge-report/index.md
@@ -4,9 +4,10 @@ date: '2019-11-11'
 lastmod: '2019-11-11T15:25:44+01:00'
 categories:
 - articles
+- CSAW
 tags:
-- esc
 - csaw
+- esc
 authors:
 - matteojug
 - cristianrichie
diff --git a/content/posts/csaw-20-embedded-security-challenge-report/index.md b/content/posts/csaw-20-embedded-security-challenge-report/index.md
@@ -4,9 +4,10 @@ date: '2020-11-12'
 lastmod: '2020-11-12T17:03:23+01:00'
 categories:
 - articles
+- CSAW
 tags:
-- esc
 - csaw
+- esc
 authors:
 - matteojug
 - cristianrichie
diff --git a/content/posts/csaw-23-embedded-security-challenge-report/index.md b/content/posts/csaw-23-embedded-security-challenge-report/index.md
@@ -4,9 +4,10 @@ date: '2023-09-28'
 lastmod: '2024-11-14T20:07:57+01:00'
 categories:
 - articles
+- CSAW
 tags:
-- esc
 - csaw
+- esc
 authors:
 - Titto
 ---
diff --git a/content/posts/csaw-24-cybersecurity-awareness-communication-challenge-report/index.md b/content/posts/csaw-24-cybersecurity-awareness-communication-challenge-report/index.md
@@ -4,9 +4,10 @@ date: '2024-11-17'
 lastmod: '2024-11-17T18:37:43+01:00'
 categories:
 - articles
+- CSAW
 tags:
-- cac
 - csaw
+- cac
 authors:
 - Titto
 ---
diff --git a/content/posts/csaw-24-embedded-security-challenge-report/index.md b/content/posts/csaw-24-embedded-security-challenge-report/index.md
@@ -4,9 +4,10 @@ date: '2024-11-14'
 lastmod: '2024-11-17T18:37:43+01:00'
 categories:
 - articles
+- CSAW
 tags:
-- esc
 - csaw
+- esc
 authors:
 - Titto
 ---
@@ -17,7 +18,7 @@ authors:
 
 Some of our members participated in the [CSAW Embedded Security Challenge](https://www.csaw.io/esc) 2024. Below is the qualification report that allowed the team representing TRX to qualify for the final, which took place at Esisar in Valence.
 
-## TRX Technical Labs - Qualification report
+## TRX Technical Labs - Final report
 
 <div class="responsive-wrap">
     <iframe src="/csaw24/CSAW_quals_paper_2024.pdf" width="100%" height="1080"></iframe>
diff --git a/content/posts/csaw-quals-18-doubletrouble/index.md b/content/posts/csaw-quals-18-doubletrouble/index.md
@@ -7,6 +7,7 @@ categories:
 - csawquals18
 tags:
 - pwn
+- csaw
 authors:
 - malweisse
 ---
diff --git a/content/posts/flare-on-2017-writeups/index.md b/content/posts/flare-on-2017-writeups/index.md
@@ -3,7 +3,7 @@ title: Flare-On 2017 writeups
 date: '2017-10-14'
 lastmod: '2023-07-03T19:19:24+02:00'
 categories:
-- articles
+- writeup
 tags:
 - flare-on
 authors:
diff --git a/content/posts/trend-micro-ctf-2019-libchakracore-so/index.md b/content/posts/trend-micro-ctf-2019-libchakracore-so/index.md
@@ -3,7 +3,7 @@ title: Trend Micro CTF 2019 libChakraCore.so
 date: '2019-09-09'
 lastmod: '2019-09-09T22:49:17+02:00'
 categories:
-- articles
+- writeup
 tags:
 - pwn
 - jit
diff --git a/content/posts/trxctf25-virtual_insanity/index.md b/content/posts/trxctf25-virtual_insanity/index.md
@@ -18,6 +18,7 @@ authors:
 Dancing, Walking, Rearranging Furniture
 
 **DISCLAIMER**: This challenge doesn't require brute-forcing
+
 ## Overview of the challenge
 
 The challenge is a standard ret2win with a pretty obvious overflow of 0x30 bytes, the binary is compiled without stack canary protection but has pie, with no apparent way to leak addresses.
@@ -26,11 +27,11 @@ The challenge is a standard ret2win with a pretty obvious overflow of 0x30 bytes
 
 The intended solution involves performing a partial overwrite to redirect execution to the `win` function. However, the return address on the stack is a libc address. To work around this, we can leverage [vsyscall](https://0xax.gitbooks.io/linux-insides/content/SysCall/linux-syscall-3.html) to traverse the stack until we locate the address of `main`. By modifying its least significant byte (LSB), we can transform it into the address of `win`. When execution returns, `vsyscall` effectively acts as a `ret` gadget, allowing us to redirect control flow to `win`.
 
-Before overwrite:\
-![](img1.png)
+**Before overwrite:**
+![](/trxctf25/virtual/img1.png)
 
-After overwrite:\
-![](img2.png)
+**After overwrite:**
+![](/trxctf25/virtual/img2.png)
 
 ## Solve Script
 
@@ -57,10 +58,10 @@ set follow-exec-mode same
 def conn():
     if args.LOCAL:
         return process([exe.path])
-    
+
     if args.GDB:
         return gdb.debug([exe.path], gdbscript=GDB_SCRIPT)
-    
+
     return remote(REMOTE_NC_CMD.split()[1], int(REMOTE_NC_CMD.split()[2]))
 
 def main():
@@ -77,4 +78,4 @@ if __name__ == "__main__":
 
 ## Flag
 
-`TRX{1_h0p3_y0u_d1dn7_bru73f0rc3_dc85efe0}`
+`TRX{1_h0p3_y0u_d1dn7_bru73f0rc3_dc85efe0}`
diff --git a/content/posts/wctf-2019-babypwn/index.md b/content/posts/wctf-2019-babypwn/index.md
@@ -3,7 +3,7 @@ title: WCTF 2019 BabyPwn
 date: '2019-07-06'
 lastmod: '2019-07-06T15:08:55+02:00'
 categories:
-- articles
+- writeup
 tags:
 - pwn
 - crypto
@@ -168,7 +168,7 @@ To do so we have to carefully choose the parameters of the DH key exchange.
 In function dh_exchange at 0x00411ae0 we are asked for 3 hex-encoded values
 
 ```
-p (in hexadecimal, length <= 1000) : 
+p (in hexadecimal, length <= 1000) :
 q (in hexadecimal, length <= 1000) :
 g (in hexadecimal, 0x2 <= g <= 0x40 ) :
 ```
@@ -203,7 +203,7 @@ To at least complete the exchange, our parameters p, q, g need to satisfy some c
   if (q_bit_len_ge_200 < 0x200) {
     return 0;
   }
-  
+
     ….
 
 p_min_1_mod_q = __gmpz_divisible_p(p_minus_1,q);
@@ -226,7 +226,7 @@ We will be prompted for g^a and then the server will compute the shared key as g
 ```c
 // function key_exchange@0x00412064
     BCryptGenRandom((BCRYPT_ALG_HANDLE)0x0,nonce,0x40,2);
-    …..  
+    …..
     __gmpz_set_str(b,nonce_hex,0x10);
     __gmpz_powm(g_to_b,g,b,p);
     __gmp_sprintf(local_8c4,&DAT_00418b38,g_to_b);
@@ -237,7 +237,7 @@ We will be prompted for g^a and then the server will compute the shared key as g
 
 ### Solution
 
-So we need to find a way to choose g^a so that g^ab mod p = 0x0102030405060708091011121314151617181920212223242526272829303132 
+So we need to find a way to choose g^a so that g^ab mod p = 0x0102030405060708091011121314151617181920212223242526272829303132
 
 The key insight to solve the challenge is that g^a = b-th root of 0x0102030405060708091011121314151617181920212223242526272829303132 mod p
 
@@ -259,7 +259,7 @@ So mainly thanks to point 2 and 3 we can use *pohlig hellman* algorithm to solve
 
 To do so we repeatedly
 
-1. generate q as a 0x200 bits prime, then we generate several (in my final exploit ~100) small primes 
+1. generate q as a 0x200 bits prime, then we generate several (in my final exploit ~100) small primes
 2. check that p = 2 * q * primes + 1 is prime
 Now that we have the correct p and q we can store them to use in the exploit
 
diff --git a/static/trxctf25/virtual/img1.png b/static/trxctf25/virtual/img1.png
diff --git a/static/trxctf25/virtual/img2.png b/static/trxctf25/virtual/img2.png
diff --git a/themes/hello-friend-trx/assets/scss/_variables.scss b/themes/hello-friend-trx/assets/scss/_variables.scss
@@ -3,28 +3,25 @@
 $accent-color: #16a085;
 
 /* Light theme color */
-$light-background: #fafafa; /*#fff;*/
+$light-background: #f8f8f8;
 $light-background-secondary: #eaeaea;
-$light-background-header: #fafafa;
+$light-background-header: #f8f8f8;
 $light-color: #222;
 $light-color-variant: black;
 $light-color-secondary: #727272;
 $light-border-color: #dcdcdc;
 $light-table-color: #dcdcdc;
-
 $light-hover-color: $accent-color;
 
 /* Dark theme colors */
-$dark-background: #1b1c1d; /*#232425;*/
-$dark-background-secondary: #232425; /*#3b3d42;*/
-
+$dark-background: #1b1c1d;
+$dark-background-secondary: #232425;
 $dark-background-header: #1b1c1d;
 $dark-color: #a9a9b3;
 $dark-color-variant: white;
 $dark-color-secondary: #b3b3bd;
 $dark-border-color: #4e4e57;
 $dark-table-color: #4e4e57;
-
 $dark-hover-color: $accent-color;
 
 $media-size-phone: "(max-width: 684px)";
