# 0xTen ## 0xTen - [Intro](https://0xten.gitbook.io/public/master.md): I post writeups about CTFs I play and share techniques. I mostly play with ELT and Crusaders of Rust. (NOTE: This blogsite is currently outdate, you can find recent exploits in my github profile) - [Hackthebox👽](https://0xten.gitbook.io/public/hackthebox.md): This section is dedicated to my activity on HTB. - [Boxes](https://0xten.gitbook.io/public/hackthebox/retired-boxes.md): The boxes in this section have already been retired from Hackthebox and sharing my solution is perfectly fine. Hope you enjoy! - [Attended](https://0xten.gitbook.io/public/hackthebox/retired-boxes/attended.md): Attended was on of the hardest box I ever even touched. It helped me to improve my pwn skills a lot so it's 100% worth it. - [Challenges](https://0xten.gitbook.io/public/hackthebox/retired-challenges.md): The challenges in this section have already been retired from Hackthebox and sharing my solution is perfectly fine. Hope you enjoy! - [knote](https://0xten.gitbook.io/public/hackthebox/retired-challenges/knote.md): knote is a medium pwn challenge that consists on a very straight forward linux kernel double free without SMAP, SMEP, KPTI or kASLR. - [Business Ctf](https://0xten.gitbook.io/public/hackthebox/business-ctf.md) - [2022](https://0xten.gitbook.io/public/hackthebox/business-ctf/2022.md) - [Midenios](https://0xten.gitbook.io/public/hackthebox/business-ctf/2022/midenios.md): Midenios was a browser exploitation challenge featuring a heap OOB on firefox - [UHC🔮](https://0xten.gitbook.io/public/uhc.md): This section is dedicated to my activity on UHC. - [Quals](https://0xten.gitbook.io/public/uhc/quals.md): This section is dedicated to writeups on the quals of the UHC CTF - [8th Edition](https://0xten.gitbook.io/public/uhc/quals/8th-edition.md) - [Super Secret Password](https://0xten.gitbook.io/public/uhc/quals/8th-edition/super-secret-password.md) - [Trampoline](https://0xten.gitbook.io/public/uhc/quals/8th-edition/trampoline.md) - [I like to buy or smth](https://0xten.gitbook.io/public/uhc/quals/8th-edition/untitled.md) - [pwnable.kr🐱](https://0xten.gitbook.io/public/pwnable.md): This section is dedicated to my activity on pwneable.kr. - [Toddler's Bottle](https://0xten.gitbook.io/public/pwnable/toddlers-bottle.md): Toddler's Bottle is the first section of challenges on pwnable.kr and are meant to be the easiest ones. - [fd](https://0xten.gitbook.io/public/pwnable/toddlers-bottle/fd.md): fd is the 1st challenge of Toddler's Bottle at pwnable.kr - [bof](https://0xten.gitbook.io/public/pwnable/toddlers-bottle/bof.md): bof is the 3rd challenge of Toddler's Bottle at pwnable.kr - [random](https://0xten.gitbook.io/public/pwnable/toddlers-bottle/random.md): random is the 6th challenge of Toddler's Bottle at pwnable.kr - [uaf](https://0xten.gitbook.io/public/pwnable/toddlers-bottle/uaf.md): uaf is the 16th challenge of Toddler's Bottle at pwnable.kr - [Boitatech🐍](https://0xten.gitbook.io/public/boitatech.md): Boitatech is a brazilian community the host a awesome event that fetures a CTF every year. - [2021](https://0xten.gitbook.io/public/boitatech/2021.md): This years CTF was the first time it was hosted entirely through discord, using a bot. - [bankapp](https://0xten.gitbook.io/public/boitatech/2021/bankapp.md): bankapp was the challenge I created for the Boitatech CTF 2021, it was a medium -> hard heap exploitation challenge. - [DEFCON☠️](https://0xten.gitbook.io/public/defcon.md) - [2022](https://0xten.gitbook.io/public/defcon/2022.md) - [Quals](https://0xten.gitbook.io/public/defcon/2022/quals.md) - [Smuggler's Cove](https://0xten.gitbook.io/public/defcon/2022/quals/smugglers-cove.md): Smuggler's Cove was a pwn challenge based on LuaJIT based lua interpreter + pointer corruption to disalign jitted function - [RealWorld CTF🐉](https://0xten.gitbook.io/public/realworld-ctf.md): RealWorld CTF is a jeopardy CTF hosted by Chaitin Tech and features many real world applications/projects - [2022](https://0xten.gitbook.io/public/realworld-ctf/2022.md) - [Dice CTF 🎲](https://0xten.gitbook.io/public/dice-ctf.md): Dice CTF is an awesome CTF hosted by Dice Gang - [2022](https://0xten.gitbook.io/public/dice-ctf/2022.md) - [babyrop](https://0xten.gitbook.io/public/dice-ctf/2022/babyrop.md): babyrop is a simple heap-use-after-free exploitation challenge in glibc 2.34, meaning no allocator hooks to be used as function pointers for PC control. We are also stuck w/ seccomp and can't /bin/sh. - [2023](https://0xten.gitbook.io/public/dice-ctf/2023.md) - [Insomnihack💀](https://0xten.gitbook.io/public/insomnihack.md) - [2022](https://0xten.gitbook.io/public/insomnihack/2022.md) - [ClearSale CTF🏆](https://0xten.gitbook.io/public/clearsale-ctf.md): ClearSale CTF is organized by the awesome team back at https://eflag.io - [2021](https://0xten.gitbook.io/public/clearsale-ctf/2021.md) - [Secret Notes](https://0xten.gitbook.io/public/clearsale-ctf/2021/secret-notes.md): Secret notes was an XSS challenge that consisted on a self xss that could be leveraged through csrf, it was also necessary to bypass CSP. - [Esse Esse Erre Effe](https://0xten.gitbook.io/public/clearsale-ctf/2021/esse-esse-erre-effe.md): Esse Esse Erre Effe stand for the portuguese pronunciation of SSRF. It's a simple SSRF using a redirect to bypass filters and extract metadata from them cloud infrastructure. - [Fresca Soda](https://0xten.gitbook.io/public/clearsale-ctf/2021/fresca-soda.md): Fresca soda was a pretty neat HTTP Request Smuggling challenge. - [Healthchecker](https://0xten.gitbook.io/public/clearsale-ctf/2021/healthchecker.md): Healthchecker was a ASP.NET challenge that provided us the .dll file of the backend app. - [InCTF🏆](https://0xten.gitbook.io/public/inctf.md): InCTF is a huge CTF organized by team bi0s. - [2021](https://0xten.gitbook.io/public/inctf/2021.md) - [Ancient House](https://0xten.gitbook.io/public/inctf/2021/ancient-house.md): At first glance this was a regular heap exploitation challenge, but instead of ptmalloc it uses jemalloc as the memory allocator. - [ASIS CTF🏆](https://0xten.gitbook.io/public/asis-ctf.md) - [2020](https://0xten.gitbook.io/public/asis-ctf/2020.md) - [Shared house](https://0xten.gitbook.io/public/asis-ctf/2020/shared-house.md): Shared house is a kernel heap exploitation challenge feauturing an off-by-null vulnerability - [2021](https://0xten.gitbook.io/public/asis-ctf/2021.md) - [Mini Memo](https://0xten.gitbook.io/public/asis-ctf/2021/mini-memo.md): Mini memo is a linux kernel heap challenge that is vulnerable to a 4-bytes buffer overflow of randomly generated bytes and a linked-list unlink corruption. - [N1CTF🏆](https://0xten.gitbook.io/public/n1ctf.md) - [2021](https://0xten.gitbook.io/public/n1ctf/2021.md) - [babyguess](https://0xten.gitbook.io/public/n1ctf/2021/babyguess.md): babyguess is a kernel buffer overflow challenge featuring a race condition and a buffer overread - [HacktivityCon🏆](https://0xten.gitbook.io/public/hacktivitycon.md): HacktivityCon is a conference hosted by hackerone and features an awesome CTF. - [2021](https://0xten.gitbook.io/public/hacktivitycon/2021.md) - [faucet](https://0xten.gitbook.io/public/hacktivitycon/2021/faucet.md): faucet is a fairly simple format strings challenge that consists on leaking a variable containing the flag - [pawned](https://0xten.gitbook.io/public/hacktivitycon/2021/pawned.md): pawned was a basic heap challenge that consisted on an use-after-free bug. - [retcheck](https://0xten.gitbook.io/public/hacktivitycon/2021/retcheck.md): retcheck was a fairly simply buffer overflow challenge against a custom stack cookie implementation. - [shellcoded](https://0xten.gitbook.io/public/hacktivitycon/2021/shellcoded.md): shellcoded was mostly a easy reversing challenge rather then pwn since you only had to reverse the encoding applied to the shellcode. - [the library](https://0xten.gitbook.io/public/hacktivitycon/2021/the-library.md): The library was as simple as ret2libc can be. - [yabo](https://0xten.gitbook.io/public/hacktivitycon/2021/yabo.md): Yabo was a basic buffer overflow challenge with executable stack. - [ROP↩️](https://0xten.gitbook.io/public/pwn/rop.md): This section is dedicated to my personal notes on my studies about ROP (return-oriented programming) chains and how to build them. - [x64 ret2libc](https://0xten.gitbook.io/public/pwn/rop/x64-ret2libc.md): If a binary does not have enough useful gadgets but imports the libc library, we can try to return to libc and call gadgets like system() and execve(). - [Heap⛰️](https://0xten.gitbook.io/public/pwn/heap.md): This section is dedicated to my personal notes on my studies about heap exploitation. - [jemalloc](https://0xten.gitbook.io/public/pwn/heap/jemalloc.md) - [Fastbin dup - 2.31](https://0xten.gitbook.io/public/pwn/heap/fastbin-dup-2.31.md) - [Chunk Overlapping - 2.31](https://0xten.gitbook.io/public/pwn/heap/chunk-overlapping-2.31.md): Overlapping chunks through backwards consolidation on glibc 2.31 - [phoenix](https://0xten.gitbook.io/public/pwn/heap/phoenix.md): This session is dedicated to heap challenges from the phoenix VM from exploit education. - [heap-zero](https://0xten.gitbook.io/public/pwn/heap/phoenix/heap-zero.md): heap-zero is the first heap exploitation exercise from the phoenix vm from exploit education - [i486](https://0xten.gitbook.io/public/pwn/heap/phoenix/heap-zero/i486.md): x86 32bit version of the heap-zero exercise. - [heap-one](https://0xten.gitbook.io/public/pwn/heap/phoenix/heap-one.md): heap-one is the second heap exploitation exercise from the phoenix vm from exploit education - [i486](https://0xten.gitbook.io/public/pwn/heap/phoenix/heap-one/i486.md): x86 32bit version of the heap-one exercise. - [Format strings🩸](https://0xten.gitbook.io/public/pwn/format-strings.md): This section is dedicated to my personal notes on my studies about format strings vulnerabilities and how to arb read/write with them. - [Blind](https://0xten.gitbook.io/public/pwn/format-strings/blind.md): It's possible to pwn a format strings vulnerable binary without even having access to the a local copy of the binary by leaking some important data. - [Kernel🌽](https://0xten.gitbook.io/public/pwn/untitled.md): This section is dedicated to my personal notes on my studies about kernel exploitation. - [Browser🤖](https://0xten.gitbook.io/public/pwn/browser.md): This section is dedicated to my personal notes on my studies about heap browser exploitation. - [SQLi💉](https://0xten.gitbook.io/public/web/sqli.md): This section is dedicated to my personal notes on my studies about SQL Injections. - [Blind (Boolean Based)](https://0xten.gitbook.io/public/web/sqli/blind-boolean-based.md): Boolean based SQLi consists on abusing conditions that affect the response from the server if they are met or unmet. --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on a page URL with the `ask` query parameter: ``` GET https://0xten.gitbook.io/public/master.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.