Saturday, December 07, 2019

The Gomium Browser - Exploits

In my last blog post, I described The Gomium Browser, a pwn challenge of the Google CTF 2019 finals that 4 teams (pasten, 5BC, p4, A*0*E) solved.

The challenge was framed as a command-line browser, but basically boiled down to answering this question: if you control Go source code but can only import the fmt package, can you get enough code execution to execute xcalc?

In this blog post let's look at some of the exploits that teams came up with, either during the CTF or after.

Thursday, November 07, 2019

The Gomium Browser - Google CTF 2019 finals challenge

Last weekend were the Google CTF 2019 finals in London with 10 invited teams, part of a larger event named ESCAL8 with VRP researchers (BugSWAT), students (init.g), etc.

I wrote a CTF challenge for the event: The Gomium Browser. Out of 10 teams 4 teams solved it (pasten, 5BC, p4, A*0*E) and a 5th team (Balsn) was really close, unfortunately their exploit was unreliable.

In this blog post I won't spoil too much and just introduce the challenge, if you'd like to try it yourself. Then in another post, I'll explain what it was all about, present my exploit and links to some of the other teams write-ups. There were some really interesting ones.