Posts by samosad
punchymclochface writeup (FAUST CTF 2019)
This is an RCE-as-a-service that runs COBOL code encoded in punch card images uploaded by the user. The hard parts are generating valid punch card images with the desired code and writing COBOL that runs shellcode using the available charset. The patch is
chmod -r data
(this disables listing of the service's data dir, as flags are stored in randomly-named files).
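Why the patch works without breaking the service, as an added example that is not part of the original writeup: removing the read bit from a directory blocks enumeration, while the execute bit still lets a process open a file whose name it already knows. The scratch directory, file name and placeholder content are constructed, the helper names are hypothetical, `stat -c` assumes GNU coreutils, and the explicit `a-r` form is used so the result does not depend on the umask.

```shell
#!/bin/sh
# Added illustration; directory and file names below are constructed.

# Remove the read (list) bit for everyone; execute (traverse) bits stay.
disable_listing() { chmod a-r "$1"; }

# Octal mode of a path (GNU stat syntax).
mode_of() { stat -c %a "$1"; }

# Succeeds only if the directory's entries can be enumerated.
can_list() { ls "$1" >/dev/null 2>&1; }

# Build a scratch "data" dir holding one randomly named file.
# Prints "<dir> <name>" on success.
make_fixture() {
    base=$(mktemp -d) || return 1
    mkdir "$base/data" && chmod 755 "$base/data" || return 1
    name=$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')
    echo 'placeholder-flag' > "$base/data/$name" || return 1
    echo "$base/data $name"
}

demo() {
    set -- $(make_fixture)
    dir=$1 name=$2
    echo "before: mode=$(mode_of "$dir")"
    disable_listing "$dir"
    echo "after:  mode=$(mode_of "$dir")"
    if can_list "$dir"; then
        # Mode bits are not enforced for root, so the patch only helps
        # against code running as an unprivileged user.
        echo "listing: still possible (running as root)"
    else
        echo "listing: denied"
    fi
    # The owner of the flag id (the known name) can still read the file.
    echo "open by known name: $(cat "$dir/$name")"
    # Restore read permission so the scratch tree can be deleted.
    chmod 755 "$dir" && rm -rf "$(dirname "$dir")"
}

demo
```

The root case matters when checking the patch: if the process that executes uploaded code runs as root, the mode bits are bypassed and listing still succeeds.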