How CTF helped my career
as a vulnerability researcher
bruce30262
About me
Bruce Chen ( @bruce30262 )
● Vulnerability researcher at STAR Labs, mainly focusing on browser & IoT
vulnerability research
● Former vulnerability researcher at NCSIST & TeamT5
● MSRC 2023 Most Valuable Security Researcher
● Retired CTF player ( 2014 ~ 2022 )
● Mainly focused on binary challenges ( Pwn / Reverse )
What I learned from CTFs
● Static & dynamic program analysis
○ Static: Reverse engineering
○ Dynamic: Software debugging
● Vulnerability discovering and exploitation techniques
● Scripting / Tooling
● Hacking mindset
Case 1:
Getting root shell on an IoT device
Skills for IoT vulnerability research
● Forensic / Crypto
○ Firmware extraction and decryption
● Static & Dynamic program analysis
○ Finding vulnerabilities via reverse engineering
○ Debugging target service
● Exploitation
○ Buffer overflow, Shellcode, ROP, command injection…etc
● Misc ( e.g. Hardware )
Getting root shell on an IoT device
● It’s important to have a root shell on the research target
○ Can use it for service enumeration, install gdb …etc
● But sometimes the device doesn’t provide shell by default
○ No ssh, telnet…etc
● We’ll need to get the root shell with some tricks
Getting root shell on an IoT device
● Target: an IP camera
● No ssh or telnet, but have UART pins
○ Over UART we were able to log in to U-Boot and run some commands
● We were able to modify the boot command
○ Default is /init; it can be changed to another program, but no arguments are allowed
○ Changing it to /bin/sh ended up freezing the serial console
Getting root shell on an IoT device
● Started searching for useful programs on the device
● Found vi
● Launching vi enters the editor interface
○ Use ! ( the :! command ) to execute a shell command :
echo root:test | /usr/sbin/chpasswd -m && /init
● Successfully got a root shell after logging in with the modified root password
○ chpasswd sets the new password, and && /init then continues the normal boot so the login prompt comes up
Case 2:
Bypassing CFG in
Windows Chrome browser
Real world CTF challenges are useful
● Pwnable
○ Browser
○ Linux kernel
○ VM escape
● Reverse
○ Challenges from the Flare-On challenge
Getting RCE in Windows Chrome browser
● We reached a point where we can control a C++ object in the browser
○ Can read/write the object memory
○ Fully control its members and vtable
● Normally we can achieve RCE by controlling the vtable
○ e.g. stack pivot -> ROP
● However, CFG is enabled in Windows Chrome
○ Can't jump to an arbitrary code address when calling a virtual function; only registered function entry points are allowed
Bypassing CFG
● We can still jump to any valid virtual function. Can we do something with that?
● There are CTF challenges with a similar solution
○ PlaidCTF 2020 - mojo
○ SCTF-XCTF 2020 - EasyMojo
● Looking at those write-ups, we found that we can search for useful virtual
functions in Chrome and do some evil stuff with them.
Bypassing CFG
void Start() override {
DCHECK(!IsStarted());
dict_iterator_ = locker_.begin();
}
● locker_ is controllable and can point anywhere
● locker_.begin() therefore lets us read data from anywhere
● dict_iterator_ stores the leaked data, which can then be read back from the object
memory
Bypassing CFG
● With this we can achieve arbitrary memory read
● With similar method we can also achieve arbitrary memory write, and
achieve RCE eventually
● This technique is called COOP ( Counterfeit Object-Oriented Programming )
○ Known since 2015 ( Schuster et al., IEEE S&P 2015 )
○ Can also be used to bypass other coarse-grained mitigations such as BTI on ARM
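The following is an added model of the COOP read and write primitives described on the slides above; it is not Chromium's code. Only the shape of Start() ( dict_iterator_ = locker_.begin() ) mirrors the real gadget. The object layout, the Finish() write gadget, the set-based model of the CFG target bitmap and the GuardedVirtualCall helper are assumptions made for illustration.

```cpp
// Added example, not Chromium's code: a model of the COOP read/write primitives
// described in the talk. Object layout, the CFG model and the Finish() gadget
// are assumptions for illustration; only Start() mirrors the real gadget.
#include <cassert>
#include <cstdint>
#include <set>

struct Object;
using VFunc = void (*)(Object*);

// Attacker-controlled object: we can read/write every field, including the
// vtable pointer in the first word, exactly as on the slides.
struct Object {
    const VFunc* vtable;
    const uint64_t* locker_;   // stands in for locker_: begin() dereferences it
    uint64_t dict_iterator_;   // the gadget stores the loaded value here
    uint64_t* out_ptr;         // hypothetical write gadget: where to store
    uint64_t out_value;        //                            what to store
    bool started;
};

// Legitimate virtual function: dict_iterator_ = locker_.begin().
// With locker_ pointing anywhere, this is an arbitrary 8-byte read.
void DictTask_Start(Object* self) {
    assert(!self->started);            // DCHECK(!IsStarted())
    self->dict_iterator_ = *self->locker_;
    self->started = true;
}

// Hypothetical "store a member through a member pointer" function: the mirror
// image of Start(), giving an arbitrary 8-byte write (assumed, not Chromium's).
void DictTask_Finish(Object* self) {
    *self->out_ptr = self->out_value;
    self->started = false;
}

const VFunc kDictTaskVTable[] = { DictTask_Start, DictTask_Finish };

// Model of CFG: the bitmap of valid indirect-call targets holds every
// address-taken function start in the image and nothing else.
static uintptr_t Addr(VFunc f) { return reinterpret_cast<uintptr_t>(f); }
static const std::set<uintptr_t>& ValidTargets() {
    static const std::set<uintptr_t> targets = { Addr(DictTask_Start), Addr(DictTask_Finish) };
    return targets;
}

// A guarded virtual call: check the fetched slot (like __guard_check_icall),
// then call it. Returns false where CFG would terminate the process.
bool GuardedVirtualCall(Object* obj, unsigned slot) {
    VFunc target = obj->vtable[slot];
    if (!ValidTargets().count(Addr(target))) return false;
    target(obj);
    return true;
}

// Classic vtable hijack: point slot 0 at a stack-pivot gadget, modelled as an
// address in the middle of a function, so it is not a registered target.
bool ClassicHijackSucceeds(Object* obj) {
    static VFunc fake_vtable[1] = { reinterpret_cast<VFunc>(Addr(DictTask_Start) + 3) };
    obj->vtable = fake_vtable;
    return GuardedVirtualCall(obj, 0);
}

// COOP read: keep a genuine vtable, aim locker_ at the address to read, call the
// valid Start(), then read the leaked value back out of the object memory.
uint64_t CoopRead(Object* obj, const void* where) {
    obj->vtable = kDictTaskVTable;
    obj->started = false;
    obj->locker_ = static_cast<const uint64_t*>(where);
    bool ok = GuardedVirtualCall(obj, 0);
    assert(ok);
    return obj->dict_iterator_;
}

// COOP write through the hypothetical Finish() gadget, same idea in reverse.
bool CoopWrite(Object* obj, void* where, uint64_t value) {
    obj->vtable = kDictTaskVTable;
    obj->out_ptr = static_cast<uint64_t*>(where);
    obj->out_value = value;
    return GuardedVirtualCall(obj, 1);
}

int main() {
    Object victim{};
    uint64_t secret = 0x4142434445464748ULL;   // constructed target memory
    uint64_t sink = 0;
    assert(!ClassicHijackSucceeds(&victim));       // CFG stops the pivot
    assert(CoopRead(&victim, &secret) == secret);  // the valid target leaks it anyway
    assert(CoopWrite(&victim, &sink, 0xdeadbeef) && sink == 0xdeadbeef);
    return 0;
}
```

The point the model makes is that CFG only answers "is this a function start that the compiler registered?"; every COOP call target is exactly that, so the check passes and the damage is done by the legitimate function body operating on attacker-chosen members. Mitigations that also validate the type or the vtable at the call site ( e.g. Clang's -fsanitize=cfi-vcall, Microsoft's XFG ) constrain this gadget style more than plain CFG does.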
Conclusion
● CTF is definitely useful
○ Improves various skills
○ Cultivates the hacking mindset
○ Accumulates experience
● Advice for CTFers ( that want to get into an infosec career )
○ Focus on improving skills and mindset
○ Try more real world CTF challenges
○ Learn things that are rarely seen in CTF ( e.g. Fuzzing, MIPS/ARM…etc )
○ Write write-ups and always take notes
THANK YOU
(backup slide)
Case 0:
NotPetya ransomware analysis
Analyzing NotPetya ransomware
● Static analysis
○ Reverse engineer the ransomware and the malicious bootloader
● Dynamic analysis
○ Debugging the malicious bootloader
● Forensic / Crypto
○ Perform disk forensics to understand how it was
corrupted/encrypted

2024-09-21 - HITCON community event 《CTF 轉生-到了業界就拿出真本事》 ( "CTF Reincarnation: Show Your Real Skills Once You Are in the Industry" ) - talk by bruce30262
