V8, the JavaScript engine, is largely undocumented. An important source to understand V8 are design documents. To the best of my knowledge, there is no index of all design docs. I made an attempt to create at least a partial index, i.e. all design docs I know of. It is not limited to design docs in the strict sense; more like “Google Doc with details about V8 development”.

Python jail escapes have evolved into their own CTF category over the past years. I recently gave a talk and wrote a blog post for my CTF team, where I give an introduction to the topic and show some classical examples. CSAW CTF finals I played with team polyflag, overall the CTF was pretty mid with a lot of guessing and an unacceptable required VPN setup, where we had to install some random VPN client on our machines (with sudo curl ... | bash of course) and then had to authenticate with a Google, LinkedIn, Microsoft or GitHub account.

This is the second part of my adoption of …ing the technical interview. A blog series by Aphyr about writing programs in funny, non-standard ways. Again this is a writeup of a CTF challenge I created. Specifically, the dive in the lake challenge of LakeCTF, organized by the CTF of EPFL polygl0ts.

I really like the blog series …ing the technical interview by Aphyr. Besides the humor, I enjoy seeing Turing completeness in parts of systems that many people use but that were not designed to write entire programs in.

This is a writeup of an easy/medium pwn challenge called “Profile” featuring a type confusion, some GOT overwriting, and a funny but unnecessary one gadget exploit for the fun of it.

Solution to the Cyber Security Rumble Finals challenge simple-asm.