Nightmare

Nightmare is an intro to binary exploitation / reverse engineering course based around ctf challenges. I call it that because it's a lot of people's nightmare to get hit by weaponized 0 days, which these skills directly translate into doing that type of work (plus it's a really cool song).

Static Site

There is a github pages site which basically hosts the content of Nightmare, but it actually looks good. You can find it at: https://guyinatuxedo.github.io/

If you want to manually build the site, I just used mdbook. After installing rust and cargo, just install mdbook with sudo cargo install mdbook. Then just run mdbook build.

What makes Nightmare different?

It's true there are a lot of resources out there to learn binary exploitation / reverse engineering skills, so what makes this different?

*    Amount of Content     		-    There is a large amount of content in this course (currently over 90 challenges), laid out in a linear fashion.

*    Well Documented Write Ups 		-    Each challenge comes with a well documented writeup explaining how to go from being handed the binary to doing the exploit dev.

*    Multiple Problems per Topic 	-    Most modules have multiple different challenges. This way you can use one to learn how the attack works, and then apply it to the others. Also different iterations of the problem will have knowledge needed to solve it.

*    Using all open source tools 	-    All the tools used here are free and open sourced. No IDA torrent needed.

*    A Place to Ask Questions 		-    So if you have a problem that you've been working for days and can't get anywhere (and google isn't helping).

I have found that resources that have many of these things to be few and far between. As a result it can make learning these skills difficult since you don't really know what to learn, or how to learn it. This is essentially my attempt to help fix some of those problems.

Discord

If you get stuck on something for hours on end and google can't answer your question, try asking in the discord (or if you just feel like talking about cool security things). Here is a link to it https://discord.gg/p5E3VZF

Also if you notice any typos or mistakes, feel free to mention it in the Discord. With how much content is here, there is bound to be at least one.

Special Thanks

Special Thanks to these people:

noopnoop 	-	For dealing with me / making a few writeups
digitalcold -	For giving the advice / showing me how good the static sit would look
you nerd 	- 	For looking at this

Index

Here is the index for all of the content in this course. Feel free to go through the whole thing, or only parts of it (don't let me tell you how to live your life). For the order that you do the challenges in a module, I would recommend starting with the first.

Intro

0.) Intro to the Project

1.) Intro to Assembly

  • Intro to assembly
  • Sample assembly reverse challs

2.) Intro to Tooling

  • gdb-gef
  • pwntools
  • ghidra

3.) Beginner RE

  • pico18_strings
  • helithumper_re
  • csaw18_tourofx86pt1
  • csaw19_beleaf

Stack pt 0 Stack Tendencies

4.) Buffer Overflow of Variables

  • Csaw18/boi
  • TokyoWesterns17/just_do_it
  • Tamu19_pwn1

5.) Buffer Overflow Call Function

  • Csaw18_getit
  • Tu17_vulnchat
  • Csaw16_warmup

5.1) aslr/pie intro

  • quick aslr/pie explanation

6.) Buffer Overflow Call Shellcode

  • Tamu19_pwn3
  • Csaw17_pilot
  • Tu18_shelleasy

6.1) nx intro

  • nx explanation

7.) ROP Chain Statically compiled

  • dcquals19_speedrun1
  • bkp16_simplecalc
  • dcquals16_feedme

7.1) stack canary intro

  • stack canary introduction

7.2) relro intro

  • relro introduction

8.) ROP Dynamically Compiled

  • csaw17_svc
  • fb19_overfloat
  • hs19_storytime
  • csaw19_babyboi
  • utc19_shellme

General pt 0 Stardust Challenges

9.) Bad Seed

  • h3_time
  • hsctf19_tuxtalkshow
  • sunshinectf17_prepared

10.) Format strings

  • backdoor17_bbpwn
  • twesterns16_greeting
  • pico_echo
  • watevr19_betstar

11.) Index Array

  • dcquals16_xkcd
  • sawmpctf19_dreamheaps
  • sunshinectf2017_alternativesolution

12.) Z3

  • tokyowesterns17_revrevrev
  • tuctf_future
  • hsctf19_abyte

13.) Angr

  • securityfest_fairlight
  • plaid19_icancount
  • defcamp15_r100

Stack pt 1 Return to Stack (truly a perfect game)

14.) Ret2system

  • asis17_marymorton
  • hxp18_poorcanary
  • tu_guestbook

15.) Partial Overwrite

  • Tu17_vulnchat2
  • Tamu19_pwn2
  • hacklu15_stackstuff

16.) SROP

  • backdoorctf_funsignals
  • inctf17_stupiddrop
  • swamp19_syscaller
  • csaw19_smallboi

17.) Stack Pivot / Partial Overwrite

  • defconquals19_speedrun4
  • insomnihack18_onewrite
  • xctf16_b0verfl0w

18.) Ret2Csu / Ret2dl

  • ropemporium_ret2csu
  • 0ctf 2018 babystack

General pt 1

19.) Shellcoding pt 1

  • defconquals19_s3
  • Csaw18_shellpointcode
  • defconquals19_s6

20.) Patching/Jumping

  • dcquals18_elfcrumble
  • plaid19_plaid_part_planning_III
  • csaw16_gametime

21.) .NET Reversing

  • csaw13_dotnet
  • csaw13_bikinibonanza
  • whitehat18_re06

22.) Movfuscation

  • sawmpctf19_future
  • asis18quals_babyc
  • other_movfuscated

23.) Custom Architectures

  • h3_challenge0
  • h3_challenge1
  • h3_challenge2
  • h3_challenge3

Heap Pt 0

24.) Basic Heap overflow

  • protostar_heap1
  • protostar_heap0
  • protostar_heap2

25.) Intro to heap exploitation / binning

  • explanation

26.) Heap Grooming

  • explanation
  • swamp19_heapgolf
  • pico_areyouroot

27.) Edit Freed Chunk (pure explanation)

  • Use After Free
  • Double Free
  • Null Byte Heap Consolidation

28.) Fastbin Attack

  • explanation
  • 0ctf18_babyheap
  • csaw17_auir

29.) tcache

  • explanation
  • dcquals19_babyheap
  • plaid19_cpp

30.) unlink

  • explanation
  • hitcon14_stkof
  • zctf16_note

31.) Unsorted Bin Attack

  • explanation
  • hitcon_magicheap
  • 0ctf16_zer0storage

32.) Large Bin Attack

  • largebin0_explanation
  • largebin1_explanation

33.) Custom Malloc

  • csawquals17_minesweeper
  • csawquals18_AliensVSSamurai
  • csawquals19_traveller

General Pt 2

34.) Qemu / Emulated Targets

  • csaw18_tour_of_x86_pt_2
  • csaw15_hackingtime
  • csaw17_realism

35.) Integer Exploitation

  • puzzle
  • int_overflow_post
  • signed_unsigned_int_expl

36.) Obfuscated Reversing

  • csaw15_wyvern
  • csaw17_prophecy
  • bkp16_unholy

37.) FS Exploitation

  • swamp19_badfile

38.) Grab Bag

  • csaw18_doubletrouble
  • hackim19_shop
  • unit_vars_expl
  • csaw19_gibberish

Heap pt 2

39.) House of Spirit

  • explanation
  • hacklu14_oreo

40.) House of Lore

  • explanation

41.) House of Force

  • explanation
  • bkp16_cookbook

42.) House of Einherjar

  • explanation

43.) House of Orange

  • explanation

44.) More tcache

  • csaw19_poppingCaps0
  • csaw19_poppingCaps1

Ending Documentation

References

What's next