hitcon writeups for telescope, 11011001 and revenge

Author: VoidMercy

2020/HITCON/11011001/README.md

@@ -1,3 +1,5 @@
 # 11011001
 
-Read [solve.py](./solve.py)
+See [solve.py](./solve.py). The binary implements constraints on 20 20-bit integers. Represent the constraints for 20x20 bit variables in z3 and SAT solve.
+
+

2020/HITCON/revenge/README.md

@@ -1,3 +1,3 @@
 # revenge
 
-Read [solve.py](./solve.py)
+We obtain the stdout and stderr of the pwntools script, so we can use the assembler to leak the flag through errors. Use ".include" on the flag file to include the flag as assembly code, which will error when assembled. See [solve.py](./solve.py)

2020/HITCON/telescope/README.md

@@ -0,0 +1,7 @@
+Lost the solve script but here is writeup. The vulnerability is that the size of the output protobuf after being parsed from array then serialized to string is not checked. This means we need a message that is longer after being parsed then serialized. It turns out backwards compatability with packed fields does this, so we can manually fuzz the message until we get a perfect off-by-one overflow into the next chunk after the message is serialized again. This message overflows with one 0x71 byte:
+
+```
+0a6ac182858a94a8d020c182858a94a8d020c182858a94a8d020c182858a94a8d020c182858a94a8d020c182858a94a8d020c182858a94a8d020c182858a94a8d020c182858a94a8d020c182858a94a8d020c182858a94a8d020c182858a94a8d020c182858a94a8d020717110effdb6f50d
+```
+
+Using this, we can easily obtain overlapping chunks, get leaks, overwrite tcache fd, overwrite freehook, win.