--allow-empty
This commit is contained in:
BIN
cscg25/forensics/intro2/intro-forensics-2.pcapng
Normal file
BIN
cscg25/forensics/intro2/intro-forensics-2.pcapng
Normal file
Binary file not shown.
3
cscg25/misc/nokia/sms.txt
Normal file
3
cscg25/misc/nokia/sms.txt
Normal file
@@ -0,0 +1,3 @@
|
||||
//SCKL1583 0B05041583000000030103013000480E01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFBFFF9FFFFF3FFC71FFFFFFDFFFEFBFFDED0F32
|
||||
//SCKL1583 0B050415830000000301030273DFFCC18FF8EDB7BDE1DFFB6FB7FB71B7BAEFDFFB6DB7FB7B8F12718FFCF30FF8E3BFFFFFFFFFFFFFFFFF1FFFFFFFFFFFFFFFFF
|
||||
//SCKL1583 0B0504158300000003010303FFFFFFFC0FFFFC0FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00
|
||||
55
cscg25/pwn/intro1/Dockerfile
Normal file
55
cscg25/pwn/intro1/Dockerfile
Normal file
@@ -0,0 +1,55 @@
|
||||
FROM debian:bookworm-20250203-slim@sha256:40b107342c492725bc7aacbe93a49945445191ae364184a6d24fedb28172f6f7 AS ynetd-builder
|
||||
|
||||
ADD --chmod=0755 --checksum=sha256:c125df9762b0c7233459087bb840c0e5dbfc4d9690ee227f1ed8994f4d51d2e0 \
|
||||
https://raw.githubusercontent.com/reproducible-containers/repro-sources-list.sh/v0.1.4/repro-sources-list.sh \
|
||||
/usr/local/bin/repro-sources-list.sh
|
||||
|
||||
RUN --mount=type=cache,target=/var/cache/apt,sharing=locked --mount=type=cache,target=/var/lib/apt,sharing=locked \
|
||||
/usr/local/bin/repro-sources-list.sh && \
|
||||
apt-get update && \
|
||||
DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends --yes \
|
||||
musl-dev \
|
||||
musl-tools \
|
||||
make \
|
||||
xz-utils && \
|
||||
rm -f /usr/local/bin/repro-sources-list.sh
|
||||
|
||||
WORKDIR /work
|
||||
|
||||
ADD --chmod=0666 --checksum=sha256:4300f2fbc3996bc389d3c03a74662bfff3106ac1930942c5bd27580c7ba5053d \
|
||||
https://yx7.cc/code/ynetd/ynetd-0.1.2.tar.xz \
|
||||
/work/ynetd-0.1.2.tar.xz
|
||||
|
||||
RUN tar -xJf ynetd-0.1.2.tar.xz && cd ynetd-0.1.2 && CC="musl-gcc" CFLAGS="-static" make
|
||||
|
||||
FROM debian:bookworm-20250203-slim@sha256:40b107342c492725bc7aacbe93a49945445191ae364184a6d24fedb28172f6f7 AS challenge-builder
|
||||
|
||||
ADD --chmod=0755 --checksum=sha256:c125df9762b0c7233459087bb840c0e5dbfc4d9690ee227f1ed8994f4d51d2e0 \
|
||||
https://raw.githubusercontent.com/reproducible-containers/repro-sources-list.sh/v0.1.4/repro-sources-list.sh \
|
||||
/usr/local/bin/repro-sources-list.sh
|
||||
|
||||
RUN --mount=type=cache,target=/var/cache/apt,sharing=locked --mount=type=cache,target=/var/lib/apt,sharing=locked \
|
||||
/usr/local/bin/repro-sources-list.sh && \
|
||||
apt-get update && \
|
||||
DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends --yes \
|
||||
gcc libc-dev make && \
|
||||
rm -f /usr/local/bin/repro-sources-list.sh
|
||||
|
||||
WORKDIR /work
|
||||
|
||||
COPY ./intro-pwn.c ./Makefile /work
|
||||
|
||||
RUN make
|
||||
RUN echo "85c479b7682a099fd5e1365ade142f55a8d0c2be7278126c74f0155f9f04b450 ./intro-pwn" | sha256sum -c
|
||||
|
||||
FROM debian:bookworm-20250203-slim@sha256:40b107342c492725bc7aacbe93a49945445191ae364184a6d24fedb28172f6f7 AS runner
|
||||
|
||||
COPY --from=ynetd-builder /work/ynetd-0.1.2/ynetd /ynetd
|
||||
|
||||
COPY --from=challenge-builder /work/intro-pwn /intro-pwn
|
||||
|
||||
COPY ./flag /flag
|
||||
|
||||
EXPOSE 1024
|
||||
|
||||
CMD ["/ynetd", "-se", "y", "-p", "1024", "/intro-pwn"]
|
||||
8
cscg25/pwn/intro1/Makefile
Normal file
8
cscg25/pwn/intro1/Makefile
Normal file
@@ -0,0 +1,8 @@
|
||||
CC = gcc
|
||||
CFLAGS = -Wall -Wextra -g -std=c99 -g -fno-stack-protector -no-pie
|
||||
|
||||
intro-pwn: intro-pwn.c
|
||||
$(CC) $(CFLAGS) -o intro-pwn intro-pwn.c
|
||||
|
||||
clean:
|
||||
rm -f intro-pwn
|
||||
1
cscg25/pwn/intro1/flag
Normal file
1
cscg25/pwn/intro1/flag
Normal file
@@ -0,0 +1 @@
|
||||
CSCG{testflag}
|
||||
BIN
cscg25/pwn/intro1/intro-pwn
Executable file
BIN
cscg25/pwn/intro1/intro-pwn
Executable file
Binary file not shown.
BIN
cscg25/pwn/intro1/intro-pwn-1.zip
Normal file
BIN
cscg25/pwn/intro1/intro-pwn-1.zip
Normal file
Binary file not shown.
39
cscg25/pwn/intro1/intro-pwn.c
Normal file
39
cscg25/pwn/intro1/intro-pwn.c
Normal file
@@ -0,0 +1,39 @@
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
|
||||
// --------------------------------------------------- SETUP
|
||||
|
||||
|
||||
void ignore_me_init_buffering()
|
||||
{
|
||||
setvbuf(stdout, NULL, _IONBF, 0);
|
||||
setvbuf(stdin, NULL, _IONBF, 0);
|
||||
setvbuf(stderr, NULL, _IONBF, 0);
|
||||
}
|
||||
|
||||
// --------------------------------------------------- VULNERABLE FUNCTION
|
||||
|
||||
void win()
|
||||
{
|
||||
system("echo no cat /flag for you");
|
||||
}
|
||||
|
||||
void vuln() {
|
||||
char name[16];
|
||||
printf("What is your name?\n");
|
||||
gets(name);
|
||||
printf("Hello %s!\nI have a present for you: %d\n", name, 0xc35f);
|
||||
}
|
||||
|
||||
// --------------------------------------------------- MAIN
|
||||
|
||||
int main(int argc, char **argv)
|
||||
{
|
||||
(void)argc;
|
||||
(void)argv;
|
||||
|
||||
ignore_me_init_buffering();
|
||||
|
||||
vuln();
|
||||
return 0;
|
||||
}
|
||||
9
cscg25/pwn/intro1/last-year/README.md
Normal file
9
cscg25/pwn/intro1/last-year/README.md
Normal file
@@ -0,0 +1,9 @@
|
||||
This is an introductory challenge for exploiting Linux binaries with memory corruptions. Nowadays there are quite a few mitigations that make it not as straight forward as it used to be.
|
||||
So in order to introduce players to pwnable challenges, [LiveOverflow created a video walkthrough](https://www.youtube.com/watch?v=hhu7vhmuISY) of the first challenge.
|
||||
|
||||
This challenge was already featured in last year's CSCG. We are aware that public writeups exist, but we figured this challenge is still a nice-to-have for newcomers, so we released it again.
|
||||
|
||||
*Note*: The video writeup of LiveOverflow is not completely functional. To give you hint: It's about the address of the `ret` instruction that was chosen to re-align the stack.
|
||||
|
||||
Suppose `ASLR` is rather 'smooth' - meaning a whole bunch of nibbles are zero - (which is pretty much always the case in our setup) all addresses within the offset range of `0xa00` to `0xaff`
|
||||
translate to addresses looking like `xxxxxxxxxx0axx`, requiring you to send the bytes `xx xx xx xx xx xx 0a xx` over the wire. Now the problem with this is that `0a` is a newline (`\\n`), which in turn terminates `gets()` (refer to `man 3 gets`), meaning that your payload terminates prematurely.
|
||||
BIN
cscg25/pwn/intro1/last-year/pwn1
Executable file
BIN
cscg25/pwn/intro1/last-year/pwn1
Executable file
Binary file not shown.
70
cscg25/pwn/intro1/last-year/pwn1.c
Normal file
70
cscg25/pwn/intro1/last-year/pwn1.c
Normal file
@@ -0,0 +1,70 @@
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <unistd.h>
|
||||
#include <signal.h>
|
||||
#include <string.h>
|
||||
|
||||
// pwn1: gcc pwn1.c -o pwn1
|
||||
|
||||
// --------------------------------------------------- SETUP
|
||||
|
||||
void ignore_me_init_buffering() {
|
||||
setvbuf(stdout, NULL, _IONBF, 0);
|
||||
setvbuf(stdin, NULL, _IONBF, 0);
|
||||
setvbuf(stderr, NULL, _IONBF, 0);
|
||||
}
|
||||
|
||||
void kill_on_timeout(int sig) {
|
||||
if (sig == SIGALRM) {
|
||||
printf("[!] Anti DoS Signal. Patch me out for testing.");
|
||||
_exit(0);
|
||||
}
|
||||
}
|
||||
|
||||
void ignore_me_init_signal() {
|
||||
signal(SIGALRM, kill_on_timeout);
|
||||
alarm(60);
|
||||
}
|
||||
|
||||
// --------------------------------------------------- MENU
|
||||
|
||||
void WINgardium_leviosa() {
|
||||
printf("┌───────────────────────┐\n");
|
||||
printf("│ You are a Slytherin.. │\n");
|
||||
printf("└───────────────────────┘\n");
|
||||
system("/bin/sh");
|
||||
}
|
||||
|
||||
void welcome() {
|
||||
char read_buf[0xff];
|
||||
printf("Enter your witch name:\n");
|
||||
gets(read_buf);
|
||||
printf("┌───────────────────────┐\n");
|
||||
printf("│ You are a Hufflepuff! │\n");
|
||||
printf("└───────────────────────┘\n");
|
||||
printf(read_buf);
|
||||
}
|
||||
|
||||
void AAAAAAAA() {
|
||||
char read_buf[0xff];
|
||||
|
||||
printf(" enter your magic spell:\n");
|
||||
gets(read_buf);
|
||||
if(strcmp(read_buf, "Expelliarmus") == 0) {
|
||||
printf("~ Protego!\n");
|
||||
} else {
|
||||
printf("-10 Points for Hufflepuff!\n");
|
||||
_exit(0);
|
||||
}
|
||||
}
|
||||
// --------------------------------------------------- MAIN
|
||||
|
||||
void main(int argc, char* argv[]) {
|
||||
ignore_me_init_buffering();
|
||||
ignore_me_init_signal();
|
||||
|
||||
welcome();
|
||||
AAAAAAAA();
|
||||
}
|
||||
|
||||
|
||||
BIN
cscg25/rev/intro3/rev3.bndb
Normal file
BIN
cscg25/rev/intro3/rev3.bndb
Normal file
Binary file not shown.
Reference in New Issue
Block a user