--allow-empty

This commit is contained in:
2025-03-10 04:20:44 +01:00
parent 9f12caa9a8
commit 5716bb9b25
12 changed files with 185 additions and 0 deletions

Binary file not shown.

View File

@@ -0,0 +1,3 @@
//SCKL1583 0B05041583000000030103013000480E01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFBFFF9FFFFF3FFC71FFFFFFDFFFEFBFFDED0F32
//SCKL1583 0B050415830000000301030273DFFCC18FF8EDB7BDE1DFFB6FB7FB71B7BAEFDFFB6DB7FB7B8F12718FFCF30FF8E3BFFFFFFFFFFFFFFFFF1FFFFFFFFFFFFFFFFF
//SCKL1583 0B0504158300000003010303FFFFFFFC0FFFFC0FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00

View File

@@ -0,0 +1,55 @@
FROM debian:bookworm-20250203-slim@sha256:40b107342c492725bc7aacbe93a49945445191ae364184a6d24fedb28172f6f7 AS ynetd-builder
ADD --chmod=0755 --checksum=sha256:c125df9762b0c7233459087bb840c0e5dbfc4d9690ee227f1ed8994f4d51d2e0 \
https://raw.githubusercontent.com/reproducible-containers/repro-sources-list.sh/v0.1.4/repro-sources-list.sh \
/usr/local/bin/repro-sources-list.sh
RUN --mount=type=cache,target=/var/cache/apt,sharing=locked --mount=type=cache,target=/var/lib/apt,sharing=locked \
/usr/local/bin/repro-sources-list.sh && \
apt-get update && \
DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends --yes \
musl-dev \
musl-tools \
make \
xz-utils && \
rm -f /usr/local/bin/repro-sources-list.sh
WORKDIR /work
ADD --chmod=0666 --checksum=sha256:4300f2fbc3996bc389d3c03a74662bfff3106ac1930942c5bd27580c7ba5053d \
https://yx7.cc/code/ynetd/ynetd-0.1.2.tar.xz \
/work/ynetd-0.1.2.tar.xz
RUN tar -xJf ynetd-0.1.2.tar.xz && cd ynetd-0.1.2 && CC="musl-gcc" CFLAGS="-static" make
FROM debian:bookworm-20250203-slim@sha256:40b107342c492725bc7aacbe93a49945445191ae364184a6d24fedb28172f6f7 AS challenge-builder
ADD --chmod=0755 --checksum=sha256:c125df9762b0c7233459087bb840c0e5dbfc4d9690ee227f1ed8994f4d51d2e0 \
https://raw.githubusercontent.com/reproducible-containers/repro-sources-list.sh/v0.1.4/repro-sources-list.sh \
/usr/local/bin/repro-sources-list.sh
RUN --mount=type=cache,target=/var/cache/apt,sharing=locked --mount=type=cache,target=/var/lib/apt,sharing=locked \
/usr/local/bin/repro-sources-list.sh && \
apt-get update && \
DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends --yes \
gcc libc-dev make && \
rm -f /usr/local/bin/repro-sources-list.sh
WORKDIR /work
COPY ./intro-pwn.c ./Makefile /work
RUN make
RUN echo "85c479b7682a099fd5e1365ade142f55a8d0c2be7278126c74f0155f9f04b450 ./intro-pwn" | sha256sum -c
FROM debian:bookworm-20250203-slim@sha256:40b107342c492725bc7aacbe93a49945445191ae364184a6d24fedb28172f6f7 AS runner
COPY --from=ynetd-builder /work/ynetd-0.1.2/ynetd /ynetd
COPY --from=challenge-builder /work/intro-pwn /intro-pwn
COPY ./flag /flag
EXPOSE 1024
CMD ["/ynetd", "-se", "y", "-p", "1024", "/intro-pwn"]

View File

@@ -0,0 +1,8 @@
CC = gcc
CFLAGS = -Wall -Wextra -g -std=c99 -g -fno-stack-protector -no-pie
intro-pwn: intro-pwn.c
$(CC) $(CFLAGS) -o intro-pwn intro-pwn.c
clean:
rm -f intro-pwn

1
cscg25/pwn/intro1/flag Normal file
View File

@@ -0,0 +1 @@
CSCG{testflag}

BIN
cscg25/pwn/intro1/intro-pwn Executable file

Binary file not shown.

Binary file not shown.

View File

@@ -0,0 +1,39 @@
#include <stdio.h>
#include <stdlib.h>
// --------------------------------------------------- SETUP
void ignore_me_init_buffering()
{
setvbuf(stdout, NULL, _IONBF, 0);
setvbuf(stdin, NULL, _IONBF, 0);
setvbuf(stderr, NULL, _IONBF, 0);
}
// --------------------------------------------------- VULNERABLE FUNCTION
void win()
{
system("echo no cat /flag for you");
}
void vuln() {
char name[16];
printf("What is your name?\n");
gets(name);
printf("Hello %s!\nI have a present for you: %d\n", name, 0xc35f);
}
// --------------------------------------------------- MAIN
int main(int argc, char **argv)
{
(void)argc;
(void)argv;
ignore_me_init_buffering();
vuln();
return 0;
}

View File

@@ -0,0 +1,9 @@
This is an introductory challenge for exploiting Linux binaries with memory corruptions. Nowadays there are quite a few mitigations that make it not as straight forward as it used to be.
So in order to introduce players to pwnable challenges, [LiveOverflow created a video walkthrough](https://www.youtube.com/watch?v=hhu7vhmuISY) of the first challenge.
This challenge was already featured in last year's CSCG. We are aware that public writeups exist, but we figured this challenge is still a nice-to-have for newcomers, so we released it again.
*Note*: The video writeup of LiveOverflow is not completely functional. To give you hint: It's about the address of the `ret` instruction that was chosen to re-align the stack.
Suppose `ASLR` is rather 'smooth' - meaning a whole bunch of nibbles are zero - (which is pretty much always the case in our setup) all addresses within the offset range of `0xa00` to `0xaff`
translate to addresses looking like `xxxxxxxxxx0axx`, requiring you to send the bytes `xx xx xx xx xx xx 0a xx` over the wire. Now the problem with this is that `0a` is a newline (`\\n`), which in turn terminates `gets()` (refer to `man 3 gets`), meaning that your payload terminates prematurely.

BIN
cscg25/pwn/intro1/last-year/pwn1 Executable file

Binary file not shown.

View File

@@ -0,0 +1,70 @@
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <signal.h>
#include <string.h>
// pwn1: gcc pwn1.c -o pwn1
// --------------------------------------------------- SETUP
void ignore_me_init_buffering() {
setvbuf(stdout, NULL, _IONBF, 0);
setvbuf(stdin, NULL, _IONBF, 0);
setvbuf(stderr, NULL, _IONBF, 0);
}
void kill_on_timeout(int sig) {
if (sig == SIGALRM) {
printf("[!] Anti DoS Signal. Patch me out for testing.");
_exit(0);
}
}
void ignore_me_init_signal() {
signal(SIGALRM, kill_on_timeout);
alarm(60);
}
// --------------------------------------------------- MENU
void WINgardium_leviosa() {
printf("┌───────────────────────┐\n");
printf("│ You are a Slytherin.. │\n");
printf("└───────────────────────┘\n");
system("/bin/sh");
}
void welcome() {
char read_buf[0xff];
printf("Enter your witch name:\n");
gets(read_buf);
printf("┌───────────────────────┐\n");
printf("│ You are a Hufflepuff! │\n");
printf("└───────────────────────┘\n");
printf(read_buf);
}
void AAAAAAAA() {
char read_buf[0xff];
printf(" enter your magic spell:\n");
gets(read_buf);
if(strcmp(read_buf, "Expelliarmus") == 0) {
printf("~ Protego!\n");
} else {
printf("-10 Points for Hufflepuff!\n");
_exit(0);
}
}
// --------------------------------------------------- MAIN
void main(int argc, char* argv[]) {
ignore_me_init_buffering();
ignore_me_init_signal();
welcome();
AAAAAAAA();
}

BIN
cscg25/rev/intro3/rev3.bndb Normal file

Binary file not shown.