diff --git a/cscg25/forensics/intro2/intro-forensics-2.pcapng b/cscg25/forensics/intro2/intro-forensics-2.pcapng new file mode 100644 index 0000000..2c10651 Binary files /dev/null and b/cscg25/forensics/intro2/intro-forensics-2.pcapng differ diff --git a/cscg25/misc/nokia/sms.txt b/cscg25/misc/nokia/sms.txt new file mode 100644 index 0000000..2135808 --- /dev/null +++ b/cscg25/misc/nokia/sms.txt @@ -0,0 +1,3 @@ +//SCKL1583 0B05041583000000030103013000480E01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFBFFF9FFFFF3FFC71FFFFFFDFFFEFBFFDED0F32 +//SCKL1583 0B050415830000000301030273DFFCC18FF8EDB7BDE1DFFB6FB7FB71B7BAEFDFFB6DB7FB7B8F12718FFCF30FF8E3BFFFFFFFFFFFFFFFFF1FFFFFFFFFFFFFFFFF +//SCKL1583 0B0504158300000003010303FFFFFFFC0FFFFC0FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00 \ No newline at end of file diff --git a/cscg25/pwn/intro1/Dockerfile b/cscg25/pwn/intro1/Dockerfile new file mode 100644 index 0000000..0e91025 --- /dev/null +++ b/cscg25/pwn/intro1/Dockerfile @@ -0,0 +1,55 @@ +FROM debian:bookworm-20250203-slim@sha256:40b107342c492725bc7aacbe93a49945445191ae364184a6d24fedb28172f6f7 AS ynetd-builder + +ADD --chmod=0755 --checksum=sha256:c125df9762b0c7233459087bb840c0e5dbfc4d9690ee227f1ed8994f4d51d2e0 \ + https://raw.githubusercontent.com/reproducible-containers/repro-sources-list.sh/v0.1.4/repro-sources-list.sh \ + /usr/local/bin/repro-sources-list.sh + +RUN --mount=type=cache,target=/var/cache/apt,sharing=locked --mount=type=cache,target=/var/lib/apt,sharing=locked \ + /usr/local/bin/repro-sources-list.sh && \ + apt-get update && \ + DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends --yes \ + musl-dev \ + musl-tools \ + make \ + xz-utils && \ + rm -f /usr/local/bin/repro-sources-list.sh + +WORKDIR /work + +ADD --chmod=0666 --checksum=sha256:4300f2fbc3996bc389d3c03a74662bfff3106ac1930942c5bd27580c7ba5053d \ + https://yx7.cc/code/ynetd/ynetd-0.1.2.tar.xz \ + /work/ynetd-0.1.2.tar.xz + +RUN tar -xJf ynetd-0.1.2.tar.xz && cd ynetd-0.1.2 && CC="musl-gcc" CFLAGS="-static" make + +FROM debian:bookworm-20250203-slim@sha256:40b107342c492725bc7aacbe93a49945445191ae364184a6d24fedb28172f6f7 AS challenge-builder + +ADD --chmod=0755 --checksum=sha256:c125df9762b0c7233459087bb840c0e5dbfc4d9690ee227f1ed8994f4d51d2e0 \ + https://raw.githubusercontent.com/reproducible-containers/repro-sources-list.sh/v0.1.4/repro-sources-list.sh \ + /usr/local/bin/repro-sources-list.sh + +RUN --mount=type=cache,target=/var/cache/apt,sharing=locked --mount=type=cache,target=/var/lib/apt,sharing=locked \ + /usr/local/bin/repro-sources-list.sh && \ + apt-get update && \ + DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends --yes \ + gcc libc-dev make && \ + rm -f /usr/local/bin/repro-sources-list.sh + +WORKDIR /work + +COPY ./intro-pwn.c ./Makefile /work + +RUN make +RUN echo "85c479b7682a099fd5e1365ade142f55a8d0c2be7278126c74f0155f9f04b450 ./intro-pwn" | sha256sum -c + +FROM debian:bookworm-20250203-slim@sha256:40b107342c492725bc7aacbe93a49945445191ae364184a6d24fedb28172f6f7 AS runner + +COPY --from=ynetd-builder /work/ynetd-0.1.2/ynetd /ynetd + +COPY --from=challenge-builder /work/intro-pwn /intro-pwn + +COPY ./flag /flag + +EXPOSE 1024 + +CMD ["/ynetd", "-se", "y", "-p", "1024", "/intro-pwn"] \ No newline at end of file diff --git a/cscg25/pwn/intro1/Makefile b/cscg25/pwn/intro1/Makefile new file mode 100644 index 0000000..c3e36de --- /dev/null +++ b/cscg25/pwn/intro1/Makefile @@ -0,0 +1,8 @@ +CC = gcc +CFLAGS = -Wall -Wextra -g -std=c99 -g -fno-stack-protector -no-pie + +intro-pwn: intro-pwn.c + $(CC) $(CFLAGS) -o intro-pwn intro-pwn.c + +clean: + rm -f intro-pwn \ No newline at end of file diff --git a/cscg25/pwn/intro1/flag b/cscg25/pwn/intro1/flag new file mode 100644 index 0000000..435dc67 --- /dev/null +++ b/cscg25/pwn/intro1/flag @@ -0,0 +1 @@ +CSCG{testflag} diff --git a/cscg25/pwn/intro1/intro-pwn b/cscg25/pwn/intro1/intro-pwn new file mode 100755 index 0000000..77956aa Binary files /dev/null and b/cscg25/pwn/intro1/intro-pwn differ diff --git a/cscg25/pwn/intro1/intro-pwn-1.zip b/cscg25/pwn/intro1/intro-pwn-1.zip new file mode 100644 index 0000000..57ab490 Binary files /dev/null and b/cscg25/pwn/intro1/intro-pwn-1.zip differ diff --git a/cscg25/pwn/intro1/intro-pwn.c b/cscg25/pwn/intro1/intro-pwn.c new file mode 100644 index 0000000..e76d0b1 --- /dev/null +++ b/cscg25/pwn/intro1/intro-pwn.c @@ -0,0 +1,39 @@ +#include +#include + +// --------------------------------------------------- SETUP + + +void ignore_me_init_buffering() +{ + setvbuf(stdout, NULL, _IONBF, 0); + setvbuf(stdin, NULL, _IONBF, 0); + setvbuf(stderr, NULL, _IONBF, 0); +} + +// --------------------------------------------------- VULNERABLE FUNCTION + +void win() +{ + system("echo no cat /flag for you"); +} + +void vuln() { + char name[16]; + printf("What is your name?\n"); + gets(name); + printf("Hello %s!\nI have a present for you: %d\n", name, 0xc35f); +} + +// --------------------------------------------------- MAIN + +int main(int argc, char **argv) +{ + (void)argc; + (void)argv; + + ignore_me_init_buffering(); + + vuln(); + return 0; +} diff --git a/cscg25/pwn/intro1/last-year/README.md b/cscg25/pwn/intro1/last-year/README.md new file mode 100644 index 0000000..9bcfd3e --- /dev/null +++ b/cscg25/pwn/intro1/last-year/README.md @@ -0,0 +1,9 @@ +This is an introductory challenge for exploiting Linux binaries with memory corruptions. Nowadays there are quite a few mitigations that make it not as straight forward as it used to be. +So in order to introduce players to pwnable challenges, [LiveOverflow created a video walkthrough](https://www.youtube.com/watch?v=hhu7vhmuISY) of the first challenge. + +This challenge was already featured in last year's CSCG. We are aware that public writeups exist, but we figured this challenge is still a nice-to-have for newcomers, so we released it again. + +*Note*: The video writeup of LiveOverflow is not completely functional. To give you hint: It's about the address of the `ret` instruction that was chosen to re-align the stack. + +Suppose `ASLR` is rather 'smooth' - meaning a whole bunch of nibbles are zero - (which is pretty much always the case in our setup) all addresses within the offset range of `0xa00` to `0xaff` +translate to addresses looking like `xxxxxxxxxx0axx`, requiring you to send the bytes `xx xx xx xx xx xx 0a xx` over the wire. Now the problem with this is that `0a` is a newline (`\\n`), which in turn terminates `gets()` (refer to `man 3 gets`), meaning that your payload terminates prematurely. \ No newline at end of file diff --git a/cscg25/pwn/intro1/last-year/pwn1 b/cscg25/pwn/intro1/last-year/pwn1 new file mode 100755 index 0000000..4b824c7 Binary files /dev/null and b/cscg25/pwn/intro1/last-year/pwn1 differ diff --git a/cscg25/pwn/intro1/last-year/pwn1.c b/cscg25/pwn/intro1/last-year/pwn1.c new file mode 100644 index 0000000..cafa804 --- /dev/null +++ b/cscg25/pwn/intro1/last-year/pwn1.c @@ -0,0 +1,70 @@ +#include +#include +#include +#include +#include + +// pwn1: gcc pwn1.c -o pwn1 + +// --------------------------------------------------- SETUP + +void ignore_me_init_buffering() { + setvbuf(stdout, NULL, _IONBF, 0); + setvbuf(stdin, NULL, _IONBF, 0); + setvbuf(stderr, NULL, _IONBF, 0); +} + +void kill_on_timeout(int sig) { + if (sig == SIGALRM) { + printf("[!] Anti DoS Signal. Patch me out for testing."); + _exit(0); + } +} + +void ignore_me_init_signal() { + signal(SIGALRM, kill_on_timeout); + alarm(60); +} + +// --------------------------------------------------- MENU + +void WINgardium_leviosa() { + printf("┌───────────────────────┐\n"); + printf("│ You are a Slytherin.. │\n"); + printf("└───────────────────────┘\n"); + system("/bin/sh"); +} + +void welcome() { + char read_buf[0xff]; + printf("Enter your witch name:\n"); + gets(read_buf); + printf("┌───────────────────────┐\n"); + printf("│ You are a Hufflepuff! │\n"); + printf("└───────────────────────┘\n"); + printf(read_buf); +} + +void AAAAAAAA() { + char read_buf[0xff]; + + printf(" enter your magic spell:\n"); + gets(read_buf); + if(strcmp(read_buf, "Expelliarmus") == 0) { + printf("~ Protego!\n"); + } else { + printf("-10 Points for Hufflepuff!\n"); + _exit(0); + } +} +// --------------------------------------------------- MAIN + +void main(int argc, char* argv[]) { + ignore_me_init_buffering(); + ignore_me_init_signal(); + + welcome(); + AAAAAAAA(); +} + + diff --git a/cscg25/rev/intro3/rev3.bndb b/cscg25/rev/intro3/rev3.bndb new file mode 100644 index 0000000..bc97013 Binary files /dev/null and b/cscg25/rev/intro3/rev3.bndb differ