Generate symbol file:
python kernel_syms.py
as -o kernal_syms.o kernel_syms.sLoad the symbols into gdb:
Baptiste MOINE Creased
This challenge is fairly simple, a first binary (dharma) drops a second one (2O3naSbh, but let's call it stage2) using a well-known in-memory loading technique (please refer to this article for details).
As this is a CTF challenge, we're looking for the shortest path to get the flag: let's just patch the binary to make it drops the binary to a common file descriptor (e.g., stdout, stdin, stderr).
Because I'm lazy, I decided to apply the following patch:
--- dharma
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| while IFS=';' read -r USER PASSWORD; do | |
| echo "Creating ${USER} user..." | |
| useradd -s /bin/bash -d /home/${USER} -m ${USER} | |
| usermod -aG sudo ${USER} | |
| echo "${USER}:${PASSWORD}" | chpasswd | |
| echo "Default password set to ${PASSWORD} for ${USER} user." | |
| done < users.txt |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| import requests | |
| import html | |
| creased = 14542 | |
| s = requests.Session() | |
| def get_chall_ids(): | |
| finished = False |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pwn import * | |
| context.clear(arch='amd64', log_level='info') | |
| LOCAL = False | |
| p = None | |
| def create_process(): | |
| global p | |
| if LOCAL: |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pwn import * | |
| context.clear(arch='amd64', log_level='info') | |
| PROMPT = b'peterpan@pwnuser:~$ ' | |
| LOCAL = False | |
| p = None | |
| def create_process(): |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pwn import * | |
| # Doc: docs.pwntools.com/en/stable/ | |
| context.log_level = 'debug' # debug/info/error/warning. | |
| context.arch = 'i386' # i386/x64/arm, etc. | |
| ## OPEN SOCKET. | |
| sock = remote('challenges.ecsc-teamfrance.fr', 2000) | |
| ## OR, OPEN LOCAL PROCESS. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import base64 | |
| from pwn import * | |
| context.log_level = 'info' | |
| PROMPT = '>>> ' | |
| def get_con(): | |
| p = remote('ctf.bzh', 11000) |
This file has been truncated, but you can view the full file.
Creased
/ format_protostar.sh
Last active
June 14, 2018 09:32
Protostar Stack Overflow (0-7), Format String (0-4), Heap Overflow (0-3) and Net (0-2)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| export TMP=$(mktemp -d) | |
| /bin/cat <<-EOF >${TMP}/exploit.py | |
| #!/usr/bin/env python | |
| # -*- coding:Utf-8 -*- | |
| #==========================================================# | |
| # [+] Title: Exploitation code for Protostar format 0 # | |
| # [+] Author: Baptiste M. (Creased) # | |
| # [+] Website: bmoine.fr # |
NewerOlder