files given:
- delphi-07a5c9d07a4c20ae81a2ddc66b9602d0dcceb74b
- libtwenty.so-4a3918b2efd9fbdfd20eeb8fa51ca76bc42eb2f2
TL;DR
- Reverse Command Protocol
- Integer Overflow
- Metacharacter Injection
Chris breadchris
breadchris
/ Git Trending Repos Python
Created
February 8, 2015 20:45
A python one liner to return all trending repos on Github
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| print["https://github.com%s"%x[9:-1]for x in __import__('re').findall('<a href="/[a-zA-Z0-9_]+/[a-zA-Z0-9_]+">',__import__('urllib2').urlopen("https://github.com/trending").read())if "/site/" not in x] |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| syntax enable | |
| set background=dark | |
| colorscheme molokai | |
| filetype plugin indent on | |
| let &t_SI .= "\<Esc>[?2004h" | |
| let &t_EI .= "\<Esc>[?2004l" | |
| inoremap <special> <expr> <Esc>[200~ XTermPasteBegin() |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| int overflow() | |
| { | |
| char buf[136]; | |
| return read(0, &buf, 256u); | |
| } | |
| int main() | |
| { | |
| overflow(); | |
| return write(1, "WIN\n", 4u); |
breadchris
/ Delphi.md
Last active
May 24, 2021 17:59
Bsides Vancouver CTF 2015 - Delphi (200 ownable) Writeup
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // | |
| // challenge_6.c | |
| // Matasano Crypto Challenge | |
| #include <stdio.h> | |
| #include <stdlib.h> | |
| #include <string.h> | |
| #include <unistd.h> | |
| char* HEX_LOOKUP = "0123456789abcdef"; |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| (lambda s=__import__("socket").socket():s.bind(('',9237))==s.listen(5)==map(lambda c,d:c.send(c.recv(99)),(s.accept()[0]for _ in iter(int,1))))() |
- Format string
Given that this challenge was 600 points, I expected to be challenged with this one. But with 91 solves I think the people at SDSLabs kinda messed up on the points for this one lol.
Checking out what type of file we were dealing with here:
[~/Documents/CTFs/backdoor]$ file team
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| void randop() { | |
| munmap((void*)0x0F000000, MAPLEN); | |
| void *buf = mmap((void*)0x0F000000, MAPLEN, PROT_READ|PROT_WRITE, MAP_ANON|MAP_PRIVATE|MAP_FIXED, 0, 0); | |
| unsigned seed; | |
| if(read(0, &seed, 4) != 4) return; | |
| srand(seed); | |
| for(int i = 0; i < MAPLEN - 4; i+=3) { | |
| *(int *)&((char*)buf)[i] = rand(); | |
| if(i%66 == 0) ((char*)buf)[i] = 0xc3; | |
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| tab_depth = 0 | |
| def log(s=None, **kwargs): | |
| global tab_depth | |
| msg = s if s is not None else ", ".join(["{} == {}".format(k, v) for k, v in kwargs.items()]) | |
| print("\t" * tab_depth + msg) | |
| def perms(n, l): | |
| global tab_depth |
OlderNewer