@ihciah
ihciah / README.MD
Created January 19, 2016 05:49
Pwnable.kr Toddler's Bottle writeup

Pwnable.kr Toddler's Bottle writeup

ihciah@gmail.com

It has been a long time since I finished (nearly all of) these problems...

1. fd

In Linux, file descriptor 0 is standard input, 1 is standard output and 2 is standard error.

We just need to make fd 0, i.e. supply an argument such that (our input - 0x1234) == 0, and then send LETMEWIN on standard input.

@ihciah
ihciah / annotator.py
Last active February 1, 2016 15:02
Simple Object Position Annotator
# Based on code by ShaoWeiYuan
# Multi-object annotation supported
# Depends on opencv and numpy
# Press 'n' to switch to next one, 'r' to restart annotation for this picture, and press 'q' when you want to stop.
import cv2, os
import numpy as np
file_list = []
saved_list = []
@ihciah
ihciah / README.MD
Created February 5, 2016 04:39
Pwnable.kr md5 calculator writeup

Pwnable.kr md5 calculator writeup

ihciah@gmail.com

In process_hash, the input buffer is 1024 bytes but the buffer for the base64-decoded data is only 512 bytes; decoding 1024 base64 characters yields up to 1024*3/4 bytes, so there is a buffer overflow here.

Because of the stack canary, we can do nothing at first. I was confused here until I noticed the canary is also used in my_hash to generate a random number. Since the canary is read from gs:0x14, it is the same in every function call.

We can calculate the canary value from the captcha, because the random seed is the current time, which we can fetch with an HTTP request to http://pwnable.kr.

After feeding the program b64e("AAAA"*(768/4)), jumping past the canary check and breaking at ret, we can see that the top of the stack is AAAA....

@ihciah
ihciah / README.MD
Created February 10, 2016 14:27
Pwnable.kr echo2 writeup

Pwnable.kr echo2 writeup

ihciah@gmail.com

A format string bug (FSB) and a use-after-free (UAF) are used in this simple problem.

Let's have a look at it.

int __cdecl main(int argc, const char **argv, const char **envp)
{
@ihciah
ihciah / tw.md
Last active February 17, 2016 15:40
Taiwan travel plan

Taiwan itinerary (Draft)

By Ihc

2.16~2.26


Preparation & Tips

  • Hua Xia Bank card
  • Prepare a Visa card (for paying for online high-speed rail bookings etc.) and a UnionPay bank card
  • Carry-on checklist: documents (student ID, national ID card, Taiwan entry permit, Taiwan travel permit, passport), bank cards, phone, camera, chargers and cables, power bank, umbrella, clothes, earphones, multi-socket adapter, disposable towels, toiletries (charge the electric toothbrush
  • Print the Taiwan entry permit (in color)
  • Blank notebook (for collecting commemorative stamps)
@ihciah
ihciah / crypto1.md
Created February 12, 2016 09:43
Pwnable.kr crypto1 writeup

Pwnable.kr crypto1 writeup

ihciah@gmail.com

In this challenge we can input a username and a password, and the server returns an encrypted string of {username}-{password}-{cookie}, in which the cookie is not known.

Since CBC is used, each block of 32 characters in the encrypted string is produced from the previous ciphertext block and 16 characters of the original string.

So if we enter "A"*16 as the username and vary the password, the first 32 characters of the encrypted data stay the same.

So we can brute-force the cookie by trying it one character at a time.

@ihciah
ihciah / surge
Created April 5, 2016 02:51
surge_config
# Original: @shanskc
[General]
# warning, notify, info, verbose
loglevel = warning
# all-tcp-mode = false
skip-proxy = 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12, 100.64.0.0/10, localhost, *.local, e.crashlytics.com, apple.cn
bypass-tun = 0.0.0.0/8, 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12
# dns-server = 119.29.29.29, 223.5.5.5, 114.114.114.114, 8.8.8.8
[Proxy]
@ihciah
ihciah / ss_install.sh
Created April 5, 2016 03:15
shadowsocks quick install
#!/bin/sh
# Install shadowsocks via pip and write a minimal server config to /etc/shadowsocks/config.json.
sudo apt-get -y install curl python-pip
sudo pip install shadowsocks
sudo mkdir -p /etc/shadowsocks
printf "=====\nEnter your shadowsocks password\n=====\n"
read -r password
printf "=====\nEnter your shadowsocks port(>1024)\n=====\n"
read -r port
printf "\nConfigure shadowsocks with password: %s and at port: %s\n" "$password" "$port"
# Pass the user input as printf arguments rather than inside the format string,
# so a '%' or backslash in the password cannot corrupt the generated JSON.
printf '{\n\t"server":"::",\n\t"server_port":%s,\n\t"local_port":10800,\n\t"password":"%s",\n\t"timeout":600,\n\t"method":"rc4-md5"\n}\n' "$port" "$password" | sudo tee /etc/shadowsocks/config.json > /dev/null
@ihciah
ihciah / jtr2hashcat
Created April 28, 2016 10:36
John the Ripper to Hashcat Convertor
#!/usr/bin/python
# Convert NETNTLM hashes logged by hostapd-wpe (John the Ripper format)
# into the user::::response:challenge layout used by hashcat.
import re

# A log line looks like: "... NETNTLM: user:$NETNTLM$challenge$response"
pat = re.compile(r'NETNTLM:\s{1}(.*?):\$NETNTLM\$(.*?)\$(.*?)$', re.M)

with open('/home/ihciah/hostapd-2.2/hostapd/hostapd-wpe.log') as fo:
    lines = fo.read()

# Keep one capture per user; a later capture for the same user overwrites an earlier one
user_list = {x[0]: x for x in pat.findall(lines)}

with open('mschap.hash', 'w') as f:
    f.write('\n'.join(map(lambda x: x[0] + "::::" + x[2] + ":" + x[1], user_list.values())))
@ihciah
ihciah / GAME_MASTER_v0_1.json
Created July 17, 2016 08:38 — forked from rmkane/GAME_MASTER_v0_1.json
Pokemon GO Game Data
{
"Items": [ {
"TemplateId": "BADGE_BATTLE_ATTACK_WON",
"Badge": {
"BadgeType": "BADGE_BATTLE_ATTACK_WON",
"BadgeRanks": 4,
"Targets": "\\nd\\350\\007"
}
}, {
"TemplateId": "BADGE_BATTLE_TRAINING_WON",