It has been a long time since I finished (nearly) these problems...
In Linux, file descriptor 0 is standard input, 1 is standard output and 2 is standard error. We just need to send LETMEWIN to standard input and set fd to 0, which means (our input - 0x1234) == 0.
# Based on code by ShaoWeiYuan
# Multi-object annotation supported
# Depends on opencv and numpy
# Press 'n' to switch to the next picture, 'r' to restart annotation for this picture, and 'q' when you want to stop.
import cv2, os
import numpy as np
file_list = []
saved_list = []
In process_hash, the input size is 1024 bytes and the buffer after b64d is 512 bytes; however, the decoded data can be up to 1024*3/4 bytes, so there is a buffer overflow here.
Because of the stack canary, we can do nothing with it directly. I was confused here until I noticed the canary is also used in my_hash to generate the random number. Since the canary is read from gs:0x14, it is the same in all function calls.
We can calculate the canary value from the captcha, because the seed of the randomization is the current time, which we can fetch from an HTTP request to http://pwnable.kr.
After feeding the program the input b64e("AAAA"*(768/4)), jumping past the canary check and breaking at ret, we can see that the top of the stack is AAAA....
FSB (format string bug) and UAF (use after free) are used in this simple problem.
Let's have a look at it.
int __cdecl main(int argc, const char **argv, const char **envp)
{
In this challenge we can input a username and password, then the server returns an encrypted string of {username}-{password}-{cookie}, in which the cookie is not known.
Since CBC is used, every 32 characters of the encrypted string are produced from the previous ciphertext block and 16 characters of the original string.
So if we enter "A"*16 as the username and try different passwords, the first 32 characters of the encrypted data stay the same.
So we can brute-force the cookie by trying it one bit at a time.
# Original: @shanskc
[General]
# warning, notify, info, verbose
loglevel = warning
# all-tcp-mode = false
skip-proxy = 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12, 100.64.0.0/10, localhost, *.local, e.crashlytics.com, apple.cn
bypass-tun = 0.0.0.0/8, 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12
# dns-server = 119.29.29.29, 223.5.5.5, 114.114.114.114, 8.8.8.8
[Proxy]
#!/bin/sh
sudo apt-get -y install curl python-pip
sudo pip install shadowsocks
sudo mkdir /etc/shadowsocks
printf "=====\nEnter your shadowsocks password\n=====\n"
read password
printf "=====\nEnter your shadowsocks port(>1024)\n=====\n"
read port
printf "\nConfigure shadowsocks with password: $password and at port: $port\n"
printf "{\n\t\"server\":\"::\",\n\t\"server_port\":$port,\n\t\"local_port\":10800,\n\t\"password\":\"$password\",\n\t\"timeout\":600,\n\t\"method\":\"rc4-md5\"\n}" | sudo tee /etc/shadowsocks/config.json > /dev/null
#!/usr/bin/python
import re
# Match the "NETNTLM: user:$NETNTLM$challenge$response" lines written by hostapd-wpe
pat=re.compile(r'NETNTLM:\s{1}(.*?):\$NETNTLM\$(.*?)\$(.*?)$', re.M)
with open('/home/ihciah/hostapd-2.2/hostapd/hostapd-wpe.log') as fo:
    lines=fo.read()
# Keep one (user, challenge, response) tuple per user name
user_list={x[0]:x for x in pat.findall(lines)}
# Write user::::response:challenge, one entry per line
with open('mschap.hash','w') as f:
    f.write('\n'.join(map(lambda x:x[0]+"::::"+x[2]+":"+x[1],user_list.values())))
{
  "Items": [ {
    "TemplateId": "BADGE_BATTLE_ATTACK_WON",
    "Badge": {
      "BadgeType": "BADGE_BATTLE_ATTACK_WON",
      "BadgeRanks": 4,
      "Targets": "\\nd\\350\\007"
    }
  }, {
    "TemplateId": "BADGE_BATTLE_TRAINING_WON",