Skip to content

Instantly share code, notes, and snippets.

View parksjin01's full-sized avatar
Get a first job

Damotorie parksjin01

Get a first job
View GitHub Profile
parksjin01 / Codegate-prequals 2017
Last active June 26, 2017 07:10
Codegate-prequals 2017 writeup


  • program is small and simple. Just normal stackoverflow problem, and we can get canary by memory leak.
  • It's server program so get user input by recv() function and this function add 0x0a at the end of user input.
  • So if we type just 40bytes of letter than we can get canary. canary's last byte is overwritten with 0x0a but it doesn't matter
  • Most of cases, canary's last byte is just \x00 so we can just guess last is \x00
  • Next protection is NX, we can bypass NX by ROP and Return to libc method.
  • I make [simple python script] which do ls -al command. But there are critical error in script.
  • I have to send the result to client side and I need to do it by redirection of IO. But I can't find how to call function in libc many times with rop chain in x86 program.
  • I solve this problem, I have question about rop chain yet but I solved it with linux command.
  • I use cat ./flag|nc instead of ls -al and I solved it. But I can't understand why other people's writeup doesn'
parksjin01 / Bitsctf 2017
Last active June 14, 2017 12:56
Bitsctf 2017 writeup


  • pwn1 is really basic problem about buffer overflow.
  • When we excute program, they just print buffer address to us to calculate address easier.
  • Buffer size is only 0x10 so I'll write shellcode after ret
  • This simple python script will help you to pwning it.


  • This problem is not hard too. Only difficulty is that I couldn't see library function name.
  • I make my own function table too make reversing more easily
parksjin01 / Insomni'hack Teaser CTF
Last active June 14, 2017 07:18
Insomni'hack Teaser CTF 2017


  • This is simple server program, and we should make user named baby.
  • If you exec program and connect with nc you can see 3 options (We have time limit to use, In one session we can only use 15 seconds)
  • First we can do stack overflow, Second we can do fsb and last we can do heap overflow.
  • I couldn't find the usage of heap overflow but I found usage of others.
  • This program's NX bit is enabled so we have to leak memory to do some stack overflow.
  • With %20p*144 and last hex number is the canary.
  • Canary doesn't change after server is turned on. That means we can check canary first and then do stackoverflow next. (Actually if you use automatic script with python, you can do these things at once, but if you do this with your hands you have time limit so you have to try many times. I recommand automatic code)
  • In stack overflow function memory looks like this
  • [canary(8byte)][buffer(1032byte)][socket_fd(8byte)]
parksjin01 / UIUC-CTF 2017
Created April 29, 2017 15:02
UIUC-CTF 2017 writeup


  • There are fsb in program and we can print flag by it
  • If we wrote %p%p%p%p%p%p%p%p%p%p%p%p%p as input and then 10th value to 13th value is flag
  • flag: flag{always_give_110%}


  • If we correct all problem we can only get 3 points and we have to get extactly 5 points to get flag
  • We have to change score variable by buffer overflow.
  • memory payload is like this(input buffer -> 80bytes, score variable -> 4bytes, canary -> 4bytes)
  • We can make point 5 by this script (python -c 'print "a"*80+"\x05"+"\x00"*4';cat)
parksjin01 / 0CTF 2017
Last active June 12, 2017 11:31
0CTF 2017 wtireup


  • First we can overflow and control eip if out input is longer than 32 letters.
  • Second we can only type printable letters(0x20~0x7f) and we have to make shellcode with these letters.
  • Finally NX bit is enabled so we can run shellcode in buffer. It means we have to use rop programming to get shell
  • It's 32 bit program so function call isn't fastcall but if we want to do rop program we have to use fastcall function.
    execve function use fastcall method even if program is x86 bit. Now what we have to do is make sure edi, esi, edx has proper argument
    for calling execve
  • #Not finished yet


parksjin01 / PlaidCTF 2015
Created April 23, 2017 15:33
PlaidCTF 2015 writeup


  • To solve this program, we need to know and use format string bug.
  • To explain more easliy I'll suppose aslr is turned off
  • 0xffffd600:	0xf7fe76db	0x00000000	0xffffd628	0x0804852c
    0xffffd610:	0xffffd648	0xf7fedee0	0xf7e6662b	0x00000000
    0xffffd620:	0xf7fb9000	0xf7fb9000	0xffffd62c	0x0804a480
    0xffffd630:	0x0804a080	0x00000400	0xf7fb95a0	0x00000000
    0xffffd640:	0xf7fb9000	0xf7fb9000	0x00000000	0xf7e21637

0xffffd650: 0x00000001 0xffffd6e4 0xffffd6ec 0x00000000

parksjin01 / PlaidCTF 2016
Last active April 24, 2017 14:22
PlaidCTF 2016 writeup

Unix Time Formatter

  • First we have to know we can use multi env, In binary they check debug bit and result is differ with that flag
  • Also when we try to quit program with option 5, free function is occured first and then ask user to quit really, we can occur
    DFB(Double Free Bug) to get flag.
  • At last when this program calculates number to unix time, this program use /bin/date -d @time format time and format is user input.
  • If we can input ';/bin/bash #\ at format place we can get shell, however we can only input %aAbBcCdDeFgGhHIjklmNnNpPrRsStTuUVwWxXyYzZ:-_/0^#
    these characters so we can't input it directly. We have to use DFB here.
  • Format: %c
    strdup(0x7fffaec863f8) = 0x251d420
parksjin01 / Tamu 2017
Created April 22, 2017 04:01
Tamu 2017 writeup


  • It's really easy and simple buffer overflow problem.
  • Just input 27 dumy letters and input \x1e\xab\x11\xca
  • Payload: (python -c 'print "aaaaaaaaaaaaaaaaaaaaaaaaaaa"+"\x1e\xab\x11\xca"';cat)
  • flag: gigem{T00_435Y}
  • bin is at here


  • Also, it's really easy and simple buffer overflow problem.
  • Input 0x8c dummy letters and input address of print_flag function(0x08048548)
parksjin01 / CSAW 2016
Created April 8, 2017 06:12
CSAW 2016 writeup


  • First this program is stripped so we have to find ep with readelf funtion. EP of main function is 0x40061d
  • Payload: [buffer]*64 + rbp + ret
  • To bypass ASLR we have to know start address of easy function and it's provided
  • Actual payload looks like this 'a'*72+'\x0d\x06\x40\x00'+'\x00'*4
  • It's python code is at here


  • This program also need to find ep, and ep of main function is 0x401087
  • To execute this program in local you have to make user which name is tutorial and you have to execute this program with admin permission
parksjin01 / PicoCTF 2014
Last active April 4, 2017 13:58
PicoCTF 2014 wrtieup


  • As you can see in prob title, it's caesar encryption prob.
  • Use web tool to decrypt it.
  • flag: ukppnrwryeavgtwicfmnrkbnzeqawg

The Valley of Fear

  • Like hdd sector seek, first number in () is paragraph, sencond number is line in paragraph, third is word in sentence
  • flag: the flag, is Ceremonial plates.