DownUnderCTF 2024 - pwn/yawa

We are given a binary with all protections turned on, and C source code.

[d@d-20tk001gus yaw]$ pwn checksec --file=yawa
[*] '/home/d/Downloads/DUCTF24/yaw/yawa'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
    RUNPATH:  b'.'

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

void init() {
    setvbuf(stdin, 0, 2, 0);
    setvbuf(stdout, 0, 2, 0);
}

int menu() {
    int choice;
    puts("1. Tell me your name");
    puts("2. Get a personalised greeting");
    printf("> ");
    scanf("%d", &choice);
    return choice;
}

int main() {
    init();
    char name[88];
    int choice;
    while(1) {
        choice = menu();
        if(choice == 1) {
            read(0, name, 0x88);
        } else if(choice == 2) {
            printf("Hello, %s\n", name);
        } else {
            break;
        }
    }
}

First, we need to leak out the canary....

July 7, 2024

UIUCTF 2024 - pwn/syscalls

‘syscalls’ was a very neat shellcode-with-seccomp challenge.

Initial Analysis

We are given a binary ‘syscalls’ and a Dockerfile. First, we take a look at the binary with the file command, and see that it is a stripped 64-bit ELF.

[d@d-20tk001gus syscall]$ file syscalls
syscalls: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=19b78a52059d384f1b4def02d5838b625773369d, for GNU/Linux 3.2.0, stripped

Next we use checksec to see what protections are on....

July 2, 2024

JerseyCTF 2024 - pwn/stage-left

This challenge is very similar to the last challenge, Running on Prayers, except instead of an unbounded gets into a buffer, we read in 0x40 bytes using fgets. Because space is limited, we have to inject our shellcode in stages, as the name suggests.

undefined8 vuln(void) {
    char local_28 [32];
    printf("Cramped...");
    fgets(local_28,0x40,stdin);
    return 0;
}

Again we can use jmp rsp, but this time we will use something like sub rsp, 0x20; jmp rsp after rsp....

March 24, 2024

JerseyCTF 2024 - pwn/running-on-prayers

We are given an executable and a netcat port. The name of the challenge suggests that this is a ROP challenge. Looking at the binary, all protections are off and the stack is executable, so we can inject shellcode.

checksec --file RunningOnPrayers
[*] '/home/df00/Desktop/RunningOnPrayers'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE (0x400000)
    RWX:      Has RWX segments

The binary itself is very minimal. There is a main function that calls a vuln function....

March 24, 2024

WolvCTF 2024 - pwn/shelleater

This was a fun challenge involving shellcode. I solved it the hard way by writing my own shellcode, but I saw two simpler ways to solve it after the CTF was over, so I will briefly discuss those at the end. We are given a file and a netcat port. Taking a look at the file, all protections are off.

checksec --file=shelleater
[*] '/home/df00/Desktop/shelleater'
    Arch:     amd64-64-little
    RELRO:    No RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE (0x400000)
    RWX:      Has RWX segments

Looking at the disassembly, the binary will execute your shellcode, but not if it contains 0x80 or 0x050f....

March 18, 2024

LA CTF 2024 - pwn/52-card-monty

Again we are given C code along with a binary and a Dockerfile.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define DECK_SIZE 0x52
#define QUEEN 1111111111

void setup() {
    setbuf(stdin, NULL);
    setbuf(stdout, NULL);
    setbuf(stderr, NULL);
    srand(time(NULL));
}

void win() {
    char flag[256];
    FILE *flagfile = fopen("flag.txt", "r");
    if (flagfile == NULL) {
        puts("Cannot read flag.txt.");
    } else {
        fgets(flag, 256, flagfile);
        flag[strcspn(flag, "\n")] = '\0';
        puts(flag);
    }
}

long lrand() {
    long higher, lower;
    higher = (((long)rand()) << 32);
    lower = (long)rand();
    return higher + lower;
}

void game() {
    int index;
    long leak;
    long cards[52] = {0};
    char name[20];
    for (int i = 0; i < 52; ++i) {
        cards[i] = lrand();
    }
    index = rand() % 52;
    cards[index] = QUEEN;
    printf("==============================\n");
    printf("index of your first peek?...

February 21, 2024

LA CTF 2024 - pwn/aplet123

We are given a binary and source code. Taking a look at the source code:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

void print_flag(void) {
    char flag[256];
    FILE *flag_file = fopen("flag.txt", "r");
    fgets(flag, sizeof flag, flag_file);
    puts(flag);
}

const char *const responses[] = {"L", "amongus", "true", "pickle", "GINKOID", "L bozo", "wtf", "not with that attitude", "increble", "based", "so true", "monka", "wat", "monkaS", "banned", "holy based", "daz crazy", "smh", "bruh", "lol", "mfw", "skissue", "so relatable", "copium", "untrue!...

February 21, 2024