We are given a binary with all protections turned on, and c source code.. [d@d-20tk001gus yaw]$ pwn checksec --file=yawa [*] '/home/d/Downloads/DUCTF24/yaw/yawa' Arch: amd64-64-little RELRO: Full RELRO Stack: Canary found NX: NX enabled PIE: PIE enabled RUNPATH: b'.' #include <stdio.h> #include <stdlib.h> #include <unistd.h> void init() { setvbuf(stdin, 0, 2, 0); setvbuf(stdout, 0, 2, 0); } int menu() { int choice; puts("1. Tell me your name"); puts("2. Get a personalised greeting"); printf("> "); scanf("%d", &choice); return choice; } int main() { init(); char name[88]; int choice; while(1) { choice = menu(); if(choice == 1) { read(0, name, 0x88); } else if(choice == 2) { printf("Hello, %s\n", name); } else { break; } } } First, we need to leak out the canary....

‘syscalls’ was a very neat shellcode with seccomp challenge. Initial Analysis We are given a binary ‘syscalls’ and a Dockerfile. First, we take a look at the binary with the file command, and see that it is a stripped 64 bit ELF. [d@d-20tk001gus syscall]$ file syscalls syscalls: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=19b78a52059d384f1b4def02d5838b625773369d, for GNU/Linux 3.2.0, stripped Next we use checksec to see what protections are on....

This challenge is very similar to the last challenge Running on Prayers, except instead of an unbounded gets into a buffer, we read in 0x40 bytes using fgets. Because space is limited, we have to inject our shellcode in stages, as the name suggets. undefined8 vuln(void) { char local_28 [32]; printf("Cramped..."); fgets(local_28,0x40,stdin); return 0; } Again we can use jmp rsp, but this time we will use somthing like sub rsp, 0x20 jmp rsp after rsp....

We are given an executable and a netcat port. The name of the challenge suggests that this is a ROP challenge. Looking at the binary, all protections are off and the stack is executable, so we can inject shellcode. checksec --file RunningOnPrayers [*] '/home/df00/Desktop/RunningOnPrayers' Arch: amd64-64-little RELRO: Partial RELRO Stack: No canary found NX: NX disabled PIE: No PIE (0x400000) RWX: Has RWX segments The binary itself is very minimal, There is a main function that calls a vuln function....

This was a fun challenge involving shellcode. I solved it the hard way by writing my own shellcode, but I saw two simpler ways to solve it after the CTF were over so I will briefly discuss those at the end. We are given a file and a netcat port. Taking a look at the file, all protections are off. checksec --file=shelleater [*] '/home/df00/Desktop/shelleater' Arch: amd64-64-little RELRO: No RELRO Stack: No canary found NX: NX disabled PIE: No PIE (0x400000) RWX: Has RWX segments Looking at the dissambly, the binary will exectute your shellcode, but not if it contains 0x80 or 0x050f....

Again we are given c code along with a binary and a Dockerfile. #include <stdio.h> #include <stdlib.h> #include <string.h> #include <time.h> #define DECK_SIZE 0x52 #define QUEEN 1111111111 void setup() { setbuf(stdin, NULL); setbuf(stdout, NULL); setbuf(stderr, NULL); srand(time(NULL)); } void win() { char flag[256]; FILE *flagfile = fopen("flag.txt", "r"); if (flagfile == NULL) { puts("Cannot read flag.txt."); } else { fgets(flag, 256, flagfile); flag[strcspn(flag, "\n")] = '\0'; puts(flag); } } long lrand() { long higher, lower; higher = (((long)rand()) << 32); lower = (long)rand(); return higher + lower; } void game() { int index; long leak; long cards[52] = {0}; char name[20]; for (int i = 0; i < 52; ++i) { cards[i] = lrand(); } index = rand() % 52; cards[index] = QUEEN; printf("==============================\n"); printf("index of your first peek?...

We are given a binary and source code. Taking a look at the source code: #include <stdio.h> #include <stdlib.h> #include <string.h> #include <time.h> #include <unistd.h> void print_flag(void) { char flag[256]; FILE *flag_file = fopen("flag.txt", "r"); fgets(flag, sizeof flag, flag_file); puts(flag); } const char *const responses[] = {"L", "amongus", "true", "pickle", "GINKOID", "L bozo", "wtf", "not with that attitude", "increble", "based", "so true", "monka", "wat", "monkaS", "banned", "holy based", "daz crazy", "smh", "bruh", "lol", "mfw", "skissue", "so relatable", "copium", "untrue!...