Skip to content

Commit f8445b5

Browse files
author
Sajjad Arshad
committed
adding CTFs
0 parents  commit f8445b5

File tree

1,938 files changed

+675241
-0
lines changed

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

1,938 files changed

+675241
-0
lines changed

0CTF/.DS_Store

6 KB
Binary file not shown.

0CTF/2017/.DS_Store

6 KB
Binary file not shown.

0CTF/2017/Quals/.DS_Store

6 KB
Binary file not shown.

0CTF/2017/Quals/babyheap/babyheap

9.99 KB
Binary file not shown.

0CTF/2017/Quals/babyheap/libc-2.23.so

1.78 MB
Binary file not shown.

0CTF/2018/.DS_Store

6 KB
Binary file not shown.

0CTF/2018/Finals/.DS_Store

6 KB
Binary file not shown.

0CTF/2018/Finals/JSCustom.tar.gz

36.3 MB
Binary file not shown.

0CTF/2018/Finals/baby/baby.ko

6.37 KB
Binary file not shown.
6.21 KB
Binary file not shown.

0CTF/2018/Finals/blackhole2/libc.so.6

1.78 MB
Binary file not shown.

0CTF/2018/Finals/blackhole2/pow.py

Lines changed: 24 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,24 @@
1+
#!/usr/bin/python -u
2+
# encoding: utf-8
3+
4+
import random, string, subprocess, os, sys
5+
from hashlib import sha256
6+
7+
os.chdir(os.path.dirname(os.path.realpath(__file__)))
8+
9+
def proof_of_work():
10+
chal = ''.join(random.choice(string.letters+string.digits) for _ in xrange(16))
11+
print chal
12+
sol = sys.stdin.read(4)
13+
if len(sol) != 4 or not sha256(chal + sol).hexdigest().startswith('0000'):
14+
exit()
15+
16+
def exec_serv(name, payload):
17+
p = subprocess.Popen(name, stdin=subprocess.PIPE, stdout=file('/dev/null','w'), stderr=subprocess.STDOUT)
18+
p.stdin.write(payload)
19+
p.wait()
20+
21+
if __name__ == '__main__':
22+
proof_of_work()
23+
payload = sys.stdin.read(0x1000)
24+
exec_serv('./blackhole2', payload)
9.99 KB
Binary file not shown.
1.78 MB
Binary file not shown.

0CTF/2018/Finals/keen_of_glory

234 KB
Binary file not shown.

0CTF/2018/Finals/pemu/.DS_Store

6 KB
Binary file not shown.

0CTF/2018/Finals/pemu/binary/main

17.5 KB
Binary file not shown.

0CTF/2018/Finals/pemu/binary/main.c

Lines changed: 240 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,240 @@
1+
#include <stdio.h>
2+
#include <stdlib.h>
3+
#include <sys/types.h>
4+
#include <sys/stat.h>
5+
#include <fcntl.h>
6+
#include <string.h>
7+
#include <unistd.h>
8+
9+
#define MAX_FILENAME_LENGTH 64
10+
#define MAX_FILENAME_COUNT 16
11+
12+
char global_filename_list[MAX_FILENAME_COUNT][MAX_FILENAME_LENGTH];
13+
int global_filename_count;
14+
15+
char temp_filename[MAX_FILENAME_LENGTH];
16+
const char * read_filename()
17+
{
18+
memset(temp_filename, 0, MAX_FILENAME_LENGTH);
19+
int l = 0;
20+
int c = getchar();
21+
while ((
22+
(c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') ||(c >= 'a' && c <= 'z')) &&
23+
l < MAX_FILENAME_LENGTH-1)
24+
{
25+
temp_filename[l++] = c;
26+
c = getchar();
27+
}
28+
temp_filename[l] = '\0';
29+
30+
31+
return temp_filename;
32+
}
33+
34+
35+
char temp_meta_path[MAX_FILENAME_LENGTH + 64];
36+
const char * get_meta_path(const char * path)
37+
{
38+
memset(temp_meta_path, 0, sizeof(temp_meta_path));
39+
strncpy(temp_meta_path, path, MAX_FILENAME_LENGTH-1);
40+
strcat(temp_meta_path, ".meta");
41+
return temp_meta_path;
42+
}
43+
44+
int update_meta(const char * filename)
45+
{
46+
const char * meta_path = get_meta_path(filename);
47+
FILE * meta_fp = fopen(meta_path, "wb+");
48+
if (!meta_fp) {
49+
puts("Error!");
50+
exit(-1);
51+
}
52+
53+
struct stat st;
54+
if (0 != lstat(filename, &st))
55+
{
56+
printf("Error!");
57+
exit(-1);
58+
}
59+
fwrite(&st, sizeof(st), 1, meta_fp);
60+
fclose(meta_fp);
61+
return 0;
62+
}
63+
int dump_file(const char * filename)
64+
{
65+
FILE * fp = fopen(filename, "rb");
66+
if (!fp)
67+
{
68+
puts("Error!");
69+
exit(-1);
70+
}
71+
72+
char c;
73+
while (fread(&c, 1, 1, fp) == 1)
74+
{
75+
write(1, &c, 1);
76+
}
77+
fclose(fp);
78+
return 0;
79+
}
80+
int read_int()
81+
{
82+
int l = 0;
83+
char buf[16];
84+
int c = getchar();
85+
while (((c >= '0' && c <= '9') || (c == '-')) && l < 15)
86+
{
87+
buf[l++] = c;
88+
c = getchar();
89+
}
90+
buf[l] = '\0';
91+
return atoi(buf);
92+
93+
}
94+
int create()
95+
{
96+
char buf[1024];
97+
if (global_filename_count > MAX_FILENAME_COUNT)
98+
{
99+
printf("you cannot create more file...sorry...");
100+
exit(-1);
101+
}
102+
printf("filename:");
103+
const char * filename = read_filename();
104+
105+
int i;
106+
int exist = 0;
107+
108+
for (i = 0; i < global_filename_count; i++)
109+
{
110+
if (strcmp(&global_filename_list[i][0], filename) == 0)
111+
{
112+
exist = 1;
113+
}
114+
}
115+
116+
printf("data:");
117+
int l = 0;
118+
int c = getchar();
119+
while (c != '\n' && c >= 0 && c <= 255)
120+
{
121+
buf[l++] = c;
122+
c = getchar();
123+
}
124+
125+
FILE * fp = fopen(filename, "a+b");
126+
if (!fp) {
127+
puts("Error!");
128+
exit(-1);
129+
}
130+
fwrite(buf, l, 1, fp);
131+
fclose(fp);
132+
133+
update_meta(filename);
134+
if (!exist)
135+
{
136+
strncpy(&global_filename_list[global_filename_count][0], filename, MAX_FILENAME_LENGTH-1);
137+
global_filename_count += 1;
138+
}
139+
}
140+
141+
int show()
142+
{
143+
printf("filename:");
144+
const char * filename = read_filename();
145+
const char * meta_file = get_meta_path(filename);
146+
147+
FILE * meta_fp = fopen(meta_file, "rb");
148+
if (!meta_fp) {
149+
puts("Error!");
150+
exit(-1);
151+
}
152+
153+
struct stat st;
154+
fread(&st, sizeof(st), 1, meta_fp);
155+
fclose(meta_fp);
156+
157+
printf("access time:%lx\n", st.st_atime);
158+
printf("modify time:%lx\n", st.st_mtime);
159+
printf("create time:%lx\n", st.st_ctime);
160+
161+
printf("data:");
162+
163+
dump_file(filename);
164+
}
165+
int list()
166+
{
167+
int i;
168+
for (i = 0; i < global_filename_count; i++)
169+
{
170+
printf("%s\n", &global_filename_list[i][0]);
171+
}
172+
}
173+
int dump()
174+
{
175+
write(1, &global_filename_count, sizeof(global_filename_count));
176+
177+
int i;
178+
for (i = 0; i < global_filename_count; i++)
179+
{
180+
write(1, &global_filename_list[i][0], MAX_FILENAME_LENGTH);
181+
const char * filename = &global_filename_list[i][0];
182+
const char * meta_filename = get_meta_path(filename);
183+
write(1, "$$$$", 4);
184+
dump_file(filename);
185+
write(1, "$$$$", 4);
186+
dump_file(meta_filename);
187+
write(1, "$$$$", 4);
188+
}
189+
return 0;
190+
}
191+
int load()
192+
{
193+
printf("not implemented\n");
194+
return 0;
195+
}
196+
int menu()
197+
{
198+
printf("\n");
199+
printf("=========menu=======\n");
200+
printf("1. create/append file\n");
201+
printf("2. show file\n");
202+
printf("3. list\n");
203+
printf("4. dump file system\n");
204+
printf("5. load file system\n");
205+
printf("6. exit\n");
206+
printf("your choice:");
207+
int option = read_int();
208+
if (option > 6 || option < 1) return menu();
209+
else return option;
210+
}
211+
int main()
212+
{
213+
global_filename_count = 0;
214+
memset(global_filename_list, 0, sizeof(global_filename_list));
215+
216+
alarm(20);
217+
setbuf(stdin, NULL);
218+
setbuf(stdout, NULL);
219+
setbuf(stderr, NULL);
220+
while (1)
221+
{
222+
int option = menu();
223+
switch(option)
224+
{
225+
case 1:
226+
create(); break;
227+
case 2:
228+
show(); break;
229+
case 3:
230+
list(); break;
231+
case 4:
232+
dump(); break;
233+
case 5:
234+
load(); break;
235+
case 6:
236+
exit(0);
237+
}
238+
}
239+
240+
}

0CTF/2018/Finals/pemu/binary/makefile

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,2 @@
1+
main: main.c
2+
mipsel-linux-gnu-gcc main.c -fstack-protector-all -o main

0CTF/2018/Finals/pemu/pemu/loader

3.72 MB
Binary file not shown.

0CTF/2018/Finals/pemu/wrapper.py

Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,12 @@
1+
#!/usr/bin/python -u
2+
import os
3+
import time
4+
from backports import tempfile
5+
time.sleep(1)
6+
dirname = os.path.abspath(os.path.dirname(__file__))
7+
pemu = os.path.join(dirname, "pemu", "loader")
8+
bin = os.path.join(dirname, "binary", "main")
9+
with tempfile.TemporaryDirectory() as tmp:
10+
os.chdir(tmp)
11+
os.system("%s %s" % (pemu, bin))
12+

0CTF/2018/Finals/vtp/libc-2.23.so

1.78 MB
Binary file not shown.

0CTF/2018/Finals/vtp/vtp

38 KB
Binary file not shown.

0CTF/2018/Quals/.DS_Store

6 KB
Binary file not shown.

0CTF/2018/Quals/BabyHeap/babyheap

9.99 KB
Binary file not shown.

0CTF/2018/Quals/BabyHeap/libc.so.6

1.78 MB
Binary file not shown.

0CTF/2018/Quals/BabyStack/babystack

5.46 KB
Binary file not shown.

0CTF/2018/Quals/BabyStack/coll.py

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,7 @@
1+
import random, string, subprocess, os, sys
2+
from hashlib import sha256
3+
4+
random_str=''
5+
for i in xrange (0,1000000000):
6+
if (sha256(random_stra + str(i)).digest().startswith('\0\0\0')):
7+
print "Index is = ",i,"Result is =", sha256(random_str + str(i)).hexdigest()

0CTF/2018/Quals/BabyStack/pow.py

Lines changed: 25 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,25 @@
1+
#!/usr/bin/python -u
2+
# encoding: utf-8
3+
4+
import random, string, subprocess, os, sys
5+
from hashlib import sha256
6+
7+
os.chdir(os.path.dirname(os.path.realpath(__file__)))
8+
9+
def proof_of_work():
10+
chal = ''.join(random.choice(string.letters+string.digits) for _ in xrange(16))
11+
print chal
12+
sol = sys.stdin.read(4)
13+
if len(sol) != 4 or not sha256(chal + sol).digest().startswith('\0\0\0'):
14+
exit()
15+
16+
17+
def exec_serv(name, payload):
18+
p = subprocess.Popen(name, stdin=subprocess.PIPE, stdout=file('/dev/null','w'), stderr=subprocess.STDOUT)
19+
p.stdin.write(payload)
20+
p.wait()
21+
22+
if __name__ == '__main__':
23+
proof_of_work()
24+
payload = sys.stdin.read(0x100)
25+
exec_serv('./babystack', payload)
6 KB
Binary file not shown.
6.21 KB
Binary file not shown.
1.78 MB
Binary file not shown.
Lines changed: 24 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,24 @@
1+
#!/usr/bin/python -u
2+
# encoding: utf-8
3+
4+
import random, string, subprocess, os, sys
5+
from hashlib import sha256
6+
7+
os.chdir(os.path.dirname(os.path.realpath(__file__)))
8+
9+
def proof_of_work():
10+
chal = ''.join(random.choice(string.letters+string.digits) for _ in xrange(16))
11+
print chal
12+
sol = sys.stdin.read(4)
13+
if len(sol) != 4 or not sha256(chal + sol).hexdigest().startswith('00000'):
14+
exit()
15+
16+
def exec_serv(name, payload):
17+
p = subprocess.Popen(name, stdin=subprocess.PIPE, stdout=file('/dev/null','w'), stderr=subprocess.STDOUT)
18+
p.stdin.write(payload)
19+
p.wait()
20+
21+
if __name__ == '__main__':
22+
proof_of_work()
23+
payload = sys.stdin.read(0x800)
24+
exec_serv('./blackhole', payload)
9.99 KB
Binary file not shown.

0CTF/2018/Quals/HeapStormII/libc.so.6

1.78 MB
Binary file not shown.

0CTF/2018/Quals/HeapStormII/pow.py

Lines changed: 18 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,18 @@
1+
#!/usr/bin/python -u
2+
# encoding: utf-8
3+
4+
import random, string, os, sys
5+
from hashlib import sha256
6+
7+
os.chdir(os.path.dirname(os.path.realpath(__file__)))
8+
9+
def proof_of_work():
10+
chal = ''.join(random.choice(string.letters+string.digits) for _ in xrange(16))
11+
print chal
12+
sol = sys.stdin.read(4)
13+
if len(sol) != 4 or not sha256(chal + sol).digest().startswith('\0\0\0'):
14+
exit()
15+
16+
if __name__ == '__main__':
17+
proof_of_work()
18+
os.execv('./heapstorm2', ['./heapstorm2'])

0CTF/2018/Quals/MathGame/.DS_Store

6 KB
Binary file not shown.

0CTF/2018/Quals/MathGame/subtraction

9.35 KB
Binary file not shown.

0CTF/2018/Quals/MightyDragon/balong

9.52 KB
Binary file not shown.
99.3 KB
Binary file not shown.
874 KB
Binary file not shown.

0CTF/2018/Quals/Zer0FS/bzImage

6.84 MB
Binary file not shown.

0CTF/2018/Quals/Zer0FS/rootfs.cpio

3.08 MB
Binary file not shown.

0CTF/2018/Quals/Zer0FS/run.sh

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,5 @@
1+
#!/bin/sh
2+
3+
stty intr ^]
4+
5+
qemu-system-x86_64 -enable-kvm -cpu kvm64,+smep,+smap -m 64M -kernel ./bzImage -initrd ./rootfs.cpio -append "root=/dev/ram rw console=ttyS0 oops=panic panic=1 quiet kaslr" -monitor /dev/null -nographic 2>/dev/null

0CTF/2018/Quals/Zer0FS/zerofs.ko

319 KB
Binary file not shown.

0CTF/2019/.DS_Store

6 KB
Binary file not shown.

0CTF/2019/Quals/.DS_Store

6 KB
Binary file not shown.

0CTF/2019/Quals/BabyHeap/babyheap

14 KB
Binary file not shown.

0CTF/2019/Quals/BabyHeap/ld-2.28.so

171 KB
Binary file not shown.

0CTF/2019/Quals/BabyHeap/libc-2.28.so

1.9 MB
Binary file not shown.
Lines changed: 22 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,22 @@
1+
FROM ubuntu:18.04
2+
3+
RUN apt-get -y update
4+
RUN apt-get -y upgrade
5+
RUN apt-get install -y python xinetd
6+
RUN chmod 1733 /tmp /var/tmp /dev/shm
7+
8+
RUN useradd -m calvino
9+
COPY vim /home/calvino/
10+
RUN chown root:calvino /home/calvino/vim
11+
RUN chmod 750 /home/calvino/vim
12+
COPY service.py /home/calvino/
13+
RUN chown root:calvino /home/calvino/service.py
14+
RUN chmod 750 /home/calvino/service.py
15+
COPY flag /flag
16+
COPY xinetd /etc/xinetd.d/xinetd
17+
RUN chown root:calvino /flag
18+
RUN chmod 440 /flag
19+
20+
RUN service xinetd restart
21+
22+
CMD ["/usr/sbin/xinetd", "-dontfork"]
Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1 @@
1+
flag{}

0 commit comments

Comments
 (0)