CTF
Hackappatoi CTF '23
1. go2win buffer overflow 문제. static compile 되어있어서 gdb가 제대로 disassemble 하지 못하는 이상한 문제가 있었음. (나중에 알고보니 golang이라 그런거였음.) - ~ file go2win go2win: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, Go BuildID=48JPIwuiWHqAWxDMZivh/G6kBAN3TcK1YEUaef8ap/H_z3bCAF-A6sudbCtLHg/CWiJISSpnfio3_sfcTUd, not stripped 1번 문제이니 그냥 buffer overflow라고 가정하고, flag를 읽어주는 함수 주소를 찾아봤고, gef➤ info funct..
DEFCON 31 - Live CTF - what-a-maze-meant
1. intro 2. code 및 분석 2.1. code int __cdecl main(int argc, const char **argv, const char **envp) { unsigned int v3; // eax unsigned int v4; // eax char v6; // [rsp+Bh] [rbp-3A5h] BYREF int i; // [rsp+Ch] [rbp-3A4h] int j; // [rsp+10h] [rbp-3A0h] unsigned int v9; // [rsp+14h] [rbp-39Ch] unsigned int v10; // [rsp+18h] [rbp-398h] int v11; // [rsp+1Ch] [rbp-394h] char v12[904]; // [rsp+20h] [rbp-390..
TJCTF 2023 - pwn/formatter
1. intro 2. code 및 분석 2.1. code main int __cdecl main(int argc, const char **argv, const char **envp) { char s[268]; // [rsp+0h] [rbp-110h] BYREF int i; // [rsp+10Ch] [rbp-4h] setbuf(_bss_start, 0LL); xd = calloc(1uLL, 4uLL); printf("give me a string (or else): "); fgets(s, 256, stdin); printf(s); r1(s[0]); if ( win() ) { for ( i = 0; i
TJCTF 2023 - pwn/groppling-hook
1. intro 2. code 및 분석 2.1. code #include "stdio.h" #include void laugh() { printf("ROP detected and denied...\n"); exit(2); } void win() { FILE *fptr; char buf[28]; // Open a file in read mode fptr = fopen("flag.txt", "r"); fgets(buf, 28, fptr); puts(buf); } void pwnable() { char buffer[10]; printf(" > "); fflush(stdout); read(0, (char *)buffer, 56); /* Check ret */ __asm__ __volatile__("add $0x..
TJCTF 2023 - pwn/shelly
1. intro 2. code 및 분석 2.1. code int __cdecl main(int argc, const char **argv, const char **envp) { char s[256]; // [rsp+0h] [rbp-100h] BYREF setbuf(stdout, 0LL); printf("0x%lx\n", s); fgets(s, 512, stdin); for ( i = 0; i checksec chall [*] '/home/wyv3rn/ctf/chall' Arch: amd64-64-little RELRO: Partial RELRO Stack: No canary found NX: NX disabled PIE: No PIE (0x400000) RWX: Has RWX segments 더불어 프로..
TJCTF 2023 - pwn/flip-out
1. intro 2. code 및 분석 2.1. code int __cdecl main(int argc, const char **argv, const char **envp) { int result; // eax int v4; // [rsp+4h] [rbp-BCh] FILE *stream; // [rsp+8h] [rbp-B8h] char nptr[48]; // [rsp+10h] [rbp-B0h] BYREF __int64 v7; // [rsp+40h] [rbp-80h] __int64 v8; // [rsp+48h] [rbp-78h] __int64 v9; // [rsp+50h] [rbp-70h] __int64 v10; // [rsp+58h] [rbp-68h] __int64 v11; // [rsp+60h] [rb..
TJCTF 2023 - pwn/teenage-game
1. intro 2. code 및 분석 2.1. code main int __cdecl main(int argc, const char **argv, const char **envp) { char v3; // al int v5[2]; // [rsp+8h] [rbp-A98h] BYREF char v6[2704]; // [rsp+10h] [rbp-A90h] BYREF setup_terminal(argc, argv, envp); setvbuf(stdout, stdout_buf, 0, 0x1000uLL); init_player(v5); init_map(v6, v5); print_map(v6); signal(2, sigint_handler); while ( v5[0] != 29 || v5[1] != 89 ) { v..
TAMUctf 2023 - Bank
1. intro 2. code 및 분석 2.1. code #include long accounts[100]; char exit_msg[] = "Have a nice day!"; void deposit() { int index = 0; long amount = 0; puts("Enter the number (0-100) of the account you want to deposit in: "); scanf("%d", &index); puts("Enter the amount you want to deposit: "); scanf("%ld", &amount); accounts[index] += amount; } int main() { setvbuf(stdout, NULL, _IONBF, 0); setvbuf(..
TAMUctf 2023 - Randomness
1. intro 2. code 및 분석 2.1. code #include #include #include void upkeep() { // Not related to the challenge, just some stuff so the remote works correctly setvbuf(stdin, NULL, _IONBF, 0); setvbuf(stdout, NULL, _IONBF, 0); setvbuf(stderr, NULL, _IONBF, 0); } void win() { char* argv[] = {"/bin/cat", "flag.txt", NULL}; execve(argv[0], argv, NULL); } void foo() { unsigned long seed; puts("Enter a see..