CTF/Solved
Hackappatoi CTF '23
1. go2win
buffer overflow 문제. 정적으로 컴파일(static compile)되어 있어서 gdb가 제대로 disassemble 하지 못하는 이상한 문제가 있었음. (나중에 알고 보니 golang 바이너리라 그런 거였음.)
- ~ file go2win
go2win: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, Go BuildID=48JPIwuiWHqAWxDMZivh/G6kBAN3TcK1YEUaef8ap/H_z3bCAF-A6sudbCtLHg/CWiJISSpnfio3_sfcTUd, not stripped
1번 문제이니 그냥 buffer overflow라고 가정하고, flag를 읽어주는 함수 주소를 찾아봤고, gef➤ info funct..
TJCTF 2023 - pwn/formatter
1. intro 2. code 및 분석 2.1. code main int __cdecl main(int argc, const char **argv, const char **envp) { char s[268]; // [rsp+0h] [rbp-110h] BYREF int i; // [rsp+10Ch] [rbp-4h] setbuf(_bss_start, 0LL); xd = calloc(1uLL, 4uLL); printf("give me a string (or else): "); fgets(s, 256, stdin); printf(s); r1(s[0]); if ( win() ) { for ( i = 0; i
TJCTF 2023 - pwn/groppling-hook
1. intro 2. code 및 분석 2.1. code #include "stdio.h" #include void laugh() { printf("ROP detected and denied...\n"); exit(2); } void win() { FILE *fptr; char buf[28]; // Open a file in read mode fptr = fopen("flag.txt", "r"); fgets(buf, 28, fptr); puts(buf); } void pwnable() { char buffer[10]; printf(" > "); fflush(stdout); read(0, (char *)buffer, 56); /* Check ret */ __asm__ __volatile__("add $0x..
TJCTF 2023 - pwn/shelly
1. intro 2. code 및 분석 2.1. code int __cdecl main(int argc, const char **argv, const char **envp) { char s[256]; // [rsp+0h] [rbp-100h] BYREF setbuf(stdout, 0LL); printf("0x%lx\n", s); fgets(s, 512, stdin); for ( i = 0; i checksec chall [*] '/home/wyv3rn/ctf/chall' Arch: amd64-64-little RELRO: Partial RELRO Stack: No canary found NX: NX disabled PIE: No PIE (0x400000) RWX: Has RWX segments 더불어 프로..
TJCTF 2023 - pwn/flip-out
1. intro 2. code 및 분석 2.1. code int __cdecl main(int argc, const char **argv, const char **envp) { int result; // eax int v4; // [rsp+4h] [rbp-BCh] FILE *stream; // [rsp+8h] [rbp-B8h] char nptr[48]; // [rsp+10h] [rbp-B0h] BYREF __int64 v7; // [rsp+40h] [rbp-80h] __int64 v8; // [rsp+48h] [rbp-78h] __int64 v9; // [rsp+50h] [rbp-70h] __int64 v10; // [rsp+58h] [rbp-68h] __int64 v11; // [rsp+60h] [rb..
TJCTF 2023 - pwn/teenage-game
1. intro 2. code 및 분석 2.1. code main int __cdecl main(int argc, const char **argv, const char **envp) { char v3; // al int v5[2]; // [rsp+8h] [rbp-A98h] BYREF char v6[2704]; // [rsp+10h] [rbp-A90h] BYREF setup_terminal(argc, argv, envp); setvbuf(stdout, stdout_buf, 0, 0x1000uLL); init_player(v5); init_map(v6, v5); print_map(v6); signal(2, sigint_handler); while ( v5[0] != 29 || v5[1] != 89 ) { v..
TAMUctf 2023 - Bank
1. intro 2. code 및 분석 2.1. code #include long accounts[100]; char exit_msg[] = "Have a nice day!"; void deposit() { int index = 0; long amount = 0; puts("Enter the number (0-100) of the account you want to deposit in: "); scanf("%d", &index); puts("Enter the amount you want to deposit: "); scanf("%ld", &amount); accounts[index] += amount; } int main() { setvbuf(stdout, NULL, _IONBF, 0); setvbuf(..
TAMUctf 2023 - Randomness
1. intro 2. code 및 분석 2.1. code #include #include #include void upkeep() { // Not related to the challenge, just some stuff so the remote works correctly setvbuf(stdin, NULL, _IONBF, 0); setvbuf(stdout, NULL, _IONBF, 0); setvbuf(stderr, NULL, _IONBF, 0); } void win() { char* argv[] = {"/bin/cat", "flag.txt", NULL}; execve(argv[0], argv, NULL); } void foo() { unsigned long seed; puts("Enter a see..
TAMUctf 2023 - Pwnme
1. intro 2. code 및 분석 2.1. code 0000000000401195 : 401195: 55 push %rbp 401196: 48 89 e5 mov %rsp,%rbp 401199: 48 83 ec 18 sub $0x18,%rsp 40119d: b8 00 00 00 00 mov $0x0,%eax 4011a2: e8 89 fe ff ff call 401030 4011a7: 48 83 c4 18 add $0x18,%rsp 4011ab: b8 00 00 00 00 mov $0x0,%eax 4011b0: 5d pop %rbp 4011b1: c3 ret 4011b2: 48 29 f0 sub %rsi,%rax 4011b5: c3 ret 0000000000401030 : 401030: ff 25 e2..