angr solved

.gitignore

@@ -2,3 +2,4 @@ ghidra*
 hydra.restore
 .idea
 core
+.gdb_history

Blockharbor/pwn/Web Server Woes/flag.txt

@@ -0,0 +1 @@
+FLAG

Blockharbor/pwn/Web Server Woes/solve.py

@@ -0,0 +1,25 @@
+from pwn import *
+
+elf = ELF(os.getcwd() + "/web")
+
+gs = '''
+unset env LINES
+unset env COLUMNS
+set follow-fork-mode child
+br *handle_conn+64
+continue
+'''
+
+def start():
+    if args.GDB:
+        return gdb.debug([elf.path], gs=gs)
+    else:
+        return process([elf.path])
+
+io = start()
+sender = remote("localhost", 5000)
+
+sender.send(cyclic(2000))
+
+sender.interactive()
+io.interactive()

Blockharbor/rev/Reversing #1/angr_solve.py

@@ -0,0 +1,38 @@
+import angr
+import claripy
+import logging
+from pwn import *
+
+logging.getLogger('angr').setLevel('DEBUG')
+
+base = 0x00100000
+
+input_len = 32
+
+success = 0x001014a8
+fail = 0x0010150b
+
+proj = angr.Project("/home/simon/CTF/Blockharbor/rev/Reversing #1/chal", main_opts = {"base_addr": base})
+
+flag_chars = [ claripy.BVS(f"flag_char{i}", 8) for i in range(input_len)]
+flag = claripy.Concat( *flag_chars )
+
+state = proj.factory.entry_state(args=["./chal"], remove_options={angr.options.LAZY_SOLVES}, stdin=flag)
+
+for k in flag_chars:
+    state.solver.add(k >= 0x00)
+    state.solver.add(k <= 0xff)
+
+simgr = proj.factory.simulation_manager(state)
+simgr.explore(find=success)
+
+pass
+if len(simgr.found) > 0:
+    for found in simgr.found:
+        print(found.posix.dumps(0))
+        io = process("./chal")
+        io.send(found.posix.dumps(0))
+        print(io.recvall())
+
+else:
+    print(simgr)

Blockharbor/rev/Reversing #1/mod_source.c

@@ -28,7 +28,7 @@ void setup() {
 }
 
 int check_pass(unsigned int start[]) {
-    printf("checking\n");
+    //printf("checking\n");
     unsigned int temp = 0;
     for (int i = 0; i < 4; ++i) {
       temp = start[i];
@@ -50,6 +50,8 @@ void main(){
   memset(start, 0, 16);
   read(0, user_input, MAX_SIZE);
 
+  //printf("%X ",user_input);
+  //printf("\n");
   for (int i = 0; i < 4; i++) {
 
     start[i] |= ((unsigned int)user_input[(i * 4)]   << 24);
@@ -57,17 +59,17 @@ void main(){
     start[i] |= ((unsigned int)user_input[(i * 4)+2] << 8);
     start[i] |= ((unsigned int)user_input[(i * 4)+3] << 0);
 
-    printf("%X ",start[i]);
+    //printf("%X ",start[i]);
   }
 
-  printf("\n");
+  //printf("\n");
 
   if (check_pass(start) == 1) {
-    printf("Thats it!\r\nSubmit in the format FLAG{");
+    //printf("Thats it!\r\nSubmit in the format FLAG{");
     for (int i = 0; i < 4; i++) {
-          printf("%X",start[i]);
+          //printf("%X",start[i]);
     }
-    printf("}\n");
+    //printf("}\n");
   }
 
   // Failed, just spin