diff --git a/.gitignore b/.gitignore
index 28b4664b..ac0b9812 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,4 @@ ghidra*
 hydra.restore
 .idea
 core
+.gdb_history
\ No newline at end of file
diff --git a/Blockharbor/pwn/Web Server Woes/flag.txt b/Blockharbor/pwn/Web Server Woes/flag.txt
new file mode 100644
index 00000000..1da937dc
--- /dev/null
+++ b/Blockharbor/pwn/Web Server Woes/flag.txt
@@ -0,0 +1 @@
+FLAG
diff --git a/Blockharbor/pwn/Web Server Woes/solve.py b/Blockharbor/pwn/Web Server Woes/solve.py
new file mode 100644
index 00000000..11948b8a
--- /dev/null
+++ b/Blockharbor/pwn/Web Server Woes/solve.py
@@ -0,0 +1,25 @@
+from pwn import *
+
+elf = ELF(os.getcwd() + "/web")
+
+gs = '''
+unset env LINES
+unset env COLUMNS
+set follow-fork-mode child
+br *handle_conn+64
+continue
+'''
+
+def start():
+if args.GDB:
+return gdb.debug([elf.path], gs=gs)
+else:
+return process([elf.path])
+
+io = start()
+sender = remote("localhost", 5000)
+
+sender.send(cyclic(2000))
+
+sender.interactive()
+io.interactive()
diff --git a/Blockharbor/pwn/Web Server Woes/web b/Blockharbor/pwn/Web Server Woes/web
new file mode 100755
index 00000000..21181c1d
Binary files /dev/null and b/Blockharbor/pwn/Web Server Woes/web differ
diff --git a/Blockharbor/rev/Reversing #1/angr.py b/Blockharbor/rev/Reversing #1/angr.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/Blockharbor/rev/Reversing #1/angr_solve.py b/Blockharbor/rev/Reversing #1/angr_solve.py
new file mode 100644
index 00000000..928381ee
--- /dev/null
+++ b/Blockharbor/rev/Reversing #1/angr_solve.py
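Review bot: `sender = remote("localhost", 5000)` runs immediately after `io = start()` with nothing waiting for the spawned `web` process to bind its listening socket, so the connect can race the server and be refused (more likely under `GDB`, where startup is slower). If the server prints a ready banner, consume it first with `io.recvline()`; otherwise a `sleep(1)` before the `remote()` call is the usual pwntools workaround. The script also assumes the binary listens on 5000 and gets `os` only via `from pwn import *`; an explicit `import os` and a `PORT = 5000` constant would make those assumptions visible.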
@@ -0,0 +1,38 @@
+import angr
+import claripy
+import logging
+from pwn import *
+
+logging.getLogger('angr').setLevel('DEBUG')
+
+base = 0x00100000
+
+input_len = 32
+
+success = 0x001014a8
+fail = 0x0010150b
+
+proj = angr.Project("/home/simon/CTF/Blockharbor/rev/Reversing #1/chal", main_opts = {"base_addr": base})
+
+flag_chars = [ claripy.BVS(f"flag_char{i}", 8) for i in range(input_len)]
+flag = claripy.Concat( *flag_chars )
+
+state = proj.factory.entry_state(args=["./chal"], remove_options={angr.options.LAZY_SOLVES}, stdin=flag)
+
+for k in flag_chars:
+state.solver.add(k >= 0x00)
+state.solver.add(k <= 0xff)
+
+simgr = proj.factory.simulation_manager(state)
+simgr.explore(find=success)
+
+pass
+if len(simgr.found) > 0:
+for found in simgr.found:
+print(found.posix.dumps(0))
+io = process("./chal")
+io.send(found.posix.dumps(0))
+print(io.recvall())
+
+else:
+print(simgr)
\ No newline at end of file
diff --git a/Blockharbor/rev/Reversing #1/a.out b/Blockharbor/rev/Reversing #1/chal
similarity index 59%
rename from Blockharbor/rev/Reversing #1/a.out
rename to Blockharbor/rev/Reversing #1/chal
index 0244addb..9ea0e014 100755
Binary files a/Blockharbor/rev/Reversing #1/a.out and b/Blockharbor/rev/Reversing #1/chal differ
diff --git a/Blockharbor/rev/Reversing #1/mod_source.c b/Blockharbor/rev/Reversing #1/mod_source.c
index c50f948b..eb8f63a1 100644
--- a/Blockharbor/rev/Reversing #1/mod_source.c
+++ b/Blockharbor/rev/Reversing #1/mod_source.c
@@ -28,7 +28,7 @@ void setup() {
 }
 
 int check_pass(unsigned int start[]) {
- printf("checking\n");
+ //printf("checking\n");
 unsigned int temp = 0;
 for (int i = 0; i < 4; ++i) {
 temp = start[i];
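Review bot: `fail` is defined but never passed to `simgr.explore(find=success)`, so states that take the failure path are never pruned; the `// Failed, just spin` comment in mod_source.c suggests that path loops forever, in which case those states keep being stepped and the search can run until memory is exhausted instead of finishing. Change it to `simgr.explore(find=success, avoid=fail)`. The two constraints in the `for k in flag_chars` loop (`k >= 0x00`, `k <= 0xff`) are tautologies on an 8-bit bitvector and can be dropped, as can the stray `pass`. The project is opened from the absolute path `/home/simon/...` while the replay uses `process("./chal")`; deriving both from a path relative to `__file__` keeps the script runnable outside that home directory.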
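Review bot: The `printf("checking\n")` in `check_pass` is commented out rather than removed, leaving dead code that has to be uncommented by hand whenever the debug output is wanted again. Either delete the line or guard the debug prints once with `#ifdef DEBUG` / `printf("checking\n");` / `#endif`, so a single `-DDEBUG` build flag toggles them. The body of `check_pass` continues past the end of this hunk.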
@@ -50,24 +50,26 @@ void main(){
 memset(start, 0, 16);
 read(0, user_input, MAX_SIZE);
+ //printf("%X ",user_input);
+ //printf("\n");
 for (int i = 0; i < 4; i++) {
-
+
 start[i] |= ((unsigned int)user_input[(i * 4)] << 24);
 start[i] |= ((unsigned int)user_input[(i * 4)+1] << 16);
 start[i] |= ((unsigned int)user_input[(i * 4)+2] << 8);
 start[i] |= ((unsigned int)user_input[(i * 4)+3] << 0);
- printf("%X ",start[i]);
+ //printf("%X ",start[i]);
 }
- printf("\n");
+ //printf("\n");
 if (check_pass(start) == 1) {
- printf("Thats it!\r\nSubmit in the format FLAG{");
+ //printf("Thats it!\r\nSubmit in the format FLAG{");
 for (int i = 0; i < 4; i++) {
- printf("%X",start[i]);
+ //printf("%X",start[i]);
 }
- printf("}\n");
+ //printf("}\n");
 }
 // Failed, just spin