[CTF Wiki Pwn]Stackoverflow Lab007: ret2csu

1. Check protection mechanism Result of checksec: 2. Source code The source code of the program is: #undef _FORTIFY_SOURCE #include <stdio.h> #include <stdlib.h> #include <unistd.h> void vulnerable_function() { char buf[128]; read(STDIN_FILENO, buf, 512); } int main(int argc, char** argv) { write(STDOUT_FILENO, " ...

Added by bender on Sat, 22 Jan 2022 11:21:57 +0200

Common python scripts and online websites of ctf

script Picture blasting width and height script in Knowledge points of ctf misc picture questions in Binary to QR code Before running, change the image side length, that is, the value of MAX. for example, the binary string length is 625 (25 * 25), which is changed to 25 here import PIL from PIL import Image MAX = 25 #Picture side lengt ...

Added by thoand on Wed, 12 Jan 2022 05:12:36 +0200

Stack migration of PWN questions

preface Vegetable chicken summary, if there is something wrong, I hope you can give advice in time to avoid harming people's children. 0x1: basic knowledge: Everyone must know the problem solved by stack migration technology - the overflow length is not enough and can only cover the return address. As for the length of the rop chain to ...

Added by suepahfly on Thu, 06 Jan 2022 02:49:00 +0200

CTFmisc image title (zsteg takes zip, recombines compressed packets, IDAT data steganography, LaTeX written by Markdown, zero width byte steganography)

1, Title Description The second BMZCTF network security open, sponsored by: white hat community · WHT team, white hat cup, January 1, 2022 misc Title: game script As a programmer, I can't call out 30 lives. I wrote it down in my notes. Game script hint: compressed package, pay attention to the logo, and then reorganize. Game script ...

Added by marcusb on Wed, 05 Jan 2022 04:46:27 +0200

Geek peak 2021 web opcode

preface After hitting the peak of geeks, talk about your feelings: it's really becoming more and more delicious?? They didn't sign in and didn't leave. They scored 0 directly, which was worse than when they first started There are two Pwns, one five or six libc + two executable files. They don't bother to decompress them. A malloc direc ...

Added by deezerd on Sun, 02 Jan 2022 04:11:18 +0200

Safety - Misc Mingchu love (Xiangyun cup 2021)

1, Title 2, WriteUp [1]. Get compressed package Directly modify the suffix of the document to zip or use binwalk -e [file name] in kalinux to obtain a compressed package The contents are as follows [2]. Tips In_ There is a key in rels Txt, said to move forward bravely, indicating that the flag is likely to be i ...

Added by Thivya on Mon, 20 Dec 2021 03:34:43 +0200

linux_kernal_pwn ciscn2017_babydriver

It's kernal pwn Three documents were given boot.sh: a script used to start the shell of the kernel. It uses qemu. The protection measures are related to different startup parameters of qemu bzImage: packaged kernel code. vmlinx is usually extracted through it. It is also here to find gadget s rootfs.cpio: file system image, that is, the file ...

Added by point86 on Sun, 19 Dec 2021 07:45:05 +0200

Kernel rop attack 2018QWBcore replay

Foreword: I just started the core problem recently, so I'll learn from ctfwiki here. Don't spray... The first step is classic... If the title is not given to vmlinux, it can be extracted through extract vmlinux. See start SH finds that kalsr randomization is enabled, and the base address needs to be leaked. This is very similar to the pwn pro ...

Added by turkman on Sat, 18 Dec 2021 20:57:35 +0200

CTFshow topic brushing Diary - WEB-PHP feature (Part I 89-115)

Part1 Bypass skills about intval() function web89 clude("flag.php"); highlight_file(__FILE__); if(isset($_GET['num'])){ $num = $_GET['num']; if(preg_match("/[0-9]/", $num)){ die("no no no!"); } if(intval($num)){ echo $flag; } } It can be recognized as a number by intval, excluding the numbers 0-9 After ...

Added by molave on Wed, 15 Dec 2021 15:56:51 +0200

On the exploitation of Phar deserialization vulnerability: N1CTF 2021 easyphp & an Xun cup 2021 EZ_TP

Phar What is Phar PHp ARchive, like a Java JAR, but for PHP. Phar (PHp ARchive) is a packaged file similar to JAR. PHP ≥ 5.3 supports phar suffix files by default. You can use it without any other installation. The phar extension provides a way to put an entire PHP application into a. Phar file for easy movement and installation The bigge ...

Added by phpjaco on Sun, 28 Nov 2021 08:12:23 +0200