
Category: Uncategories


[HKUSpaceCTF] Official Reverse Write-up

Hello – 100
You can easily find that there is a variable called flag. Go to the hex view.

Hidden password – 100
After typing whatever password you like, you can use Cheat Engine to search the process.

Answer is? – 100
Same as the previous question.

Shield – 150

HelloRevenge – 200
Just a simple memory search skill. Input "Please give me the flag", and search for 1 in Cheat Engine. Keep increasing the solved times and search for the value in Cheat Engine. Finally, we find that HelloRevenge.vmp.exe+1F2E0 stores the solved times. We can change the value to 13333337 and input "Please give me the flag" one more time, and you will get the flag.

Unbreakable shell – 225
We can see that the program is protected by UPX, but it is a very weak protection. You can download the tools to unpack it: https://mega.nz/#F!OAx0wL7K!gLPZh7pkMv7d8as5serOmg!XdphxZiS After unpacking, you can see the real entry point is at 0x00401280, so we can set a breakpoint at that address and run the program. After that, we can unpack the shell, and you are able to search strings now. After some analysis, I think that 0x40138e is the main comparison point, so I decided to try patching jnz to jz, and set a breakpoint here to see the effect.


[HKUSpaceCTF] Official Web Write-up

Web Sanity Check – 25

Easy Black Flag (index page) – 50
The weird JavaScript can be decrypted with https://tool.lu/js/ After decrypting, we got:

You can paste this into the Chrome console and call getFlag_10571305(), and you will get the flag.

C00k13s 4 you – 50

NotHere – 50

Web3 – 75
View source and you will find that the website contains one image. Access the folder of that image, and you will find an image named dnRjdGZ7ZjB.jpg. This is the flag image.

m4TH – 100
All you need to do is answer the question 100 times. After that, the website will give you the flag.

L0gic4l – 125
Hint: Oh, forgot to say, backup is very important, so I zipped my website and put it everywhere~
Based on the hint, you may guess that the whole website is zipped as web125.zip in the root of the website. After reviewing the code, you will find that it uses == to compare two md5 hashes. So, based on PHP's weak comparison, we can use 240610708 and QNKCDZO as the password and super-secure-password.

Rough – 150
Just brute force the 4-digit number.
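To show why the == check above fails, here is an added example (my own code, not the write-up's or the challenge's source) that puts the vulnerable comparison next to a hardened one, using the two strings from the write-up as the stored and supplied values:

```php
<?php
// Added example, not from the write-up. Both md5 digests below have the form
// "0e<digits>", which PHP's loose comparison treats as numeric strings equal
// to zero, so two unrelated inputs compare as equal.

function check_loose(string $supplied, string $stored): bool
{
    // Vulnerable: == coerces "0e..." digests to numbers before comparing.
    return md5($supplied) == md5($stored);
}

function check_strict(string $supplied, string $stored): bool
{
    // Hardened: hash_equals() compares the digest bytes with no type juggling
    // and in constant time; === on the two strings would also be type-safe.
    return hash_equals(md5($stored), md5($supplied));
}

$stored   = 'QNKCDZO';    // constructed "real" password
$supplied = '240610708';  // unrelated value from the write-up

printf("md5(%s) = %s\n", $stored, md5($stored));
printf("md5(%s) = %s\n", $supplied, md5($supplied));
printf("loose  == : %s\n", check_loose($supplied, $stored) ? 'accepted' : 'rejected');
printf("strict    : %s\n", check_strict($supplied, $stored) ? 'accepted' : 'rejected');
```

Running it shows that the loose check accepts the unrelated value while the strict check rejects it; the same applies to any pair of inputs whose digests start with "0e" followed only by digits.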

Null – 200
Just use UNION SELECT to make a fake row to bypass the authentication.

Simple PHP Jail – 500
View source, and you will find that

So, you can view the source code here: http://web1.polyu.work/spaceCTF/web300/terminal.php?code

You will find that the source receives the variable cmd and…


ROP Notes

system: p system 4008a8 6008a8
bin/sh: gdb binary > start > find sh, or elf.get_section_by_name('.dynsym').header['sh_addr']
pop rdi ret: ROPgadget --binary ./pwn150 --only "pop|ret" 0x400883

Reference:
basic ROP: http://www.cnblogs.com/0xJDchen/p/6175651.html
ROP x64: http://yunnigu.dropsec.xyz/2016/11/21/pwn%E5%AD%A6%E4%B9%A0rop%E4%B9%8Bx64%E7%AF%87/
Main point: payload = "\x00"*136 + p64(pop_pop_call_addr) + p64(system_addr) + p64(binsh_addr)
pop rdi; ret
POP POP POP, WRITE .BSS: http://yunnigu.dropsec.xyz/2016/11/19/pwn%E5%AD%A6%E4%B9%A0%E4%B9%8BDynELF%E7%9A%84%E4%BD%BF%E7%94%A8/
return to dl (bypass ASLR+DEP): https://zhuanlan.zhihu.com/p/23255727
x64 provide libc: http://bobao.360.cn/learning/detail/3300.html
