Too Many Cooks

Oh no! Something awful happened and we let too many cooks cook up this challenge. I hope you can still get something edible out of it… Category: pwn Solver: computerdores, hack_the_kitty Flag: GPNCTF{4aahhh_th3_l33k_t4st3_0f_v1ct0ry!} Writeup The challenge binary presents you with a menu to select from. One can select a main dish and a dessert.

Welcome to our dining hall!
Please select a dish:
-[pizza] A nice and fresh pizza
-[gulasch] It's GPN, it's night and I'm programming....

June 15, 2024 · 8 min · computerdores, hack_the_kitty

Future of Pwning 1

There’s this cool new forward compatible ISA. I created an online emulator so that you can try it out! Category: pwn Solver: t0b1 Flag: GPNCTF{Ar3_y0u_Re4dy_for_th3_re4l_Chal1eng3?_ee9d22353e82} Writeup In this challenge, we are provided with a Dockerfile, an app.py, a forw binary and an instruction_list.csv. It is primarily a warm-up challenge to play with the ForwardCom ecosystem. Overview We first look at the Dockerfile to find out more about the setup of the challenge:...

June 13, 2024 · 4 min · t0b1

Petween Reasonable Lines

Now you have two problems. Category: pwn Solver: c0mpb4u3r, t0b1 Flag: GPNCTF{On3_d0es_Not_s1mply_Jump_int0_th3_m1ddle_of_4n_instruct1ion!!1} Introduction Imagine you want to allow users to execute their code on your server. There are a few reasonable options, like WebAssembly for instance. However, you could just write a Perl program that reads arbitrary bytes from stdin and tries to execute them directly on the host CPU. So let’s write some Perl…

# Assume we have our code in $p
# Mark memory as executable....

June 12, 2024 · 6 min · c0mpb4u3r, t0b1

Polyrop

I picked the wrong path at Cyber Security Rumble 2024’s polypwn challenge and failed. Can you do it with more time and a win function? NOTE: Knowledge of polypwn is not required! Credit to @LevitatingLion for the original challenge and part of the code. Category: pwn Solver: nh1729 Flag: GPNCTF{you_re_lucky_that_i_scr4pped_one_arch_11dda4} Writeup Challenge Setup This is the hard version of polyrop-warmup. To summarize: It is a binary exploitation challenge. We get the source of the program to pwn composer....

June 12, 2024 · 19 min · nh1729

Terminator 1

I heard supply-chain security is all the rage now, after a weird XY problem. Not sure what they were up about, but I was probably not asking the correct questions… Undeterred, I went shopping in some poor PhD student’s lab and found this lovely contraption, ending this problem once and for all: As soon as evil code will be executed, your VM will be killed mercilessly. I even built a really cute application for cooking up your cyber recipes to try it out!...

June 9, 2024 · 19 min · lukasrad02, 3mb0, nh1729

Never gonna give you UB

Can you get this program to do what you want? Category: pwn Solver: jogius Flag: GPNCTF{G00d_n3w5!_1t_l00ks_l1ke_y0u_r3p41r3d_y0ur_disk...} This challenge provides us with four files: song_rater.c and a corresponding binary song_rater, as well as a run.sh script and the Dockerfile used for the server. Let’s take a look at the Dockerfile first. Dockerfile At first glance, this doesn’t really do anything interesting - the file simply defines two containers, one for compiling song_rater....

June 9, 2024 · 6 min · jogius

Dreamer

It would be a shame if you could exploit this sleepy binary. Category: pwn, misc Solver: rgw, abc013, Liekedaeler, MarDN Flag: GPNCTF{sh0rt_she11c0de_1s_c00l} Writeup We are given a compiled binary dream and its source code dream.c:

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <sys/mman.h>
#include <string.h>

#define ROTL(X, N) (((X) << (N)) | ((X) >> (8 * sizeof(X) - (N))))
#define ROTR(X, N) (((X) >> (N)) | ((X) << (8 * sizeof(X) - (N))))

unsigned long STATE;
unsigned long CURRENT;

char custom_random(){
    STATE = ROTL(STATE,30) ^ ROTR(STATE,12) ^ ROTL(STATE,42) ^ ROTL(STATE,4) ^ ROTR(STATE,5);
    return STATE % 256;
}

void* experience(long origin){
    char* ccol= mmap (0,1024, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
    size_t k = 0;
    while(k<106){
        *(ccol+k) = 0x90; //nop just in case;
        k++;
    }
    k=16;
    *((int*)ccol) = origin;
    while(k<100){
        *(ccol+k)=custom_random();
        k++;
    }
    return ccol;
}

void sleepy(void * dream){
    int (*d)(void) = (void*)dream;
    d();
}

void win(){
    execv("/bin/sh",NULL);
}

void setup(){
    setvbuf(stdin, NULL, _IONBF, 0);
    setvbuf(stdout, NULL, _IONBF, 0);
    setvbuf(stderr, NULL, _IONBF, 0);
}

int main(){
    setup();
    long seed=0;
    printf("the win is yours at %p\n", win);
    scanf("%ld",&seed);
    STATE = seed;
    printf("what are you thinking about?...

June 3, 2024 · 4 min · rgw, abc013, Liekedaeler, MarDN
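The custom_random generator in dream.c is an XOR of rotations of the 64-bit state (unsigned long is 64-bit on the x86_64 target), so every output bit is a GF(2)-linear function of the seed bits. That means a seed which makes the first n bytes written at ccol[16..] equal a chosen sequence can be computed by solving a linear system instead of brute-forcing seeds, and since the seed has only 64 bits of freedom, at most 8 output bytes can be dictated this way, which is why the shellcode has to be short. The solver below is an added example, not code from the writeup or the challenge; which bytes to target (the actual shellcode, and how it combines with the win address stored at ccol[0..3]) is left to the writeup, and the two-byte target used here is a constructed placeholder.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Rotates on the 64-bit state, matching dream.c's ROTL/ROTR for unsigned long on x86_64 */
#define ROTL64(X, N) (((X) << (N)) | ((X) >> (64 - (N))))
#define ROTR64(X, N) (((X) >> (N)) | ((X) << (64 - (N))))

/* One update of custom_random(), written as a pure function of the state */
static uint64_t step(uint64_t s) {
    return ROTL64(s, 30) ^ ROTR64(s, 12) ^ ROTL64(s, 42) ^ ROTL64(s, 4) ^ ROTR64(s, 5);
}

/* The bytes experience() stores at ccol[16], ccol[17], ...: byte k is the low byte of the state after k+1 updates */
void stream(uint64_t seed, unsigned char *out, int n) {
    uint64_t s = seed;
    for (int k = 0; k < n; k++) {
        s = step(s);
        out[k] = (unsigned char)(s & 0xff);
    }
}

/* XOR of rotations is linear over GF(2): step(a ^ b) == step(a) ^ step(b).
 * So output bit b of byte k is the parity of (seed & mask) for a fixed mask; collect eight
 * masks per target byte and solve the system by Gaussian elimination over GF(2).
 * Returns 0 and writes the seed on success, -1 if n is out of range or no seed exists. */
int find_seed(const unsigned char *target, int n, uint64_t *seed_out) {
    if (n < 1 || n > 8) return -1;                 /* 64 unknown seed bits: at most 64 constraints */
    uint64_t col[64], rows[64];
    int rhs[64], pivot_col[64], m = 0;
    for (int j = 0; j < 64; j++) col[j] = (uint64_t)1 << j;  /* col[j]: where seed bit j sits after 0 steps */
    for (int k = 0; k < n; k++) {
        for (int j = 0; j < 64; j++) col[j] = step(col[j]);  /* by linearity: image of seed bit j after k+1 steps */
        for (int b = 0; b < 8; b++) {
            uint64_t mask = 0;                                /* seed bits that feed output bit b of byte k */
            for (int j = 0; j < 64; j++)
                if ((col[j] >> b) & 1) mask |= (uint64_t)1 << j;
            rows[m] = mask;
            rhs[m] = (target[k] >> b) & 1;
            m++;
        }
    }
    int r = 0;                                                /* reduced row echelon form over GF(2) */
    for (int c = 0; c < 64 && r < m; c++) {
        int p = -1;
        for (int i = r; i < m; i++) if ((rows[i] >> c) & 1) { p = i; break; }
        if (p < 0) continue;
        uint64_t tr = rows[p]; rows[p] = rows[r]; rows[r] = tr;
        int th = rhs[p]; rhs[p] = rhs[r]; rhs[r] = th;
        for (int i = 0; i < m; i++)
            if (i != r && ((rows[i] >> c) & 1)) { rows[i] ^= rows[r]; rhs[i] ^= rhs[r]; }
        pivot_col[r++] = c;
    }
    for (int i = r; i < m; i++) if (rhs[i]) return -1;       /* a row reading 0 = 1: target unreachable */
    uint64_t seed = 0;                                        /* free variables are left at 0 */
    for (int i = 0; i < r; i++) if (rhs[i]) seed |= (uint64_t)1 << pivot_col[i];
    unsigned char check[8];                                   /* always confirm against the real generator */
    stream(seed, check, n);
    if (memcmp(check, target, n) != 0) return -1;
    *seed_out = seed;
    return 0;
}

/* Constructed placeholder target (x86 `jmp $`), chosen only to exercise the search; not the writeup's shellcode */
const unsigned char SAMPLE_TARGET[2] = { 0xeb, 0xfe };

int main(void) {
    uint64_t seed;
    if (find_seed(SAMPLE_TARGET, 2, &seed) != 0) { puts("no seed found"); return 1; }
    /* dream reads the seed with scanf("%ld"), so it has to be sent as a signed decimal */
    printf("seed %ld -> ccol[16..17] = %02x %02x\n", (long)seed, SAMPLE_TARGET[0], SAMPLE_TARGET[1]);
    return 0;
}
```

The final stream() check matters: a system that is consistent on paper is only useful if the real generator reproduces the bytes, and it also catches any slip in the linear model. For longer targets the equations may become dependent, in which case find_seed reports failure rather than returning a seed that only partially matches.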

Gift

A gift from the king. Category: pwn Solver: t0b1, c0mpb4u3r, nh1729 Flag: GPNCTF{new_stuff_and_constraints_a29kd33} Writeup Challenge setup The challenge consists of an x86_64 assembly file gift.s and supporting Makefile and Dockerfile. We have access to the input and output of the compiled assembly via TCP; the flag is in the file /app/flag.txt. The challenge binary has only two functions and no linked libraries:

.section .text
.global _start

read_input:
    # Read 314 bytes + 16 free bytes from stdin to the stack
    sub $314, %rsp          # Make room for the input
    mov $0, %rax            # System call number for read
    mov $0, %rdi            # File descriptor for stdin
    mov %rsp, %rsi          # Address of the stack
    mov $330, %rdx          # Number of bytes to read
    syscall                 # Call the kernel
    add $314, %rsp          # Restore the stack pointer
    ret

_start:
    # Print the message to stdout
    mov $1, %rax            # System call number for write
    mov $1, %rdi            # File descriptor for stdout
    mov $message, %rsi      # Address of the message string
    mov $message_len, %rdx  # Length of the message string
    syscall                 # Call the kernel

    call read_input

    # Exit the program
    mov $60, %rax           # System call number for exit
    xor %rdi, %rdi          # Exit status 0
    xor %rsi, %rsi          # I like it clean
    xor %rdx, %rdx          # I like it clean
    syscall                 # Call the kernel

message: ....

June 3, 2024 · 4 min · t0b1, c0mpb4u3r, nh1729

Polyrop-warmup

I picked the wrong path at Cyber Security Rumble 2024’s polypwn challenge and failed. Can you do it with more time and a win function? NOTE: Knowledge of polypwn is not required! Credit to @LevitatingLion for the original challenge and part of the code. Category: pwn Solver: nh1729 Flag: GPNCTF{line_breaks_in_addresses_make_me_sad_a39d9} Writeup Challenge Setup This is a binary exploitation challenge. We get the source of the program to pwn composer.c and a python wrapper composer....

June 3, 2024 · 6 min · nh1729

Roboquest

In order to automate our procedures, we have created this data collector steam robot that will go out and ask questions to random citizens and store the data in his memory. Our only problem is that we do not have a template of questions to insert into the robot and begin our test. Prepare some questions and we are good to go! Category: pwn Solver: t0b1 Flag: HTB{r0b0fl0w_tc4ch3_p01s0n} Writeup Libc given, 2....

August 9, 2022 · 3 min · t0b1

Salesman

I see you are new in town, adventurer! Here you can pick whatever you want to continue your journey. Need a pet companion? Our arachnoids are the best. Ready to fight? Our pistols are here for you. Lost in time? Our watch will definitely save you! Category: pwn Solver: t0b1, s3rp3ntL0v3r Flag: HTB{00b_4nd_p1v0t_2_th3_st34m_w0rld!} Writeup See solve script below. Solver

from pwn import *

LOCAL = False
HOST = '167.172.52.221'
PORT = 30371
CHALLENGE = '....

August 9, 2022 · 2 min · t0b1, s3rp3ntL0v3r

Arachnoid Heaven

In the steam world, you need some trustworthy companions to help you continue your journey. What’s better than a handmade, top-tier, state of the art arachnoid machine?! Exactly, nothing! Come to Arachnoid Heaven and craft yours as soon as possible? Category: pwn Solver: t0b1, linaScience Flag: HTB{l3t_th3_4r4chn01ds_fr3333} Writeup In this pwn challenge, we receive a binary called arachnoid_heaven. TL;DR: The craft_arachnoid function allocates 96 bytes of memory but leaks the first 16 bytes....

December 2, 2021 · 5 min · t0b1, linaScience

reality check

You’re being interrogated in the enemy’s headquarters. Fake it and get out of there alive, without telling them anything! Category: pwn Solver: t0b1, Pandoron Flag: HTB{m0ms_sp4gh3tt1_1s_f4k3!} Writeup The first thing we do is to run the checksec tool to get a clue where this challenge might be heading. It outputs the following.

[*] '/home/user/htb-unictf-2020/finals/pwn/reality_check/reality_check'
    Arch:     i386-32-little
    RELRO:    Full RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)

We extract the following information:...

March 24, 2021 · 5 min · t0b1, Pandoron

kindergarten

When you set the rules, everything is under control! Or not? Category: Pwn Solver: Pandoron, t0b1 First let’s run checksec kindergarten.

[*] '/home/user/htb-unictf-2020/kindergarten/kindergarten'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE (0x400000)
    RWX:      Has RWX segments

This is good! No stack canary, no position independent code. This must be easy, right? main function

undefined8 main(void)
{
  size_t sVar1;

  setup();
  sec();
  sVar1 = strlen(&kids_must_follow);
  write(1,&kids_must_follow,sVar1);
  read(0,ans,0x60);
  kinder();
  sVar1 = strlen("Have a nice day!...

3 min · Pandoron, t0b1

mirror

You found an ol’ dirty mirror inside an abandoned house. This magic mirror reflects your most hidden desires! Use it to reveal the things you want the most in life! Don’t say too much though.. Category: Pwn Solver: t0b1 Writeup We start by using the checksec tool to check what security measures are enabled on the binary.

$ checksec mirror
[*] '/home/user/htb-unictf-2020/mirror/mirror'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      PIE enabled

We see that no canary is found, which means that we will most likely have to exploit a stack-based buffer overflow to overwrite some values on the stack....

7 min · t0b1
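The reality check, kindergarten and mirror writeups above all start from checksec output. To show where those lines come from, here is an added example (written for this page, not code from any of the writeups or from the checksec/pwntools tooling) that derives RELRO, NX, PIE and RWX for a 64-bit ELF from its program headers and dynamic section, and applies it to a constructed in-memory image built by build_sample(). Canary detection is deliberately left out: it needs the symbol table (an import of __stack_chk_fail), not the program headers. The checksec_image() and build_sample() names are this example's own.

```c
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { int pie, nx, rwx, relro; } secinfo_t;   /* relro: 0 none, 1 partial, 2 full */

/* Derive checksec-style flags for a 64-bit ELF image held in memory.
 * PIE:   e_type == ET_DYN (caveat: a shared object is ET_DYN too).
 * NX:    a PT_GNU_STACK header without PF_X; no such header means an executable stack by default.
 * RWX:   any PT_LOAD segment that is readable, writable and executable at once.
 * RELRO: PT_GNU_RELRO present gives partial; full additionally needs BIND_NOW in the dynamic section.
 * Returns 0 on success, -1 if the buffer is not a well-formed 64-bit ELF. */
int checksec_image(const uint8_t *img, size_t len, secinfo_t *out) {
    Elf64_Ehdr eh;
    if (len < sizeof eh || memcmp(img, ELFMAG, SELFMAG) != 0 || img[EI_CLASS] != ELFCLASS64) return -1;
    memcpy(&eh, img, sizeof eh);
    memset(out, 0, sizeof *out);
    out->pie = (eh.e_type == ET_DYN);
    int stack_exec = 1, bind_now = 0, has_relro = 0;
    for (int i = 0; i < eh.e_phnum; i++) {
        Elf64_Phdr ph;
        size_t off = eh.e_phoff + (size_t)i * eh.e_phentsize;
        if (off + sizeof ph > len) return -1;                 /* truncated program header table */
        memcpy(&ph, img + off, sizeof ph);
        if (ph.p_type == PT_GNU_STACK) stack_exec = (ph.p_flags & PF_X) != 0;
        else if (ph.p_type == PT_GNU_RELRO) has_relro = 1;
        else if (ph.p_type == PT_LOAD && (ph.p_flags & (PF_R | PF_W | PF_X)) == (PF_R | PF_W | PF_X)) out->rwx = 1;
        else if (ph.p_type == PT_DYNAMIC) {
            if (ph.p_offset + ph.p_filesz > len) return -1;
            for (size_t o = ph.p_offset; o + sizeof(Elf64_Dyn) <= ph.p_offset + ph.p_filesz; o += sizeof(Elf64_Dyn)) {
                Elf64_Dyn d;
                memcpy(&d, img + o, sizeof d);
                if (d.d_tag == DT_NULL) break;
                if (d.d_tag == DT_BIND_NOW ||
                    (d.d_tag == DT_FLAGS && (d.d_un.d_val & DF_BIND_NOW)) ||
                    (d.d_tag == DT_FLAGS_1 && (d.d_un.d_val & DF_1_NOW))) bind_now = 1;
            }
        }
    }
    out->nx = !stack_exec;
    out->relro = has_relro ? (bind_now ? 2 : 1) : 0;
    return 0;
}

/* Constructed sample image: ELF header, four program headers and a two-entry dynamic section.
 * Not a runnable binary, just enough structure for checksec_image(). Returns the image size, 0 if cap is too small. */
size_t build_sample(uint8_t *buf, size_t cap, int pie, int exec_stack, int full_relro) {
    enum { NPH = 4 };
    Elf64_Ehdr eh;
    Elf64_Phdr ph[NPH];
    Elf64_Dyn dyn[2];
    size_t dyn_off = sizeof eh + sizeof ph, total = dyn_off + sizeof dyn;
    if (cap < total) return 0;
    memset(&eh, 0, sizeof eh); memset(ph, 0, sizeof ph); memset(dyn, 0, sizeof dyn);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64; eh.e_ident[EI_DATA] = ELFDATA2LSB; eh.e_ident[EI_VERSION] = EV_CURRENT;
    eh.e_type = pie ? ET_DYN : ET_EXEC; eh.e_machine = EM_X86_64; eh.e_version = EV_CURRENT;
    eh.e_phoff = sizeof eh; eh.e_ehsize = sizeof eh; eh.e_phentsize = sizeof(Elf64_Phdr); eh.e_phnum = NPH;
    ph[0].p_type = PT_LOAD; ph[0].p_flags = PF_R | PF_X | (exec_stack ? PF_W : 0);   /* RWX segment alongside an exec stack, like kindergarten */
    ph[0].p_filesz = ph[0].p_memsz = total;
    ph[1].p_type = PT_DYNAMIC; ph[1].p_flags = PF_R | PF_W; ph[1].p_offset = dyn_off;
    ph[1].p_filesz = ph[1].p_memsz = sizeof dyn;
    ph[2].p_type = PT_GNU_STACK; ph[2].p_flags = PF_R | PF_W | (exec_stack ? PF_X : 0);
    ph[3].p_type = PT_GNU_RELRO; ph[3].p_flags = PF_R;
    dyn[0].d_tag = DT_FLAGS; dyn[0].d_un.d_val = full_relro ? DF_BIND_NOW : 0;
    dyn[1].d_tag = DT_NULL;
    memcpy(buf, &eh, sizeof eh); memcpy(buf + sizeof eh, ph, sizeof ph); memcpy(buf + dyn_off, dyn, sizeof dyn);
    return total;
}

static void report(const char *name, const secinfo_t *si) {
    static const char *relro[] = { "No RELRO", "Partial RELRO", "Full RELRO" };
    printf("%s: RELRO=%s NX=%s PIE=%s RWX=%s\n", name, relro[si->relro],
           si->nx ? "enabled" : "disabled", si->pie ? "PIE" : "No PIE", si->rwx ? "yes" : "no");
}

int main(int argc, char **argv) {
    uint8_t sample[1024];
    secinfo_t si;
    size_t n = build_sample(sample, sizeof sample, 1, 0, 1);
    if (n && checksec_image(sample, n, &si) == 0) report("sample (constructed)", &si);
    if (argc > 1) {                                   /* optional: inspect a real file, e.g. ./a.out /bin/ls */
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 1; }
        fseek(f, 0, SEEK_END); long sz = ftell(f); rewind(f);
        uint8_t *img = malloc(sz > 0 ? (size_t)sz : 1);
        if (img && sz > 0 && fread(img, 1, (size_t)sz, f) == (size_t)sz && checksec_image(img, (size_t)sz, &si) == 0) report(argv[1], &si);
        else fprintf(stderr, "%s: not a 64-bit ELF\n", argv[1]);
        free(img); fclose(f);
    }
    return 0;
}
```

The missing-PT_GNU_STACK case is the one worth remembering: the loader then falls back to an executable stack, so the absence of a header is a "NX disabled" verdict, not an unknown. Likewise "Full RELRO" is two facts combined, a PT_GNU_RELRO region plus BIND_NOW, which is why a binary can show "Partial RELRO" with the region present but lazy binding still on.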