PWN – Ghost Diary

Ghost Diary – 500pt
Challenge: Try writing in this ghost diary.
Hints: None
Solution: WARNING: RUN THE EXECUTABLE WITH GLIBC 2.27, OTHERWISE THIS WILL NOT WORK. To run the executable against that glibc version you can use the change-glibc script from https://github.com/Ayrx/reutils/tree/master/bin, together with the libc.so.6 and ld-linux-x86-64.so.2 files contained in this folder. In the exploit, we refer… Continue reading “PWN – Ghost Diary”

PWN – slippery-shellcode

slippery-shellcode – 200pt
Challenge: This program is a little bit more tricky. Can you spawn a shell and use that to read the flag.txt? You can find the program in /problems/slippery-shellcode_2_4061c12f5a4a9d8c1c3f45b25fbcb09a on the shell server.
Hints: None
Solution: We have an executable that asks for shellcode and, after we have provided it,… Continue reading “PWN – slippery-shellcode”

PWN – NewOverFlow1

NewOverFlow1 – 200pt
Challenge: Let's try moving to 64-bit, but don't worry, we'll start easy. Overflow the buffer and change the return address to the flag function in this program. You can find it in /problems/newoverflow-1_0_f9bdea7a6553786707a6d560decc5d50 on the shell server.
Hints: Now that we're in 64-bit, what used to be 4 bytes now may be… Continue reading “PWN – NewOverFlow1”

PWN – Overflow1

OverFlow1 – 150pt
Challenge: You beat the first overflow challenge. Now overflow the buffer and change the return address to the flag function in this program. You can find it in /problems/overflow-1_0_48b13c56d349b367a4d45d7d1aa31780 on the shell server.
Hints: Take control of that return address. Make sure your address is in little endian.
Solution: In this case, as… Continue reading “PWN – Overflow1”

PWN – OverFlow0

OverFlow0 – 100pt
Challenge: This should be easy. Overflow the correct buffer in this program and get a flag. It's also found in /problems/overflow-0_5_db665826dabb99c44758c97abfd8c4c6 on the shell server.
Hints: Find a way to trigger the flag to print. If you try to do the math by hand, maybe try and add a few more characters. Sometimes… Continue reading “PWN – OverFlow0”

PWN – handy-shellcode

handy-shellcode – 50pt
Challenge: This program executes any shellcode that you give it. Can you spawn a shell and use that to read the flag.txt? You can find the program in /problems/handy-shellcode_4_037bd47611d842b565cfa1f378bfd8d9 on the shell server.
Hints: You might be able to find some good shellcode online.
Solution: We have a program that asks us… Continue reading “PWN – handy-shellcode”

PWN – zero_to_hero

zero_to_hero – 500 points
Challenge: Now you're really cooking. Can you pwn this service? Connect with nc 2019shell1.picoctf.com 49928. Files: libc.so.6, ld-2.29.so
Hints: Make sure both files are in the same directory as the executable, and set LD_PRELOAD to the path of libc.so.6.
Solution: We are given the nc of a remote server, the binary… Continue reading “PWN – zero_to_hero”

PWN – sice_cream

sice_cream – 500 points
Challenge: Just pwn this program and get a flag. Connect with nc 2019shell1.picoctf.com 35993. Files: libc.so.6, ld-2.23.so
Hints: Make sure both files are in the same directory as the executable, and set LD_PRELOAD to the path of libc.so.6.
Solution: The problem specification contains the nc of a remote server, the binary… Continue reading “PWN – sice_cream”