reborn

altm4n · Jun 10, 2021 · d28d078 · d28d078
1 parent 49a163f
commit d28d078
Show file tree

Hide file tree

Showing 327 changed files with 18,650 additions and 0 deletions.
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1 @@
+.DS_Store
diff --git a/0CTF/2017/Quals/README.md b/0CTF/2017/Quals/README.md
@@ -0,0 +1 @@
+[CTFtime Page](https://ctftime.org/event/402)
diff --git a/0CTF/2017/Quals/pwn/babyheap/babyheap b/0CTF/2017/Quals/pwn/babyheap/babyheap
diff --git a/0CTF/2017/Quals/pwn/babyheap/libc-2.23.so b/0CTF/2017/Quals/pwn/babyheap/libc-2.23.so
diff --git a/0CTF/2018/Finals/README.md b/0CTF/2018/Finals/README.md
@@ -0,0 +1 @@
+[CTFtime Page](https://ctftime.org/event/558)
diff --git a/0CTF/2018/Finals/pwn/JSCustom.tar.gz b/0CTF/2018/Finals/pwn/JSCustom.tar.gz
diff --git a/0CTF/2018/Finals/pwn/baby/baby.ko b/0CTF/2018/Finals/pwn/baby/baby.ko
diff --git a/0CTF/2018/Finals/pwn/blackhole2/blackhole2 b/0CTF/2018/Finals/pwn/blackhole2/blackhole2
diff --git a/0CTF/2018/Finals/pwn/blackhole2/libc.so.6 b/0CTF/2018/Finals/pwn/blackhole2/libc.so.6
diff --git a/0CTF/2018/Finals/pwn/blackhole2/pow.py b/0CTF/2018/Finals/pwn/blackhole2/pow.py
@@ -0,0 +1,24 @@
+#!/usr/bin/python -u
+# encoding: utf-8
+
+import random, string, subprocess, os, sys
+from hashlib import sha256
+
+os.chdir(os.path.dirname(os.path.realpath(__file__)))
+
+def proof_of_work():
+    chal = ''.join(random.choice(string.letters+string.digits) for _ in xrange(16))
+    print chal
+    sol = sys.stdin.read(4)
+    if len(sol) != 4 or not sha256(chal + sol).hexdigest().startswith('0000'):
+        exit()
+
+def exec_serv(name, payload):
+    p = subprocess.Popen(name, stdin=subprocess.PIPE, stdout=file('/dev/null','w'), stderr=subprocess.STDOUT)
+    p.stdin.write(payload)
+    p.wait()
+
+if __name__ == '__main__':
+    proof_of_work()
+    payload = sys.stdin.read(0x1000)
+    exec_serv('./blackhole2', payload)
diff --git a/0CTF/2018/Finals/pwn/freenote2018/freenote2018 b/0CTF/2018/Finals/pwn/freenote2018/freenote2018
diff --git a/0CTF/2018/Finals/pwn/freenote2018/libc-2.23.so b/0CTF/2018/Finals/pwn/freenote2018/libc-2.23.so
diff --git a/0CTF/2018/Finals/pwn/keen_of_glory b/0CTF/2018/Finals/pwn/keen_of_glory
diff --git a/0CTF/2018/Finals/pwn/pemu/binary/main b/0CTF/2018/Finals/pwn/pemu/binary/main
diff --git a/0CTF/2018/Finals/pwn/pemu/binary/main.c b/0CTF/2018/Finals/pwn/pemu/binary/main.c
@@ -0,0 +1,240 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <string.h>
+#include <unistd.h>
+
+#define MAX_FILENAME_LENGTH 64
+#define MAX_FILENAME_COUNT 16
+
+char global_filename_list[MAX_FILENAME_COUNT][MAX_FILENAME_LENGTH];
+int global_filename_count;
+
+char temp_filename[MAX_FILENAME_LENGTH];
+const char * read_filename()
+{
+    memset(temp_filename, 0, MAX_FILENAME_LENGTH);
+    int l = 0;
+    int c = getchar();
+    while ((
+            (c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') ||(c >= 'a' && c <= 'z')) &&
+            l < MAX_FILENAME_LENGTH-1)
+    {
+        temp_filename[l++] = c;
+        c = getchar();
+    }
+    temp_filename[l] = '\0';
+
+
+    return temp_filename;
+}
+
+
+char temp_meta_path[MAX_FILENAME_LENGTH + 64];
+const char * get_meta_path(const char * path)
+{
+	memset(temp_meta_path, 0, sizeof(temp_meta_path));
+    strncpy(temp_meta_path, path, MAX_FILENAME_LENGTH-1);
+    strcat(temp_meta_path, ".meta");
+    return temp_meta_path;
+}
+
+int update_meta(const char * filename)
+{
+    const char * meta_path = get_meta_path(filename);
+    FILE * meta_fp = fopen(meta_path, "wb+");
+    if (!meta_fp) {
+        puts("Error!");
+        exit(-1);
+    }
+
+    struct stat st;
+    if (0 != lstat(filename, &st))
+	{
+		printf("Error!");
+		exit(-1);
+	}
+    fwrite(&st, sizeof(st), 1, meta_fp);
+    fclose(meta_fp);
+	return 0;
+}
+int dump_file(const char * filename)
+{
+	FILE * fp = fopen(filename, "rb");
+	if (!fp)
+	{
+		puts("Error!");
+		exit(-1);
+	}
+
+	char c;
+	while (fread(&c, 1, 1, fp) == 1)
+	{
+		write(1, &c, 1);
+	}
+	fclose(fp);
+	return 0;
+}
+int read_int()
+{
+    int l = 0;
+    char buf[16];
+    int c = getchar();
+    while (((c >= '0' && c <= '9') || (c == '-')) && l < 15)
+    {
+        buf[l++] = c;
+        c = getchar();
+    }
+    buf[l] = '\0';
+    return atoi(buf);
+
+}
+int create()
+{
+    char buf[1024];
+	if (global_filename_count > MAX_FILENAME_COUNT)
+	{
+		printf("you cannot create more file...sorry...");
+		exit(-1);
+	}
+    printf("filename:");
+    const char * filename = read_filename();
+
+	int i;
+	int exist = 0;
+
+	for (i = 0; i < global_filename_count; i++)
+	{
+		if (strcmp(&global_filename_list[i][0], filename) == 0)
+		{
+			exist = 1;
+		}
+	}
+
+    printf("data:");
+    int l = 0;
+    int c = getchar();
+    while (c != '\n' && c >= 0 && c <= 255)
+    {
+        buf[l++] = c;
+        c = getchar();
+    }
+
+    FILE * fp = fopen(filename, "a+b");
+    if (!fp) {
+        puts("Error!");
+        exit(-1);
+    }
+    fwrite(buf, l, 1, fp);
+    fclose(fp);
+
+	update_meta(filename);
+	if (!exist)
+	{
+		strncpy(&global_filename_list[global_filename_count][0], filename, MAX_FILENAME_LENGTH-1);
+		global_filename_count += 1;
+	}
+}
+
+int show()
+{
+    printf("filename:");
+    const char * filename = read_filename();
+    const char * meta_file = get_meta_path(filename);
+
+    FILE * meta_fp = fopen(meta_file, "rb");
+    if (!meta_fp) {
+        puts("Error!");
+        exit(-1);
+    }
+
+    struct stat st;
+    fread(&st, sizeof(st), 1, meta_fp);
+    fclose(meta_fp);
+
+    printf("access time:%lx\n", st.st_atime);
+    printf("modify time:%lx\n", st.st_mtime);
+    printf("create time:%lx\n", st.st_ctime);
+
+    printf("data:");
+
+	dump_file(filename);
+}
+int list()
+{
+	int i;
+	for (i = 0; i < global_filename_count; i++)
+	{
+		printf("%s\n", &global_filename_list[i][0]);
+	}
+}
+int dump()
+{
+	write(1, &global_filename_count, sizeof(global_filename_count));
+
+	int i;
+	for (i = 0; i < global_filename_count; i++)
+	{
+		write(1, &global_filename_list[i][0], MAX_FILENAME_LENGTH);
+		const char * filename = &global_filename_list[i][0];
+		const char * meta_filename = get_meta_path(filename);
+		write(1, "$$$$", 4);
+		dump_file(filename);
+		write(1, "$$$$", 4);
+		dump_file(meta_filename);
+		write(1, "$$$$", 4);
+	}
+	return 0;
+}
+int load()
+{
+    printf("not implemented\n");
+	return 0;
+}
+int menu()
+{
+    printf("\n");
+    printf("=========menu=======\n");
+    printf("1. create/append file\n");
+    printf("2. show file\n");
+    printf("3. list\n");
+    printf("4. dump file system\n");
+    printf("5. load file system\n");
+    printf("6. exit\n");
+    printf("your choice:");
+    int option = read_int();
+    if (option > 6 || option < 1) return menu();
+    else return option;
+}
+int main()
+{
+	global_filename_count = 0;
+	memset(global_filename_list, 0, sizeof(global_filename_list));
+
+	alarm(20);
+    setbuf(stdin, NULL);
+    setbuf(stdout, NULL);
+    setbuf(stderr, NULL);
+    while (1)
+    {
+        int option = menu();
+        switch(option)
+        {
+            case 1:
+                create(); break;
+            case 2:
+                show(); break;
+            case 3:
+                list(); break;
+            case 4:
+                dump(); break;
+            case 5:
+                load(); break;
+            case 6:
+                exit(0);
+        }
+    }
+
+}
diff --git a/0CTF/2018/Finals/pwn/pemu/binary/makefile b/0CTF/2018/Finals/pwn/pemu/binary/makefile
@@ -0,0 +1,2 @@
+main: main.c
+	mipsel-linux-gnu-gcc main.c -fstack-protector-all -o main
diff --git a/0CTF/2018/Finals/pwn/pemu/pemu/loader b/0CTF/2018/Finals/pwn/pemu/pemu/loader
diff --git a/0CTF/2018/Finals/pwn/pemu/wrapper.py b/0CTF/2018/Finals/pwn/pemu/wrapper.py
@@ -0,0 +1,12 @@
+#!/usr/bin/python -u
+import os
+import time
+from backports import tempfile
+time.sleep(1)
+dirname = os.path.abspath(os.path.dirname(__file__))
+pemu = os.path.join(dirname, "pemu", "loader")
+bin = os.path.join(dirname, "binary", "main")
+with tempfile.TemporaryDirectory() as tmp:
+    os.chdir(tmp)
+    os.system("%s %s" % (pemu, bin))
+
diff --git a/0CTF/2018/Finals/pwn/vtp/libc-2.23.so b/0CTF/2018/Finals/pwn/vtp/libc-2.23.so
diff --git a/0CTF/2018/Finals/pwn/vtp/vtp b/0CTF/2018/Finals/pwn/vtp/vtp
diff --git a/0CTF/2018/Quals/README.md b/0CTF/2018/Quals/README.md
@@ -0,0 +1 @@
+[CTFtime Page](https://ctftime.org/event/557)
diff --git a/0CTF/2018/Quals/pwn/BabyHeap/babyheap b/0CTF/2018/Quals/pwn/BabyHeap/babyheap
diff --git a/0CTF/2018/Quals/pwn/BabyHeap/libc.so.6 b/0CTF/2018/Quals/pwn/BabyHeap/libc.so.6
diff --git a/0CTF/2018/Quals/pwn/BabyStack/babystack b/0CTF/2018/Quals/pwn/BabyStack/babystack
diff --git a/0CTF/2018/Quals/pwn/BabyStack/coll.py b/0CTF/2018/Quals/pwn/BabyStack/coll.py
@@ -0,0 +1,7 @@
+import random, string, subprocess, os, sys
+from hashlib import sha256
+
+random_str=''
+for i in xrange (0,1000000000):
+	if (sha256(random_stra + str(i)).digest().startswith('\0\0\0')):
+		print "Index is = ",i,"Result is =", sha256(random_str + str(i)).hexdigest()
diff --git a/0CTF/2018/Quals/pwn/BabyStack/pow.py b/0CTF/2018/Quals/pwn/BabyStack/pow.py
@@ -0,0 +1,25 @@
+#!/usr/bin/python -u
+# encoding: utf-8
+
+import random, string, subprocess, os, sys
+from hashlib import sha256
+
+os.chdir(os.path.dirname(os.path.realpath(__file__)))
+
+def proof_of_work():
+    chal = ''.join(random.choice(string.letters+string.digits) for _ in xrange(16))
+    print chal
+    sol = sys.stdin.read(4)
+    if len(sol) != 4 or not sha256(chal + sol).digest().startswith('\0\0\0'):
+        exit()
+
+
+def exec_serv(name, payload):
+    p = subprocess.Popen(name, stdin=subprocess.PIPE, stdout=file('/dev/null','w'), stderr=subprocess.STDOUT)
+    p.stdin.write(payload)
+    p.wait()
+
+if __name__ == '__main__':
+    proof_of_work()
+    payload = sys.stdin.read(0x100)
+    exec_serv('./babystack', payload)
diff --git a/0CTF/2018/Quals/pwn/BlackHoleTheory/blackhole b/0CTF/2018/Quals/pwn/BlackHoleTheory/blackhole
diff --git a/0CTF/2018/Quals/pwn/BlackHoleTheory/libc.so.6 b/0CTF/2018/Quals/pwn/BlackHoleTheory/libc.so.6
diff --git a/0CTF/2018/Quals/pwn/BlackHoleTheory/pow.py b/0CTF/2018/Quals/pwn/BlackHoleTheory/pow.py
@@ -0,0 +1,24 @@
+#!/usr/bin/python -u
+# encoding: utf-8
+
+import random, string, subprocess, os, sys
+from hashlib import sha256
+
+os.chdir(os.path.dirname(os.path.realpath(__file__)))
+
+def proof_of_work():
+    chal = ''.join(random.choice(string.letters+string.digits) for _ in xrange(16))
+    print chal
+    sol = sys.stdin.read(4)
+    if len(sol) != 4 or not sha256(chal + sol).hexdigest().startswith('00000'):
+        exit()
+
+def exec_serv(name, payload):
+    p = subprocess.Popen(name, stdin=subprocess.PIPE, stdout=file('/dev/null','w'), stderr=subprocess.STDOUT)
+    p.stdin.write(payload)
+    p.wait()
+
+if __name__ == '__main__':
+    proof_of_work()
+    payload = sys.stdin.read(0x800)
+    exec_serv('./blackhole', payload)
diff --git a/0CTF/2018/Quals/pwn/HeapStormII/heapstorm2 b/0CTF/2018/Quals/pwn/HeapStormII/heapstorm2
diff --git a/0CTF/2018/Quals/pwn/HeapStormII/libc.so.6 b/0CTF/2018/Quals/pwn/HeapStormII/libc.so.6
diff --git a/0CTF/2018/Quals/pwn/HeapStormII/pow.py b/0CTF/2018/Quals/pwn/HeapStormII/pow.py
@@ -0,0 +1,18 @@
+#!/usr/bin/python -u
+# encoding: utf-8
+
+import random, string, os, sys
+from hashlib import sha256
+
+os.chdir(os.path.dirname(os.path.realpath(__file__)))
+
+def proof_of_work():
+    chal = ''.join(random.choice(string.letters+string.digits) for _ in xrange(16))
+    print chal
+    sol = sys.stdin.read(4)
+    if len(sol) != 4 or not sha256(chal + sol).digest().startswith('\0\0\0'):
+        exit()
+
+if __name__ == '__main__':
+    proof_of_work()
+    os.execv('./heapstorm2', ['./heapstorm2'])
diff --git a/0CTF/2018/Quals/pwn/MathGame/subtraction b/0CTF/2018/Quals/pwn/MathGame/subtraction
diff --git a/0CTF/2018/Quals/pwn/MightyDragon/balong b/0CTF/2018/Quals/pwn/MightyDragon/balong
diff --git a/0CTF/2018/Quals/pwn/MightyDragon/ld-linux-armhf.so.3 b/0CTF/2018/Quals/pwn/MightyDragon/ld-linux-armhf.so.3
diff --git a/0CTF/2018/Quals/pwn/MightyDragon/libc.so.6 b/0CTF/2018/Quals/pwn/MightyDragon/libc.so.6
diff --git a/0CTF/2018/Quals/pwn/Zer0FS/bzImage b/0CTF/2018/Quals/pwn/Zer0FS/bzImage
diff --git a/0CTF/2018/Quals/pwn/Zer0FS/rootfs.cpio b/0CTF/2018/Quals/pwn/Zer0FS/rootfs.cpio
diff --git a/0CTF/2018/Quals/pwn/Zer0FS/run.sh b/0CTF/2018/Quals/pwn/Zer0FS/run.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+stty intr ^]
+
+qemu-system-x86_64 -enable-kvm -cpu kvm64,+smep,+smap -m 64M -kernel ./bzImage -initrd ./rootfs.cpio -append "root=/dev/ram rw console=ttyS0 oops=panic panic=1 quiet kaslr" -monitor /dev/null -nographic 2>/dev/null
diff --git a/0CTF/2018/Quals/pwn/Zer0FS/zerofs.ko b/0CTF/2018/Quals/pwn/Zer0FS/zerofs.ko
diff --git a/0CTF/2019/Quals/README.md b/0CTF/2019/Quals/README.md
@@ -0,0 +1 @@
+[CTFtime Page](https://ctftime.org/event/736)
diff --git a/0CTF/2019/Quals/pwn/BabyHeap/babyheap b/0CTF/2019/Quals/pwn/BabyHeap/babyheap
diff --git a/0CTF/2019/Quals/pwn/BabyHeap/ld-2.28.so b/0CTF/2019/Quals/pwn/BabyHeap/ld-2.28.so
diff --git a/0CTF/2019/Quals/pwn/BabyHeap/libc-2.28.so b/0CTF/2019/Quals/pwn/BabyHeap/libc-2.28.so
diff --git a/0CTF/2019/Quals/pwn/If_on_a_winters_night_a_traveler/Dockerfile b/0CTF/2019/Quals/pwn/If_on_a_winters_night_a_traveler/Dockerfile
@@ -0,0 +1,22 @@
+FROM ubuntu:18.04
+
+RUN apt-get -y update
+RUN apt-get -y upgrade
+RUN apt-get install -y python xinetd
+RUN chmod 1733 /tmp /var/tmp /dev/shm
+
+RUN useradd -m calvino
+COPY vim /home/calvino/
+RUN chown root:calvino /home/calvino/vim
+RUN chmod 750 /home/calvino/vim
+COPY service.py /home/calvino/
+RUN chown root:calvino /home/calvino/service.py
+RUN chmod 750 /home/calvino/service.py
+COPY flag /flag
+COPY xinetd /etc/xinetd.d/xinetd
+RUN chown root:calvino /flag
+RUN chmod 440 /flag
+
+RUN service xinetd restart
+
+CMD ["/usr/sbin/xinetd", "-dontfork"]
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		main: main.c
		mipsel-linux-gnu-gcc main.c -fstack-protector-all -o main