문제 I made a simple brain-fuck language emulation program written in C. The commands are not implemented yet. However the rest functionality seems working fine. Find a bug and exploit it to get a shell. Download : http://pwnable.kr/bin/bf Download : http://pwnable.kr/bin/bf_libc.so Running at : nc pwnable.kr 9001 풀이 문제를 해석해보면, 간단한 brain-fuck 언어 에뮬레이션 프로그램을 C언어로 작성하였는데, [ ]안에 들어갈 명령어를 아직 구현하지 못했다고..
문제 Voldemort concealed his splitted soul inside 7 horcruxes. Find all horcruxes, and ROP it! author: jiwon choi ssh horcruxes@pwnable.kr -p2222 (pw:guest) 풀이 ROP 문제라고 대 놓고 문제에서 알려주네요 우선 바이너리를 가져와 IDA로 열어봅시다. int __cdecl main(int argc, const char **argv, const char **envp) { int v3; // ST18_4@1 setvbuf(stdout, 0, 2, 0); setvbuf(stdin, 0, 2, 0); alarm(0x3Cu); hint(); init_ABCDEFG(); v3 = seccomp_i..
문제 Sometimes, pwnable is strange... hint: if this challenge is hard, you are a skilled player. ssh blukat@pwnable.kr -p2222 (pw: guest) 풀이 blukat@ubuntu:~$ ls blukat blukat.c password blukat@ubuntu:~$ cat password cat: password: Permission denied blukat@ubuntu:~$ cat: password: Permission denied.....? 뭔가 이상합니다. 그대로 입력해볼까요? blukat@ubuntu:~$ ./blukat guess the password! cat: password: Permission d..
문제 Daddy! how can I exploit unlink corruption? ssh unlink@pwnable.kr -p2222 (pw: guest) 풀이 unlink@ubuntu:~$ ls flag intended_solution.txt unlink unlink.c unlink@ubuntu:~$ cat intended_solution.txt cat: intended_solution.txt: Permission denied #include #include #include typedef struct tagOBJ{ struct tagOBJ* fd; struct tagOBJ* bk; char buf[8]; }OBJ; void shell(){ system("/bin/sh"); } void unlink(O..
문제 Mommy! I think I know how to make shellcodes ssh asm@pwnable.kr -p2222 (pw: guest) 풀이 asm@pwnable:~$ ls -al total 48 drwxr-x--- 5 root asm 4096 Jan 2 2017 . drwxr-xr-x 116 root root 4096 Nov 11 2021 .. -rwxr-xr-x 1 root root 13704 Nov 29 2016 asm -rw-r--r-- 1 root root 1793 Nov 29 2016 asm.c d--------- 2 root root 4096 Nov 19 2016 .bash_history dr-xr-xr-x 2 root root 4096 Nov 25 2016 .irssi d..
문제 Are you tired of hacking?, take some rest here. Just help me out with my small experiment regarding memcpy performance. after that, flag is yours. http://pwnable.kr/bin/memcpy.c ssh memcpy@pwnable.kr -p2222 (pw:guest) 풀이 // compiled with : gcc -o memcpy memcpy.c -m32 -lm #include #include #include #include #include #include #include unsigned long long rdtsc(){ asm("rdtsc"); } char* slow_memcp..
문제 Mommy, what is Use After Free bug? ssh uaf@pwnable.kr -p2222 (pw:guest) 풀이 #include #include #include #include #include using namespace std; class Human{ private: virtual void give_shell(){ system("/bin/sh"); } protected: int age; string name; public: virtual void introduce(){ cout
문제 Daddy bought me a system command shell. but he put some filters to prevent me from playing with it without his permission... but I wanna play anytime I want! ssh cmd2@pwnable.kr -p2222 (pw:flag of cmd1) 풀이 #include int filter(char* cmd){ int r=0; r += strstr(cmd, "=")!=0; r += strstr(cmd, "PATH")!=0; r += strstr(cmd, "export")!=0; r += strstr(cmd, "/")!=0; r += strstr(cmd, "`")!=0; r += strst..
문제 Mommy! what is PATH environment in Linux? ssh cmd1@pwnable.kr -p2222 (pw:guest) 풀이 #include #include int filter(char* cmd){ int r=0; r += strstr(cmd, "flag")!=0; r += strstr(cmd, "sh")!=0; r += strstr(cmd, "tmp")!=0; return r; } int main(int argc, char* argv[], char** envp){ putenv("PATH=/thankyouverymuch"); if(filter(argv[1])) return 0; system( argv[1] ); return 0; } strstr 함수를 사용하여 flag, sh..
문제 Mommy! I made a lotto program for my homework. do you want to play? ssh lotto@pwnable.kr -p2222 (pw:guest) 풀이 ```c #include #include #include #include unsigned char submit[6]; void play() { int i; printf("Submit your 6 lotto bytes : "); fflush(stdout); int r; r = read(0, submit, 6); printf("Lotto Start!\n"); // sleep(1); // generate lotto numbers int fd = open("/dev/urandom", O_RDONLY); if (f..