목록Pwnable (104)
Phantom
Look at Me
Source | Solve

Look at Me

Source

```
➜ pwnable git:(master) ✗ file lookatme
lookatme: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.32, BuildID[sha1]=d2a1b10d006e4d6c4e84305383b4dc86481d87da, not stripped
➜ pwnable git:(master) ✗ checksec --file lookatme
[*] '/home/ubuntu/CTF/hackctf/pwnable/lookatme'
    Arch:     i386-32-little
    RELRO:    Partial RELRO..
```
RTL_core
Source | Solve

RTL_core

Source

```
➜ RTLcore git:(master) ✗ checksec --file rtlcore
[*] '/home/ubuntu/CTF/hackctf/pwnable/RTLcore/rtlcore'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)
```

```c
ssize_t core()
{
  int buf; // [esp+Ah] [ebp-3Eh] BYREF
  int v2; // [esp+Eh] [ebp-3Ah] BYREF
  int v3; // [esp+38h] [ebp-10h]
  void *v4; // [esp+3Ch] [ebp-Ch]

  buf =..
```
rtl_world
Source | Solve

rtl_world

Source

```c
int Get_Money()
{
  int result; // eax
  int v1; // [esp+8h] [ebp-Ch]
  int v2; // [esp+Ch] [ebp-8h]
  int v3; // [esp+10h] [ebp-4h]

  puts("\nThis world is F*cking JabonJui");
  puts("1) Farming...");
  puts("2) Item selling...");
  puts("3) Hunting...");
  v3 = 0;
  v2 = rand();
  printf("(Job)>>> ");
  __isoc99_scanf("%d", &v1);
  result = v1;
  if ( v1 == 2 )
  {
    puts("\nItem selling.....
```
yes_or_no
Source | Solve

yes_or_no

Source

```c
int __cdecl main(int argc, const char **argv, const char **envp)
{
  int v3; // eax
  int v4; // eax
  int v5; // ecx
  int v6; // eax
  int v7; // eax
  char s[10]; // [rsp+Eh] [rbp-12h]
  int v10; // [rsp+18h] [rbp-8h]
  int v11; // [rsp+1Ch] [rbp-4h]

  setvbuf(stdout, 0LL, 2, 0LL);
  v11 = 5;
  puts("Show me your number~!");
  fgets(s, 10, stdin);
  v10 = atoi(s);
  if ( (v11 - 10) >> ..
```
Offset
Source | Solve

Offset

Source

```c
int print_flag()
{
  char i; // al
  FILE *fp; // [esp+Ch] [ebp-Ch]

  puts("This function is still under development.");
  fp = fopen("flag.txt", "r");
  for ( i = _IO_getc(fp); i != -1; i = _IO_getc(fp) )
    putchar(i);
  return putchar(10);
}

int two()
{
  return puts("This is function two!");
}

int one()
{
  return puts("This is function one!");
}

int __cdecl select_func(char *src) ..
```
bof_pie
Source | Solve

bof_pie

Source

```c
void j0n9hyun()
{
  char s; // [esp+4h] [ebp-34h]
  FILE *stream; // [esp+2Ch] [ebp-Ch]

  puts("ha-wi");
  stream = fopen("flag", "r");
  if ( stream )
  {
    fgets(&s, 40, stream);
    fclose(stream);
    puts(&s);
  }
  else
  {
    perror("flag");
  }
}

int welcome()
{
  char v1[12]; // [esp+6h] [ebp-12h]

  setvbuf(stdin, 0, 2, 0);
  setvbuf(stdout, 0, 2, 0);
  puts("Hello, Do you know j0n9hyun?");
  print..
```
x64 Buffer Overflow
Source | Solve

x64 Buffer Overflow

Source

```c
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char s[268]; // [rsp+10h] [rbp-110h]
  int v5; // [rsp+11Ch] [rbp-4h]

  _isoc99_scanf("%s", s, envp);
  v5 = strlen(s);
  printf("Hello %s\n", s);
  return 0;
}
```

Note: `%s` carries no field width, so the input length is unbounded against the 268-byte `s`; a width (`%267s`) or `fgets` bounds it.

Solve

```python
from pwn import *
#context.log_level = 'DEBUG'
e = ELF("./64bof_basic")
#p = process("./64bof_basic")
r = remote("ctf.j0n..
```
Simple_overflow_ver_2
Source | Solve

Simple_overflow_ver_2

Source

```c
int __cdecl main(int argc, const char **argv, const char **envp)
{
  size_t v3; // ebx
  char v5; // [esp+13h] [ebp-89h]
  char s[128]; // [esp+14h] [ebp-88h]
  int i; // [esp+94h] [ebp-8h]

  setvbuf(stdout, 0, 2, 0);
  v5 = 'y';
  do
  {
    printf("Data : ");
    if ( __isoc99_scanf(" %[^\n]s", s) )
    {
      for ( i = 0; ; ++i )
      {
        v3 = i;
        if ( v3 >= strlen(s) )
          brea..
```

Note: the `%[^\n]` conversion has no field width, so a line longer than the 128-byte `s` is written past the end of the buffer; `%127[^\n]` or `fgets` bounds it.
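x64 Simple_size_BOF
Source | Solve

x64 Simple_size_BOF

Source

```c
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char v4[27952]; // [rsp+0h] [rbp-6D30h]

  setvbuf(_bss_start, 0LL, 2, 0LL);
  puts(s);
  printf("buf: %p\n", v4);
  gets(v4);
  return 0;
}
```

Note: `gets()` cannot be given a length, so input is unbounded against `v4`, and the `%p` line prints the buffer's stack address; `fgets(v4, sizeof v4, stdin)` bounds the read.

Solve

```python
from pwn import *
#context.log_level = 'DEBUG'
context.arch = 'amd64'
e = ELF("./Simple_size_bof")
p = process("./Simple_size_bof")
#r = remot..
```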
내 버퍼가 흘러넘친다!!!
Source | Solve

내 버퍼가 흘러넘친다!!!

Source

```c
char name[50];

int __cdecl main(int argc, const char **argv, const char **envp)
{
  char s[20]; // [esp+0h] [ebp-14h]

  setvbuf(stdout, 0, 2, 0);
  printf("Name : ");
  read(0, &name, 50u);
  printf("input : ");
  gets(s);
  return 0;
}
```

Note: `read()` is capped at the 50 bytes of `name`, but `gets(s)` has no limit against the 20-byte `s`; `fgets(s, sizeof s, stdin)` bounds it.

Solve

```python
from pwn import *
#context.log_level = 'DEBUG'
e = ELF("./prob1")
#p = process("./prob1")
r = remote("ctf.j0n9hyun.xyz", 3003)..
```