Multimaster Writeup
As usual, we start the enumeration with an Nmap scan to find open ports and the services running on them.
# Nmap 7.80 scan initiated Fri Sep 18 14:47:46 2020 as: nmap -sC -sV -oA nmap/tcp-initial -vv 10.
Oouch Writeup
Starting the recon with an Nmap scan to scan for ports and the services running on them
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 63 vsftpd 2.
Cascade Writeup
We start with an Nmap scan on the IP to scan TCP ports and the services running on them.
# Nmap 7.80 scan initiated Wed Apr 1 11:48:58 2020 as: nmap -sC -sV -oA nmap/tcp-initial -vv 10.
Challenge info
ret2win is the first challenge from ROP Emporium’s series of challenges for learning ROP. The objective of the challenge is to locate a method within the binary that you want to call and do so by overwriting a saved return address on the stack
Fuzzing and exploiting vulnserver TRUN command
It’s been a long time since I wrote a post now. Since the lockdown keeps extending, I decided to polish my skills of exploit development on Windows.
Luke
Recon
Nmap Scan
We begin our reconnaissance by running an Nmap scan checking default scripts and testing for vulnerabilities.
nmap -sC -sV -oA nmap/tcpInitial -vv 10.10.10.137
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 63 vsftpd 3.
Heap 0
Source code
The following is the source code for the Heap 0 challenge:

    #include <stdlib.h>
    #include <unistd.h>
    #include <string.h>
    #include <stdio.h>
    #include <sys/types.h>

    struct data {
      char name[64];
    };

    struct fp {
      int (*fp)();
    };

    void winner()
    {
      printf("level passed\n");
    }

    void nowinner()
    {
      printf("level has not been passed\n");
    }

    int main(int argc, char **argv)
    {
      struct data *d;
      struct fp *f;

      /* two consecutive heap allocations: the name buffer, then the function pointer */
      d = malloc(sizeof(struct data));
      f = malloc(sizeof(struct fp));
      f->fp = nowinner;

      printf("data is at %p, fp is at %p\n", d, f);

      /* intentionally vulnerable: unbounded copy into the 64-byte name buffer */
      strcpy(d->name, argv[1]);

      f->fp();
    }

Challenge
In this challenge we need to modify the f->fp pointer to call the winner function. On running the program, it outputs two addresses: one is of the data struct and the other is of the f struct. Clearly, we can exploit this challenge using a buffer overflow
Format 4
Source code
The following is the source code for the Format 4 challenge:

    #include <stdlib.h>
    #include <unistd.h>
    #include <stdio.h>
    #include <string.h>

    int target;

    void hello()
    {
      printf("code execution redirected! you win\n");
      _exit(1);
    }

    void vuln()
    {
      char buffer[512];

      fgets(buffer, sizeof(buffer), stdin);

      /* intentionally vulnerable: user input is passed as the format string */
      printf(buffer);

      exit(1);
    }

    int main(int argc, char **argv)
    {
      vuln();
    }

Challenge
In this challenge we need to execute the hello() function. We can do this by modifying our GLOBAL_OFFSET_TABLE, which we can do with an arbitrary memory write using the format string vulnerability, so first we need to find the address of exit() in the global offset table