Pwnable Writeups
My personal writeups for pwnable.kr.
Only Toddler's Bottle challenges are included ~~because I didn't solve the others yet~~ out of respect for Rule 3:
3. Challenges in Toddler's Bottle are allowed to freely post the solutions online. However, please refrain from posting solution for challenges in other categories. But if you insist, post easy ones (solved by many people) and do not spoil too much details for the sake of fun.
Disclaimer
All examples using python refer to versions 2.* of the language. Python 3.* won't work out-of-the-box because it separates text (str) from raw bytes: payloads written as "\x.." strings must become bytes literals, and raw bytes must be written with sys.stdout.buffer.write() instead of print, which would re-encode them as UTF-8.
Todo
- Do unlink and its writeup.
- Translate to Portuguese.
Tips
Suppose you are stuck but don't want to spoil all the fun.
Here are some quick tips that may help you along the way:
fd
Read wikipedia's article on file descriptors.
collision
Find values that add up to the hash value. Remember to input each value as little-endian bytes.
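As an added example (not part of the original writeups, and written for Python 3 rather than the Python 2 the disclaimer assumes), this shows the two things the disclaimer and the collision tip are about: splitting a target sum into words that wrap correctly in 32-bit arithmetic, packing them little-endian, and emitting the raw bytes through the binary stdout buffer. The target 0xDEADBEEF and the five-word layout are constructed for illustration, not the challenge's constants.

```python
import struct
import sys


def to_little_endian(words):
    """Pack 32-bit unsigned words as little-endian; on Python 3 this is bytes, not str."""
    return b"".join(struct.pack("<I", w) for w in words)


def split_sum(target, count=5):
    """Return `count` 32-bit words whose wraparound sum equals `target`.

    The first count-1 words are a fixed filler; the last one absorbs the
    remainder modulo 2**32 so the C-side sum lands exactly on `target`.
    A few fillers are tried so the packed payload has no NUL byte, which
    would truncate it when it travels as a C string.
    """
    mask = 0xFFFFFFFF
    for filler in (0x01010101, 0x02020202, 0x03030303, 0x05050505):
        words = [filler] * (count - 1) + [(target - filler * (count - 1)) & mask]
        if b"\x00" not in to_little_endian(words):
            return words
    raise ValueError("no NUL-free split found; try other fillers")


def sum_as_c_would(payload):
    """Re-read the payload the way C code does: consecutive little-endian
    32-bit ints, summed with wraparound."""
    words = struct.unpack("<%dI" % (len(payload) // 4), payload)
    return sum(words) & 0xFFFFFFFF


if __name__ == "__main__":
    target = 0xDEADBEEF          # constructed target, not the challenge's value
    payload = to_little_endian(split_sum(target))
    assert sum_as_c_would(payload) == target
    # Raw bytes must bypass the text layer: print() would try to encode them
    # and alter every byte in 0x80..0xff.
    sys.stdout.buffer.write(payload)
```

Pipe the script's output into the target (or capture it with $(...) when the value goes on the command line), and check first that none of the produced bytes is one the input path will drop, such as 0x00 or 0x0a.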
bof
Read about buffer overflows in the classic Smashing the Stack for Fun and Profit. Also, LiveOverflow's playlists are awesome.
flag
You can't reverse a packed binary as-is; unpack it first.
passcode
Read about the Procedure Linkage Table (PLT) and the Global Offset Table (GOT).
This article and this entry on exploit-db are also very enlightening.
random
Pseudo-random values need proper seeding; an unseeded or constant-seeded generator produces the same sequence on every run, so its output is predictable.
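To make the seeding point concrete, here is an added example (not from the original writeups) that drives the C library's own rand()/srand() from Python 3 via ctypes. It assumes a POSIX libc; the C standard guarantees that a program which never calls srand() behaves as if it had called srand(1), and the example checks exactly that, then shows that any guessable seed can be replayed.

```python
import ctypes
import ctypes.util

# Load the C library so we use the same rand()/srand() a C target would.
# Assumption: a POSIX libc (glibc, musl, macOS libSystem), not Windows.
_libc = ctypes.CDLL(ctypes.util.find_library("c") or None)
_libc.rand.restype = ctypes.c_int
_libc.srand.argtypes = [ctypes.c_uint]


def draw(count):
    """Return the next `count` values from libc's rand()."""
    return [_libc.rand() for _ in range(count)]


def unseeded_equals_srand1(count=8):
    """Call rand() before any srand() in this process, then compare with the
    sequence after srand(1). Returns (they_match, sequence)."""
    without_seed = draw(count)       # first use in this process: never seeded
    _libc.srand(1)
    with_seed_1 = draw(count)
    return without_seed == with_seed_1, with_seed_1


def reseed_reproduces(seed, count=8):
    """Any known seed (a timestamp, a PID, a constant) yields a sequence that
    an attacker can regenerate exactly."""
    _libc.srand(seed)
    first = draw(count)
    _libc.srand(seed)
    second = draw(count)
    return first == second


if __name__ == "__main__":
    same, seq = unseeded_equals_srand1()
    print("unseeded rand() == srand(1) sequence:", same, seq)
    print("srand(1337) replayable:", reseed_reproduces(1337))
```

The practical lesson is that "random" values derived from rand() without a secret seed are a constant of the binary: whatever the target computes, the same libc computes identically for the attacker.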
input
Read about command substitution, I/O redirection and netcat.
leg
Learn a bit about ARM to figure out the return values. Here's a great manual.
mistake
As the site says, read about C operator precedence to find out the mistake.
shellshock
Read wikipedia's article on shellshock.
coin1
Read about binary search (for the problem) and sockets (to programmatically interact with the game).
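An added example (not part of the original writeups) of the binary search the tip refers to, in Python 3: a single lighter coin among n is located by weighing half of the remaining candidates each round, so ceil(log2(n)) weighings suffice. The weigh step is a callback, backed here by a constructed offline oracle; the socket-backed variant at the end has the same shape, but its line-oriented wire format is an assumption for illustration and must be adapted to the real game's prompts.

```python
import socket

REAL, FAKE = 10, 9   # assumed weights: genuine coins weigh 10, the counterfeit 9


def find_counterfeit(n_coins, weigh, real_weight=REAL):
    """Locate the single lighter coin among n_coins with a binary search.

    `weigh(indexes)` must return the combined weight of the listed coins.
    Each query halves the candidate range. Returns (fake_index, n_queries).
    """
    lo, hi = 0, n_coins - 1
    queries = 0
    while lo < hi:
        mid = (lo + hi) // 2
        left_half = list(range(lo, mid + 1))
        queries += 1
        if weigh(left_half) == len(left_half) * real_weight:
            lo = mid + 1      # left half is all genuine: fake is on the right
        else:
            hi = mid          # total came up short: fake is in the left half
    return lo, queries


def make_local_oracle(n_coins, fake_index, real_weight=REAL, fake_weight=FAKE):
    """Constructed stand-in for the game server so the search runs offline."""
    def weigh(indexes):
        assert all(0 <= i < n_coins for i in indexes), "index out of range"
        return sum(fake_weight if i == fake_index else real_weight for i in indexes)
    return weigh


def make_socket_oracle(host, port):
    """Same callback shape, backed by a TCP connection.

    Assumed wire format: indexes space-separated on one line, the weight
    returned as a decimal on the next line. Read the real prompts and adapt.
    """
    sock = socket.create_connection((host, port))
    rfile = sock.makefile("rb")

    def weigh(indexes):
        sock.sendall((" ".join(str(i) for i in indexes) + "\n").encode())
        return int(rfile.readline().strip())   # bytes -> int on Python 3
    return weigh


if __name__ == "__main__":
    n = 100
    index, used = find_counterfeit(n, make_local_oracle(n, fake_index=73))
    print("fake coin at %d after %d weighings" % (index, used))
```

Because the range shrinks by half per query, 100 coins need at most 7 weighings; that bound, not the coin count, is what to compare against the number of chances the game gives you.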
blackjack
It's nothing fancy, just a common logic mistake. Try to trick the game.
lotto
It's nothing fancy, just a common logic mistake. Some very simple bruteforcing is needed (less than 50 tries).
cmd1
Read wikipedia's article on $PATH.
cmd2
Be creative with bash. There's more than one solution.
uaf
Read this beginner's guide on Use-After-Free and this whitepaper on Dangling Pointers.
codemap
Read about daehee's codemap plugin for IDA.
memcpy
Read about the MOVNTPS instruction and Alignment in C.
asm
Read about shellcode creation. If you feel you don't quite get the SmashTheStack article yet, read this newbie-friendly guide:
Writing 64-Bit Shellcode (Part 1) & Writing 64-Bit Shellcode (Part 2)
unlink
Watch LiveOverflow's videos on malloc()/free() & unlink() exploitation and read Exploiting the Heap.
Once upon a free() is also very informative.
Thanks
Special thanks to Ingrid Spangler for introducing me to this great hobby.