Nguyen Van Chung

Welcome to my blog. Today, I will write up for SHA2017 CTF. In here, I write for Pwn 200 This source file: FILE System is running Ubuntu 16.04, ASLR is disabled. nc megan35.stillhackinganyway.nl 3535 int __cdecl main(int a1) { const char *v1; // eax@1 int v2; // edx@1 char s; // [sp+0h] [bp-21Ch]@1 char dest; // [sp+100h] [bp-11Ch]@1 int v6; // [sp+200h] [bp-1Ch]@1 int *v7; // [sp+214h] [bp-8h]@1 v7 = &a1; v6 = *MK_FP(__GS__, 20); puts("Decrypt your text with the MEGAN-35 encryption."); fflush(stdout); fgets(&s, 0xFF, stdin); v1 = sub_804866B(&s, strlen(&s)); strcpy(&dest, v1); printf(&dest); v2 = *MK_FP(__GS__, 20) ^ v6; return 0; } In challenge input one megan-35 encode, program decode and print decoded text. We can leak in  printf(&dest);  by format string. First, I had source encode megan-35.py : import base64, sys megan35 = "3GHIJKLMNOPQRSTUb=cdefghijklmnopWXYZ/12+406789VaqrstuvwxyzABC...

Welcome to my blog. Today, I will write up for SHA2017 CTF. First, write for Crypto 200: The challenge give me source code: source If we want to get flag we must send to server signed of text start with ' ' ticket:admin|root|'  : if ticket.startswith('ticket:admin|root|'): self.request.sendall("Here you go!\n") self.request.sendall(flag + "\n") break else: self.request.sendall("Sorry that function is only available to admin user root\n") In the server provide 3 services: Welcome to the secure login server, make your choice from the following options: 1. Register yourself as a user. 2. Collect flag 3. Sign a message 4. Exit In the "Sign a message": We send to server one text in hex format, and server send to our sign of this text pading one more '\xff' in the beginning of text. We know  $a^d*b^d  =  (a*b)^d$ then i had a good idea: If we have some text start with '\xff' and multip...