diff --git a/README.md b/README.md index a1bfd80..7d74053 100644 --- a/README.md +++ b/README.md @@ -67,12 +67,16 @@ - [5.7 Capstone/Keystone](doc/5.7_cap-keystone.md) - [六、题解篇](doc/6_writeup.md) - - [6.1 pwn hctf2016 brop](doc/6.1_pwn_hctf2016_brop.md) - - [6.2 pwn njctf2017 pingme](doc/6.2_pwn_njctf2017_pingme.md) - - [6.3 pwn xdctf2015 pwn200](doc/6.3_pwn_xdctf2015_pwn200.md) - - [6.4 pwn njctf2017 233](doc/6.4_pwn_njctf2017_233.md) - - [6.5 pwn 0ctf2015 freenote](doc/6.5_pwn_0ctf2015_freenote.md) - - [6.6 re xhpctf2017 dont_panic](doc/6.6_re_xhpctf2017_dont_panic.md) + - pwn + - [6.1.1 pwn HCTF2016 brop](doc/6.1.1_pwn_hctf2016_brop.md) + - [6.1.2 pwn NJCTF2017 pingme](doc/6.1.2_pwn_njctf2017_pingme.md) + - [6.1.3 pwn XDCTF2015 pwn200](doc/6.1.3_pwn_xdctf2015_pwn200.md) + - [6.1.4 pwn BackdoorCTF2017 Fun-Signals](doc/6.1.4_pwn_backdoorctf2017_fun_signals.md) + - [6.1.5 pwn GreHackCTF2017 beerfighter](doc/6.1.5_pwn_grehackctf2017_beerfighter.md) + - [6.1.6 pwn DefconCTF2015 fuckup](doc/6.1.6_pwn_defconctf2015_fuckup.md) + - [6.1.7 pwn 0CTF2015 freenote](doc/6.1.7_pwn_0ctf2015_freenote.md) + - re + - [6.2.1 re XHPCTF2017 dont_panic](doc/6.2.1_re_xhpctf2017_dont_panic.md) - [七、附录](doc/7_appendix.md) - [7.1 更多 Linux 工具](doc/7.1_Linuxtools.md) @@ -80,7 +84,7 @@ - [7.3 更多资源](doc/7.3_books&blogs.md) - [7.4 习题 write-up](doc/7.4_writeup.md) - [7.5 Linux x86-64 系统调用表](doc/7.5_syscall.md) - - [7.6 PPT](doc/7.6_ppt.md) + - [7.6 幻灯片](doc/7.6_slides.md) 合作和贡献 diff --git a/SUMMARY.md b/SUMMARY.md index 568cf14..9245a60 100644 --- a/SUMMARY.md +++ b/SUMMARY.md 
@@ -63,16 +63,20 @@ * [5.6 LLVM](doc/5.6_llvm.md) * [5.7 Capstone/Keystone](doc/5.7_cap-keystone.md) * [六、题解篇](doc/6_writeup.md) - * [6.1 pwn hctf2016 brop](doc/6.1_pwn_hctf2016_brop.md) - * [6.2 pwn njctf2017 pingme](doc/6.2_pwn_njctf2017_pingme.md) - * [6.3 pwn xdctf2015 pwn200](doc/6.3_pwn_xdctf2015_pwn200.md) - * [6.4 pwn njctf2017 233](doc/6.4_pwn_njctf2017_233.md) - * [6.5 pwn 0ctf2015 freenote](doc/6.5_pwn_0ctf2015_freenote.md) - * [6.6 re xhpctf2017 dont_panic](doc/6.6_re_xhpctf2017_dont_panic.md) + * pwn + * [6.1.1 pwn HCTF2016 brop](doc/6.1.1_pwn_hctf2016_brop.md) + * [6.1.2 pwn NJCTF2017 pingme](doc/6.1.2_pwn_njctf2017_pingme.md) + * [6.1.3 pwn XDCTF2015 pwn200](doc/6.1.3_pwn_xdctf2015_pwn200.md) + * [6.1.4 pwn BackdoorCTF2017 Fun-Signals](doc/6.1.4_pwn_backdoorctf2017_fun_signals.md) + * [6.1.5 pwn GreHackCTF2017 beerfighter](doc/6.1.5_pwn_grehackctf2017_beerfighter.md) + * [6.1.6 pwn DefconCTF2015 fuckup](doc/6.1.6_pwn_defconctf2015_fuckup.md) + * [6.1.7 pwn 0CTF2015 freenote](doc/6.1.7_pwn_0ctf2015_freenote.md) + * re + * [6.2.1 re XHPCTF2017 dont_panic](doc/6.2.1_re_xhpctf2017_dont_panic.md) * [七、附录](doc/7_appendix.md) * [7.1 更多 Linux 工具](doc/7.1_Linuxtools.md) * [7.2 更多 Windows 工具](doc/7.2_wintools.md) * [7.3 更多资源](doc/7.3_books&blogs.md) * [7.4 习题 write-up](doc/7.4_writeup.md) * [7.5 Linux x86-64 系统调用表](doc/7.5_syscall.md) - * [7.6 PPT](doc/7.6_ppt.md) + * [7.6 幻灯片](doc/7.6_slides.md) diff --git a/doc/6.1_pwn_hctf2016_brop.md b/doc/6.1.1_pwn_hctf2016_brop.md similarity index 99% rename from doc/6.1_pwn_hctf2016_brop.md rename to doc/6.1.1_pwn_hctf2016_brop.md index 4e44168..23c6b3d 100644 --- a/doc/6.1_pwn_hctf2016_brop.md +++ b/doc/6.1.1_pwn_hctf2016_brop.md @@ -1,4 +1,4 @@ -# 6.1 pwn hctf2016 brop +# 6.1.1 pwn HCTF2016 brop - [题目复现](#题目复现) - [BROP 原理及题目解析](#brop-原理及题目解析) 
@@ -368,7 +368,7 @@ firmy ## Exploit -完整的 exp 如下,其他文件放在了[github](../src/writeup/6.1_pwn_hctf2016_brop)相应文件夹中: +完整的 exp 如下,其他文件放在了[github](../src/writeup/6.1.1_pwn_hctf2016_brop)相应文件夹中: ```python from pwn import * diff --git a/doc/6.2_pwn_njctf2017_pingme.md b/doc/6.1.2_pwn_njctf2017_pingme.md similarity index 97% rename from doc/6.2_pwn_njctf2017_pingme.md rename to doc/6.1.2_pwn_njctf2017_pingme.md index d697bb4..7a095cc 100644 --- a/doc/6.2_pwn_njctf2017_pingme.md +++ b/doc/6.1.2_pwn_njctf2017_pingme.md @@ -1,4 +1,4 @@ -# 6.2 pwn njctf2017 pingme +# 6.1.2 pwn NJCTF2017 pingme - [题目复现](#题目复现) - [Blind fmt 原理及题目解析](#blind-fmt-原理及题目解析) @@ -7,7 +7,7 @@ ## 题目复现 -在 6.1 中我们看到了 blind ROP,这一节中则将看到 blind fmt。它们的共同点是都没有二进制文件,只提供 ip 和端口。 +在 6.1.1 中我们看到了 blind ROP,这一节中则将看到 blind fmt。它们的共同点是都没有二进制文件,只提供 ip 和端口。 checksec 如下: ``` @@ -200,7 +200,7 @@ firmy ## Exploit -完整的 exp 如下,其他文件放在了[github](../src/writeup/6.2_pwn_njctf2017_pingme)相应文件夹中: +完整的 exp 如下,其他文件放在了[github](../src/writeup/6.1.2_pwn_njctf2017_pingme)相应文件夹中: ```python from pwn import * diff --git a/doc/6.3_pwn_xdctf2015_pwn200.md b/doc/6.1.3_pwn_xdctf2015_pwn200.md similarity index 99% rename from doc/6.3_pwn_xdctf2015_pwn200.md rename to doc/6.1.3_pwn_xdctf2015_pwn200.md index d7bdb8f..acd73ea 100644 --- a/doc/6.3_pwn_xdctf2015_pwn200.md +++ b/doc/6.1.3_pwn_xdctf2015_pwn200.md @@ -1,4 +1,4 @@ -# 6.3 pwn xdctf2015 pwn200 +# 6.1.3 pwn XDCTF2015 pwn200 - [题目复现](#题目复现) - [ret2dl-resolve 原理及题目解析](#ret2dlresolve-原理及题目解析) @@ -941,7 +941,7 @@ firmy ## Exploit -完整的 exp 如下,其他文件放在了[github](../src/writeup/6.2_pwn_xdctf2015_pwn200)相应文件夹中: +完整的 exp 如下,其他文件放在了[github](../src/writeup/6.1.3_pwn_xdctf2015_pwn200)相应文件夹中: ```python from pwn import * diff --git a/doc/6.4_pwn_njctf2017_233.md b/doc/6.1.4_pwn_backdoorctf2017_fun_signals.md similarity index 75% rename from doc/6.4_pwn_njctf2017_233.md rename to doc/6.1.4_pwn_backdoorctf2017_fun_signals.md index 7176fd4..c7d96d1 100644 --- a/doc/6.4_pwn_njctf2017_233.md 
+++ b/doc/6.1.4_pwn_backdoorctf2017_fun_signals.md @@ -1,31 +1,13 @@ -# 6.4 pwn njctf2017 233 +# 6.1.4 pwn BackdoorCTF2017 Fun-Signals -- [题目复现](#题目复现) -- [SROP 原理及题目解析](#srop-原理及题目解析) +- [SROP 原理](#srop-原理) - [Linux 系统调用](#Linux 系统调用) - [signal 机制](#signal-机制) - - [BackdoorCTF2017 Fun Signals](#backdoorctf2017-fun-signals) - - [njctf2017 233](#233) -- [Exploit](#exploit) +- [BackdoorCTF2017 Fun Signals](#backdoorctf2017-fun-signals) - [参考资料](#参考资料) -## 题目复现 -在 6.1 中我们看到了 blind ROP,这一节中再来看一种 ROP 技术,Sigreturn Oriented Programming。 - -checksec 如下: -``` -$ checksec -f 233 -RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE -Full RELRO No canary found NX enabled PIE enabled No RPATH No RUNPATH No 0 2 233 -``` -把程序运行起来: -``` -$ socat tcp4-listen:10001,reuseaddr,fork exec:./233 & -``` - - -## SROP 原理及题目解析 +## SROP 原理 #### Linux 系统调用 在开始这一切之前,我想先将一下 Linux 的系统调用。64 位和 32 位的系统调用表分别在 `/usr/include/asm/unistd_64.h` 和 `/usr/include/asm/unistd_32.h` 中,另外还需要查看 `/usr/include/bits/syscall.h`。 @@ -112,8 +94,9 @@ $ ldd /usr/bin/ls ``` 32 位程序则会显示 `linux-gate.so.1`,都是一个意思。 -#### BackdoorCTF2017 Fun Signals -我们先来看一个简单的例子,一个 64 位静态链接的 srop,可以说是什么都没开。。。 + +## BackdoorCTF2017 Fun Signals +这是一个 64 位静态链接的 srop,可以说是什么都没开。。。 ``` $ checksec -f funsignals_player_bin RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE 
@@ -185,40 +168,9 @@ fake_flag_here_as_original_is_at_server\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\ ``` 如果连接的是远程服务器,`fake_flag_here_as_original_is_at_server` 会被替换成真正的 flag。 -#### njctf2017 233 -这是一个 32 位的程序。 -``` -gdb-peda$ disassemble main -Dump of assembler code for function main: - 0x0000063b <+0>: push ebp - 0x0000063c <+1>: mov ebp,esp - 0x0000063e <+3>: push ebx - 0x0000063f <+4>: and esp,0xfffffff0 - 0x00000642 <+7>: sub esp,0x20 - 0x00000645 <+10>: call 0x510 <__x86.get_pc_thunk.bx> - 0x0000064a <+15>: add ebx,0x197e - 0x00000650 <+21>: mov DWORD PTR [esp+0x8],0x400 - 0x00000658 <+29>: lea eax,[esp+0x16] - 0x0000065c <+33>: mov DWORD PTR [esp+0x4],eax - 0x00000660 <+37>: mov DWORD PTR [esp],0x0 - 0x00000667 <+44>: call 0x480 - 0x0000066c <+49>: lea eax,[esp+0x16] - 0x00000670 <+53>: mov DWORD PTR [esp],eax - 0x00000673 <+56>: call 0x4c0 - 0x00000678 <+61>: mov ebx,DWORD PTR [ebp-0x4] - 0x0000067b <+64>: leave - 0x0000067c <+65>: ret -End of assembler dump. -``` -这个程序看起来很简单,就是使用 read 函数读取 `0x400` 个字节到 `[esp+0x16]` 的地方,然后将其传给 atoi。很明显的栈溢出: -``` -gdb-peda$ pattern_offset 0x41284141 -1093157185 found at offset: 22 -``` +其他文件放在了[github](../src/writeup/6.1.4_pwn_backdoorctf2017_fun_signals)相应文件夹中。 - -## Exploit -完整的 exp 如下,其他文件放在了[github](../src/writeup/6.4_pwn_njctf2017_233)相应文件夹中: +这一节我们详细介绍了 SROP 的原理,并展示了一个简单的例子,在后面的章节中,会展示其更复杂的运用,包扩结合 vDSO 的用法。 ## 参考资料 diff --git a/doc/6.1.5_pwn_grehackctf2017_beerfighter.md b/doc/6.1.5_pwn_grehackctf2017_beerfighter.md new file mode 100644 index 0000000..b788561 --- /dev/null +++ b/doc/6.1.5_pwn_grehackctf2017_beerfighter.md @@ -0,0 +1,6 @@ +# 6.1.5 pwn GreHackCTF2017 beerfighter + +- [题目解析](#题目解析) + + +## 题目解析 diff --git a/doc/6.1.6_pwn_defconctf2015_fuckup.md b/doc/6.1.6_pwn_defconctf2015_fuckup.md new file mode 100644 index 0000000..6703914 --- /dev/null +++ b/doc/6.1.6_pwn_defconctf2015_fuckup.md 
@@ -0,0 +1,15 @@ +# 6.1.6 pwn DefconCTF2015 fuckup + +- [ret2vdso 原理](#ret2vdso-原理) +- [题目解析](#题目解析) +- [Exploit](#exploit) +- [参考资料](#参考资料) + + +## ret2vdso 原理 + +## 题目解析 + +## Exploit + +## 参考资料 diff --git a/doc/6.1.7_pwn_0ctf2015_freenote.md b/doc/6.1.7_pwn_0ctf2015_freenote.md new file mode 100644 index 0000000..272a3a9 --- /dev/null +++ b/doc/6.1.7_pwn_0ctf2015_freenote.md @@ -0,0 +1 @@ +# 6.1.7 pwn 0CTF2015 freenote diff --git a/doc/6.6_re_xhpctf2017_dont_panic.md b/doc/6.2.1_re_xhpctf2017_dont_panic.md similarity index 99% rename from doc/6.6_re_xhpctf2017_dont_panic.md rename to doc/6.2.1_re_xhpctf2017_dont_panic.md index 61dc3ed..10bbe38 100644 --- a/doc/6.6_re_xhpctf2017_dont_panic.md +++ b/doc/6.2.1_re_xhpctf2017_dont_panic.md @@ -1,4 +1,4 @@ -# 6.6 re xhpctf2017 dont_panic +# 6.2.1 re xhpctf2017 dont_panic - [题目解析](#题目解析) - [参考资料](#参考资料) @@ -419,7 +419,7 @@ print("".join(flag)) 在最后一篇参考资料里,介绍了怎样还原 Go 二进制文件的函数名,这将大大简化我们的分析。 -另外所有文件放在了[github](../src/writeup/6.6_re_xhpctf2017_dont_panic)相应文件夹中。 +另外所有文件放在了[github](../src/writeup/6.2.1_re_xhpctf2017_dont_panic)相应文件夹中。 ## 参考资料 diff --git a/doc/6.5_pwn_0ctf2015_freenote.md b/doc/6.5_pwn_0ctf2015_freenote.md deleted file mode 100644 index f220569..0000000 --- a/doc/6.5_pwn_0ctf2015_freenote.md +++ /dev/null @@ -1 +0,0 @@ -# 6.5 pwn 0ctf2015 freenote diff --git a/doc/6_writeup.md b/doc/6_writeup.md index a0266c1..6590c60 100644 --- a/doc/6_writeup.md +++ b/doc/6_writeup.md 
@@ -1,8 +1,12 @@ # 第六章 题解篇 -- [6.1 pwn hctf2016 brop](./6.1_pwn_hctf2016_brop.md) -- [6.2 pwn njctf2017 pingme](./6.2_pwn_njctf2017_pingme.md) -- [6.3 pwn xdctf2015 pwn200](./6.3_pwn_xdctf2015_pwn200.md) -- [6.4 pwn njctf2017 233](./6.4_pwn_njctf2017_233.md) -- [6.5 pwn 0ctf2015 freenote](./6.5_pwn_0ctf2015_freenote.md) -- [6.6 re xhpctf2017 dont_panic](./6.6_re_xhpctf2017_dont_panic.md) +- pwn + - [6.1.1 pwn HCTF2016 brop](./6.1.1_pwn_hctf2016_brop.md) + - [6.1.2 pwn NJCTF2017 pingme](./6.1.2_pwn_njctf2017_pingme.md) + - [6.1.3 pwn XDCTF2015 pwn200](./6.1.3_pwn_xdctf2015_pwn200.md) + - [6.1.4 pwn BackdoorCTF2017 Fun-Signals](./6.1.4_pwn_backdoorctf2017_fun_signals.md) + - [6.1.5 pwn GreHackCTF2017 beerfighter](./6.1.5_pwn_grehackctf2017_beerfighter.md) + - [6.1.6 pwn DefconCTF2015 fuckup](./6.1.6_pwn_defconctf2015_fuckup.md) + - [6.1.7 pwn 0CTF2015 freenote](./6.1.7_pwn_0ctf2015_freenote.md) +- re + - [6.2.1 re XHPCTF2017 dont_panic](./6.2.1_re_xhpctf2017_dont_panic.md) diff --git a/doc/7.6_ppt.md b/doc/7.6_slides.md similarity index 90% rename from doc/7.6_ppt.md rename to doc/7.6_slides.md index a221f67..13ac3d6 100644 --- a/doc/7.6_ppt.md +++ b/doc/7.6_slides.md @@ -1,4 +1,4 @@ -# 7.6 PPT +# 7.6 幻灯片 这些是我在 XDSEC 做分享的 PPT,主要内容取自 CTF-All-In-One,可作为辅助学习。 diff --git a/doc/7_appendix.md b/doc/7_appendix.md index 0280ee2..32aad18 100644 --- a/doc/7_appendix.md +++ b/doc/7_appendix.md @@ -5,4 +5,4 @@ - [7.3 更多资源](doc/7.3_books&blogs.md) - [7.4 习题 write-up](doc/7.4_writeup.md) - [7.5 Linux x86-64 系统调用表](doc/7.5_syscall.md) -- [7.6 PPT](doc/7.6_ppt.md) +- [7.6 幻灯片](doc/7.6_slides.md) diff --git a/slides/01_fight-with-linux.pdf b/slides/01_fight-with-linux.pdf new file mode 100644 index 0000000..8f25cfb Binary files /dev/null and b/slides/01_fight-with-linux.pdf differ 
diff --git a/src/writeup/6.1_pwn_hctf2016_brop/a.out b/src/writeup/6.1.1_pwn_hctf2016_brop/a.out similarity index 100% rename from src/writeup/6.1_pwn_hctf2016_brop/a.out rename to src/writeup/6.1.1_pwn_hctf2016_brop/a.out diff --git a/src/writeup/6.1_pwn_hctf2016_brop/code.bin b/src/writeup/6.1.1_pwn_hctf2016_brop/code.bin similarity index 100% rename from src/writeup/6.1_pwn_hctf2016_brop/code.bin rename to src/writeup/6.1.1_pwn_hctf2016_brop/code.bin diff --git a/src/writeup/6.1_pwn_hctf2016_brop/exp.py b/src/writeup/6.1.1_pwn_hctf2016_brop/exp.py similarity index 100% rename from src/writeup/6.1_pwn_hctf2016_brop/exp.py rename to src/writeup/6.1.1_pwn_hctf2016_brop/exp.py diff --git a/src/writeup/6.1_pwn_hctf2016_brop/main.c b/src/writeup/6.1.1_pwn_hctf2016_brop/main.c similarity index 100% rename from src/writeup/6.1_pwn_hctf2016_brop/main.c rename to src/writeup/6.1.1_pwn_hctf2016_brop/main.c diff --git a/src/writeup/6.1_pwn_hctf2016_brop/run.sh b/src/writeup/6.1.1_pwn_hctf2016_brop/run.sh similarity index 100% rename from src/writeup/6.1_pwn_hctf2016_brop/run.sh rename to src/writeup/6.1.1_pwn_hctf2016_brop/run.sh diff --git a/src/writeup/6.2_pwn_njctf2017_pingme/code.bin b/src/writeup/6.1.2_pwn_njctf2017_pingme/code.bin similarity index 100% rename from src/writeup/6.2_pwn_njctf2017_pingme/code.bin rename to src/writeup/6.1.2_pwn_njctf2017_pingme/code.bin diff --git a/src/writeup/6.2_pwn_njctf2017_pingme/exp.py b/src/writeup/6.1.2_pwn_njctf2017_pingme/exp.py similarity index 100% rename from src/writeup/6.2_pwn_njctf2017_pingme/exp.py rename to src/writeup/6.1.2_pwn_njctf2017_pingme/exp.py diff --git a/src/writeup/6.2_pwn_njctf2017_pingme/pingme b/src/writeup/6.1.2_pwn_njctf2017_pingme/pingme similarity index 100% rename from src/writeup/6.2_pwn_njctf2017_pingme/pingme rename to src/writeup/6.1.2_pwn_njctf2017_pingme/pingme 
diff --git a/src/writeup/6.2_pwn_njctf2017_pingme/run.sh b/src/writeup/6.1.2_pwn_njctf2017_pingme/run.sh similarity index 100% rename from src/writeup/6.2_pwn_njctf2017_pingme/run.sh rename to src/writeup/6.1.2_pwn_njctf2017_pingme/run.sh diff --git a/src/writeup/6.3_pwn_xdctf2015_pwn200/a.out b/src/writeup/6.1.3_pwn_xdctf2015_pwn200/a.out similarity index 100% rename from src/writeup/6.3_pwn_xdctf2015_pwn200/a.out rename to src/writeup/6.1.3_pwn_xdctf2015_pwn200/a.out diff --git a/src/writeup/6.3_pwn_xdctf2015_pwn200/exp_use_dynelf.py b/src/writeup/6.1.3_pwn_xdctf2015_pwn200/exp_use_dynelf.py similarity index 100% rename from src/writeup/6.3_pwn_xdctf2015_pwn200/exp_use_dynelf.py rename to src/writeup/6.1.3_pwn_xdctf2015_pwn200/exp_use_dynelf.py diff --git a/src/writeup/6.3_pwn_xdctf2015_pwn200/exp_use_ret2dl-resolve.py b/src/writeup/6.1.3_pwn_xdctf2015_pwn200/exp_use_ret2dl-resolve.py similarity index 100% rename from src/writeup/6.3_pwn_xdctf2015_pwn200/exp_use_ret2dl-resolve.py rename to src/writeup/6.1.3_pwn_xdctf2015_pwn200/exp_use_ret2dl-resolve.py diff --git a/src/writeup/6.3_pwn_xdctf2015_pwn200/pwn200 b/src/writeup/6.1.3_pwn_xdctf2015_pwn200/pwn200 similarity index 100% rename from src/writeup/6.3_pwn_xdctf2015_pwn200/pwn200 rename to src/writeup/6.1.3_pwn_xdctf2015_pwn200/pwn200 diff --git a/src/writeup/6.3_pwn_xdctf2015_pwn200/pwn200.c b/src/writeup/6.1.3_pwn_xdctf2015_pwn200/pwn200.c similarity index 100% rename from src/writeup/6.3_pwn_xdctf2015_pwn200/pwn200.c rename to src/writeup/6.1.3_pwn_xdctf2015_pwn200/pwn200.c diff --git a/src/writeup/6.3_pwn_xdctf2015_pwn200/run.sh b/src/writeup/6.1.3_pwn_xdctf2015_pwn200/run.sh similarity index 100% rename from src/writeup/6.3_pwn_xdctf2015_pwn200/run.sh rename to src/writeup/6.1.3_pwn_xdctf2015_pwn200/run.sh 
diff --git a/src/writeup/6.4_pwn_njctf2017_233/exp_funsignals.py b/src/writeup/6.1.4_pwn_backdoorctf2017_fun_signals/exp.py similarity index 100% rename from src/writeup/6.4_pwn_njctf2017_233/exp_funsignals.py rename to src/writeup/6.1.4_pwn_backdoorctf2017_fun_signals/exp.py diff --git a/src/writeup/6.4_pwn_njctf2017_233/funsignals_player_bin b/src/writeup/6.1.4_pwn_backdoorctf2017_fun_signals/funsignals_player_bin similarity index 100% rename from src/writeup/6.4_pwn_njctf2017_233/funsignals_player_bin rename to src/writeup/6.1.4_pwn_backdoorctf2017_fun_signals/funsignals_player_bin diff --git a/src/writeup/6.1.6_pwn_defconctf2015_fuckup/fuckup b/src/writeup/6.1.6_pwn_defconctf2015_fuckup/fuckup new file mode 100644 index 0000000..cce4d58 Binary files /dev/null and b/src/writeup/6.1.6_pwn_defconctf2015_fuckup/fuckup differ diff --git a/src/writeup/6.1.7_pwn_0ctf2015_freenote/freenote b/src/writeup/6.1.7_pwn_0ctf2015_freenote/freenote new file mode 100755 index 0000000..dc42037 Binary files /dev/null and b/src/writeup/6.1.7_pwn_0ctf2015_freenote/freenote differ diff --git a/src/writeup/6.1.7_pwn_0ctf2015_freenote/libc.so.6_1 b/src/writeup/6.1.7_pwn_0ctf2015_freenote/libc.so.6_1 new file mode 100755 index 0000000..224f17b Binary files /dev/null and b/src/writeup/6.1.7_pwn_0ctf2015_freenote/libc.so.6_1 differ diff --git a/src/writeup/6.6_re_xhpctf2017_dont_panic/dont_panic b/src/writeup/6.2.1_re_xhpctf2017_dont_panic/dont_panic similarity index 100% rename from src/writeup/6.6_re_xhpctf2017_dont_panic/dont_panic rename to src/writeup/6.2.1_re_xhpctf2017_dont_panic/dont_panic diff --git a/src/writeup/6.6_re_xhpctf2017_dont_panic/dont_panic.cpp b/src/writeup/6.2.1_re_xhpctf2017_dont_panic/dont_panic.cpp similarity index 100% rename from src/writeup/6.6_re_xhpctf2017_dont_panic/dont_panic.cpp rename to src/writeup/6.2.1_re_xhpctf2017_dont_panic/dont_panic.cpp 
diff --git a/src/writeup/6.6_re_xhpctf2017_dont_panic/exp_gdb.py b/src/writeup/6.2.1_re_xhpctf2017_dont_panic/exp_gdb.py similarity index 100% rename from src/writeup/6.6_re_xhpctf2017_dont_panic/exp_gdb.py rename to src/writeup/6.2.1_re_xhpctf2017_dont_panic/exp_gdb.py diff --git a/src/writeup/6.6_re_xhpctf2017_dont_panic/exp_pin.py b/src/writeup/6.2.1_re_xhpctf2017_dont_panic/exp_pin.py similarity index 100% rename from src/writeup/6.6_re_xhpctf2017_dont_panic/exp_pin.py rename to src/writeup/6.2.1_re_xhpctf2017_dont_panic/exp_pin.py diff --git a/src/writeup/6.4_pwn_njctf2017_233/233 b/src/writeup/6.4_pwn_njctf2017_233/233 deleted file mode 100755 index 5a039dd..0000000 Binary files a/src/writeup/6.4_pwn_njctf2017_233/233 and /dev/null differ diff --git a/src/writeup/6.4_pwn_njctf2017_233/run.sh b/src/writeup/6.4_pwn_njctf2017_233/run.sh deleted file mode 100755 index 1cf8b02..0000000 --- a/src/writeup/6.4_pwn_njctf2017_233/run.sh +++ /dev/null @@ -1 +0,0 @@ -socat tcp4-listen:10001,reuseaddr,fork exec:./233 &
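Review bot: the closing sentence added to doc/6.1.4_pwn_backdoorctf2017_fun_signals.md has a typo, `包扩` should be `包括` (`…会展示其更复杂的运用,包括结合 vDSO 的用法`). Since the table of contents of that file is being rewritten in the same hunk, the unchanged entry `[Linux 系统调用](#Linux 系统调用)` is worth fixing too: its anchor contains a space and an uppercase letter, unlike the neighbouring `#signal-机制`, so `#linux-系统调用` would match the existing style.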
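Review bot: the new heading in doc/6.2.1_re_xhpctf2017_dont_panic.md is `# 6.2.1 re xhpctf2017 dont_panic`, but README.md, SUMMARY.md and doc/6_writeup.md in this patch list the same page as `6.2.1 re XHPCTF2017 dont_panic`, and the other renamed headings were upper-cased (HCTF2016, NJCTF2017, XDCTF2015). Suggest `# 6.2.1 re XHPCTF2017 dont_panic` so the page title matches its index entries.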
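Review bot: in doc/7_appendix.md the changed entry keeps the `doc/` prefix, `[7.6 幻灯片](doc/7.6_slides.md)`, although the file itself lives in doc/, so the relative link points at doc/doc/7.6_slides.md. doc/6_writeup.md in this same patch uses the `./6.1.1_…` form; suggest `./7.6_slides.md` here, and the unchanged 7.3 to 7.5 entries shown as context have the same prefix. Separately, doc/7.6_slides.md now has the title `7.6 幻灯片` while its first sentence still says PPT, which could be aligned in the same rename.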
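Review bot: src/writeup/6.1.6_pwn_defconctf2015_fuckup/fuckup is added with mode 100644, while the other challenge files added in this patch (freenote and libc.so.6_1 under 6.1.7) are 100755; if the write-up is meant to run the binary, add the executable bit for consistency. Also, doc/6.1.5_pwn_grehackctf2017_beerfighter.md and doc/6.1.6_pwn_defconctf2015_fuckup.md contain only headings yet are already linked from README.md, SUMMARY.md and doc/6_writeup.md, and no src/writeup/6.1.5_… directory is added for beerfighter. Consider marking these entries as work in progress in the indexes, or adding the links once the content lands.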