ctfs | Writeups and solutions to CTF tasks | Hacking library

I am beginning to solve programming CTFs in Python when I came accross a challenge for automating math calculations to get the flag.

The source code of the welcoming page looks like this:

begin TLDR;

I want to write a python3 script to scan through the memory of a running windows process and find strings.

end TLDR;

This is for a CTF binary. It's a typical Windows x86 PE file. The goal is simply to get a flag from the processes memory as it runs. This is easy with ProcessHacker you can search through the strings in the memory of the running application and find the flag with a regex. Now because I'm a masochistic geek I strive to script out solutions for CTFs (for everything really). Specifically I want to use python3, C# is also an option but would really like to keep all of the solution scripts in python.

Thought this would be a very simple task. You know... pip install some library written by someone that's already solved the problem and use it. Couldn't find anything that would let me do what I need for this task. Here are the libraries I tried out already.

• ctypes - This was the first one I used, specifically ReadProcessMemory. Kept getting 299 errors which was because the buffer I was passing in was larger than that section of memory so I made a recursive function that would catch that exception, divide the buffer length by 2 until it got something THEN would read one byte at a time until it hit a 299 error. May have been on the right track there but I wasn't able to get the flag. I WAS able to find the flag only if I knew the exact address of the flag (which I'd get from process hacker). I may make a separate question on SO to address that, this one is really just me asking the community if something already exists before diving into this.

• pymem - A nice wrapper for ctypes but had the same issues as above.

• winappdbg - python2.x only. I don't want to use python 2.x.

• haystack - Looks like this depends on winappdbg which depends on python 2.x.

• angr - This is a possibility, Only scratched the surface with it so far. Looks complicated and it's on the to learn list but don't want to dive into something right now that's not going to solve the issue.

• volatility - Looks like this is meant for working with full RAM dumps not for hooking into currently running processes and reading the memory.

My plan at the moment is to dive a bit more into angr to see if that will work, go back to pymem/ctypes and try more things. If all else fails ProcessHacker IS opensource. I'm not fluent in C so it'll take time to figure out how they're doing it. Really hoping there's some python3 library I'm missing or maybe I'm going about this the wrong way.

Im having issues parsing out each child node within an xml file. The number of nodes can change per Instrument_Root. For instance, Instrument_Watch is NULL here, but will be populated in other instances after this. My goal is to have each child node parsed individually (Instrument_Ratings, Instrument_Attribute_Ratings, Instrument_Organization, Instrument_Supports, etc.)

I tried doing the following, but it just returned the first intance repeatedly - there are 3700 Instrument_Root in the file, and Instrument_Rating for this one Instrument_Root was repeated 3700 times. I also ran into errors with etree due to the namespace.

I'm planning to use GitHub pages to create a blog, including writeups of CTFs. Due to the terms of these, the writeups cannot be released until a specific date. I'm planning to have a master branch that is the one published on the site, but I'd also like an offline branch containing unpublished writeups, which should never touch the remote until merged into master. Is there a way to do this using Git/GitHub?

So I'm trying to get into CTFs and the first one I'm doing is the picoCTF 2019. I used gawk and strtonum() to solve one of the problems. Basically, I had to look at this output:

Pwn - I know that this is a category in CTFs in which you exploit a server to find the flag.

there is a library called pwntools, it's a CTF framework and exploit development library in python.

What I can't understand is why is it called "PWN" and is it an abbreviation?

pwn is also owning/dominating someone, but does this definition fit?

Thanks for helping ^^

I'm doing one of overthewire's CTFs, this challenge requires sending some characters that are hard to copy and paste into the process narnia0. Inside that process, a system call to /bin/sh is made, but because the standard output of xxd is redirected to the standard input of narnia0, I'm not able to make use of the shell.

How do I get around this? How do I reattach narnia0 standard input to my terminal's standard output after the standard output of xxd is consumed (or the process ends)?

This is the shell code:

echo 3030303030303030303030303030303030303030efbeadde | xxd -r -p | ./narnia0

Edit

Here's a quick example:

Example.c

I have the following make file:

I'm trying trying to do a pwn challenge, where you connect with nc to the remote server and this execute a vulnerable ELF file (With a buffer overflow). The problem that I'm having is that I only receive the output from the server side and the input from the client side with the following code: nc -l | ./script

Also I tried: ncat -l --exec "./script" In this last case when I do the Buffer Overflow, It doesn't give me any response.

And, other problem with both codes is that when my script for example prints "Give me a word", this print is showed when the execution of the script was finished. I put the word and then the script shows all the prints of the program.

Best regards.

PD: An example of what I'm trying to do - hxxps://github.com/ctfs/write-ups-2015/tree/master/csaw-ctf-2015/pwn/precision-100