From 2fdd355b01c4bc7ed7c74dc12f64864573a641cc Mon Sep 17 00:00:00 2001 From: h7x4 Date: Tue, 3 Sep 2024 19:59:34 +0200 Subject: [PATCH] pwn/format_string_0 --- pwn/format_string_0/format-string-0 | Bin 0 -> 16632 bytes pwn/format_string_0/format-string-0.c | 101 ++++++++++++++++++++++++++ pwn/format_string_0/output.txt | 8 ++ 3 files changed, 109 insertions(+) create mode 100755 pwn/format_string_0/format-string-0 create mode 100644 pwn/format_string_0/format-string-0.c create mode 100644 pwn/format_string_0/output.txt diff --git a/pwn/format_string_0/format-string-0 b/pwn/format_string_0/format-string-0 new file mode 100755 index 0000000000000000000000000000000000000000..a2905dfbdd61c30009a90bbf661fb0938f8e291f GIT binary patch literal 16632 zcmb<-^>JfjWMqH=CI&kO5O0E@16T+`GB8+Jg1KPAfx&`-m%)KSo%On}icP<1dG^?~hE0BL4mU{HYSgVG96eJ~nXA1G`D z^dR~K>>&DJbOAJ6EVwfBJ3vCgPfJojY*OtDfa+VJ3^Ij*VTCdzTwrtvM3@0a zgX{na1wJiF0fh^QO$>%ba}d-%T=DP$8lEs3%4N{c$xJdc(a%ZI&B@Fwtu6KObrk|%sh~s2m=E+-GkH@d+@fbU|YBM zZd-yH=bzOIK_`9*gVccB4blTr1F{HY9w<$K*dPpI^D!`h^C&z#7zG$WVjy`<*&bMy z0dX-fD0>KDh%zvkFfcG+6A#BBo`yplEs-5q-PFi8R?nA*~TUe z@$u=o`FT(W#e)KpiGdjjGD6ubU>cO3m>F^z7+}Q^gLq~pF9QP$LpfBeR4S7blzJPX z{4Eowu`w_(G4z6rW?*3WU=IlwP?`j#0jMy;4mV@@RzMO5kQfL%Ac=$Q28n^N2a-4^ zNC1ihki@y5VjwC4Nt_!b0L2MN;yh3>5S4)>&I=M4#iJoG8UmvsFd71*Aut*Oqai@! z5cte5_sgUC4TncJ>q~tG29MSQB~1S>cr+j3I1IM=zv&}=28K`nRUhj!F!0MWfYfJz zWInxo`2YX^31B{`!T0IqMK~YSaQpP~Ae;|suzh;D5zYrS)IPmj2G8|AfMNmcpTh|5gdLy`iia(TED_!TQUZ!n&ix>P{}0k8 z98N~Zq^673=AHf$6w6&_y7NXP#Sx2?%)6aNO}!CI%{8ebe2Bo483#Q^$*CmuT8sM z|9H&s=oL8%;(BzuKJZ|?;L$DM(e3)eqw^ZbJdJ<<|F<3}W#0iZ^R-~J>mSB$*FV;- zcWMrU?LT=K$qt3i+BYC8_VFq>Fzn}7aA0@=((lpf`op8S_6I|$@-7Jl2ZntHAn8=N z7nc0}|9?No1uvw)o^k!*(RpYesE@QC@BjZE%|`@0x>>7rAc1TQ66$rm;L&+(|2DWn zUy$f=*9|)r9T+^0yY4szp%2^y(Y?MKJbGO(>;h$PkIr+TppAzFt@Qq9iVh4f>i>Y_ zQ37hkg+KrQzxD%Z@ql@(_7BL*f0}FmIMnfg{q+LW(|)b7i$lqQVV|**1H*nFC784Q zA?BUXhB&$5&;S1uP{P3h90nN{%AkM%1%cy^2qg!Goimgi7y1#J|7c z0Z{}sRSRTEuj>QUfN%kc9(O%ZpbQR(6O9o1!Xyyg>wCbX*YyE%K!p7Tr!i(L^X;>Ltr!nMnhmU1V%$( zGz3ONU^E0qLx8*xUgs0|!Y*#4BSI93dQpig! z&#BY}P5z~(K$R&JiO z2KiMXzqCYAlYxODxFA0-JypReKM5L9NbV^uDN0OF%`XK-abk%=d46e5ib4`7VZqI1 z@XIe(NQTBG*Z~l!)a3lU6nJdfGq~sHrzm9QCnxsj4OU@d5coCHYCIIXU?{3M%=fB^l+ZNGaPnCsDOHGZ~b!Rf|=NOHvcF zG4wH@Yh%Esi-Cbrn%Nq(CIU3nRq^Kkf6)B6#oPb?4=^w=ym&Ab2qL8C(F z-u?f71C*!V|NsAmfq^0K{r~?Wj0_CIAO8P0VPs&C{`miY2x#nsfq?g17(wtAP}_unU0JCV{bgU;wQRx$zp} z76v{6H$Dk3e(rLP1_pa6D=lLcC6GFhJvj^v3B*bfu;fbwDP_JFDbwa-CJ znEn6$L;S-5RsSE#hlT40DE|f2e;~c|#ISYc=yn=F0I3CGd8jx8G+%(kKp3APh)Q4ka5M_X+e~=gmS3}K*#0Qp27U(E{vUAPpMimap9y>T zD}%-P88$)l1-PHiz`&r*1R6s?td|G55roa5>OqTHKzwk&oq>VD1}qK|LB)PJ#M8mz z{0xUhAn6(0e`jD|CUYEf!>W^qYsQG7{md~!~HUMgrSK}vpndQN^)VorQYNq$jrd}3(@Lvns@ zK~8E(YKoo#Lwr0I74d1Ad71HvMMa5~@u_(wMU@O`MTxno@hPRbxs?p@@kqS*%)HDJ zRHgYvxrrsZ#U(|VdFi?addUp&@oqtmzOM1EelGFx4Dl|JevZDL&J6MK?tY>1t{zZX z50@Z@cy}LvCr6)ne>b;a*O2%SM<*ZGc+3qE4zMi?#wHBKC7^u}a1qef1<;-d6oL5E zl*E!m2C%mf+aXYtKz2o-2!VHFpoqlBgUo?!gn(|!K#_-R&_EGF+dB~-pHiG3pOKiC zl9S31@97_3T#}NR7hhVOngZR$fvP(-FNGmKB`3ZpH77qgu_P5_cS&Y)d_iU^Y<~xe zhWxzv+|;~MhWPlT;$o2Eq7nx1783BL5fr7UyG7tq<_zE=&iJJKB!<+A%o4Z+C}iW~ zLwuc~@dz5OhpH`r423g*69Z_QN^xp>8Pu0W3=De3mANH}Nep_$B}EWA1IEe(4NMm> z=;h^?r0S*TmFg7~&g$xV~ptd|rKdk-!0;*pQsu1RWm^v6;$H2e<>KnlLu>JuD zR0E{efy5EWZkYR_#xj8RU4gpG&@ zQ2n5BeXv3(0TqVtPXomdC|p4911Wg`)&Bsh5P6OPBo7sa>j%jr>xZ>>CJ2I5GcfR> zIT)rNBFn(A4bAhN(w0j$sc}KP>(b`-&ktmO;}oga_%zz}O)A2%3J_ z{#n?*T2Ma&qz;DB?Z1SkpFsth;-DE%0Tehe%}D)sn9v>2ybLrCfy7|_6WBgmSb71; zfiR2@qhEm9lt}tv{UHg^BrF#DVESM*XkH5x_po4s^;2N`ra|pwkiDS%529iEVDb1D z>VKGi*#5;2`XJSywkw2&kud!*nu!s#XA-m{5~>2$zJ?aOp!qnc448uHgVEe*`eFTu z0;qnNJHeWpa~Atp9b|wVg81dADl>W57r1J5=?1jjJ`i@9p4-;fyU=X)} LaOBZ6pm7-h*ldZy literal 0 HcmV?d00001 diff --git a/pwn/format_string_0/format-string-0.c b/pwn/format_string_0/format-string-0.c new file mode 100644 index 0000000..4fa327c --- /dev/null +++ b/pwn/format_string_0/format-string-0.c @@ -0,0 +1,101 @@ +#include +#include +#include +#include +#include +#include + +#define BUFSIZE 32 +#define FLAGSIZE 64 + +char flag[FLAGSIZE]; + +void sigsegv_handler(int sig) { + printf("\n%s\n", flag); + fflush(stdout); + exit(1); +} + +int on_menu(char *burger, char *menu[], int count) { + for (int i = 0; i < count; i++) { + if (strcmp(burger, menu[i]) == 0) + return 1; + } + return 0; +} + +void serve_patrick(); + +void serve_bob(); + + +int main(int argc, char **argv){ + FILE *f = fopen("flag.txt", "r"); + if (f == NULL) { + printf("%s %s", "Please create 'flag.txt' in this directory with your", + "own debugging flag.\n"); + exit(0); + } + + fgets(flag, FLAGSIZE, f); + signal(SIGSEGV, sigsegv_handler); + + gid_t gid = getegid(); + setresgid(gid, gid, gid); + + serve_patrick(); + + return 0; +} + +void serve_patrick() { + printf("%s %s\n%s\n%s %s\n%s", + "Welcome to our newly-opened burger place Pico 'n Patty!", + "Can you help the picky customers find their favorite burger?", + "Here comes the first customer Patrick who wants a giant bite.", + "Please choose from the following burgers:", + "Breakf@st_Burger, Gr%114d_Cheese, Bac0n_D3luxe", + "Enter your recommendation: "); + fflush(stdout); + + char choice1[BUFSIZE]; + scanf("%s", choice1); + char *menu1[3] = {"Breakf@st_Burger", "Gr%114d_Cheese", "Bac0n_D3luxe"}; + if (!on_menu(choice1, menu1, 3)) { + printf("%s", "There is no such burger yet!\n"); + fflush(stdout); + } else { + int count = printf(choice1); + if (count > 2 * BUFSIZE) { + serve_bob(); + } else { + printf("%s\n%s\n", + "Patrick is still hungry!", + "Try to serve him something of larger size!"); + fflush(stdout); + } + } +} + +void serve_bob() { + printf("\n%s %s\n%s %s\n%s %s\n%s", + "Good job! Patrick is happy!", + "Now can you serve the second customer?", + "Sponge Bob wants something outrageous that would break the shop", + "(better be served quick before the shop owner kicks you out!)", + "Please choose from the following burgers:", + "Pe%to_Portobello, $outhwest_Burger, Cla%sic_Che%s%steak", + "Enter your recommendation: "); + fflush(stdout); + + char choice2[BUFSIZE]; + scanf("%s", choice2); + char *menu2[3] = {"Pe%to_Portobello", "$outhwest_Burger", "Cla%sic_Che%s%steak"}; + if (!on_menu(choice2, menu2, 3)) { + printf("%s", "There is no such burger yet!\n"); + fflush(stdout); + } else { + printf(choice2); + fflush(stdout); + } +} diff --git a/pwn/format_string_0/output.txt b/pwn/format_string_0/output.txt new file mode 100644 index 0000000..8cf3b6c --- /dev/null +++ b/pwn/format_string_0/output.txt @@ -0,0 +1,8 @@ +$ nc mimas.picoctf.net 60131 +Welcome to our newly-opened burger place Pico 'n Patty! Can you help the picky customers find their favorite burger? +Here comes the first customer Patrick who wants a giant bite. +Please choose from the following burgers: Breakf@st_Burger, Gr%114d_Cheese, Bac0n_D3luxe +Enter your recommendation: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa +There is no such burger yet! + +picoCTF{7h3_cu570m3r_15_n3v3r_SEGFAULT_ef312157}