pwn/format_string_0

2024-09-03 19:59:34 +02:00 · 2024-09-03 19:59:34 +02:00 · 2fdd355b01
parent c56300256d
commit 2fdd355b01
3 changed files with 109 additions and 0 deletions
--- a/pwn/format_string_0/format-string-0
+++ b/pwn/format_string_0/format-string-0
--- a/pwn/format_string_0/format-string-0.c
+++ b/pwn/format_string_0/format-string-0.c
@ -0,0 +1,101 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <signal.h>
 #include <unistd.h>
 #include <sys/types.h>
 #define BUFSIZE 32
 #define FLAGSIZE 64
 char flag[FLAGSIZE];
 void sigsegv_handler(int sig) {
    printf("\n%s\n", flag);
    fflush(stdout);
    exit(1);
 }
 int on_menu(char *burger, char *menu[], int count) {
    for (int i = 0; i < count; i++) {
        if (strcmp(burger, menu[i]) == 0)
            return 1;
    }
    return 0;
 }
 void serve_patrick();
 void serve_bob();
 int main(int argc, char **argv){
    FILE *f = fopen("flag.txt", "r");
    if (f == NULL) {
        printf("%s %s", "Please create 'flag.txt' in this directory with your",
                        "own debugging flag.\n");
        exit(0);
    }
    fgets(flag, FLAGSIZE, f);
    signal(SIGSEGV, sigsegv_handler);
    gid_t gid = getegid();
    setresgid(gid, gid, gid);
    serve_patrick();
    return 0;
 }
 void serve_patrick() {
    printf("%s %s\n%s\n%s %s\n%s",
            "Welcome to our newly-opened burger place Pico 'n Patty!",
            "Can you help the picky customers find their favorite burger?",
            "Here comes the first customer Patrick who wants a giant bite.",
            "Please choose from the following burgers:",
            "Breakf@st_Burger, Gr%114d_Cheese, Bac0n_D3luxe",
            "Enter your recommendation: ");
    fflush(stdout);
    char choice1[BUFSIZE];
    scanf("%s", choice1);
    char *menu1[3] = {"Breakf@st_Burger", "Gr%114d_Cheese", "Bac0n_D3luxe"};
    if (!on_menu(choice1, menu1, 3)) {
        printf("%s", "There is no such burger yet!\n");
        fflush(stdout);
    } else {
        int count = printf(choice1);
        if (count > 2 * BUFSIZE) {
            serve_bob();
        } else {
            printf("%s\n%s\n",
                    "Patrick is still hungry!",
                    "Try to serve him something of larger size!");
            fflush(stdout);
        }
    }
 }
 void serve_bob() {
    printf("\n%s %s\n%s %s\n%s %s\n%s",
            "Good job! Patrick is happy!",
            "Now can you serve the second customer?",
            "Sponge Bob wants something outrageous that would break the shop",
            "(better be served quick before the shop owner kicks you out!)",
            "Please choose from the following burgers:",
            "Pe%to_Portobello, $outhwest_Burger, Cla%sic_Che%s%steak",
            "Enter your recommendation: ");
    fflush(stdout);
    char choice2[BUFSIZE];
    scanf("%s", choice2);
    char *menu2[3] = {"Pe%to_Portobello", "$outhwest_Burger", "Cla%sic_Che%s%steak"};
    if (!on_menu(choice2, menu2, 3)) {
        printf("%s", "There is no such burger yet!\n");
        fflush(stdout);
    } else {
        printf(choice2);
        fflush(stdout);
    }
 }
--- a/pwn/format_string_0/output.txt
+++ b/pwn/format_string_0/output.txt
@ -0,0 +1,8 @@
 $ nc mimas.picoctf.net 60131
 Welcome to our newly-opened burger place Pico 'n Patty! Can you help the picky customers find their favorite burger?
 Here comes the first customer Patrick who wants a giant bite.
 Please choose from the following burgers: Breakf@st_Burger, Gr%114d_Cheese, Bac0n_D3luxe
 Enter your recommendation: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 There is no such burger yet!
 picoCTF{7h3_cu570m3r_15_n3v3r_SEGFAULT_ef312157}