pwn/format_string_0

2024-09-03 19:59:34 +02:00 · 2024-09-03 19:59:34 +02:00 · 2fdd355b01
parent c56300256d
commit 2fdd355b01
3 changed files with 109 additions and 0 deletions
--- a/pwn/format_string_0/format-string-0
+++ b/pwn/format_string_0/format-string-0
--- a/pwn/format_string_0/format-string-0.c
+++ b/pwn/format_string_0/format-string-0.c
@ -0,0 +1,101 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <signal.h>
+#include <unistd.h>
+#include <sys/types.h>
+
+#define BUFSIZE 32
+#define FLAGSIZE 64
+
+char flag[FLAGSIZE];
+
+void sigsegv_handler(int sig) {
+    printf("\n%s\n", flag);
+    fflush(stdout);
+    exit(1);
+}
+
+int on_menu(char *burger, char *menu[], int count) {
+    for (int i = 0; i < count; i++) {
+        if (strcmp(burger, menu[i]) == 0)
+            return 1;
+    }
+    return 0;
+}
+
+void serve_patrick();
+
+void serve_bob();
+
+
+int main(int argc, char **argv){
+    FILE *f = fopen("flag.txt", "r");
+    if (f == NULL) {
+        printf("%s %s", "Please create 'flag.txt' in this directory with your",
+                        "own debugging flag.\n");
+        exit(0);
+    }
+
+    fgets(flag, FLAGSIZE, f);
+    signal(SIGSEGV, sigsegv_handler);
+
+    gid_t gid = getegid();
+    setresgid(gid, gid, gid);
+
+    serve_patrick();
+  
+    return 0;
+}
+
+void serve_patrick() {
+    printf("%s %s\n%s\n%s %s\n%s",
+            "Welcome to our newly-opened burger place Pico 'n Patty!",
+            "Can you help the picky customers find their favorite burger?",
+            "Here comes the first customer Patrick who wants a giant bite.",
+            "Please choose from the following burgers:",
+            "Breakf@st_Burger, Gr%114d_Cheese, Bac0n_D3luxe",
+            "Enter your recommendation: ");
+    fflush(stdout);
+
+    char choice1[BUFSIZE];
+    scanf("%s", choice1);
+    char *menu1[3] = {"Breakf@st_Burger", "Gr%114d_Cheese", "Bac0n_D3luxe"};
+    if (!on_menu(choice1, menu1, 3)) {
+        printf("%s", "There is no such burger yet!\n");
+        fflush(stdout);
+    } else {
+        int count = printf(choice1);
+        if (count > 2 * BUFSIZE) {
+            serve_bob();
+        } else {
+            printf("%s\n%s\n",
+                    "Patrick is still hungry!",
+                    "Try to serve him something of larger size!");
+            fflush(stdout);
+        }
+    }
+}
+
+void serve_bob() {
+    printf("\n%s %s\n%s %s\n%s %s\n%s",
+            "Good job! Patrick is happy!",
+            "Now can you serve the second customer?",
+            "Sponge Bob wants something outrageous that would break the shop",
+            "(better be served quick before the shop owner kicks you out!)",
+            "Please choose from the following burgers:",
+            "Pe%to_Portobello, $outhwest_Burger, Cla%sic_Che%s%steak",
+            "Enter your recommendation: ");
+    fflush(stdout);
+
+    char choice2[BUFSIZE];
+    scanf("%s", choice2);
+    char *menu2[3] = {"Pe%to_Portobello", "$outhwest_Burger", "Cla%sic_Che%s%steak"};
+    if (!on_menu(choice2, menu2, 3)) {
+        printf("%s", "There is no such burger yet!\n");
+        fflush(stdout);
+    } else {
+        printf(choice2);
+        fflush(stdout);
+    }
+}
--- a/pwn/format_string_0/output.txt
+++ b/pwn/format_string_0/output.txt
@ -0,0 +1,8 @@
+$ nc mimas.picoctf.net 60131
+Welcome to our newly-opened burger place Pico 'n Patty! Can you help the picky customers find their favorite burger?
+Here comes the first customer Patrick who wants a giant bite.
+Please choose from the following burgers: Breakf@st_Burger, Gr%114d_Cheese, Bac0n_D3luxe
+Enter your recommendation: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
+There is no such burger yet!
+
+picoCTF{7h3_cu570m3r_15_n3v3r_SEGFAULT_ef312157}