[AUTO] $ mctf sync

Author: arch-err

README.md

@@ -13,7 +13,7 @@
 **Team:** none
 
 
-**Flags:** (18/47)
+**Flags:** (22/47)
 
 ![ ](assets/scoreboard.png)
 ![ ](assets/team-score.png)
@@ -23,8 +23,8 @@
 - [x] [Verify](challenges/Verify)
 - [x] [Scan_Surprise](challenges/Scan_Surprise)
 - [x] [Binary_Search](challenges/Binary_Search)
-- [ ] [heap_0](challenges/heap_0)
-- [ ] [format_string_0](challenges/format_string_0)
+- [x] [heap_0](challenges/heap_0)
+- [x] [format_string_0](challenges/format_string_0)
 - [x] [WebDecode](challenges/WebDecode)
 - [x] [Unminify](challenges/Unminify)
 - [x] [Time_Machine](challenges/Time_Machine)
@@ -44,10 +44,10 @@
 - [x] [Trickster](challenges/Trickster)
 - [ ] [No_Sql_Injection](challenges/No_Sql_Injection)
 - [ ] [heap_3](challenges/heap_3)
-- [ ] [heap_1](challenges/heap_1)
+- [x] [heap_1](challenges/heap_1)
 - [ ] [dont-you-love-banners](challenges/dont-you-love-banners)
 - [ ] [SansAlpha](challenges/SansAlpha)
-- [ ] [heap_2](challenges/heap_2)
+- [x] [heap_2](challenges/heap_2)
 - [ ] [format_string_1](challenges/format_string_1)
 - [ ] [Blast_from_the_past](challenges/Blast_from_the_past)
 - [ ] [WinAntiDbg0x300](challenges/WinAntiDbg0x300)

challenges/format_string_0/README.md

@@ -1,11 +1,9 @@
 # format_string_0
-*<++>*
+*Can you use your knowledge of format strings to make the customers happy?*
 
 ## Solution
-1. <++>
-2. `<++>`
-3. `./solve.sh`
+1. Just connect to the server and do what the program says...
 
 
 ## Flag
-**Flag:** `<++>`
+**Flag:** `picoCTF{7h3_cu570m3r_15_n3v3r_SEGFAULT_63191ce6}`

challenges/format_string_0/original_files/format-string-0

@@ -0,0 +1,101 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <signal.h>
+#include <unistd.h>
+#include <sys/types.h>
+
+#define BUFSIZE 32
+#define FLAGSIZE 64
+
+char flag[FLAGSIZE];
+
+void sigsegv_handler(int sig) {
+    printf("\n%s\n", flag);
+    fflush(stdout);
+    exit(1);
+}
+
+int on_menu(char *burger, char *menu[], int count) {
+    for (int i = 0; i < count; i++) {
+        if (strcmp(burger, menu[i]) == 0)
+            return 1;
+    }
+    return 0;
+}
+
+void serve_patrick();
+
+void serve_bob();
+
+
+int main(int argc, char **argv){
+    FILE *f = fopen("flag.txt", "r");
+    if (f == NULL) {
+        printf("%s %s", "Please create 'flag.txt' in this directory with your",
+                        "own debugging flag.\n");
+        exit(0);
+    }
+
+    fgets(flag, FLAGSIZE, f);
+    signal(SIGSEGV, sigsegv_handler);
+
+    gid_t gid = getegid();
+    setresgid(gid, gid, gid);
+
+    serve_patrick();
+  
+    return 0;
+}
+
+void serve_patrick() {
+    printf("%s %s\n%s\n%s %s\n%s",
+            "Welcome to our newly-opened burger place Pico 'n Patty!",
+            "Can you help the picky customers find their favorite burger?",
+            "Here comes the first customer Patrick who wants a giant bite.",
+            "Please choose from the following burgers:",
+            "Breakf@st_Burger, Gr%114d_Cheese, Bac0n_D3luxe",
+            "Enter your recommendation: ");
+    fflush(stdout);
+
+    char choice1[BUFSIZE];
+    scanf("%s", choice1);
+    char *menu1[3] = {"Breakf@st_Burger", "Gr%114d_Cheese", "Bac0n_D3luxe"};
+    if (!on_menu(choice1, menu1, 3)) {
+        printf("%s", "There is no such burger yet!\n");
+        fflush(stdout);
+    } else {
+        int count = printf(choice1);
+        if (count > 2 * BUFSIZE) {
+            serve_bob();
+        } else {
+            printf("%s\n%s\n",
+                    "Patrick is still hungry!",
+                    "Try to serve him something of larger size!");
+            fflush(stdout);
+        }
+    }
+}
+
+void serve_bob() {
+    printf("\n%s %s\n%s %s\n%s %s\n%s",
+            "Good job! Patrick is happy!",
+            "Now can you serve the second customer?",
+            "Sponge Bob wants something outrageous that would break the shop",
+            "(better be served quick before the shop owner kicks you out!)",
+            "Please choose from the following burgers:",
+            "Pe%to_Portobello, $outhwest_Burger, Cla%sic_Che%s%steak",
+            "Enter your recommendation: ");
+    fflush(stdout);
+
+    char choice2[BUFSIZE];
+    scanf("%s", choice2);
+    char *menu2[3] = {"Pe%to_Portobello", "$outhwest_Burger", "Cla%sic_Che%s%steak"};
+    if (!on_menu(choice2, menu2, 3)) {
+        printf("%s", "There is no such burger yet!\n");
+        fflush(stdout);
+    } else {
+        printf(choice2);
+        fflush(stdout);
+    }
+}

challenges/format_string_0/original_files/format-string-0.c

@@ -1,11 +1,10 @@
 # heap_0
-*<++>*
+*Are overflows just a stack concern?*
 
 ## Solution
-1. <++>
-2. `<++>`
-3. `./solve.sh`
+1. Uugh, binary... I hate this... Let's learn some basic binary exploitation I guess...
+2. So, I connect to a server that has a few options to interact with it. I can view the heap, get the flag (which won't work if a certain value on the heap is set) and I can write to "my own personal space" on the heap. I can be a naughty boy and write a huge string to the heap, which will overwrite this "secret value" that needs to be set to a particular value. Doing this will let me use the "get flag" functionality to get the flag.
 
 
 ## Flag
-**Flag:** `<++>`
+**Flag:** `picoCTF{my_first_heap_overflow_76775c7c}`

challenges/heap_0/README.md

@@ -0,0 +1,127 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#define FLAGSIZE_MAX 64
+// amount of memory allocated for input_data
+#define INPUT_DATA_SIZE 5
+// amount of memory allocated for safe_var
+#define SAFE_VAR_SIZE 5
+
+int num_allocs;
+char *safe_var;
+char *input_data;
+
+void check_win() {
+    if (strcmp(safe_var, "bico") != 0) {
+        printf("\nYOU WIN\n");
+
+        // Print flag
+        char buf[FLAGSIZE_MAX];
+        FILE *fd = fopen("flag.txt", "r");
+        fgets(buf, FLAGSIZE_MAX, fd);
+        printf("%s\n", buf);
+        fflush(stdout);
+
+        exit(0);
+    } else {
+        printf("Looks like everything is still secure!\n");
+        printf("\nNo flage for you :(\n");
+        fflush(stdout);
+    }
+}
+
+void print_menu() {
+    printf("\n1. Print Heap:\t\t(print the current state of the heap)"
+           "\n2. Write to buffer:\t(write to your own personal block of data "
+           "on the heap)"
+           "\n3. Print safe_var:\t(I'll even let you look at my variable on "
+           "the heap, "
+           "I'm confident it can't be modified)"
+           "\n4. Print Flag:\t\t(Try to print the flag, good luck)"
+           "\n5. Exit\n\nEnter your choice: ");
+    fflush(stdout);
+}
+
+void init() {
+    printf("\nWelcome to heap0!\n");
+    printf(
+        "I put my data on the heap so it should be safe from any tampering.\n");
+    printf("Since my data isn't on the stack I'll even let you write whatever "
+           "info you want to the heap, I already took care of using malloc for "
+           "you.\n\n");
+    fflush(stdout);
+    input_data = malloc(INPUT_DATA_SIZE);
+    strncpy(input_data, "pico", INPUT_DATA_SIZE);
+    safe_var = malloc(SAFE_VAR_SIZE);
+    strncpy(safe_var, "bico", SAFE_VAR_SIZE);
+}
+
+void write_buffer() {
+    printf("Data for buffer: ");
+    fflush(stdout);
+    scanf("%s", input_data);
+}
+
+void print_heap() {
+    printf("Heap State:\n");
+    printf("+-------------+----------------+\n");
+    printf("[*] Address   ->   Heap Data   \n");
+    printf("+-------------+----------------+\n");
+    printf("[*]   %p  ->   %s\n", input_data, input_data);
+    printf("+-------------+----------------+\n");
+    printf("[*]   %p  ->   %s\n", safe_var, safe_var);
+    printf("+-------------+----------------+\n");
+    fflush(stdout);
+}
+
+int main(void) {
+
+    // Setup
+    init();
+    print_heap();
+
+    int choice;
+
+    while (1) {
+        print_menu();
+	int rval = scanf("%d", &choice);
+	if (rval == EOF){
+	    exit(0);
+	}
+        if (rval != 1) {
+            //printf("Invalid input. Please enter a valid choice.\n");
+            //fflush(stdout);
+            // Clear input buffer
+            //while (getchar() != '\n');
+            //continue;
+	    exit(0);
+        }
+
+        switch (choice) {
+        case 1:
+            // print heap
+            print_heap();
+            break;
+        case 2:
+            write_buffer();
+            break;
+        case 3:
+            // print safe_var
+            printf("\n\nTake a look at my variable: safe_var = %s\n\n",
+                   safe_var);
+            fflush(stdout);
+            break;
+        case 4:
+            // Check for win condition
+            check_win();
+            break;
+        case 5:
+            // exit
+            return 0;
+        default:
+            printf("Invalid choice\n");
+            fflush(stdout);
+        }
+    }
+}

challenges/heap_0/original_files/chall

@@ -1,11 +1,9 @@
 # heap_1
-*<++>*
+*Can you control your overflow?*
 
 ## Solution
-1. <++>
-2. `<++>`
-3. `./solve.sh`
+1. We just gotta overwrite the "secret key" with something, I just correctly guessed that we should set it to `pico`, this can be done by inserting `aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaapico` into our writeable buffer. This will overflow our buffer and write over the "secret key".
 
 
 ## Flag
-**Flag:** `<++>`
+**Flag:** `picoCTF{starting_to_get_the_hang_b9064d7c}`