JerseyCTF - 2024
x4 Rev
Rev - humble beginnings strings

Rev - Password manager
Set breakpoint in pwndbg with ghidra help


Rev - searching-through-vines
Shell escape
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/*
 * Challenge source: reads one whitespace-delimited token from stdin, rejects
 * it when it is longer than 5 characters or contains a denylisted substring,
 * and otherwise passes it unchanged to system().
 *
 * Review notes (defensive):
 *  - The filter is a denylist of five command names. Anything not listed is
 *    executed, so the filter does not restrict what the shell may run. An
 *    allowlist of exact commands, or not calling system() on user input at
 *    all, is the robust design.
 *  - The length check runs only after the unbounded read has already happened.
 */
int main(){
char commandStr[32];
// "%s" has no field width, so input longer than 31 bytes writes past
// commandStr. A bounded conversion such as "%31s" would cap the read.
// The return value of scanf is not checked either.
scanf("%s", commandStr);
int i;
// Six slots but only five initialisers: the sixth element is implicitly NULL.
const char * bTexts[6] = {"ls", "cat", "cd", "pwd", "less"};
// (6 * sizeof(pointer) - 1) / sizeof(pointer) truncates to 5, so the loop
// below stops before the NULL slot. This works by integer-division accident
// rather than by counting the initialisers.
int bTexts_size = (sizeof(bTexts) - 1) / sizeof(bTexts[0]);
// Debug output of the computed count; printed without a trailing newline.
printf("%d",bTexts_size);
if (strlen(commandStr) <= 5){
for(i = 0; i < bTexts_size; i++){
// Substring match: any input that merely contains a listed name is rejected.
if(strstr(commandStr, (char*)(bTexts[i])) != 0){
printf("Terminating... a violation occured!\n");
exit(1);
}
}
// User-controlled string handed to the shell; only the checks above gate it.
system(commandStr);
}
else{
// Inputs longer than 5 characters are refused with a distinct exit status.
printf("Terminating... a violation occured!\n");
exit(2);
}
return 0;
}
Because `sh` is not on the denylist and fits within the 5-character limit, popping an sh shell lets us run whatever command we want.

Rev - MathTest
reverse math test
#include <stdio.h>
#include <stdlib.h>
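/*
 * Print the contents of flag.txt (at most 63 bytes) followed by a newline.
 *
 * Compared with the original listing this version:
 *  - checks that fopen() succeeded before using the stream,
 *  - reads one byte less than the buffer size and NUL-terminates the data,
 *    so printf("%s") cannot run past the end of the buffer,
 *  - closes the file on every path.
 */
void printflag(){
    char flag[64];
    FILE *f = fopen("flag.txt", "r");
    if (f == NULL) {
        perror("flag.txt");
        return;
    }

    /* Leave room for the terminator; fread() does not add one. */
    size_t got = fread(flag, sizeof(char), sizeof flag - 1, f);
    flag[got] = '\0';
    fclose(f);

    printf("%s\n", flag);
}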
/*
 * Challenge logic: asks for a name and three answers, applies one check per
 * answer, then compares ans1 + ans2 + ans3 with the first sizeof(long) bytes
 * of the name buffer read as a long. Calls printflag() when they are equal.
 * Returns 0 on every failure path; the success path has no return statement.
 *
 * Review notes (defensive):
 *  - The name is read with an unbounded "%s" into a 100-byte stack buffer.
 *  - The scanf() calls for ans1, ans2 and ans3 ignore their return values, so
 *    a failed conversion leaves the variable uninitialised.
 *  - The products are signed long multiplications; overflow there is
 *    undefined behaviour in C.
 *  - The printed questions do not match what the code actually tests (see the
 *    comments on each check).
 */
int vuln() {
printf("Welcome to your Math Test. Perfect Score gets a Flag!\n");
printf("Enter Name:\n");
char name[100];
// No field width: input of 100 or more bytes overflows name. "%99s" would
// bound the read.
if(scanf("%s", name) < 1){
printf("You need a name\n");
return 0;
}
long mult1 = 0x9000;
long ans1;
printf("%ld*x < 0. What is x\n", mult1);
scanf("%ld", &ans1);
if(ans1 < 0) {
printf("No Negatives!\n");
return 0;
}
// Only a strictly positive product is rejected, so a product of exactly zero
// also passes although the prompt asks for "< 0".
if(mult1*ans1 > 0) {
printf("Incorrect, try again\n");
return 0;
}
printf("Next Question\n");
long mult2 = 0xdeadbeef;
long ans2;
printf("%ld * y = 0. What is y\n", mult2);
scanf("%ld", &ans2);
if(ans2 >= 0) {
printf("Now Only Negatives!\n");
return 0;
}
// The condition is inverted relative to the prompt: a product equal to zero
// is reported as incorrect, and any non-zero product is accepted.
if((mult2*ans2) == 0) {
printf("%ld\n", mult2*ans2);
printf("Incorrect, try again\n");
return 0;
}
printf("Final Quesiton\n");
char mult3 = 'O';
char ans3;
printf("Good\n");
printf("%c * z = 'A'. What is z?\n", mult3);
// The leading "\n" in the format skips pending whitespace before the character.
scanf("\n%c", &ans3);
// The multiplication is done in int and then converted back to char, so only
// the value that survives the narrowing conversion is compared with 'A'.
if((char)(ans3*mult3) != 'A') {
printf("Incorrect, try again\n");
return 0;
}
printf("Final Question: ans1 + ans2 + ans3 = name\n");
// Reinterprets the start of the char buffer as a long. If the name is shorter
// than sizeof(long) - 1 characters, the bytes after its terminator were never
// written and the comparison below reads indeterminate data.
long *n = (long *)name;
// Format mismatch: n is a pointer but "%d" expects an int. This prints
// (part of) the address of name rather than its contents.
printf("%d", n);
if(ans1 + ans2 + ans3 == *n) {
printf("Congratulations! Here is your flag!!!!\n");
printflag();
// NOTE(review): control falls off the end of a non-void function here.
}
else {
printf("If only you had a better name :(\n");
return 0;
}
}
int main() {
setvbuf(stdin, 0, _IONBF, 0);
setvbuf(stdout, 0, _IONBF, 0);
setvbuf(stderr, 0, _IONBF, 0);
The first two values are predictable: 0 and -1. After that I wrote this to get the third value, 'o':
#include <stdio.h>
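/*
 * Offline helper for the third question of the math test: find the 7-bit
 * ASCII character z whose product with 'O', truncated to one byte, is 'A'.
 *
 * Changes from the original listing: the unused ans3 local is gone, and the
 * truncation is done in unsigned char so that it is well defined instead of
 * relying on the implementation-defined conversion of an out-of-range int to
 * a possibly signed char. The printed output is unchanged.
 */
int main() {
    const unsigned char mult3 = 'O';

    printf("Final Question\n");
    printf("Good\n");
    printf("%c * z = 'A'. What is z?\n", mult3);

    /* Try every 7-bit ASCII code and keep the first one that matches. */
    for (int i = 0; i <= 127; i++) {
        /* Low byte of the product, mirroring the challenge's (char) cast. */
        unsigned char low_byte = (unsigned char)((unsigned)i * mult3);
        if (low_byte == 'A') {
            printf("Correct! The value of z is: %c\n", i);
            return 0;
        }
    }

    printf("Unable to find the correct value of z.\n");
    return 0;
}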
And lastly I wrote this to brute force the name:
#include <stdio.h>
// Function to print the flag
void printflag() {
    /* Local stand-in for the challenge's flag printer: emits a placeholder
       flag line instead of reading flag.txt. */
    static const char placeholder[] = "Flag: FLAG{your_flag_here}\n";
    fputs(placeholder, stdout);
}
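/*
 * Offline helper for the last question of the math test: with the three
 * answers already known, search the single-byte range for the value that
 * equals ans1 + ans2 + ans3.
 *
 * Changes from the original listing: the unused mult3 local is removed and
 * the found value is printed on its own line, so it no longer runs into the
 * flag line that follows.
 *
 * Note: the challenge compares the sum with a long read from the start of the
 * name buffer, while this search only covers one signed byte. The result is
 * therefore the value the first byte of the name must have.
 */
int main() {
    const int ans1 = 0;
    const int ans2 = -1;
    const char ans3 = 'o';
    const int target = ans1 + ans2 + ans3;

    printf("Final Question: ans1 + ans2 + ans3 = name\n");
    printf("Good\n");

    /* Walk every signed 8-bit value until it matches the sum. */
    for (int name = -128; name <= 127; name++) {
        if (name != target) {
            continue;
        }
        printf("Congratulations! Here is your flag!!!!\n");
        printf("%d\n", name);
        printflag();
        return 0;
    }

    printf("Unable to find the correct value of name.\n");
    return 0;
}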
