PicoCTF - RPS

Background

strstr() in C/C++

In C++, std::strstr() is a predefined function used for string handling. string.h is the header file required for string functions. This function takes two strings s1 and s2 as an argument and finds the first occurrence of the sub-string s2 in the string s1. The process of matching does not include the terminating null-characters(‘\0’), but function stops there. Syntax:

1 2 3 4 5

char *strstr (const char *s1, const char *s2); Parameters: s1: This is the main string to be examined. s2: This is the sub-string to be searched in s1 string.

Return Value: This function returns a pointer points to the first character of the found s2 in s1 otherwise a null pointer if s2 is not present in s1. If s2 points to an empty string, s1 is returned.

Source code

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153

#include <stdio.h> #include <stdlib.h> #include <stdbool.h> #include <string.h> #include <time.h> #include <unistd.h> #include <sys/time.h> #include <sys/types.h> #define WAIT 60 static const char* flag = "[REDACTED]"; char* hands[3] = {"rock", "paper", "scissors"}; char* loses[3] = {"paper", "scissors", "rock"}; int wins = 0; int tgetinput(char *input, unsigned int l) { fd_set input_set; struct timeval timeout; int ready_for_reading = 0; int read_bytes = 0; if( l <= 0 ) { printf("'l' for tgetinput must be greater than 0\n"); return -2; } /* Empty the FD Set */ FD_ZERO(&input_set ); /* Listen to the input descriptor */ FD_SET(STDIN_FILENO, &input_set); /* Waiting for some seconds */ timeout.tv_sec = WAIT; // WAIT seconds timeout.tv_usec = 0; // 0 milliseconds /* Listening for input stream for any activity */ ready_for_reading = select(1, &input_set, NULL, NULL, &timeout); /* Here, first parameter is number of FDs in the set, * second is our FD set for reading, * third is the FD set in which any write activity needs to updated, * which is not required in this case. * Fourth is timeout */ if (ready_for_reading == -1) { /* Some error has occured in input */ printf("Unable to read your input\n"); return -1; } if (ready_for_reading) { read_bytes = read(0, input, l-1); if(input[read_bytes-1]=='\n'){ --read_bytes; input[read_bytes]='\0'; } if(read_bytes==0){ printf("No data given.\n"); return -4; } else { return 0; } } else { printf("Timed out waiting for user input. Press Ctrl-C to disconnect\n"); return -3; } return 0; } bool play () { char player_turn[100]; srand(time(0)); int r; printf("Please make your selection (rock/paper/scissors):\n"); r = tgetinput(player_turn, 100); // Timeout on user input if(r == -3) { printf("Goodbye!\n"); exit(0); } int computer_turn = rand() % 3; printf("You played: %s\n", player_turn); printf("The computer played: %s\n", hands[computer_turn]); if (strstr(player_turn, loses[computer_turn])) { puts("You win! Play again?"); return true; } else { puts("Seems like you didn't win this time. Play again?"); return false; } } int main () { char input[3] = {'\0'}; int command; int r; puts("Welcome challenger to the game of Rock, Paper, Scissors"); puts("For anyone that beats me 5 times in a row, I will offer up a flag I found"); puts("Are you ready?"); while (true) { puts("Type '1' to play a game"); puts("Type '2' to exit the program"); r = tgetinput(input, 3); // Timeout on user input if(r == -3) { printf("Goodbye!\n"); exit(0); } if ((command = strtol(input, NULL, 10)) == 0) { puts("Please put in a valid number"); } else if (command == 1) { printf("\n\n"); if (play()) { wins++; } else { wins = 0; } if (wins >= 5) { puts("Congrats, here's the flag!"); puts(flag); } } else if (command == 2) { return 0; } else { puts("Please type either 1 or 2"); } } return 0; }

Recon

這一題有reverse的感覺，主要是利用strstr()這個function拿到win++，在第100行的地方是利用strstr()搜索字串達到判斷勝利的功能，但是如果我們把三種結果結合在一起，則這一段結果就一定會試true

Exploit

Payload: paperscissorsrock

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68

$ nc saturn.picoctf.net 51418 Welcome challenger to the game of Rock, Paper, Scissors For anyone that beats me 5 times in a row, I will offer up a flag I found Are you ready? Type '1' to play a game Type '2' to exit the program 1 1 Please make your selection (rock/paper/scissors): paperscissorsrock paperscissorsrock You played: paperscissorsrock The computer played: scissors You win! Play again? Type '1' to play a game Type '2' to exit the program 1 1 Please make your selection (rock/paper/scissors): paperscissorsrock paperscissorsrock You played: paperscissorsrock The computer played: rock You win! Play again? Type '1' to play a game Type '2' to exit the program 1 1 Please make your selection (rock/paper/scissors): paperscissorsrock paperscissorsrock You played: paperscissorsrock The computer played: scissors You win! Play again? Type '1' to play a game Type '2' to exit the program 1 1 Please make your selection (rock/paper/scissors): paperscissorsrock paperscissorsrock You played: paperscissorsrock The computer played: paper You win! Play again? Type '1' to play a game Type '2' to exit the program 1 1 Please make your selection (rock/paper/scissors): paperscissorsrock paperscissorsrock You played: paperscissorsrock The computer played: rock You win! Play again? Congrats, here's the flag! picoCTF{50M3_3X7R3M3_1UCK_58F0F41B} Type '1' to play a game Type '2' to exit the program

Flag: picoCTF{50M3_3X7R3M3_1UCK_58F0F41B}

Reference

picoCTF 2022: binary-exploitation – RPS