BCACTF · mud-ali · Aug 27, 2023 · Aug 22, 2023 · Aug 26, 2023 · Aug 26, 2023
diff --git a/anagrams/Dockerfile b/anagrams/Dockerfile
@@ -1,16 +1,16 @@
 FROM --platform=linux/amd64 ubuntu@sha256:86ac87f73641c920fb42cc9612d4fb57b5626b56ea2a19b894d0673fd5b4f2e9 AS build
 
-RUN apt-get update -y && apt-get install -y gcc && apt-get install -y wget && apt-get install -y unzip && rm -rf /var/lib/apt/lists/*
+RUN apt-get install -y && apt-get update -y && \
+  apt-get upgrade -y && apt-get install -y gcc wget unzip && rm -rf /var/lib/apt/lists/*
 
 COPY main.c .
 RUN gcc -o anagrams main.c
 
-RUN wget -Oynetd.c https://raw.githubusercontent.com/johnsonjh/ynetd/master/ynetd.c \
+RUN wget -O ynetd.c https://raw.githubusercontent.com/johnsonjh/ynetd/master/ynetd.c \
   && gcc -o ynetd ynetd.c \
   && rm -f /tmp/ynetd.zip
 
-
-FROM --platform=linux/amd64 ubuntu@sha256:86ac87f73641c920fb42cc9612d4fb57b5626b56ea2a19b894d0673fd5b4f2e9
+FROM --platform=linux/amd64 ubuntu@sha256:86ac87f73641c920fb42cc9612d4fb57b5626b56ea2a19b894d0673fd5b4f2e9 AS deploy
 
 RUN useradd -m -d /home/ctf -u 12345 ctf
 WORKDIR /home/ctf

diff --git a/anagrams/chall.yaml b/anagrams/chall.yaml
@@ -5,10 +5,10 @@ value: 100
 flag: camp{7o0_m@nY_ch@RacteR5_buf349nrf}
 description: |-
   My friend sent this game to me, but he said the code isn't quite finished yet.
-  He also said to be careful because “The cardinality of one of the buffer constructs is delimited 
-  by a determinate measure." and "not to exceed the moral constructs of the space in this world 
-  thou hath been given". I don't really know what that means, but maybe you'll enjoy the game.
+  He also said to be careful because of limited memory and stuff, but I know I
+  can just download more RAM. Can you beat the game?
 hints:
+  - What marks the end of a string?
   - Have you heard of a buffer overflow?
 files:
   - src: /home/ctf/anagrams

diff --git a/anagrams/main.c b/anagrams/main.c
@@ -3,17 +3,19 @@
 #include <string.h>
 #include <time.h>
 
-#define FLAG_SIZE 37
-#define SPACE 12
+#define FLAG_SIZE 37 // with null terminator
+#define SPACE 12 // a little extra space
 
 int isAnagramOfSize(char* word, int n) {
     if (strlen(word) != n) {
+        printf("Your word is not the right length!\n");
         return 0;
     }
     else {
         // check if word is an anagram by looping over it and checking if each character is at the end of the word
         for (int i = 0; i < n; i++) {
             if (!(word[i] == word[n - i - 1])) {
+                printf("%c != %c", word[i], word[n - i - 1]);
                 return 0;
             }
         }
@@ -23,26 +25,39 @@ int isAnagramOfSize(char* word, int n) {
 
 int main(int argv, char **argc) {
 
+    // netcat config (don't worry about this)
+    setvbuf(stdout, NULL, _IONBF, 0);
+    setvbuf(stdin, NULL, _IONBF, 0);
+    setvbuf(stderr, NULL, _IONBF, 0);
+
+
     printf("Welcome to bofed!\n");
     printf("The game is simple: I'll tell you a number, and you have to tell me an anagram of that length.\n");
     printf("Let's see how far you can get!\n");
 
     int count = 0;
-    char* flagCopy;
+    char flagCopy[FLAG_SIZE+1];
 
-    while (count < 100000) {    
-        srand(time(NULL));
-        int n = rand() % 7 + 1;
-        char word_flag[FLAG_SIZE+12+SPACE];
+    while (count < 100000) {   
+
+        srand(time(NULL)); //seed the random number generator with the time 
+        int n = rand() % 7 + 1; //random number between 1 and 7
+        char word_flag[FLAG_SIZE+SPACE+n+1]; //space for the flag and the anagram
+
+        //reset word_flag to an empty string
+        for (int i = 0; i < FLAG_SIZE+SPACE+n+1; i++) {
+            word_flag[i] = 32;
+        }
 
+        // Load the flag into the string word_flag, and also into flagCopy (for ✨redundancy✨)
         FILE* f = fopen("flag.txt", "r");
         fgets(word_flag+n+1+SPACE, FLAG_SIZE, f);
+        fseek(f, 0, SEEK_SET);
+        fgets(flagCopy, FLAG_SIZE, f);
         fclose(f);
 
-        strcpy(flagCopy, word_flag+n+1+SPACE);
         // We already know where the string will end, so we can place a null terminator there
-        *(word_flag + n+1) = '\0';
-
+        word_flag[n+SPACE] = '\0';
         printf("Give me an anagram of length %d: ", n);
 
         //load the input into the string word
@@ -55,7 +70,7 @@ int main(int argv, char **argc) {
         printf("Checking the validity of the anagram... %s\n", word_flag);
 
         int correct = isAnagramOfSize(word_flag, n);
-
+        
         if (correct) {
             printf("Correct!\n");
             count++;

diff --git a/anagrams/solve.md b/anagrams/solve.md
@@ -18,8 +18,8 @@ With the right length string, we can overwrite the `\0` (null terminator) and re
 Welcome to bofed!
 The game is simple: I'll tell you a number, and you have to tell me an anagram of that length.
 Let's see how far you can get!
-Give me an anagram of length 3: aaaaaaaaaaaaaaaa
-Checking the validity of the anagram... aaaaaaaaaaaaaaaacamp{7o0_m@nY_ch@RacteR5_buf349nrf}
+Give me an anagram of length 5: aaaaaaaaaaaaaaaaaa
+Checking the validity of the anagram... aaaaaaaaaaaaaaaaaacamp{7o0_m@nY_ch@RacteR5_buf349nrf}
 Incorrect!
 You got 0 correct!
 ```