Neel Bhavsar
Story telling class 1/2 I'm just copying and pasting with this program. What can go wrong? You can view source here. And connect with it using:
nc saturn.picoctf.net 51804
- Format Strings
After researching the format string attack, we learn it is possible to get a program to leak data off the program stack. If we use %s, we can get it to print strings from the top of the stack. We don't know which stack position holds the flag, so we can write a script to brute-force it. We can create a fake flag file (just flag.txt with any content inside, e.g. "flag{test}") to test the program locally. Since the shell server is running the same program as the one given, theoretically a local exploit should work on the shell as well. We run python3 script.py > out.txt to log everything. After the script finishes running, we can look for where the flag should be:
$ cat out.txt | grep {
24 b"Tell me a story and then I'll tell you one >> Here's a story - \n{test}\n\n"
This means the 24th object on the stack contains the flag, so we can run the same input against the shell server now:
$ nc saturn.picoctf.net 56127
Tell me a story and then I'll tell you one >> %24$s
Here's a story -
CTF{L34k1ng_Fl4g_0ff_St4ck_eb9b46a2}
picoCTF{L34k1ng_Fl4g_0ff_St4ck_eb9b46a2}
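To show why an input like %24$s is treated as a format directive and how a few characters of code close the hole, here is an added C example. It is not the challenge's source and not part of the original writeup; the function names (echo_vulnerable, echo_safe, safe_render_keeps_literal, has_format_directive) are my own. It places the vulnerable pattern next to the hardened one, and adds a small input check of the kind a defender would use to flag printf-style directives arriving at a text service.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Vulnerable pattern: the user's text IS the format string, so
 * directives such as %s or %24$s are interpreted by printf and
 * read whatever happens to sit at that position on the stack.
 * gcc/clang warn about this with -Wformat-security. */
void echo_vulnerable(const char *story) {
    printf(story);
    printf("\n");
}

/* Hardened pattern: a constant format string; the user's text is
 * only ever an argument, so "%24$s" is printed literally. */
void echo_safe(const char *story) {
    printf("%s\n", story);
}

/* Renders the reply the safe way into a buffer and checks that the
 * user's text survives verbatim (no directive was interpreted). */
bool safe_render_keeps_literal(const char *story) {
    static const char prefix[] = "Here's a story - ";
    char out[256];
    int n = snprintf(out, sizeof out, "%s%s", prefix, story);
    if (n < 0 || (size_t)n >= sizeof out)
        return false; /* truncated; treat as failure */
    return strcmp(out + strlen(prefix), story) == 0;
}

/* Defensive check: does the input carry a printf directive?
 * A literal "%%" is allowed; anything else after '%' is flagged.
 * Useful for alerting on inputs like "%24$s" hitting a text service. */
bool has_format_directive(const char *s) {
    for (const char *p = s; *p; p++) {
        if (*p == '%') {
            if (p[1] == '%') { p++; continue; } /* escaped percent */
            return true;
        }
    }
    return false;
}

int main(void) {
    /* Constructed sample input, same shape as the one used in the writeup. */
    const char *input = "%24$s";
    echo_safe(input);                       /* prints: %24$s */
    printf("directive present: %s\n",
           has_format_directive(input) ? "yes" : "no");
    printf("literal preserved: %s\n",
           safe_render_keeps_literal(input) ? "yes" : "no");
    return 0;
}
```

The only difference between the two echo functions is whether the user's text is passed as the format or as an argument; compiling with -Wformat-security makes the compiler point at the former. The directive check is a detection aid for logs, not a substitute for the constant-format fix.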