
stringzz

Problem

Use a format string to pwn this program and get a flag. It's also found in /problems/stringzz_2_a90e0d8339487632cecbad2e459c71c4 on the shell server. Source.

Solution

  1. Even though the flag is loaded onto the heap, there's still a pointer to it located on the stack:

```c
/* excerpt from the challenge source: the flag is read into a heap buffer,
   but `buf` itself is a local variable, so the pointer lives on the stack */
char *buf = malloc(sizeof(char) * FLAG_BUFFER);
FILE *f = fopen("flag.txt", "r");
fgets(buf, FLAG_BUFFER, f);
```

  2. So if we do %XX$s with the correct offset, we can print out the flag. (I don't know why this is true. Taken from here.)

  3. The commented-out section of script.py can find the offset.

  4. Run script.py to get the flag on the shell server.
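Added example in C, not the writeup's script or the challenge source: the defensive counterpart to the bug above. It assumes the hypothetical helper names `has_format_directive` and `echo_safe`, and shows the fixed call shape (a constant format string with the user's text only as an argument, so a positional `%N$s` is printed literally instead of dereferencing a stack slot) next to a simple check that flags untrusted input carrying a directive.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (added illustration). Returns true if untrusted text
 * contains a printf conversion directive: "%s", "%x", "%n" or the positional
 * "%7$s" form used against stringzz. "%%" is a literal percent sign and is
 * not counted; a lone trailing '%' is treated conservatively as a directive. */
bool has_format_directive(const char *s) {
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }   /* "%%" is harmless */
        return true;                          /* any other '%' starts a directive */
    }
    return false;
}

/* The vulnerable shape, shown for comparison only and never compiled here:
 *     printf(buf);            // user text *is* the format string
 * Any "%N$s" in buf makes printf read the N-th argument slot from the stack
 * and print what it points to, which is how the flag pointer above leaks.
 * GCC/Clang report this pattern with -Wformat -Wformat-security. */

/* Hardened echo (hypothetical name): the format string is a constant and the
 * user's text is only an argument, so "%7$s" comes out as four literal bytes.
 * Result is returned in a static buffer so callers can compare it. */
const char *echo_safe(const char *untrusted) {
    static char out[64];
    snprintf(out, sizeof out, "%s", untrusted);
    return out;
}

int main(void) {
    /* constructed sample input, mirroring the exploit shape from the writeup */
    const char *input = "%7$s";
    printf("directive present: %s\n", has_format_directive(input) ? "yes" : "no");
    printf("echoed verbatim:   %s\n", echo_safe(input));
    return 0;
}
```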

Flag

picoCTF{str1nG_CH3353_166b95b4}