Problem

Use a format string to pwn this program and get a flag. Its also found in /problems/stringzz_2_a90e0d8339487632cecbad2e459c71c4 on the shell server. Source.

• Program

• Source

Solution

1. Even though the flag is loaded onto the heap, there’s still a pointer to it located on the stack:

char * buf = malloc(sizeof(char)*FLAG_BUFFER);
FILE *f = fopen("flag.txt","r");
fgets(buf,FLAG_BUFFER,f);

1. So if we do %XX$s with the correct offset, we can print out the flag. (I don't know why this is true. Taken from here.)

2. The commented out section of the script.py can find the offset

3. Run the script.py to get the flag on the shell server

Flag

picoCTF{str1nG_CH3353_166b95b4}