TUCTF 2018: Timber
Are you a single lumberjack tired of striking out? Well not
with Timber! Our deep learning neural network is sure to find a perfect match
for you. Try Timber today!
`nc 18.104.22.168 12345`
The interesting functions in the target are `doStuff` which displays the
interface, and `date` which prints the flag.
By looking at the disassembly of `doStuff` we can see that the second call to
`printf` uses a user-controlled format string which we can exploit to read and
write arbitrary memory.
The binary is compiled with partial RELRO, which means that the GOT entries are
writable. The easiest way to get the flag is to overwrite the GOT entry for
`puts` with the address of `date`. This way the call to `puts` will instead
execute `date` and give us the flag.
Pwntools has a useful helper for generating format string exploits but it needs
to know which is the first format argument that we can control. The easiest way
to find out is to try `%s`, then `%x%s` and so on until the target crashes. In
this case `%x%s` crashes the target which means that we control the arguments
starting from the second.
$ python2 exploit.py
[+] Opening connection to 22.214.171.124 on port 12345: Done
[*] Closed connection to 126.96.36.199 port 12345