PicoCTF-2022 Writeup
Search…
PicoCTF-2022 Writeup
README
Binary Exploitation
buffer overflow 1
buffer overflow 2
buffer overflow 3
flag leak
function overwrite
ropfu
stack cache
x-sixty-what
Cryptography
basic-mod1
basic-mod2
diffie-hellman
morse-code
NSA Backdoor
Sequences
substitution
Sum-O-Primes
Very Smooth
Forensics
Operation Oni
Operation Orchid
SideChannel
St3g0
Torrent Analyze
Reverse Engineering
Bbbbloat
Keygenme
unpackme
Wizardlike
Web Exploitation
Forbidden Paths
noted
Roboto Sans
SQLiLite
Powered By GitBook
flag leak

Challenge

Story telling class 1/2 I'm just copying and pasting with this program. What can go wrong? You can view source here. And connect with it using: nc saturn.picoctf.net 65402

Solution

Below solution is from this writeup. This challenge is almost identical to the one discussed in the aforementioned writeup. However, in this challenge, we cannot search for the string picoCTF since we will only get the first part of the flag (picoCTF{L34k1ng_Fl4g_0ff_St4ck_). So instead, we search for CTF{ and simply prepend the pico part when we display the flag. This was figured out by simply printing the output each iteration of the loop and seeing the flag appear twice in the output.
The flag is somewhere in the heap, but there's a pointer to it on the stack. So, if we locate it and send it to printf as a string (%s), we'll get the flag. We just have to go far enough down the stack.
We'll use the "format string direct access" syntax to access the nth variable on the stack and cast it to a string pointer.
The syntax starts with %, then an index, then $ and then the format specifier. So, %17$x would jump to the seventeenth member of the stack and print the value in hex format.

Flag

picoCTF{L34k1ng_Fl4g_0ff_St4ck_0551082c}
Binary Exploitation - Previous
buffer overflow 3
Next - Binary Exploitation
function overwrite
Last modified 4mo ago
Copy link
Edit on GitHub
Outline
Challenge
Solution
Flag