flag leak
Below solution is from this writeup. This challenge is almost identical to the one discussed in the aforementioned writeup. However, in this challenge, we cannot search for the string
picoCTF since we will only get the first part of the flag (picoCTF{L34k1ng_Fl4g_0ff_St4ck_). So instead, we search for CTF{ and simply prepend the pico part when we display the flag. This was figured out by simply printing the output each iteration of the loop and seeing the flag appear twice in the output.The flag is somewhere in the heap, but there's a pointer to it on the stack. So, if we locate it and send it to
printf as a string (%s), we'll get the flag. We just have to go far enough down the stack.We'll use the "format string direct access" syntax to access the nth variable on the stack and cast it to a string pointer.
The syntax starts with
%, then an index, then $ and then the format specifier. So, %17$x would jump to the seventeenth member of the stack and print the value in hex format.picoCTF{L34k1ng_Fl4g_0ff_St4ck_0551082c}