Stonks
I decided to try something no one else has before. I made a bot to automatically trade stonks for me using AI and machine learning. I wouldn't believe you if you told me it's unsecure! `vuln.c` `nc mercury.picoctf.net 16439`
1. We can compile the C source code using `gcc -g -m32 vuln.c -o vuln`, and then generate a pwntools template using `pwn template --host mercury.picoctf.net --port 16439 vuln`.
2. This is a standard format string vulnerability. The compiler even warns us that the program is vulnerable to a format string attack when we compile it.
3. Resources to learn about format string attacks: Syracuse University Lecture Notes / OWASP / LiveOverflow on YouTube / John Hammond PicoCTF 2017 'I've Got a Secret' on YouTube / PicoCTF 2018 'echooo' Writeup
4. Essentially, the solution script works by sending a string of repeated `%p` specifiers to the format string function in the program. The program replaces each `%p` with a value from the stack. Eventually we work our way far enough up the stack to reach `api_buf` and print it out as little-endian hexadecimal. We cannot use the looping `'%{}$s'.format(i)` trick from the PicoCTF 2018 'echooo' Writeup because the program is little endian, and thus the flag would not be displayed correctly.
5. Once we dump the stack, we convert the hexadecimal into ASCII by converting each value to a byte array, reversing the array, and then filtering out non-printable characters. Then we simply print the flag.
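The decoding step is where most people trip over the byte order, so here is an added example (not the writeup's own solution script) that turns a `%p` dump into text the way step 6 describes: each 32-bit word is parsed as hex, converted to a byte array, reversed into memory order, and non-printable characters are dropped. The dump below is constructed from a placeholder flag, not captured from the challenge; `encode_stack_words`, `decode_stack_dump` and `extract_flag` are names chosen for this example.

```python
import re
import string
from typing import List, Optional

# Characters we keep after decoding: printable ASCII minus whitespace control codes.
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def encode_stack_words(text: str, width: int = 4) -> List[str]:
    """Constructed test helper: lay `text` out in memory as little-endian
    machine words and render each one the way a 32-bit %p prints it."""
    data = text.encode()
    data += b"\x00" * (-len(data) % width)  # pad to a whole number of words
    return [
        hex(int.from_bytes(data[i:i + width], "little"))
        for i in range(0, len(data), width)
    ]


def decode_stack_dump(dump: str, width: int = 4) -> str:
    """Turn the program's %p output back into text (the writeup's step 6)."""
    chunks = []
    for tok in dump.split():
        if not tok.startswith("0x"):  # glibc prints "(nil)" for a NULL pointer
            continue
        # %p strips leading zeros, so pad back to a full word before parsing.
        word = bytes.fromhex(tok[2:].zfill(width * 2))  # big-endian digit order
        chunks.append(word[::-1])  # reverse -> the order the bytes sit in memory
    raw = b"".join(chunks)
    return "".join(ch for ch in raw.decode("latin-1") if ch in PRINTABLE)


def extract_flag(text: str) -> Optional[str]:
    """Pull a picoCTF-style flag out of the decoded text, if one is present."""
    m = re.search(r"picoCTF\{[^}]*\}", text)
    return m.group(0) if m else None


# Constructed sample: a few stack words you would typically see before the
# buffer (a pointer, a stack address, a NULL), then the placeholder flag, then filler.
SAMPLE_DUMP = " ".join(
    ["0x804b000", "0xffffd3c4", "(nil)"]
    + encode_stack_words("picoCTF{s4mpl3_fl4g}")
    + ["0x41414141"]
)

if __name__ == "__main__":
    decoded = decode_stack_dump(SAMPLE_DUMP)
    print(decoded)
    print(extract_flag(decoded))
```

Running the block prints `picoCTF{s4mpl3_fl4g}AAAA` followed by the extracted placeholder flag; the junk words in front decode to non-printable bytes and vanish, which is why the filtering step matters.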
picoCTF{I_l05t_4ll_my_m0n3y_c7cb6cae}