secret_v2 — format string without %n

spbctf

Task: format-string bug with a filter that bans the byte 'n' (so no %n) but still allows %s; secret is stored in BSS at a fixed No-PIE address and later compared against user input. Solution: plant the secret's address on the stack by placing it inside the input buffer and dereference it with %11$s to leak the secret, then echo the secret back to retrieve the flag.

filter_bypass format_string no_pie amd64 bss_leak

format_string_s_readstack_pointer_plantingprintf_leak_at_fixed_address

$ ls tags/ techniques/

filter_bypass format_string no_pie amd64 bss_leak

format_string_s_readstack_pointer_plantingprintf_leak_at_fixed_address

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[pwn][Pro]secret— pwn_spbctf
[pwn][Pro]rbp2— pwn_spbctf
[pwn][Pro]Говори - и будет исполнено (ask_and_you_shall_receive)— hackerlab
[pwn][Pro]rbp— spbctf
[pwn][Pro]Canary leak + ret2win (string_leak)— spbctf