$ cat writeup.md…
pwn_spbctf
Task: a non-PIE x86-64 format-string service reads flag.txt into a global at a fixed address (0x4040a0), then calls printf(out, password), where `out` is built with snprintf from the login. Solution: inject a positional format directive through the login (%38$s) and plant the address of the flag global in the password, which printf sees as the vararg at slot 38; the resulting arbitrary read dumps the flag.
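The root cause from a defender's side, as an added example that is not code from the challenge or the writeup: the login ends up inside a buffer that is later used as a format. The sketch below shows the hardened call next to a scanner that flags directives in untrusted fields; `scan_format`, `render_safe`, the message layout and the sample inputs are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Pattern the writeup describes (reconstructed; buffer names are assumed):
 *     snprintf(out, sizeof out, "... %s ...", login);
 *     printf(out, password);   // out is the FORMAT, so '%' in login is live
 */

struct fmt_scan { int directives, positional, writes; };

/* Count printf conversions in untrusted text; "%%" is a literal percent. */
struct fmt_scan scan_format(const char *s)
{
    struct fmt_scan r = {0, 0, 0};
    while ((s = strchr(s, '%')) != NULL) {
        s++;                                   /* step past '%' */
        if (*s == '%') { s++; continue; }      /* escaped percent, not a directive */
        r.directives++;
        size_t digits = strspn(s, "0123456789");
        if (digits && s[digits] == '$') {      /* positional form: %N$... */
            r.positional++;
            s += digits + 1;
        }
        s += strspn(s, "-+ #0123456789.*hlLjzt"); /* flags, width, precision, length */
        if (*s == 'n') r.writes++;             /* %n stores through a pointer */
    }
    return r;
}

/* Hardened form: the format is a constant; login and password are data only. */
int render_safe(char *dst, size_t n, const char *login, const char *password)
{
    return snprintf(dst, n, "login=%s password=%s\n", login, password);
}

int main(void)
{
    const char *login = "%38$s";               /* constructed sample input */
    struct fmt_scan r = scan_format(login);
    char line[64];
    render_safe(line, sizeof line, login, "hunter2");
    printf("directives=%d positional=%d writes=%d\n",
           r.directives, r.positional, r.writes);
    fputs(line, stdout);                       /* login is echoed verbatim */
    return 0;
}
```

Building with `-Wformat -Wformat-nonliteral` makes GCC and Clang warn on the original `printf(out, password)` call, because its format argument is not a string literal.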