247CTF — confused environment read writeup

Mutawkkel Abdulrhman
3 min read, Feb 12, 2021


This challenge is about exploiting a format string bug; the description says that the flag is hidden inside an environment variable.

No binary is provided for this challenge, so we just connect to the remote host.

The program prints two lines and waits for input. In the picture I send %x format strings and it indeed prints a hex number back for me, which means the program should be vulnerable to format string exploits.

Our main goal is to reach the flag. We know it is hidden in an environment variable, so can we read environment variables using this format string bug, or do we need to look for another bug?

The answer is yes, we can. Why? Because environment variables are located on the stack, and with this format string bug we can read as many values as we want from the stack.

So let's craft an exploit in Python and automate this.

'The %s format specifier is responsible for displaying strings.'

This is the exploit we will use to read strings from the stack; let's study the code now.

In the first 4 lines we import pwnlib, a powerful library for solving pwn challenges, and specify the host and port of the challenge.

At line 5 we start a for loop so we can send multiple requests.

Line 8 is really the essence of the exploit: there we send % + i (our counter number) + $s.

Why do we do that? Because when the program receives a %s format string it treats the corresponding stack value as a pointer to a string. In our case the program goes to the stack and checks whether the value our %N$s refers to points to a string; if it does, the program displays it, and if not, it just crashes.

So the idea is that each time we send a %N$s with a different number and check whether the returned value contains the string '247CTF'. If it does not, we close the connection and connect again to send a different number.

Note that '%4$s' reaches the same stack value as the fourth %s in '%s %s %s %s'.
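To show the bug from the defender's side, here is an added C example (not the challenge binary, which is not provided, and not the author's exploit): an echo routine that passes user input as the format string, the hardened form that passes it as an argument, and a small check that flags inputs carrying conversion directives such as %x or %4$s.

```c
#include <stdio.h>
#include <string.h>

/* Shared output buffer so the routines can return a string directly. */
static char g_out[128];

/* VULNERABLE: user input becomes the format string itself.
 * "%x" prints whatever is in the next argument slot (a stack word on
 * 32-bit, a register on x86-64), "%N$s" dereferences the N-th word as a
 * char* (the writeup's env leak), and "%n" would write to memory.
 * GCC's -Wformat-security warns on exactly this call shape. */
const char *echo_vulnerable(const char *user) {
    snprintf(g_out, sizeof g_out, user);
    return g_out;
}

/* HARDENED: the format is a literal, the input is only an argument,
 * so every '%' in it is copied through untouched. */
const char *echo_safe(const char *user) {
    snprintf(g_out, sizeof g_out, "%s", user);
    return g_out;
}

/* Detection aid for input logging / monitoring: does the text contain a
 * conversion directive? "%%" is a literal percent sign and is ignored. */
int has_format_directive(const char *s) {
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* escaped percent, skip both characters */
            s++;
            continue;
        }
        return 1;            /* '%' followed by a conversion: %x, %4$s, %n ... */
    }
    return 0;
}

int main(void) {
    /* "100%%" is a well-defined format that needs no arguments, so the
     * difference between the two routines is visible without relying on
     * undefined behaviour: the vulnerable one interprets it, the safe
     * one echoes it verbatim. */
    printf("vulnerable: %s\n", echo_vulnerable("100%%"));  /* 100%  */
    printf("safe:       %s\n", echo_safe("100%%"));        /* 100%% */
    printf("flagged:    %d\n", has_format_directive("%4$s")); /* 1 */
    return 0;
}
```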

The exploit can be found in the repository.
