Description
Can you use your knowledge of format strings to make the customers happy?
Setup
Remote menu
Connect to mimas.picoctf.net <PORT_FROM_INSTANCE> via netcat.
Observe the menu items in each round and look for strings containing %.
nc mimas.picoctf.net <PORT_FROM_INSTANCE>
Solution
This is the introductory format string challenge. Once you understand how format specifiers leak data here, progress to format string 1 for stack leaking and format string 2 for memory overwrites.
- Step 1 (Round 1): Choose Gr%114d_Cheese. Because the menu item is used as the printf format string, %114d makes printf pull a value off the stack and print it as a number instead of printing a literal name; this is the intended foothold.
- Step 2 (Round 2): Select Cla%sic_Che%s%steak. Each %s makes printf treat another stack entry as a char pointer and print the string it points to, and one of those entries is the flag, revealing picoCTF{...}.
Flag
picoCTF{7h3_cu570m3r_15_n3v3r_SEGFAULT_dc...}
Ordering the two menu items that carry format specifiers leaks the flag directly in the connection output.
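The bug behind both rounds, shown beside its fix, as an added example that is not code from the challenge binary or the picoCTF authors. The function names count_specifiers, print_choice_vulnerable and print_choice_hardened and the sample orders are constructed for this illustration; the vulnerable variant is called through a function pointer only so the file compiles under -Werror=format-security, the real bug is a plain printf(choice).

```c
#include <stdio.h>
#include <string.h>

/* Count the conversion specifiers an untrusted string would introduce if it
 * were ever passed to printf as the format. "%%" is a literal percent sign and
 * is not counted. Constructed helper, not part of the challenge. */
int count_specifiers(const char *s)
{
    int n = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%" is an escaped percent, skip both */
            p++;
            continue;
        }
        n++;                    /* %d, %s, %114d, ... each consume an argument */
    }
    return n;
}

/* Vulnerable shape: the customer's choice becomes the format string, so %114d
 * prints a stack value as a number and each %s dereferences a stack value as a
 * char pointer. Kept for contrast only; main() below never calls it. */
int print_choice_vulnerable(const char *choice)
{
    int (*fmt)(const char *, ...) = printf;   /* pointer call: no format attribute */
    return fmt(choice);
}

/* Hardened shape: the format is a fixed literal and the choice is only ever an
 * argument, so '%' characters in it are printed verbatim. Output goes to a
 * bounded buffer so the caller can inspect the rendered text. */
int print_choice_hardened(char *out, size_t out_len, const char *choice)
{
    return snprintf(out, out_len, "You ordered: %s", choice);
}

int main(void)
{
    char buf[64];
    /* constructed sample orders, including the two from the walkthrough */
    const char *orders[] = { "Gr%114d_Cheese", "Cla%sic_Che%s%steak", "100%% Beef" };
    for (size_t i = 0; i < sizeof orders / sizeof orders[0]; i++) {
        print_choice_hardened(buf, sizeof buf, orders[i]);
        printf("%s  (specifiers if used as a format: %d)\n",
               buf, count_specifiers(orders[i]));
    }
    return 0;
}
```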