picoCTF Solutions
picoCTF 2025Binary ExploitationMedium

Echo Valley picoCTF 2025 Solution

Published: April 2, 2025

Description

A PIE-enabled binary echoes whatever you shout into it using a bare printf(buf). Use that format string vulnerability to leak the binary base, locate print_flag, and overwrite the return address.

Read the technique guide

  • Buffer Overflow and Binary Exploitation for CTFA practical guide to binary exploitation techniques in CTF competitions: stack buffer overflows, ret2win, format string attacks, heap exploitation, and ASLR/PIE bypass - with picoCTF challenge links for each technique.

Setup

Grab the binary and source from the challenge page.

Inspect the source: echo_valley() calls printf(buf) directly, the textbook format string vulnerability.

Run checksec: PIE enabled + Full RELRO + no canary. Full RELRO blocks GOT overwrite, so the return address is the target. No canary means the overwrite is not detected at function exit.

Derive offsets locally with objdump so you don't hardcode someone else's numbers.

Probe the format-string position with %p chains to find which slot reflects your buffer (used as the offset argument to fmtstr_payload).

bash
nc verbal-sleep.picoctf.net <PORT_FROM_INSTANCE>
bash
checksec --file=valley
bash
objdump -D valley | grep -E '<print_flag>:|<main>:'
bash
# Probe format-string offset interactively, find which %N$p echoes 0x4141414141414141:
python
python3 -c "print('AAAAAAAA' + '.%p'*15)" | nc verbal-sleep.picoctf.net <PORT_FROM_INSTANCE>

Solution

Walk me through it
The Buffer Overflow and Binary Exploitation guide covers format string read and write techniques (used here) alongside stack overflows and heap exploitation.
  1. Step 1Leak the binary base and stack return address
    First find your format-string position: send AAAAAAAA.%1$p.%2$p...%15$p and look for the slot whose %N$p echoes 0x4141414141414141 - that N is your offset. Then send %20$p::%21$p. Slot 20 holds the saved return address pointing into the binary; slot 21 holds main's address. Derive main's static offset (0x13f2 here) by running objdump -D valley | grep '<main>:' and subtracting from the runtime leak to recover the PIE base. The return-address-location on the stack is leak[20] - 8. Always re-derive offsets locally; rebuilds shift them.
    bash
    p.sendlineafter(b'Shouting: ', b'%20$p::%21$p')
    bash
    p.recvuntil(b'You heard in the distance: ')
    bash
    line = p.recvline().decode().strip().split('::')
    python
    return_addr_location = int(line[0], 16) - 8
    python
    main_addr = int(line[1], 16)
    bash
    pie_base = main_addr - 0x13f2
    bash
    print_flag_addr = pie_base + 0xc48  # offset of print_flag in binary
    Learn more

    With Full RELRO enabled, the GOT (Global Offset Table) is marked read-only after the dynamic linker resolves symbols at startup. This prevents the classic technique of overwriting a GOT entry to redirect a library call to system(). The alternative is to target the saved return address on the stack inside the vulnerable function. When the function executes its ret instruction, it pops your supplied address into the instruction pointer.

    Stack position 20 in this binary holds the saved return address of the echo loop itself - a pointer back into the binary that reveals both the PIE base and the exact stack slot you need to overwrite. Position 21 holds main's address, which gives the PIE base for computing print_flag's absolute address. Both leaks come from a single printf call with the format string %20$p::%21$p.

    Use objdump -D valley | grep -E "<print_flag>:|<main>:" locally to obtain the static offsets, then verify them at runtime. Different builds of the binary may have different offsets, so always derive them from the actual challenge binary rather than hardcoding guesses.

  2. Step 2Build the format string write payload
    fmtstr_payload writes a value at an address using %n. The input buffer is 100 bytes, and a full 8-byte %n write requires a format string that itself overflows it - so split into three 2-byte (short) writes that fit comfortably. The three writes target consecutive offsets 0/+2/+4 covering the low 6 bytes (the top two are zero in user-space and already correct). Each iteration of the echo loop accepts one chunk; the function still hasn't returned, so partial writes accumulate safely.
    bash
    context.arch = 'amd64'
    bash
    chunks = [print_flag_addr & 0xFFFF,
    bash
              (print_flag_addr >> 16) & 0xFFFF,
    bash
              (print_flag_addr >> 32) & 0xFFFF]
    bash
    p.sendline(fmtstr_payload(6, {return_addr_location:     chunks[0]}, write_size='short'))
    bash
    p.sendline(fmtstr_payload(6, {return_addr_location + 2: chunks[1]}, write_size='short'))
    bash
    p.sendline(fmtstr_payload(6, {return_addr_location + 4: chunks[2]}, write_size='short'))
    Learn more

    The %n format specifier writes the count of characters printed so far to the memory address pointed to by the corresponding argument. By using %<width>c to print an exact number of characters first, an attacker can control what value gets written to an arbitrary address. fmtstr_payload() from pwntools automates this arithmetic, generating a format string that performs one or more memory writes in a single printf call.

    A 64-bit address is 8 bytes (6 significant bytes plus 2 zero bytes at the top for user-space addresses). Writing it in one shot would require a format string over 100 bytes long - larger than the buffer. The solution is to split the write into three 2-byte (short) writes targeting consecutive memory locations: return_addr_location, +2, and +4. Each write goes in a separate echo iteration. The function's return address is only read when the function executes ret, so all three partial writes complete safely before that happens.

    The offset 6 passed to fmtstr_payload is the format string's position in the printf argument list - the stack slot where the format string buffer itself begins. Finding this offset requires some probing: send AAAAAAAA.%1$p.%2$p... and find the slot that echoes 0x4141414141414141 (the hex encoding of 8 A's on x86_64). That position number is the offset to pass to fmtstr_payload. The Format String CTF guide walks through finding this offset and chaining %n writes step-by-step.

  3. Step 3Trigger the return and capture the flag
    The echo loop reads input and breaks on the literal string exit; on break, ret pops the (now-overwritten) saved RIP and execution jumps to print_flag, which reads and prints the flag file.
    bash
    p.sendline(b'exit')
    python
    print(p.recvall().decode())
    Learn more

    The three-write approach patches the return address one 16-bit chunk at a time while the function is still running. Sending exit triggers the function's exit path, executing the ret instruction which reads the now-overwritten return address. Execution jumps to print_flag, which calls system("cat flag.txt") or directly reads the flag file and prints it to stdout.

    This technique - overwriting a return address via format string %n writes - bypasses both PIE (defeated by the leak) and Full RELRO (defeated by targeting the stack instead of the GOT). The remaining defense, stack canaries, would protect against this attack if present: a random value placed between local variables and the return address, checked before ret executes. If checksec shows no canary, the return address overwrite proceeds unimpeded. The ASLR / PIE bypass guide details the leak-and-rebase pattern used here.

Flag

picoCTF{3ch0_v4ll3y_...}

Leak positions 20 and 21, compute print_flag's runtime address, overwrite the return address in three 16-bit chunks via fmtstr_payload, then send 'exit'.

Want more picoCTF 2025 writeups?

Browse picoCTF 2025Full library

Tools used in this challenge

Related reading

What to try next