hello %s

Notes

  • format string in 0x13a2 printf(argv[0])

Writeup

  1. There is format string vulnerability on argv[0] which is filename.
  2. Challenge gives you ssh to remote machine that has challenge file with SUID to user with flag.
  3. Using format string, there was a pointer to heap where flag have been copied to on offset 10.
  4. Using %s, you can print out the string stored in the heap.

Solution

ln -s /challenge/challenge /tmp/%p,%p,%p,%p,%p,%p,%p,%p,%p,%s

Flag

H2G2{argv0_s0us_c0té}

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s