We have a binary file and a remote instance available for connection.
nc <machine_ip> 1337
By analyzing the binary with Ghidra, we can clearly spot a format string vulnerability: the content of local_78 is passed directly to the printf function as the format argument, without a format specifier. If we provide a malicious format string, printf interprets it. To print values from the stack in clear text we use the %s format specifier. In this case the 13th value on the stack was the flag, which we got using payload
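The vulnerable pattern described above next to its fixed form, as an added example in C that is not the challenge binary (local_78 is the writeup's variable; vuln_render, safe_render and contains_format_directive are names assumed here):

```c
#include <stdio.h>
#include <string.h>

/* Added example, not the challenge binary. It contrasts the bug the
 * writeup describes (user data used as printf's format string) with
 * the fixed form, and adds a boundary check for unexpected directives.
 * Output goes to a buffer instead of stdout so results can be inspected. */

/* Vulnerable pattern, equivalent to printf(local_78): the untrusted
 * bytes are parsed as a format string, so every '%' is interpreted.
 * gcc -Wformat-security flags this call. It is kept only to show the
 * difference and is fed a directive ("%%") that consumes no arguments,
 * so the demo itself stays well-defined. */
static int vuln_render(char *out, size_t n, const char *user)
{
    return snprintf(out, n, user);
}

/* Fixed pattern: constant format string, user data passed as an
 * argument. A '%' in the input is now just a character. */
static int safe_render(char *out, size_t n, const char *user)
{
    return snprintf(out, n, "%s", user);
}

/* Input-boundary check: untrusted text that should never act as a
 * format string but contains a conversion directive is worth rejecting
 * or logging before it reaches any printf-family call. */
static int contains_format_directive(const char *s)
{
    return strchr(s, '%') != NULL;
}

int main(void)
{
    char out[64];
    const char *input = "100%%";  /* constructed sample input */

    vuln_render(out, sizeof out, input);
    printf("vulnerable: %s\n", out);   /* prints "100%"  */
    safe_render(out, sizeof out, input);
    printf("fixed:      %s\n", out);   /* prints "100%%" */
    printf("directive present: %d\n", contains_format_directive(input));
    return 0;
}
```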