Challenge info
Name: Equals
Category: Exploitation
Difficulty: Medium
Points: 100
Link: CyberHackathon


Description

We are given a binary and a remote instance to connect to: nc <machine_ip> 1337

Approach

Decompiling the binary in Ghidra immediately reveals a format string vulnerability.


The contents of local_78 are passed directly to printf as the format argument, with no fixed format string, so any conversion specifiers in our input are interpreted by printf. That is a classic format string vulnerability. To print stack values as readable text we use the %s specifier, which treats the selected argument as a pointer to a string. In this case the 13th argument slot held a pointer to the flag, so the payload %13$s printed it.
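As an added illustration (not code from the original write-up), here is the vulnerable pattern from the decompilation next to its hardened form, plus a small scanner that reports how many conversions and which positional slot (e.g. %13$s) an untrusted string would make printf consume. The function names and the sample payload are my own; local_78 is the write-up's name for the buffer.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Vulnerable shape reconstructed from the write-up: the user-controlled
 * buffer (local_78 in Ghidra) becomes the format string itself.
 * Shown only for contrast; compilers flag this with -Wformat-security. */
void vulnerable_echo(const char *user_input) {
    printf(user_input);
    putchar('\n');
}

/* Hardened form: the format string is a literal and the input is only
 * ever consumed as a %s argument, so "%13$s" is printed back verbatim.
 * Returns the number of characters that would have been written. */
int safe_echo(char *out, size_t outsz, const char *user_input) {
    return snprintf(out, outsz, "%s", user_input);
}

/* Counts format conversions in an untrusted string and reports the
 * highest positional index ("%13$s" -> 13) it would read. Handy as an
 * input-validation or log-side check for format string probing. */
int count_conversions(const char *s, int *max_positional) {
    int n = 0;
    *max_positional = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }   /* "%%" is a literal percent */
        n++;
        char *end;
        long idx = strtol(p + 1, &end, 10);    /* digits right after '%' */
        if (end != p + 1 && *end == '$' && idx > *max_positional)
            *max_positional = (int)idx;        /* "%N$" positional access */
    }
    return n;
}

int main(void) {
    char out[64];
    int maxpos;
    const char *payload = "%13$s";   /* constructed sample: the write-up's payload */
    safe_echo(out, sizeof out, payload);
    printf("hardened printf emits: %s\n", out);
    printf("conversions: %d, highest positional slot: %d\n",
           count_conversions(payload, &maxpos), maxpos);
    return 0;
}
```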


Flag: Flag{d393030523f14e81f97c2491c62dc8ada41e4a4a}