format string 0 (picoCTF 11)

Challenge Author: CHENG ZHANG

Difficulty: Easy

Description

Can you use your knowledge of format strings to make the customers happy?

Process / Notes

  1. In the source code file, I see that BUFFSIZE is 32 and FLAGSIZE is 64
  2. It looks like we’ll first be presented with a menu, then serving Patrick, then serving Sponge Bob
  3. With Patrick it looks like choosing the breakfast burger will result in the script returning that the item is unavailable
  4. If the item is greater than 2, maybe meaning the third option? No, it’s 2x the buffer size. Then we’ll go on to serving Sponge Bob; otherwise Patrick will still be hungry
  5. Neovim has syntax-highlighted the %114d in the second option - the Grilled Cheese. I think that indicates the program will detect the format specifier (like the %s littered everywhere seem to be format specifiers) and that will affect the buffer size, exceed it, and allow us to move on to working with Sponge Bob.
  6. It says Sponge Bob is super hungry and wants something that will “break the shop.” In the third option, there are three %s, which may get the string read three times, but it doesn’t seem large enough to exceed the buffer size
  7. The %to that’s in the “Pesto Portobello” option may indicate that it will go to some undefined end
  8. Before actually running things, I believe the answer will be to get Patrick the “Grilled Cheese” option that contains the %114d format string, which will allow us to work with Sponge Bob. I believe getting Sponge Bob the “Pesto Portobello” option that contains the %to will be the option that “breaks the shop” and then get us the flag. We’ll see in a moment!
  9. Use nc to start the challenge instance
  10. When entering the “Grilled Cheese” option, it displayed a huge number of blank spaces. This was likely due to the %114d. If the last challenge was about exceeding buffer size, and this is similar, then the huge amount of blank spaces would definitely exceed the buffer size of 32 (or the doubled size of 64)
  11. The Pesto Portobello option kicked me out of the challenge instance, so I think it’s the last option
  12. After reconnecting, I chose the option with three %s for Sponge Bob
  13. I’m not quite sure what that option did, but it returned the flag. Clearly there’s more to learn!

36 minutes 20 seconds to complete
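To make the “%114d expands past the buffer” observation from the notes concrete, here is a small C program I’ve added as an illustration; it is not the challenge’s source and the menu string it uses is a constructed stand-in modelled on the Grilled Cheese item, not the real one. It contrasts using untrusted text as the format string (the specifier is interpreted and snprintf reports it wanted 129 bytes, well past both 32 and 64) with passing the same text as data to a fixed "%s" format (the specifier is copied literally), and includes the check a defender would want: count the conversions in any text before it could ever reach a format argument.

```c
#include <stdio.h>
#include <string.h>

#define BUFSIZE 32   /* sizes the writeup read from the challenge source */
#define FLAGSIZE 64

/* Constructed stand-in for the menu text; not the challenge's actual string. */
#define GRILLED_CHEESE "Grilled Cheese %114d"

/* Counts '%' conversions in untrusted text, ignoring the literal "%%" escape.
 * Anything above zero means the text must never be used as a format string. */
int count_conversions(const char *s) {
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }   /* "%%" prints a single '%' */
        n++;
    }
    return n;
}

/* Unsafe pattern: the menu text IS the format string, so "%114d" is interpreted
 * and expands to 114 characters. snprintf truncates to fit buf but returns the
 * full length it wanted, which is how the overrun of BUFSIZE shows up. */
int render_as_format(char *buf, size_t len, const char *item) {
    return snprintf(buf, len, item, 0);   /* 0 is the argument consumed by %114d */
}

/* Safe pattern: the menu text is passed as DATA to a fixed "%s" format, so
 * "%114d" is copied literally and the output is exactly strlen(item). */
int render_as_data(char *buf, size_t len, const char *item) {
    return snprintf(buf, len, "%s", item);
}

int main(void) {
    char buf[BUFSIZE];
    int want;

    printf("conversions in \"%s\": %d\n", GRILLED_CHEESE, count_conversions(GRILLED_CHEESE));

    want = render_as_format(buf, sizeof buf, GRILLED_CHEESE);
    printf("as format: needed %d bytes, buffer holds %d, exceeds FLAGSIZE too: %s\n",
           want, BUFSIZE, want >= FLAGSIZE ? "yes" : "no");

    want = render_as_data(buf, sizeof buf, GRILLED_CHEESE);
    printf("as data:   needed %d bytes -> \"%s\"\n", want, buf);
    return 0;
}
```

The return value of snprintf is the detection hook: if it ever comes back larger than the destination, the input contained something that expanded, which is exactly the condition the notes describe for the Grilled Cheese option. The count_conversions check is the cheaper fix, since it rejects the text before any formatting happens; the real fix is never to use untrusted text as a format at all.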

Hints

  1. This is an introduction to format string vulnerabilities. Look up “format specifiers” if you have never seen them before
  2. Just try out the different options

Core Lessons

  1. Understanding buffer size in the source code and what each “success condition” was
  2. Understanding what format string specifiers do and how they behave