WACTF – Matt can see what you did to Francis, and raises you one (250)

At the WACTF event, I unfortunately didn’t get to complete this challenge within the time allowed. As I knew the author of the challenge, I asked if it would be alright if I could get the binary to try and knock this one off the list, as only 2 teams completed this one during the event.

Big thanks to Joel Tan (@joel_tja) for making this challenge and also giving me the binary so I could attempt this after the CTF had ended.

I had a brief play with this one at the event, and worked out that I’d need a format string vulnerability to obtain the flag. I ended up pursuing lower point & easier challenges to try and use my time better.

The description of the challenge can be found below.

To start with I tried a number of overflows seeing if I could crash the program. Then found that I could send a few different format strings and return what looked like sections of memory.

I ended up sending 9 “A”s and then “%p.” 10 times directly after and inspected the output.

[root:~]# python -c “print ‘A’ * 9 + ‘%p.’ * 10” | nc 4401

At the end of the returned string I could see the 9 x A’s I had injected. This left some memory to look at. Ignoring the A’s I copied the memory string into a python script and used pwntools to try and script out the password. The memory I was left with to look at was below. I ignored the bytes in brackets as they were nulls or a previously injected “A”






My script to obtain the password is shown below.

Running this gave me the output: 72uY58AZTnqzmMfz

I decided to try and use pwntools to attempt to learn how to do these CTF’s better. This was my first time attempting to use it so I’m sure there are a lot better ways to accomplish this.

Running this against the program, I could obtain the flag, WACTF{9411efc3b999efccf1210db392f46874} 🙂

Thanks again to Joel Tan for creating this challenge for WACTF and hooking me up with the binary so I could give it a shot!

Leave a comment