PicoCTF: format string 0

  • Cody
  • Dec 6, 2024
  • 2 min read

Challenge Name: format string 0

Category: Binary Exploitation

Difficulty: Easy

Description: Walkthrough and learning


Challenge: Exploit this burger place program with format strings exploitation.


The first thing I do is use Netcat to open a session with the "Pico 'n Patty!" burger place on port 58656. From reading the welcome message, we appear to have the ability to recommend the "Breakf@st_Burger", "Gr%114d_Cheese", and the "Bac0n_D3luxe". At first glance, besides being a burger joint for hackers, it appears to accept special characters. Could this be a command injection problem where user input is not validated?



The challenge asks, "can you use your knowledge of format strings to make the customers happy?" In the challenge tags, there is "format_string" as well.


Here is the provided source code of the program. If f is NULL, it says to print the flag. A null byte, maybe? I will need to research format string vulnerabilities.



Something I noticed after researching format string attacks on OWASP: below are some of the format parameters they list.

My initial idea of command execution appears to be on the right track. Looking at the food options, only one of the three original choices ("Breakf@st_Burger", "Gr%114d_Cheese", and "Bac0n_D3luxe") contains an embedded command.


Gr%114d_Cheese contains %114d, which is treated differently in the code.


My guess is that it references somewhere in memory when it receives that command, which triggers the next step. Choosing it moves you to the second part of the program, as Patrick is now happy. Now we must figure out how to make Sponge Bob happy. Returning to the earlier section of the code to learn about the conditions under which it prints the flag, we see the following. In particular, I'm paying attention to the %s %s.



Our next possible options to feed Sponge Bob are:

Pe%to_Portobello

$outhwest_Burger

Cla%sic_Che%s%steak


Cla%sic_Che%s%steak contains three occurrences of "%s", which tells the program to "read character strings from the process' memory" (see the OWASP list above).
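To make the two observations above concrete (the "%114d" in Gr%114d_Cheese and the three "%s" in Cla%sic_Che%s%steak), here is a small added example of my own, not code from the challenge. It scans each menu string for printf conversions the way a defensive input check would, and shows the hardened way to print user input: a constant format string with the input passed as an argument, so the directives are printed literally instead of being interpreted. The menu strings are the ones from the challenge; the function names are my own.

```c
#include <stdio.h>
#include <string.h>

/* Count printf conversion specifications in untrusted text. "%%" is a
 * literal percent sign and is not counted. Flags, field width, precision
 * and length modifiers are skipped, so "%114d" counts as one conversion
 * (an int padded to 114 columns) and "%s" as one (a string read through
 * whatever pointer happens to be in the next argument slot). */
int count_format_conversions(const char *s) {
    int n = 0;
    while ((s = strchr(s, '%')) != NULL) {
        s++;                                        /* char after '%' */
        if (*s == '%') { s++; continue; }           /* "%%" literal   */
        while (*s && strchr("-+ #0", *s)) s++;      /* flags          */
        while (*s >= '0' && *s <= '9') s++;         /* field width    */
        if (*s == '.') { s++; while (*s >= '0' && *s <= '9') s++; }
        while (*s && strchr("hlLqjzt", *s)) s++;    /* length mods    */
        if (*s && strchr("diouxXeEfFgGaAcspn", *s)) { n++; s++; }
        else if (!*s) break;                        /* input ended    */
    }
    return n;
}

static char g_out[128];   /* output buffer used by the stand-alone main */

/* Hardened rendering: the format string is a constant and the order is
 * an argument, so "%114d" or "%s" inside it is copied verbatim. The
 * vulnerable form this replaces is snprintf(out, outsz, order), where
 * the user's text itself becomes the format string.
 * Returns the number of characters written, excluding the terminator. */
int safe_render(char *out, size_t outsz, const char *order) {
    return snprintf(out, outsz, "Order: %s", order);
}

int main(void) {
    /* Menu strings as shown in the challenge */
    const char *menu[] = { "Breakf@st_Burger", "Gr%114d_Cheese",
                           "Bac0n_D3luxe", "Pe%to_Portobello",
                           "$outhwest_Burger", "Cla%sic_Che%s%steak" };
    for (size_t i = 0; i < sizeof menu / sizeof menu[0]; i++) {
        safe_render(g_out, sizeof g_out, menu[i]);
        printf("%-24s conversions=%d  -> %s\n", menu[i],
               count_format_conversions(menu[i]), g_out);
    }
    return 0;
}
```

Note that "Pe%to_Portobello" also counts as one conversion, because "t" is a valid length modifier and "o" a valid (octal) conversion, so a checker that only looks for "%s" and "%d" would miss it.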



This is what I'm seeing on the user interaction end when attempting to solve this puzzle from the Bash terminal.



The customers Patrick and Sponge Bob are both satisfied with their meals, and I am happy with the flag!


Thanks for reading!
