0

I'm doing a CTF exercise here:

https://c-wars.acnr.se/download/level2.tgz

There is a docker with the vulnerable service, which I need to found the value of a variable. I was able to do it by the following input:

== Login Service 1.0 ==
Username: %7$s
Password: a
Welcome: ACNR{_SERVICE_FLAG_}

My issue now is that the submission needs to call a function that is going to send this string by a socket, so I guess I need to escape it. I have tried %7$s, but didnt worked.

Submission format can be found at https://c-wars.acnr.se/download/MANUAL.pdf

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <stdint.h>
#include "gamelib.h"
uint32_t main(uint32_t argc, uint8_t ** argv)
{
svc_init();
svc_set(10000);
svc_writeln("gimme flag");
svc_readuntil('}');
return 0;
}
Improve this question
2
  • This depends on what actually svc_* functions do. If you can't use your own functions and must use the API, try using "%%7$s" as a string. A double percent string is printed as a single percent character, which would look like "%7$s" in this case. Commented May 16, 2020 at 8:39
  • How do you know you need to escape it? Commented May 22, 2020 at 0:21

1 Answer 1

Reset to default
0

The solution wasn't related to escaping.

Was required to read the buffer before sending the string.

Here is the full solution:

https://github.com/ramonmedeiros/c-wars/tree/master/level2

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.