Floor Mat Store

Format String Vulnerability

---

---

Solution

Given an ELF 64-bit file

with some protections

When looking at the program, it it pretty straight forward where the vulnerable is.

User need to choose a floor mat and then enter their shipping address. The Please enter your shipping address: is vulnerable to Format String Attack because it use printf() to display the shipping address at Your floor mat will be shipped to:. I spammed %p until i get the leaked memory. I notice that when we choose floor mat number 1-5, the memory leaked is just nothing. 😢

Need trial and error for the leaked memory for floor mat number 1-5

There is a hidden number which is 6, its memory leaked contains the flag.

So, put the hex in CyberChef and let it cook 👨‍🍳

Just play a little bit with the binary and word length byte

Btw, it is good challenge tho. At first, I didn't even notice the program accept the number 6 🤣

---

Flag

INTIGRITI{50_7h475_why_7h3y_w4rn_4b0u7_pr1n7f}