author | dusoleil <howcansocksbereal@gmail.com> | 2021-08-01 23:19:55 -0400
---|---|---
committer | dusoleil <howcansocksbereal@gmail.com> | 2021-08-01 23:19:55 -0400
commit | 247683ead3c714b5869b5fa2fb62c03dc2b00f0d (patch) |
tree | 60b7471c8b12206e1848ff1a3a92817bf61f8918 /docs/writeups/ImaginaryCTF_2021/formatting.txt |
parent | ef6e3a502bf8498a8f641eb3dad11d3065359bbb (diff) |
Writeups from Imaginary CTF 2021
Adding Dusoleil's writeups from Imaginary CTF 2021
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
Diffstat
-rw-r--r-- | docs/writeups/ImaginaryCTF_2021/formatting.txt | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/docs/writeups/ImaginaryCTF_2021/formatting.txt b/docs/writeups/ImaginaryCTF_2021/formatting.txt new file mode 100644 index 0000000..62efda4 --- /dev/null +++ b/docs/writeups/ImaginaryCTF_2021/formatting.txt @@ -0,0 +1,23 @@ +The Problem +----------- +given a hint about format strings + +a python script using the new python3 "function-like" format strings + +in particular, + + inp = input("> ") + inp.format(a=stonkgenerator()) + +this allows us to use "{}" in the inp string to substitute for arguments passed into format(). In this case, we only have a single, named argument we can substitute for ("{a}"). Any instance of "{a}" will be substituted with whatever a= in format(). + +Normally, you need some kind of object that is printable. In this case, they are instantiating a class "stonkgenerator" which has a __str__() conversion. The fact that an object is used here (and that we control the format string) is the exploitable bit. + + + +The Attack +---------- +When you use these types of format strings to get an object, you can actually reference properties of that object in the format string as well. For instance "{a.__str__()}" would actually work. Python is notoriously bad about data encapsulation, so we now have access to pretty much the whole program's memory. + +There is a variable "flag" at the top of the program which reads the flag in from some file. We want to print this out. It is as easy as +{a.__init__.__globals__[flag]} |
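Review bot: the sentence in The Attack section stating that "{a.__str__()}" would actually work is inaccurate and should be corrected. A str.format replacement field only supports attribute access ("{a.__str__}") and subscripting ("{a.__init__.__globals__[flag]}", where the bracket contents are taken as a literal key); there is no call syntax, so "__str__()" would be treated as an attribute name and raise an AttributeError. Suggest rewording to "{a.__str__}" so the text is consistent with the final payload, which relies only on attribute and subscript traversal into __globals__. It would also help readers to add one sentence on the mitigation for the pattern shown in the problem ("inp.format(a=stonkgenerator())" on user-controlled inp): keep the template a program constant and pass the untrusted string as an argument, e.g. "{}".format(inp), so user data can never become the format string.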