path: root/docs/writeups/ImaginaryCTF_2021/formatting.txt
author    Malfurious <m@lfurio.us>  2021-08-03 19:53:26 -0400
committer Malfurious <m@lfurio.us>  2021-08-03 19:53:26 -0400
commit    5970194d1303e16364ff1405f974c995de46203b (patch)
tree      d3f748eeb0112205bb7784bd353b22376ee827ae /docs/writeups/ImaginaryCTF_2021/formatting.txt
parent    ef6e3a502bf8498a8f641eb3dad11d3065359bbb (diff)
parent    aa9da0f6f27759f5f3201bafb0e52f41367f08ef (diff)
download  lib-des-gnux-5970194d1303e16364ff1405f974c995de46203b.tar.gz
          lib-des-gnux-5970194d1303e16364ff1405f974c995de46203b.zip
Merge tag 'pull-duso-imaginary-writeups' of https://github.com/Dusoleil/lib-des-gnux
Writeups and other tools/docs from ImaginaryCTF from Dusoleil.

* tag 'pull-duso-imaginary-writeups' of https://github.com/Dusoleil/lib-des-gnux:
  Adding Initial Commit of the Sploit Tool
  Adding Various Docs
  Adding Various Small Tools
  Git Ignore __pycache__ for All Tools
  Writeups from Imaginary CTF 2021
Diffstat (limited to 'docs/writeups/ImaginaryCTF_2021/formatting.txt')
-rw-r--r--  docs/writeups/ImaginaryCTF_2021/formatting.txt  23
1 files changed, 23 insertions, 0 deletions
diff --git a/docs/writeups/ImaginaryCTF_2021/formatting.txt b/docs/writeups/ImaginaryCTF_2021/formatting.txt
new file mode 100644
index 0000000..62efda4
--- /dev/null
+++ b/docs/writeups/ImaginaryCTF_2021/formatting.txt
@@ -0,0 +1,23 @@
+The Problem
+-----------
+given a hint about format strings
+
+a python script using the new python3 "function-like" format strings
+
+in particular,
+
+ inp = input("> ")
+ inp.format(a=stonkgenerator())
+
+this allows us to use "{}" in the inp string to substitute for arguments passed into format(). In this case, we only have a single, named argument we can substitute for ("{a}"). Any instance of "{a}" will be substituted with whatever a= in format().
+
+Normally, you need some kind of object that is printable. In this case, they are instantiating a class "stonkgenerator" which has a __str__() conversion. The fact that an object is used here (and that we control the format string) is the exploitable bit.
+
+
+
+The Attack
+----------
+When you use these types of format strings to get an object, you can actually reference properties of that object in the format string as well. For instance "{a.__str__()}" would actually work. Python is notoriously bad about data encapsulation, so we now have access to pretty much the whole program's memory.
+
+There is a variable "flag" at the top of the program which reads the flag in from some file. We want to print this out. It is as easy as
+{a.__init__.__globals__[flag]}
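Review bot: the line in "The Attack" stating that "{a.__str__()}" would actually work is inaccurate and should be corrected before this writeup is merged. Replacement fields in str.format() only support attribute access (".name") and indexing ("[key]"); they cannot call anything, so the parentheses are taken as part of the attribute name and the lookup fails with an AttributeError. "{a.__str__}" (no parentheses) is what resolves, and it is exactly this attribute-and-index-only traversal that the final line relies on: "__init__" is an attribute, "__globals__" is an attribute, and "[flag]" is a string index. Suggest rewording to: For instance "{a.__str__}" would actually work. The writeup would also benefit from one sentence on the root cause it demonstrates, which the "The Problem" section only hints at: calling inp.format(a=...) hands the attacker the template, and any object passed as an argument exposes its attribute graph. The fix on the program side is to keep the template under program control and pass user input only as an argument, e.g. "> {}".format(inp), or to pass plain strings rather than live objects into a format call; stating that makes the file useful as a reference beyond the CTF.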