Fall CTF 2024 Guide

Welcome to the Fall CTF 2024 Guide! Feel free to click around the categories as you solve challenges.

Hello Fall CTF Developers!!!!

A Primer on pwntools

Introduction

When developing exploits for various challenges, it might be beneficial to use scripts and automation to make your life easier. Especially when you want to deal with sending bytes and data that are not printable, or large numbers when dealing with cryptography.

Of course, one of the easiest scripting languages to use is Python. While you could manually set up connections, text piping, and the whole host of annoying debugging issues that come along with that, there's already a handy library to handle the plumbing for you.

pwntools is a Python library with lots of handy functions, classes, and scripts to help automate and streamline exploit development.

You can install pwntools through pip, Python's package manager:

pip3 install pwntools

python3 -m pip install pwntools

Mac/Linux pwntools installation help

If the above command does not work for you on MacOS or Linux, you may need some dependencies that are required to install pwntools. Specifically, pwntools expects you to have cmake and pkg-config. Try running:

brew install cmake
brew install pkg-config

sudo apt-get install cmake
sudo apt-get install pkg-config

Interacting with a process

pwntools uses the idea of "tubes" to handle data transfer/receive. You can make a connection with an actual network interface (like you would with netcat), or with a local process, and link standard in and standard out with pwntools.

Here's a few ways to make a connection:

from pwn import * # It's usually just better to import everything when using pwntools

# Start a process on your machine, locally
conn = process('./file')

# Start a process and simultaneously start gdb debugging it.
# You can provide an initial set of commands using the gdbscript parameter
conn2 = gdb.debug('./file', gdbscript="""
b main
continue
""")

# Pause a process running locally and attach gdb to it and start debugging
gdb.attach(conn)

# Connect to a server
port = 22
conn3 = remote('ip.or.domain', port)

With process, it just launches the file specified via the path. If you give it an array of strings, you can run a file with command line arguments, e.g. ['./file', '-t', 'data.txt']. You can also start a program locally with a debugger using gdb.debug() instead. You need to be using a terminal with support for paneling. So install and enter terminal multiplexer such as tmux before running a debugger with pwntools (Windows Terminal, oddly, supports this natively?). You can also attach gdb to an existing process with gdb.attach(). Finally, for communicating with networks (and in our case, challenge servers), you can use remote() to provide an ip/domain and port to connect to.

Once we have our connection, we can send or receive data from it. There are many functions to do this, but I'll show off a few:

from pwn import *
port = 9999
conn = remote('chal.sigpwny.com',port)

# Receive functions will return a bytestring of what it receives.

# Receive text until it encounters a new line character (e.g. \n)
line = conn.recvline()

# Receive text until it encounters the specified delimiter.
prompt = conn.recvuntil(b'>> ')

# Receive exactly n bytes.
resp = conn.recvn(8)

# Receive everything until End of File (EOF) is received from the pipe (i.e. they closed the connection)
everything = conn.recvall()

# Sends the string along with an new line ending
conn.sendline(b'my response\x05\x0f\xa0')

# Does NOT send a newline
conn.send(b'not a line yet')

# Does a recvuntil('delim') and sends the 2nd argument
conn.sendlineafter(b'>> ', b'1')

Note that strings in these functions are bytestrings b''. pwntools will warn you if you dont use bytestrings, and automatically convert to ASCII. That being said, this means its really easy to send non-printable characters over the wire using \x escape. It's also important to keep in mind that functions looking for a specific character (like a new line or delimiter), will block until it does. If your script is stuck, check to see whether or not you are actually getting the text you think you are. Running the script with the DEBUG argument will cause it to print a hex dump of any data it sends/receives: python3 exploit.py DEBUG

Note, pipes with processes and such are buffered. The OS maintains a 4kb buffer of any text received. If you call recvline(), and the program sent 3 lines in total, only the first line is retrieved, and the other 2 remain in the buffer. Keep this in mind when processing received data. If you want to retrieve anything that's in the buffer currently, recv() will empty it out.

Finally, if you want to regain control of the process input/output, simply call:

conn.interactive()

You'll want this to read the final printout of a program after running your exploit, or to use a shell, etc.

Using shellcode

For some of our challenges, you will need to use pwntools asm function. This requires a binutils installation for the architecture that our machines are running on, in this case, amd64. If you are on an M1/M2 mac, you'll need to run the following commands somewhere to generate assembly for our servers:

wget https://raw.githubusercontent.com/Gallopsled/pwntools-binutils/master/macos/binutils-amd64.rb
brew install binutils-amd64.rb

Misc

The miscellaneous category contains challenges not found in the other usual categories. Common types of challenges are jails and various programming/algorithm problems. Jails are programs that give the user some degree of control, with the goal to break out of the particular restrictions of the jail.

Pyjail

One common challenge format is the Python jail, or "pyjail" for short. These are Python programs that take input form the user and executes it directly as Python code in some form. Often times there will be restrictions on the Python code that is executed. See here for some ideas.

Other file formats

As a general tip, running the file command on challenge files can tell you a lot of useful information. One file format in many misc challenges is the .wav format, which stores audio data with pulse-code modulation. In this format, audio waveforms are sampled at discrete intervals and are stored as a series of integers.

Web

We have run two web meeting this semester:

Web 1, covering HTML, CSS, and Javascript
Web 2, covering SQLi and XSS

Website Structure

Websites use three main languages: HTML, CSS, and Javascript. HTML is the skeleton of the website, and organizes each of the different elements onto the user's screen. CSS is how you edit and develop the styles on a website. The most important and widely used language within the web is Javascript. Javascript allows you to dynamically change elements within your site, have something happen when a button is pressed, or make a requests to other computers.

Client-Server Model

When you click on a link within your browser, your computer makes a request to a server located at the address of the link you clicked. This request is then processed on the server's side, and the server sends back the webpage you want to load. This is the Client-Server Model. By manipulating processes within this model's process, you can access extra content on either the server or client side!

When content is sent between your computer and the server, it includes additional metadata called "Headers". Some of this data remains in your browser, either as cookies or local storage (technically more kinds).

Cookies are saved per website, and are sent in each request. They can be changed by Javascript or a request header.
Local Storage is saved per website, but are not sent in each request. They can be changed by Javascript in your browser.

Devtools

Developer tools is how you view additional website about an information. For our challenges, we reccommend you download Chrome or Firefox, and not use Safari.

To open devtools, hit Ctrl + Shift + C (windows) or Command + Shift + C (mac). Alternatively, right click and hit inspect.

Chrome Devtools is a suite of software developer information for web development. During challenges, you will be able to poke around different tabs. Here are some helpful tabs to lookout for:

Console (you can run your own javascript in this tab)

Pro Tip: You can use breakpoints within the console by clicking next to the line number. This can allow you to stop at certain lines before the run and check variables

Network

The network tab shows all information transmitted to/from your computer to the server (website).

Sources

The sources tab shows a listing of all files on the server that were requested.

Application

The application tab shows the saved cookies, local storage, and other information stored in your browser.

This is not an exhaustive list, but just a few useful tabs within Devtools.

Encodings you should know about:

base64 - Looks like this

url encoding - Looks like this

You can use CyberChef to decode.

SQL Injections

More in-depth explanations can be found in the Web 2 slides about SQL.

SQL, or Structured Query Language is a language for fetching information from a server.

For example,

SELECT netid, firstname FROM students WHERE lastname = "Tables"

Alt text

If code is written incorrectly, you can modify an SQL Statement as shown above.

More details on SQL: https://portswigger.net/web-security/sql-injection Resource on SQL Union Attack: https://portswigger.net/web-security/sql-injection/union-attacks

Command Injections

Command Injection lets you execute multiple linux commands at the same time. It is very similar to SQL Injection, except instead of changing a database query, you are changing commands executed in the command line.

For example, in your terminal, you are able to execute multiple commands using the ; ability

$> echo "command 1"; echo "command 2"
command 1
command 2

If you are able to "inject" something directly into the command you are executing, you can make it do additional things.

$> echo "YOUR INPUT"

If I had set YOUR INPUT to -HI"; ls ; "BYE-

then the command would look like

echo "-HI"; ls; "BYE-"

Some useful commands are:

ls - list files
cat x.txt - output the contents of the file x.txt

If you want more resources on learning the linux command line...

Review our Setup/Terminal Meeting Slides

Cross-Site Scripting (XSS)

Cross-Site Scripting is a vulnerability that allows an attacker to execute malicious scripts on a website. This can be used to steal cookies, redirect users to malicious websites, or deface the website.

I like to think of XSS as as another type of injection attack, but instead of injecting into a database or command line, you're injecting into the website's HTML.

For example, let's say you have a website that displays a user's name on the page. If the website includes the input directly into the HTML, you can put your own HTML code in the input and have it execute on the page.

<p>Welcome, <span id="username">USER INPUT</span></p>

If I had set USER INPUT to <script>alert("Hello!")</script>, then the website would display a popup saying "Hello!".

<p>Welcome, <span id="username"><script>alert("Hello!")</script></span></p>

More details on XSS: https://portswigger.net/web-security/cross-site-scripting

A useful resource for receiving requests is webhook.site. For example, if you need to extract some data from a website, you can have your XSS payload send a request to your webhook.site URL with the data you need.

Be careful when exfiltrating data to make sure the data on the page you are trying to extract is actually loaded. Also, make sure to go to edit and enable Add CORS Headers to allow the admin's browser to make requests to the site.

window.addEventListener('load', () => {
    // ... your code here
});

Reverse Engineering

Crypto

"never roll your own crypto"

Crypto concepts and terms

Wikipedia has relatively good resources and definitions on both encoding and cryptographic schemes, so any time you come across an unfamiliar encryption, I highly recommend checking them out.

Encoding: to convert something from one system of communication to another

[!IMPORTANT]
encoding is not intended to be secure against unauthorized access but rather to ensure data compatibility across different systems

Encryption: a process that transforms data (plaintext) into an unreadable format (ciphertext) using a key.
Cipher: an algorithm for performing encryption or decryption.
Ciphertext: The encrypted message (usually looks like gobbledegook)
Key: part of the input into a cryptographic function that modifies the function’s operations while creating ciphertext in such a way that you have to have the key to get the plaintext from a decryption function
Symmetric Cipher: The same key is used to encrypt and decrypt the message. For example, ROT13.
Asymmetric Cipher: Two distinct yet related keys (public and private) are used to encrypt and decrypt the message. For example, RSA.

Classical Ciphers

In the old old days of crypto (2000+ years ago! 😮) we had the Caesarean Cipher.

The Caesarian Shift cipher, or Caesar cipher is a substitution method that involves rotating an alphabet by key n and substituting the rotated letters for the plaintext letters

For instance, if n=4, then we have our original alphabet and shifted alphabet below:

ABCDEFGHIJKLMNOPQRSTUVWXYZ EFGHIJKLMNOPQRSTUVWXYZABCD

So A gets mapped to E, B -> F, and so on. A simple message like sigpwny becomes wmktarc

So if the shift is 4, how do we get back the plaintext?

Mod arithmetic primer

Modular arithmetic is arithmetic with remainders. We fix some modulus n throughout. Every time we add and multiply two numbers x and y, we will divide by n and keep the remainder. This is written as x + y (mod 26)

This info allows us to write a quick caesar encoding program:

message = 'sigpwny'
shift = 4
ciphertext = ''
for c in message:
  x = ord(c) - 97 #Get the integer code for each ASCII character in the message
  x = (x + shift) % 26 #shift to the right by 4 and mod 26
  ciphertext += chr(x + 97) #convert back to character and add it to the ciphertext
print(ciphertext) #prints 'wmktarc'

And similarly, decryption is

ciphertext = "wmktarc"
shift = 4
message = ''
for c in ciphertext:
  x = ord(c) - 97 
  x = (x - shift) % 26 #essentially "shift back"
  message += chr(x + 97)
print(message) #prints 'sigpwny'

Nowadays, you can see why this is very insecure. There are only 26 possible shifts, 0 through 25. So given some ciphertext that we know came from an English word, we can just bruteforce all possible shifts and just keep the one that looks like English. For example, you know that the flags must contain the word “sigpwny” at the start! This is why classical ciphers are no longer used. Because computer are really, really fast at bruteforcing small combinations, classical ciphers are essentially useless.

XOR and One-Time-Pads

One of the most basic modern cryptographic tools is the Exclusive-Or operation, also called XOR. In math it gets denoted by x ⊕ y, while in code we use x ^ y. If x and y are 2 bits (0 or 1), x ^ y is defined to be one if and only if one of x or y is 1, but not both. Another way to think about it is that the XOR returns 1 if the bits are different:

x	y	x^y
0	0	0
0	1	1
1	0	1
1	1	0

To apply this to whole messages m with some key k, we convert the message to a bunch of bits in some method and just do this bit by bit. So for instance, 0101 ^ 1110 = 1010

The relevant properties of the XOR operation is that:

(x ^ y) ^ z = x ^ (y ^ z)
x ^ x = 0
x ^ 0 = x
x ^ y = y ^ x
x ^ y = z ==> x = y ^ z

Modern Ciphers

Modular arithmetic is much more useful than what was previously advertised when talking about classical ciphers. A major theme of cryptography is the idea of a trapdoor: something that is easy to enter one way but hard to escape from the other way. Prime numbers give us this trapdoor. It is incredibly easy for us (or rather, our computers) to multiply two numbers, even if those numbers are 512 bits long or even 1024 bits long. However, factoring numbers into primes is computationally difficult. This trapdoor will be the basis of the RSA cryptosystem, named after Rivest, Shamir, and Adleman.

Interestingly enough, RSA is an assymetric encryption instead of a symmetric one. This means the sender of a message does not have to know the secret key to be able to successfully encrypt a message. The math almost magically seems to work out! The goal of challenges like this will be to try to identify some, or all, of the secret information to be able decrypt the flag.

The first step is that two large (and i mean large) primes p and q are chosen. Then, a value n = pq is computed. Everyone in the world is allowed to know this n, but p, q are kept secret. Furthermore, the world is given access to an exponent, e. For many reasons (most of which are unimportant for now), usually we select e = 2**(16) + 1 = 65537. Another secret value φ = (p-1)(q-1) is completed, and d such that ed == 1 mod φ. In python, you can easily calculate this with d = pow(e, -1, φ). Afterwards, the ciphertext c can be computed with our public information: $$c = m^e \mod n$$ And decryption is done with d, so $$m = c^d \mod n$$ So in short, the secrets are d, p, q and the publically released values are n, e.

Using PyCryptodome, it is possible to convert text data into large integers, which are used for RSA. Since d is kept secret, and p, q, n are sufficiently large enough, it would in theory be too hard to factor p, q.

But if the values were safely chosen, this wouldn't be a CTF now would it?

General Advice

Every challenge author has their own way of converting between messages and numbers and bytes and other data formats. Read the source code and make sure you know how these are being done and what objects you are working with. Whatever they are doing to convert the flag into workable data, doing the reverse of that should be part of your decryption.
Get out scratch paper. A lot of crypto relies on math. Math is not a spectator sport. You will need to get your hands dirty, and perhaps use a python interpreter to test your math.
Google: A huge number of ctf challenges including the hardest ones will make use of an obscure idea or encryption scheme that has been shown to be vulnerable before. Google is your best friend for this.

Tools of the Trade

SageMath: An open source math software system that has many tools to help solve mathematically complex problems. These include methods of breaking encryption schemes.

CyberChef: For Text manipulation, processing, ciphers, encoding, and even basic cracking

FeatherDuster: For Cipher identification, this is your "Crypto Recon" tool.

dCode: Has a lot of readily available encryption/decryption solutions

A Guide to OSINT

Introduction

OSINT, short for Open Source Intelligence, focuses on gathering and analyzing publicly available information from various online sources. This information may range from personal identifiable information (PII) to social media profiles, public records, or even metadata. While OSINT can be a powerful tool, it is important to approach it with caution to ensure that ethical boundaries and privacy laws are respected.

This guide explores various OSINT tools, techniques, and methodologies that will assist you in solving Fall CTF OSINT challenges.

Types of Data Sources

Information gathered from OSINT can be found in the form of online and offline sources. Online sources refer to publicly accessible information through the internet. Examples include social media, blogs, public web pages, forums, etc. Offline sources refer to data that may not be directly accessible online (ex: downloaded files).

OSINT Techniques

1. Context Clues in Photos

Photos can reveal critical information if you know where to look. By analyzing clues such as signs, geographical features, architecture, etc., you can determine the location of the photo or gain context about a person/event. For example, kanji characters on a sign may indicate Japan. Unique architecture/objects and street signs can also point you in the right direction.

2. Using Social Media

Social media is a treasure trove of information. Individuals often share an abundance of personal information, including their location, photos, and connections to other people. Some starting points:

Cross-platform investigation: Individuals who are often active on one platform can be found another (ex: Instagram and X). In particular, Sherlock is a popular tool for finding social media platforms that a particular username is on.
Tags: A user might inadvertently disclose their location or interesting information through the use of hashtags.
Interactions: Interactions can include comments, likes, etc. Keep an eye out for any interactions, especially ones that may look out of place.

3. Utilizing Search Engines

Search engines are incredibly important in OSINT. They enable you to search for websites, keywords, and even specific file types. Optimizing your search engine input will allow you to refine your results and find what you are looking for substantially quicker. Starting points include:

Keyword Search: Using relevant keywords or specific quotes can help locate information more precisely. You can also combine keywords with Boolean operators such as "AND", "OR", and "NOT".
Site-Specific Search: If you know the site you are interested in finding information on, you can use the site operator.

Example: site:github.com "Username"
Image Search: You can upload an image to image search engines to see if an image has been posted online before (ex: TinEye, Google Lens).

4. Metadata and File Analysis

Metadata refers to the hidden information embedded within files, such as images, documents, and videos. Metadata can provide insights about a file that are not immediately obvious, making it valuable in OSINT.

Metadata can reveal:

File Name
File Type
Camera Information (for images)
Date and Time of file creation
GPS Location
Author of file
And more!

In the context of images, a specific type of metadata known as term EXIF (Exchangeable Image Format) is often included. EXIF data can reveal information about the camera/smartphone used to capture the image, the alias of the author, GPS coordinates, and more.

There are tools online that can be used to read this data and edit it. ExifTool is a commonly used, powerful command-line application for reading, writing, and extracting metadata information.

5. Geolocation Services

Geolocation is the process of determining the physical location of an object. In Fall CTF, the object will typically be a photograph. This can be very tricky, so it is helpful to combine different techniques in order to verify your findings and reduce false positives.

Common techniques used in geolocation include:

Image analysis: Identify landmarks, street signs, or other recognizable features in the image.
Satellite and map data: Make use of maps (ex: Google Maps) and satellite imagery to match locations. Overpass Turbo is a tool that queries OpenStreetMap (OSM) data, allowing you to search for specific types of geographical data (ex: road signs, buildings) and visualize them on the map.

For example, the following Overpass Turbo query will retrieve nodes (points) in OSM that are tagged as drinking water locations:
```
node
    [amenity=drinking_water]
    ({{bbox}});
out;
```
There are many different queries you can construct! Play around with the "Load" and "Query Wizard" features on the OverPass Turbo website.

6. Web Archive/History

The internet is constantly evolving, with websites and users frequently updating the content they display. For example, content may not always be displayed on the main page of a website. Therefore, it may be helpful to check if the "Archive" page (if it exists) of a website contains anything of interest.

Additionally, examples of commonly used web archiving tools that allow you to examine snapshots of a website include Wayback Machine and archive.today.

General Advice

OSINT requires patience, precision and creativity. Remember that even minor details can hold importance - pay attention to these clues so you can piece together the bigger picture. Experiment with different tools (metadata extraction, social media platforms, search engine filters) for different tasks so you can uncover new insights. Good luck!

Binary Exploitation (pwn)

Introduction

When we run a program, we expect it to take input data, whether it be through files, user input, or internet connections, and produce meaningful output. The underlying code of the program handles all the logic and control flow within the program. However, either from quirks of the language used, or oversights from the programmer themselves, it's possible to introduce bugs that allow end users of a program to take control of the program in unintended ways.

This is the core goal of binary exploitation: Take a binary executable, provide it with input data to take control of the control flow or corrupt internal structures, and have it do something unintended (and usually unsafe). Executables often interact with files on the host computer, or run other programs (through functions like system or exec). If a user only has an exposed text interface over the network of a running program, it is intended that they are only ever interacting with the program as written. If they provide malicious input causes the program to read secure files, or open a shell session on the host machine, it suddenly becomes a major security vulnerability for the host machine.

Fall CTF

We have provided a series of challenges designed to explore and teach the fundamentals of how program handle data and control flow, and how unsafe programming practices allow a user to take control of these programs without having access to the host machine, yet able to access the host's filesystem and programs.

Pwn is hard. To begin, you need to be fairly comfortable with programming (or at least understanding code) in a lower level language (like C or C++). This post will attempt to explain underlying structures when running a program, but if you still feel stuck, feel free to ask for help from sigpwny members, or googling around about C functions and syntax. man pages are your friend. We want you to engage with these challenge as much as possible, so there are several hints and annotations within the code to help you get started.

As you read this guide, try each of the challenges. We give the executables and Makefiles for you to run, build, and debug locally. You can build with just make. If you get stuck, or unsure how to proceed in any challenge, return here and read each of the following sections carefully. Relevant sections will mention challenges that should be solvable after reading said section, although some additional googling/debugging/trial and error will be necessary.

What is a Stack?

The stack is how programs manage memory per function call. Whenever you define a variable within a function, it's stored on the stack:

int square(int x){
    int result = x*x;
    return result;
}
int main(){
    return square(7);
}

Calling square will store three things on the stack:

The return pointer
The base pointer
The result variable

When square returns, it will pop everything off the stack. This is why you often hear the stack as automatic memory management. We will discuss what base and return pointers are in the next section. For right now, understand that a call to a function stores some bookkeeping for control flow, then all the user defined variables.

`gets`

gets is a function that requests user input, and saves it to a character buffer. Here's an example:

int main(){
    int result = 15
    char buf[8];
    gets(buf);
    return result;
}

gets has a massive security flaw, it does not restrict the number of bytes read. gets doesn't return until you send a terminating character (e.g. newline), thus it'll read over any predefined buffer that you make. Consider the structure of the stack:

If we read more than 8 bytes (characters), what would happen to result? What about the saved base or return pointers?

We can set the value of these via a Buffer Overflow. If we read more than we have stack storage for, then we'll just continue reading into other saved values. When those saved values get referenced, they'll have values that we control.

Fall CTF

Try to solve Bug Bounty 1 and 2. If you get stuck on Bug Bounty 3, continue on.

How do Functions Return?

We're going to scope down a bit, and look at a bit of assembly for a function:

// function code omitted...
leave
ret

This is what the end of a function will look like in assembly. Regardless of whether you are returning a value or not, most functions will terminate with leave then ret. Your processor stores two pointers to the stack in registers. These registers are called rbp and rsp. Normally, they point to the most recent saved Base Pointer, and the top of the Stack.

leave will set rsp to the current value of rbp, which will effectively pop all values off of the stack except for the saved base pointer and saved return pointer. Then, it will pop the saved base pointer into rbp. Now, rsp points to the saved return address.

Our processor has a pointer to program memory of the instruction it is currently executing. This pointer is stored in a register called rip (instruction pointer). Return addresses point to where in the program memory we should jump back to after calling a function. Normally, we calculate this return address right after our function call, then push it to the stack as the signal for a new function stack frame.

When we call ret, we pop the return address off of the stack, and set the instruction pointer (rip) to the return address.

But again, we store the return address on the stack. This means if we have a buffer overflow, can we control where our program returns to?

You can view in gdb or a disassembler the location programs store functions. If you dont want to use such tools, objdump -d challenge will also print out the dissassembly of all the functions, and their hex locations.

Fall CTF

Attempt to Bug Bounty 3. Once you do, you can read the next section to have the necessary knowledge for Bug Bounty 4 and 5.

How do Programs Read and Execute Code?

We mentioned before that the processor maintains a position in program memory of the current instruction it is executing. This pointer is again stored in the instruction pointer register: rip. Now, assembly just assembles into bytes. It's just a very simple abstraction layer over actual bytes that the processor reads as machine codes. This means, that the series of bytes c9c3, if read as code, would be the same as leave; ret.

This means that code, is just data. If we choose our data carefully, we can have our processor run meaningful code.

Fall CTF

In Bug Bounty 4, the stack is executable. What happens when we place code on the stack, and we know the address of the stack?

It might be helpful to google shellcode and shellcode exploits. Additionally, look into the asm() function in pwntools.

Format Vulnerability

printf is a very useful function for printing relevant text, as well as values within our program. If you call printf("hello"), we can expect our program to output "hello". However, we can print values from our program using Format Specifiers. If we include "%d" in our string, we can specify an integer value and print it out as a string:

int x = 15;
printf("%d", x);

Now, our program prints "15". However, in C functions have a fixed number of arguments, right? Well, printf is a variadic function. We can have as many arguments as we need. So if we use %d 3 times, we can place 3 arguments and print all three.

char* buf = "%p%p%p";
printf(buf,ptr1,ptr2,ptr3);

If we directly place a buffer into printf, format specifiers will be handled. The %p specifier will print a number in a pointer format (e.g. 0xcafecafe).

This is extremely unsafe, because if the code doesn't have additional arguments, printf will just look through the stack for all the arguments it needs. If we don't have a stack leak, we could find one by printing values off of the stack until we find a base pointer, and calculate where we need to return to.

One last thing, if we need to use "really far arguments", we can specify positional arguments:

// Prints int4.
printf("%4d",int1,int2,int3,int4,int5)

Fall CTF

Try Bug Bounty 5 to leak the stack and run shellcode.

Everything is C

With FFI to Win, it might feel very similar to earlier Bug Bounty challenges, but on the web! Be on the lookout anywhere you think a service, website, or program might be able to give you access on the host machine.