📓
okman-writeups
  • okman's favourite challenge writeups
  • PWN challenges
    • ALLES!CTF - Jumpy
    • AngstromCTF - A Happy Family (pwn part) TODO
    • AngstromCTF - LIBrary in C TODO
    • HTB - ropmev2 TODO
    • HTB - Format TODO
    • HTB - Old Bridge TODO
    • HTB - No Return TODO
    • HTB - Dream Diary 1 TODO
    • HTB - Hunting TODO
    • HTB - What does the f say? TODO
    • HTB Uni CTF - Robot Factory TODO
    • HTB Uni CTF - Steam Driver TODO
    • PicoCTF - Messy Malloc TODO
    • PicoCTF - Kit Engine TODO
    • PicoCTF - Download Horsepower TODO
    • Zh3r0 CTF - x32x64 TODO
  • Reversing challenges
    • AngstromCTF - Califrobnication
    • AngstromCTF - Masochistic Sudoku TODO
    • AngstromCTF - A Happy Family (reversing part) TODO
    • RedpwnCTF - Chezzboard TODO
    • RACTF - Medea TODO
  • Web challenges
    • ALLES!CTF - Amazing Crypto WAF TODO
    • PwnEd - Cheesecake Complaints TODO
  • Crypto challenges
  • Miscellaneous challenges
    • RedpwnCTF - Albatross
  • HTB machines
    • Compromised TODO
Powered by GitBook
On this page

Was this helpful?

  1. PWN challenges

AngstromCTF - LIBrary in C TODO

PreviousAngstromCTF - A Happy Family (pwn part) TODONextHTB - ropmev2 TODO

Last updated 3 years ago

Was this helpful?

After making that trainwreck of a criminal database site, clam decided to move on and make ... but written in C ... and without any actual functionality. What a fun guy. I managed to get the and a copy of from him as well.

Find it on the shell server at /problems/2020/library_in_c, or over tcp at nc shell.actf.co 20201.

We're given the file library_in_c.c,

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

int main() {
	setvbuf(stdout, NULL, _IONBF, 0);

	gid_t gid = getegid();
	setresgid(gid, gid, gid);

	char name[64];
	char book[64];

	puts("Welcome to the LIBrary in C!");
	puts("What is your name?");
	fgets(name, 64, stdin);
	// printf works just like System.out.print in Java right?
	printf("Why hello there ");
	printf(name);
	puts("And what book would you like to check out?");
	fgets(book, 64, stdin);
	printf("Your cart:\n - ");
	printf(book);
	puts("\nThat's great and all but uh...");
	puts("It turns out this library doesn't actually exist so you'll never get your book.");
	puts("Have a nice day!");
}

and a copy of the version of libc running on the server.

As the comment hints, the vulnerability is the insecure use of printf - this is a classic format string vulnerability.

TODO: the rest, ya know\

a library book manager
source
libc