AngstromCTF - LIBrary in C TODO

After making that trainwreck of a criminal database site, clam decided to move on and make a library book manager ... but written in C ... and without any actual functionality. What a fun guy. I managed to get the source and a copy of libc from him as well.
Find it on the shell server at /problems/2020/library_in_c, or over tcp at nc shell.actf.co 20201.

We're given the file library_in_c.c,

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

int main() {
	setvbuf(stdout, NULL, _IONBF, 0);

	gid_t gid = getegid();
	setresgid(gid, gid, gid);

	char name[64];
	char book[64];

	puts("Welcome to the LIBrary in C!");
	puts("What is your name?");
	fgets(name, 64, stdin);
	// printf works just like System.out.print in Java right?
	printf("Why hello there ");
	printf(name);
	puts("And what book would you like to check out?");
	fgets(book, 64, stdin);
	printf("Your cart:\n - ");
	printf(book);
	puts("\nThat's great and all but uh...");
	puts("It turns out this library doesn't actually exist so you'll never get your book.");
	puts("Have a nice day!");
}

and a copy of the version of libc running on the server.

As the comment hints, the vulnerability is the insecure use of printf - this is a classic format string vulnerability.

TODO: the rest, ya know\

PreviousAngstromCTF - A Happy Family (pwn part) TODO NextHTB - ropmev2 TODO

Last updated 4 years ago