Very similar to warmup1, but with canary and ASLR all enabled. However, it provides two printf calls, which can be used to leak the canary and base addresses.
First, leak the canary and a stack address, then repeat the function by overwriting the first byte of the return address (actually we can repeat this an arbitrary number of times to get everything we want). Then construct a ROP chain to leak a libc address, and finally attack using the one-gadget.
The program takes in the user input and then printfs it out. A classic format string challenge. However, I got stuck at rerunning the printf function to overwrite the return address. I thought of overwriting the chain pointers to get control, but failed because one printf does not allow overwriting two places (the return address and a pointer).
After looking at the WP in the reference section, they said all the secrets lie in the source code.
The source code tells us that when it encounters the position character, $, it stores the values of the positions into an internal buffer called args_value. So when doing the overwrite with %n, the value fetched is the initial value instead of the changed one. To get around this, we need to construct the payload without the $ character. Instead, we can use %c or %p to get to the right position on the stack.
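To make the args_value behaviour concrete, here is an added model (not code from the writeup or the challenge) of how glibc treats positional `$` conversions versus sequential ones, run over a constructed list that stands in for stack words. The function name `simulate_printf`, the `%c`/`%p`/`%n` subset and the sample stack are assumptions of mine.

```python
import re

# One token is either literal text or a conversion with optional N$ position,
# optional width, and a type restricted to c, p or n for this model.
TOKEN = re.compile(r'%(?:(?P<pos>\d+)\$)?(?P<width>\d*)(?P<conv>[cpn])|(?P<lit>[^%]+)')


def simulate_printf(fmt, stack):
    """Model of glibc vfprintf for a tiny subset of conversions.

    `stack` is a constructed list of ints standing in for the words printf would
    read as its variadic arguments. A %n argument is treated as an index into the
    list (a pointer), and the character count is stored there, so the list also
    models writable memory. Returns (output, memory_after).
    """
    mem = list(stack)
    tokens = list(TOKEN.finditer(fmt))
    positional = any(t.group('pos') for t in tokens)
    if positional:
        # glibc: with any N$ present, every argument value is collected once into
        # args_value before any conversion runs; later %n writes never refresh it.
        nargs = max(int(t.group('pos')) for t in tokens if t.group('pos'))
        cached = mem[:nargs]
    out = []
    next_arg = 0
    for t in tokens:
        if t.group('lit'):
            out.append(t.group('lit'))
            continue
        if positional:
            if not t.group('pos'):
                raise ValueError("glibc does not allow mixing N$ and sequential conversions")
            value = cached[int(t.group('pos')) - 1]
        else:
            value = mem[next_arg]  # fetched lazily, so it sees earlier %n writes
            next_arg += 1
        width = int(t.group('width') or 0)
        conv = t.group('conv')
        if conv == 'c':
            out.append(chr(value & 0xff).rjust(max(width, 1)))
        elif conv == 'p':
            out.append(hex(value).rjust(width))
        else:  # %n: store characters written so far through the "pointer"
            mem[value] = len(''.join(out))
    return ''.join(out), mem


def demo():
    # Constructed stack: word0 is a char, word1 points at slot 2, slot 2 points at slot 5.
    stack = [65, 2, 5, 0, 0, 0, 0]
    _, sequential = simulate_printf("%3c%n%n", stack)        # second %n follows the updated slot 2
    _, positional = simulate_printf("%1$3c%2$n%3$n", stack)  # second %n uses the cached value 5
    return sequential, positional
```

With sequential conversions the second `%n` lands in slot 3 (the value just written), while the positional form still writes to slot 5, which is exactly why the payload has to avoid `$`.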
That's all the information we can get; however, we still can't know the stack address to do the overwrite. That's where brute force comes in (but typically CTFs do not have brute-force challenges, to avoid DDoSing the platform).