Official Format Discussion

Official discussion thread for Format. Please do not post any spoilers or big hints.

Any nudges for this one? I have figured out a method to write to memory addresses in the stack but can’t really figure out where/how to get to the flag.

Anyone know if it's possible to write less than 2 bytes / 4 digits?
%hn seems to be the smallest

I could use a nudge too. I've an idea but fail at writing anything

Hi guys. I think I'm missing something in this challenge. I can leak anything in the binary and can write anything anywhere, but I can't find a solution to manipulate/stop the infinite loop.

ROP failed due to the infinite loop.
GOT rewrite failed too due to Full RELRO.

I have leaked the PIE, the canary and the libc base address.
This binary seems to be easy …

Can someone help me?

Thanks in advance

Feel free to dm me for any doubts.

Done and dusted! Thx @ollypwn for the fun challenge.

If anyone is interested in exchanging and discussing solutions, please feel free to PM me.

Hello, I managed to “solve the challenge locally”, but when I try to connect to the server it raises an error about a file:
“/home/ctf/run_challenge.sh: line 3: 28 Segmentation fault ./format”

I don’t really believe this is due to my script, has someone experienced the same issue?

I have a payload that makes the binary generate a reverse shell that works on the one I downloaded, but it doesn't work against the remote.
Anyone able to help?

@AlexZander said:

> Feel free to dm me for any doubts.

Please contact me on Discord for a quicker response: Alex Zander#0764 :)

This challenge already took 5 evenings of my life. :) I have it successfully working pretty much every time, like other people, but it fails to spawn a shell remotely. Could anyone who successfully solved it send an MD5 of the libc used? I suspect that the one I figured out is just wrong - I checked all matching versions I found on https://libc.rip/ and still all I get are segfaults.

Maybe a bit late. ROP is possible in this challenge, you just have to be creative :D

Spam it. The intended way may not be very reliable.