# American Literature

## Problem

Writing essays is so much fun! Watch me write all these totally meaningful words about other words... Actually, wait. You shouldn't be reading my essays. Shoo!

## Solution

We are given the following source code:

```c
int length;
char essay[50];

setbuf(stdout, NULL);
setbuf(stdin, NULL);
setbuf(stderr, NULL);

...

FILE *fp = fopen("flag.txt", "r");
char example_essay[100];

...
	
fgets(example_essay, sizeof(example_essay), fp);

...
	
fgets(essay, sizeof(essay), stdin);
essay[strcspn(essay, "\n")] = 0;
length = strlen(essay);

...
	
printf(essay);

...
```

This is a typical format string vulnerability, where the user input is passed into `printf()` as a format string. Hence, we can use `%<position>$llx` to view the stack values.

Since the `example_essay` buffer also resides on the stack, we can leak the flag.

![](https://3167364547-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MX1bWRlBzHpEPe1TYDD%2Fuploads%2Fgit-blob-9c1d71a34deb8a8a0a9e2a106e1efff657f570b9%2Fac6d732964e842cfb91e27cdb720e2b3.png?alt=media)

Then, convert the little endian to big endian to obtain the flag.

![](https://3167364547-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MX1bWRlBzHpEPe1TYDD%2Fuploads%2Fgit-blob-6c821fad1d79bdaee383faa99f889de96101a7e6%2Fce8891bbc381450ebeedcbd2b8b0a0a4.png?alt=media)