# Stonks (20)

## Problem

I decided to try something noone else has before. I made a bot to automatically trade stonks for me using AI and machine learning. I wouldn't believe you if you told me it's unsecure! [vuln.c](https://mercury.picoctf.net/static/fdf270d959fa5231e180e2bd11421d0c/vuln.c) `nc mercury.picoctf.net 16439`

## Solution

This is a format string vulnerability.

Note that the `user_buf` is printed directly without any format specifier.

```c
    char *user_buf = malloc(300 + 1);
    printf("What is your API token?\n");
    scanf("%300s", user_buf);
    printf("Buying stonks with token:\n");
    printf(user_buf);
```

We will send a series of `%llx` strings, which stands for long long hex values. This will print the stack values:

![](/files/-MX2mdudSzH5nODQqHmi)

We can then look for what may be strings. Taking into consideration the range of ASCII values that correspond to alphabets, this portion looks interesting:

`7b4654436f636970|345f7435306c5f49|306d5f796d5f6c6c|626337635f79336e`

It is in little endian, so we would need to convert it to big endian first. We have:

`7069636F4354467B495F6C3035745F346C6C5F6D795F6D306E33795F63376362`

which when converted, gives us the following string:

`picoCTF{I_l05t_4ll_my_m0n3y_c7cb`

We are missing part of the flag, and that is due to the next element in the stack, `ffa8007d65616336`, which is `366361657D00A8FF` in big endian. Note the `\x00` byte - that is the string terminator. The remaining part of the flag is `6cae}`.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://ctf.zeyu2001.com/2021/picoctf/stonks-20.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.