vgpass

Problem

A simple buffer over-read on an echo server. The flag may contain Unicode characters.

Solution

The problem description suggests a buffer over-read. The source code shows that cache can be filled with MB_CUR_MAX non-zero bytes, which leaves it without a terminating zero byte, so printf("%s\n", cache); (line 33) keeps reading and prints flag as well.

cache is populated using fgetwc (man 3 fgetwc), which reads a wide character according to the current locale (set using the LC_ALL environment variable and read at line 19). If any character wider than MB_CUR_MAX (set to the locale of the compiler) is sent, e.g. 厸 (e5 8e b8 in UTF-8 and 8f b4 d4 in EUC-JP, the locale of the container), then the flag is printed.

$ docker-compose up
$ echo '厸' | iconv -f utf-8 -t euc-jp | nc localhost 5000
Welcome!
���CTF{flag}
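
The over-read described above, reduced to a stand-alone sketch with the unbounded print beside a bounded one. This is an added example, not the challenge's source: the struct layout, CACHE_SIZE, the function names and the placeholder flag are assumptions, with flag placed directly after cache so the adjacency is explicit.

```c
#include <stdio.h>
#include <string.h>

#define CACHE_SIZE 3 /* assumed: room for one 3-byte character, none for '\0' */

/* Assumed layout: flag directly follows cache in memory. */
struct state {
    char cache[CACHE_SIZE];
    char flag[16];
};

/* Copy one encoded character into cache, zero-padding short ones. */
static void fill_cache(struct state *s, const char *mb, size_t n) {
    memset(s->cache, 0, sizeof s->cache);
    memcpy(s->cache, mb, n < sizeof s->cache ? n : sizeof s->cache);
}

/* Before: "%s" reads from the start of cache until the first zero byte. */
static int echo_unbounded(const struct state *s, char *out, size_t outsz) {
    return snprintf(out, outsz, "%s", (const char *)s);
}

/* After: the precision caps the read at sizeof cache. */
static int echo_bounded(const struct state *s, char *out, size_t outsz) {
    return snprintf(out, outsz, "%.*s", (int)sizeof s->cache, s->cache);
}

int main(void) {
    struct state s = { .flag = "CTF{flag}" };   /* placeholder flag */
    char out[64];

    fill_cache(&s, "a", 1);                     /* 1 byte: terminator survives */
    printf("short, unbounded: %d bytes\n", echo_unbounded(&s, out, sizeof out));

    fill_cache(&s, "\x8f\xb4\xd4", 3);          /* EUC-JP bytes from the text */
    printf("full,  unbounded: %d bytes\n", echo_unbounded(&s, out, sizeof out));
    printf("full,  bounded:   %d bytes\n", echo_bounded(&s, out, sizeof out));
    return 0;
}
```

Sizing the buffer with one extra byte for the terminator fixes the same defect; the precision form is shown because it leaves the buffer size unchanged.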