Bug and Primitive

• The program never bounds-checks the index used for nums. Printing with %s treats the indexed address as a pointer to a C-string, enabling an info leak.
• We computed the offset between nums and flag in the binary: flag is at 0x40a0 and nums at 0x4060. Difference is 0x40 bytes → 0x40 / 8 = 8 slots. So index = 8 targets flag.

Exploit Plan

1. Choose 1337 to load the flag from flag.txt into the global flag buffer.
2. Choose 2 (Read data), then enter 8 to leak flag via %s.

Running Locally (via Docker)

Remote Exploit

We added remote support to index/exploit.py (pwntools). It connects and sends the sequence:

Output:

Takeaways

• The intended trick is the hidden loader (1337) plus an OOB %s read to leak the in-memory flag buffer.

🏴Flag

scriptCTF{4rr4y_00B_unl0ck3d_e5cd99f4800b}