b01lers22.md
### WEB2.0

glibc 2.33 pain - which means I gotta use the ld trick again (run the binary through the shipped `ld-linux-x86-64.so.2` with `--library-path`, like the script further down does). But now how do I debug it, since I can't launch the server through ld and expect IDA to use that to load the program?

Turns out I can run the program normally and attach to it (or point IDA's process options at ld), then manually rebase the program in IDA, since the runtime base won't match the one the database was loaded at: right click the module in the Modules window, pick jump to module base, note the base addr, then `edit -> segments -> rebase program` and set it to that, with fix code unchecked (idk if that actually helps keep the code from screwing up, but ye). After that breakpoints and stuff should work normally.

While I was reversing the get_input function, [@Angus](https://maplebacon.org/authors/alueft/) found out that if you hit `localhost:7878/crawl` it doesn't reject it and instead shows `correct the flag "" is valid`.

I was just about to figure out how retstr is made, and it seemed like there's sth related to arrays, so I tested `/crawl/a/b/c/`. But before that I had also tested out what robert said, where any char would also return 200 OK, so I was entering `/a`s, and I actually got `sorry but flag "aaa" is not valid` instead. So I was like wait, is my theory correct? But then it says `aaa` where I only inputted a single a. Then I remembered I had entered a 3 times before that as standalone curl reqs, so I tried

```sh
$ curl "localhost:7878/a"
$ curl "localhost:7878/b"
$ curl "localhost:7878/c"
$ curl "localhost:7878/crawl"
```

and it actually returned

```
Welcome to the b01lers flag verification service!
Sorry abc is not a valid flag.
Error: InvalidKeyError
```

eyo? So that's how we input stuff: the server keeps the chars from earlier requests around, and `/crawl` validates whatever has been accumulated so far.

Then I thought, since the empty string is correct, what if it actually checks char by char? So I tried entering b then crawl to validate, and indeed it works, so I wrote a script for it:

```py
import requests
from pwn import *

context.log_level = 'CRITICAL'

# run the server through the shipped glibc 2.33 loader (the ld trick)
LD = './lib/x86_64-linux-gnu/ld-linux-x86-64.so.2'
LIBDIR = './lib/x86_64-linux-gnu/'
URL = 'http://localhost:7878/'


def start():
    p = process([LD, '--library-path', LIBDIR, './WEB2.0'])
    p.recvuntil(b'Welcome')
    return p


flag = 'bctf{'
p = start()
while not flag.endswith('}'):
    for bc in '0123456789abcdefghijklmnopqrstuvwxyz{}_':
        # the server keeps one char per request, so replay the known
        # prefix, add the candidate, then ask for the verdict
        for fc in flag:
            requests.get(URL + fc)
        requests.get(URL + bc)
        requests.get(URL + 'crawl')
        # the verdict shows up on the server's stdout; recvall waits for
        # the server to close, so every attempt needs a fresh process
        verdict = p.recvall()
        p = start()
        if b'Congrats' in verdict:
            flag += bc
            print('got', flag)
            break
print('flag', flag)
```

But it turns out it doesn't work well - it gets stuck at `bctf{sorrylno_nfqs_onlylq`, which means there's more than 1 possible correct return for certain chars (compare `sorrylno_nfqs` with the real `sorry_no_nfts`: `l` was accepted where `_` belongs and `q` where `t` belongs, and the script takes the first accepted char and moves on). While I was working on getting all the possible correct returns instead of breaking directly, ming got the flag by guessing with english lmao.

And so here it is: `bctf{sorry_no_nfts_only_flags}`
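
As an added example (not part of the diary and not the challenge's own code): a prefix search that, instead of taking the first accepted char and moving on, branches on every accepted char at each position and only reports complete candidates, so an ambiguous check like the one above produces a short list to eyeball rather than a dead end. The oracle here is a constructed stand-in, an assumption for this example only: it accepts a prefix when every char equals the secret's char or is one of a few assumed look-alikes (`l` for `_`, `q` for `t`, modelled on the wrong prefix above). The real check's rule is unknown; in the diary the wrong branch died at `q`, while this stand-in lets `greedy` run through to a plausible-looking wrong flag. `search_all` takes any `oracle(prefix) -> bool` callable, so the replay-the-prefix, add-a-char, `/crawl`, check-stdout loop from the script can be wrapped and plugged in as the oracle.

```python
import string

# Candidate alphabet, same order the brute-force script used.
ALPHABET = string.digits + string.ascii_lowercase + '{}_'

# Constructed stand-in for the flag check (assumption for this example only):
# the checker is fine with a few wrong chars, 'l' where '_' belongs and
# 'q' where 't' belongs, which is what the stuck prefix looked like.
SECRET = 'bctf{sorry_no_nfts_only_flags}'
LOOKALIKES = {'_': 'l', 't': 'q'}


def make_oracle(secret=SECRET, lookalikes=LOOKALIKES):
    """Return oracle(prefix) -> bool for the constructed checker above."""
    def oracle(prefix):
        if len(prefix) > len(secret):
            return False
        return all(got == want or got in lookalikes.get(want, '')
                   for got, want in zip(prefix, secret))
    return oracle


def greedy(oracle, start='bctf{', alphabet=ALPHABET, max_len=64):
    """What the diary script does: take the first accepted char and move on.
    Returns the prefix it ended with; wrong whenever a look-alike sorts
    before the right char in the alphabet."""
    flag = start
    while not flag.endswith('}') and len(flag) < max_len:
        for c in alphabet:
            if oracle(flag + c):
                flag += c
                break
        else:
            break          # nothing accepted at this position: dead end
    return flag


def search_all(oracle, start='bctf{', alphabet=ALPHABET, max_len=64):
    """Depth-first search over every accepted char per position.
    Returns every complete candidate (ending in '}') the oracle accepts;
    a branch where nothing is accepted simply dies instead of ending the run."""
    found = []
    stack = [start]
    while stack:
        prefix = stack.pop()
        if prefix.endswith('}'):
            found.append(prefix)
            continue
        if len(prefix) >= max_len:
            continue
        accepted = [c for c in alphabet if oracle(prefix + c)]
        # push in reverse so the alphabet's first choice is explored first
        stack.extend(prefix + c for c in reversed(accepted))
    return found


if __name__ == '__main__':
    oracle = make_oracle()
    print('greedy :', greedy(oracle))
    candidates = search_all(oracle)
    print('dfs    :', len(candidates), 'candidates, first few:')
    for cand in candidates[:4]:
        print('   ', cand)
```

With five ambiguous positions the search returns 32 candidates, the real flag among them; sorting that list by how many underscore-separated chunks are words you recognise is the "guess with english" step, now over a complete list instead of one stuck prefix.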
Attached to: rCTFD CTF diary