N0541 !!install!! | Tokyohot

    if __name__ == "__main__":
        main()

Running the script locally prints:

    def recvuntil(s, delim=b'\n'):
        data = b''
        while not data.endswith(delim):
            chunk = s.recv(1)
            if not chunk:
                break
            data += chunk
        return data

    FLAGt0ky0_h0t_4nd_0v3rf1w_succ3ss

The same script works against the remote service (replace HOST and PORT with the challenge endpoint).

The interesting functions are register_user, login, and show_secret.

    void register_user()
    {
        char *name = malloc(0x80);
        char *pwd = malloc(0x80);
        printf("Name: ");
        gets(name); // <--- vulnerable
        printf("Password: ");
        gets(pwd);
        // store pointers in a global struct (userlist)
    }

    void login(void)
    {
        char buf[0x40];
        printf("Password: ");
        read(0, buf, 0x100); // <<< oversized read -> heap overflow
        strcpy(users[0].pwd, buf);
        if (strcmp(buf, users[0].pwd) == 0) {
            logged_in = 1;
            puts("Logged in!");
        } else {
            puts("Wrong password.");
        }
    }

Compile with the original flags:

There is a hidden detail: the program copies the password from the stack buffer into the heap password field using strcpy:

The challenge is a 64‑bit ELF binary that runs locally on the provided Docker image. It listens on a TCP port (or can be run interactively) and offers a simple menu‑driven interface. The goal is to gain a remote shell (or read the flag) by exploiting a vulnerability in the program.