Tags: null-byte-poisoning 

Rating: 5.0

# Bop It
### Category: binary
### Description:
Can you [bop it](bop_it)? [Source](bop_it.c). Connect with `nc shell.actf.co 20702`.
### Author: kmh

### Solution:
In this challenge we got an ELF in which there is a little game that consist in sending the first letter of what it gives us unless we get `Flag it!`.
If we get flag statement it reads the flag from the file and asks us for it so it can check the two strings. Whenever we send a string it sets `guessLen` to the return vale of `read` function which returns the amount of data readed. If we send a wrong flag it builds an error string with what we sent but there is a problem: the buffer is built with the return value of `strlen` on our string incremented by 35, in the end it prints out this buffer with the length set with guessLen. How can we exploit this? With a NULL byte overflow!
If we send a `\x00` followed by a random data we increment the return value of guessLen but not the value of strlen so we can build a small `wrong` buffer but guessLen is still large enough to leak memory! Let's build a python automation script to play it and spray random data:

from pwn import *
import time

def run(size):
p = remote('shell.actf.co', 20702)
exploit = '\x00' + 'A'*size

while True:
a = p.readuntil('it!')
if 'Bop' in a:
if 'Twist' in a:
if 'Pull' in a:
if 'Flag' in a:
a = p.recvall()

for i in range(35, 150, 10):
Let's run it and after some attempt we get the flag!

### Flag:

Original writeup (https://github.com/r00tstici/writeups/blob/master/angstromCTF_2020/bop_it/README.md).