Sanjay C / Palash Oswal
Do you think you can bypass the protection and get the flag? It looks like Dr. Oswal added a stack canary to this program to protect against buffer overflows. You can view source here. And connect with it using:
nc saturn.picoctf.net 63257
- Maybe there's a smart way to brute-force the canary?
I watched this video and changed parts of the code (assuming pwntools updated).
For script.py, the goal is to brute-force the canary. We do this by looping through a set of candidate characters and sending each one to the service. Each time a correct character is found, the program prints it and then terminates. At each correct character, modify line 4 to be one number higher and append the right character to line 5.
Looking at vuln.c tells us the canary is 4 characters long, meaning we can stop running script.py once we have 4 characters. We find the canary is "BiRd". Once we know all 4 characters of the canary, we can overflow the buffer. If we run gdb vuln and then disassemble win, we can find the address of the win function. After that, we can build the exploit script and run it to get the flag.
picoCTF{Stat1C_c4n4r13s_4R3_b4D_f7c1f50a}
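The reason this challenge is solvable at all is that the canary never changes between connections, so the "did the process abort or not" result leaks one byte at a time. The following local simulation, added here as an illustration and not the author's script.py or any code from the challenge, models that oracle for two toy services: one with a fixed canary (as in vuln.c) and one that draws a fresh canary for every connection. The byte-at-a-time search recovers the fixed canary in a few dozen attempts and gets nowhere against the randomized one. The search alphabet, the class names and the seeded random generator are constructed for the example; nothing here talks to a network.

```python
"""Why a static stack canary is weak: a local simulation (no network, no target).

Two toy 'services' stand in for vuln: one keeps the same canary for every
connection (static), one draws a fresh canary per connection (per-process
randomisation).  Both expose the same oracle the writeup relies on: a
connection survives iff the bytes written over the canary slot match the
canary's prefix.  The byte-at-a-time search is run against both.
"""
import random
import string

CANARY_LEN = 4
# Constructed search alphabet: the printable characters the writeup loops over
# (the real canary "BiRd" falls inside it).
ALPHABET = (string.ascii_letters + string.digits).encode()


class StaticCanaryService:
    """Canary is fixed at build time and identical for every connection."""

    def __init__(self, canary: bytes):
        self._canary = canary
        self.connections = 0

    def survives(self, overwrite: bytes) -> bool:
        """One connection: True if the process did not abort on the canary check."""
        self.connections += 1
        return self._canary.startswith(overwrite)


class RandomCanaryService:
    """Canary is regenerated for every connection (per-process randomisation)."""

    def __init__(self, seed: int = 0):
        self._rng = random.Random(seed)  # seeded so the simulation is repeatable
        self.connections = 0

    def survives(self, overwrite: bytes) -> bool:
        self.connections += 1
        fresh = bytes(self._rng.randrange(256) for _ in range(CANARY_LEN))
        return fresh.startswith(overwrite)


def recover_canary(service, length: int = CANARY_LEN):
    """Byte-at-a-time search using only the survive/abort oracle.

    Returns the recovered bytes, or None if no candidate survives at some
    position, which is what happens once the canary changes between
    connections and the bytes 'learned' so far are no longer valid.
    """
    known = b""
    for _ in range(length):
        for c in ALPHABET:
            if service.survives(known + bytes([c])):
                known += bytes([c])
                break
        else:
            return None
    return known


def oracle_cost(length: int = CANARY_LEN, alphabet: int = len(ALPHABET)) -> int:
    """Worst-case connections when the oracle leaks one byte at a time."""
    return length * alphabet


def exhaustive_cost(length: int = CANARY_LEN) -> int:
    """Worst-case guesses if the whole canary had to be guessed in one go."""
    return 256 ** length


if __name__ == "__main__":
    static = StaticCanaryService(b"BiRd")
    found = recover_canary(static)
    print("static canary recovered:", found, "in", static.connections, "connections")
    randomized = RandomCanaryService()
    print("random canary recovered:", recover_canary(randomized))
    print("oracle worst case:", oracle_cost(), "vs whole-value guess:", exhaustive_cost())
```

The two cost functions make the defender's point concrete: with a per-byte oracle the search is linear in the canary length (4 * 62 = 248 connections at most for this alphabet), whereas a canary that is fresh for every process forces the attacker back to guessing the whole 32-bit value, and the partial prefix learned on one connection is useless on the next.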