• Category: Exploitation
• Points: 80
• Solves: 174
• Description:

See if you can pop this calc.

Running at calcpop-4gh07blg.9447.plumbing port 9447

calcpop.tar.gz 42928687007cc7a92fc0ac6028cf8f6

## Write-up

We can connect to the challenge and send it two numbers, which it will add for us. If we send something without a space, it tells us the address of our input buffer, because the format string contains a `%p` where a `%s` was intended:

```
Missing a space; your input was %p\n
```

Such a nice infoleak. After some poking around I found that it is a straightforward stack-based buffer overflow.

Using checksec we can also see that NX is disabled.
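As an added example (not part of this write-up and not the challenge's own code), the script below reproduces the NX part of the checksec output by reading the `PT_GNU_STACK` program header straight from the ELF file, which is the same thing checksec's `NX` column summarises. It goes slightly beyond the page by handling both ELF32 and ELF64 in either byte order. The `build_minimal_elf64` helper constructs a throwaway header for self-testing only; the `./calcpop` path in the usage line is an assumed file name.

```python
import struct
import sys

PT_GNU_STACK = 0x6474E551  # program header type carrying the requested stack permissions
PF_X = 0x1                 # executable bit in p_flags
PF_W = 0x2
PF_R = 0x4


def stack_is_executable(elf: bytes) -> bool:
    """Return True if the image asks for an executable stack (what checksec reports as NX disabled).

    A binary without any PT_GNU_STACK header is treated as executable-stack, which is the
    legacy x86 default the loader falls back to and the conservative answer for a reviewer.
    """
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = elf[4], elf[5]          # 1/2 = ELF32/ELF64, 1/2 = little/big endian
    endian = "<" if ei_data == 1 else ">"
    if ei_class == 2:
        e_phoff = struct.unpack_from(endian + "Q", elf, 0x20)[0]
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", elf, 0x36)
        phdr_fmt = endian + "IIQQQQQQ"          # p_type, p_flags, p_offset, p_vaddr, ...
        flags_index = 1
    elif ei_class == 1:
        e_phoff = struct.unpack_from(endian + "I", elf, 0x1C)[0]
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", elf, 0x2A)
        phdr_fmt = endian + "IIIIIIII"          # p_type, p_offset, ..., p_flags, p_align
        flags_index = 6
    else:
        raise ValueError("unknown ELF class %d" % ei_class)

    for i in range(e_phnum):
        fields = struct.unpack_from(phdr_fmt, elf, e_phoff + i * e_phentsize)
        if fields[0] == PT_GNU_STACK:
            return bool(fields[flags_index] & PF_X)
    return True  # no PT_GNU_STACK: assume the executable-stack legacy default


def nx_report(elf: bytes) -> str:
    """One-line summary in the spirit of checksec's NX column."""
    return "NX disabled" if stack_is_executable(elf) else "NX enabled"


def build_minimal_elf64(stack_flags=None) -> bytes:
    """Constructed test image: a 64-bit little-endian ELF header plus, when stack_flags is
    given, a single PT_GNU_STACK program header. It is not loadable; it only exercises the check."""
    phnum = 0 if stack_flags is None else 1
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident,
                       2, 0x3E, 1, 0,        # e_type=EXEC, e_machine=x86-64, e_version, e_entry
                       64, 0, 0,             # e_phoff right after the header, no sections, no flags
                       64, 56, phnum,        # e_ehsize, e_phentsize, e_phnum
                       0, 0, 0)              # e_shentsize, e_shnum, e_shstrndx
    if phnum == 0:
        return ehdr
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 0x10)
    return ehdr + phdr


if __name__ == "__main__":
    # Usage: python nx_check.py ./calcpop   (path is an assumed example)
    path = sys.argv[1] if len(sys.argv) > 1 else "./calcpop"
    with open(path, "rb") as fh:
        print(path, nx_report(fh.read()))
```

The check is the same one the linker records when a translation unit is built with `-z execstack` (or inherits an executable stack from an object lacking a `.note.GNU-stack` section), so it doubles as a build-time gate: failing a CI step when `stack_is_executable` returns True catches the "exploitation like it's the 90's" configuration before the binary ships.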

Yeah, exploitation like it's the '90s. So we put shellcode on the stack and overwrite the return address with the address we got from the infoleak. This is pretty straightforward using a pwntools script.

The flag was: 9447{shELl_i5_easIEr_thaN_ca1c}