We can connect to the challenge and send it two numbers, which it adds for
us. If we send something without a space, it tells us the address of our
input, because the error message uses %p instead of %s in its format string:
Missing a space; your input was %p\n
Such a nice infoleak: the leaked value is the address of the buffer our input
lands in. After some poking around I found that it is a straightforward
stack-based buffer overflow:
checksec also shows that NX is disabled, so the stack is executable.
Yeah, exploitation like it's the 90s. We put shellcode on the stack and
overwrite the saved return address with the buffer address from the infoleak,
so when the function returns it jumps straight into our shellcode. This is
pretty straightforward with a pwntools script.