Very practical for a beginner, THANKS. #hint: replace the 'return address' with the 'win()' function address. (you can find it using any debugger as 'gdb' is), then using python2 to inject it (or overflow it) into the binary. (Ensure the address is in 'raw binary' value !).

Basically it is similar to RET2WIN attack as we have to overwrite the return address with the address of win function...hence we'll get the flag :)

GOOD

fuck python3

It happened to me that the address box returns: 8b 86 04 08, when in reality it is: 86 85 04 08, for this reason I could not find the flag, it always returned the message: "timeout: the monitored command dumped core"

CTFlearn{c0ntr0ling_r1p_1s_n0t_t00_h4rd_abjkdlfa}

have some guides?

goodthings

really suitable for a newer!

broo.. i couldn.t paste the sting which has the address it magically includes a c2 how to do it..

EDITED AFTER COMPLETION: learned few new things.. good challenge took 2 days

The liveoverflow video can be found on youtube: https://www.youtube.com/watch?v=8QzOC8HfOqU&list=PLhixgUqwRTjxglIswKp9mpkfPNfHkzyeN&index=15

I wish these liveoverflow links you posted still worked.

why the hell would python3 print c2's ,what are this c2's

what are they

Very practical for a beginner, THANKS. #hint: replace the 'return address' with the 'win()' function address. (you can find it using any debugger as 'gdb' is), then using python2 to inject it (or overflow it) into the binary. (Ensure the address is in 'raw binary' value !).

fuck python3

thanks, python3.... python2 is the way to go

To anyone who can read this, kindly use python2 when working with bin xploits. Python 3 has an annoying byte-ascii conversion

Not if you use sys.stdout.buffer.write instead of print.

assembly language and gdb, stack must understand.