Official Scanner Discussion

Official discussion thread for Scanner. Please do not post any spoilers or big hints.

Any hints?

Anyone want to discuss the challenge? If so, please PM me. I have already found something but don't know how to step forward. Thanks.

I finally managed to get a shell and the flag; however, it is most likely not the intended solution, as it is an unstable exploit which needs several tries. So I am still interested in discussing the intended solution. Thanks.

I may know what you mean by unstable here. It's because when we perform the stack pivot, the new rbp can be controlled by us with a specific address, but the offset to the old one is randomized on the stack.

This is indeed a very fun challenge. You cannot just leak information like in a normal CTF. The only problem is that we need to spend quite some time debugging, since it requires brute-forcing each time... But it's just like a real-life scenario; it's reasonable to spend that much time to get the flag.

Did anybody run into an issue where leaking takes a long time when running against the remote? My final exploit took about 5 minutes to run. I'm wondering whether the issue is with my pwntools version or the network somehow, or did I use the wrong method (0x00)?

Yes, it's slow, but it's not really an "issue"; it's more the latency of brute forcing over the network. It's always much faster doing it locally.
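The slowness the two posts above describe is structural: a byte-at-a-time brute force pays one round trip per guess, so the total runtime is roughly (number of guesses) x (network RTT). The block below is an added example, not code from this thread or from the challenge itself. It replaces the remote service with a constructed local "crash oracle" that only reports whether a guessed prefix is correct (the way a forking server does when a wrong byte crashes the child and a right one does not), and it treats transient connection failures as inconclusive rather than as a wrong guess. The 8-byte secret, the failure rate and the RTT figure are assumptions made for the demonstration.

```python
"""Byte-at-a-time brute force against a crash oracle (constructed example).

The oracle stands in for a remote forking service: it answers True when the
guessed prefix matches the hidden value and False otherwise, and it can also
fail transiently (connection reset), which must not be counted as a wrong guess.
"""
import random

# Assumption: an 8-byte secret whose low byte is 0x00, as with a glibc canary.
SECRET = bytes.fromhex("00a1b2c3d4e5f617")


class OracleFailure(Exception):
    """Transient failure (dropped connection etc.) unrelated to the guess."""


def make_oracle(secret, failure_rate=0.0, seed=0):
    """Build a constructed oracle over `secret`; returns (oracle, call_counter)."""
    rng = random.Random(seed)
    calls = {"n": 0}  # every call, including ones that fail transiently

    def oracle(guess):
        calls["n"] += 1
        if rng.random() < failure_rate:
            raise OracleFailure("connection reset")
        return secret.startswith(guess)

    return oracle, calls


def brute_force_bytes(oracle, length, max_retries=8):
    """Recover `length` bytes one at a time.

    Returns (recovered_bytes, conclusive_attempts). A guess that hits a
    transient failure is re-sent up to `max_retries` times, because treating
    it as "wrong" would silently corrupt every later byte.
    """
    known = b""
    attempts = 0
    for _ in range(length):
        for candidate in range(256):
            guess = known + bytes([candidate])
            for _retry in range(max_retries):
                try:
                    ok = oracle(guess)
                    break
                except OracleFailure:
                    continue
            else:
                raise RuntimeError("oracle unavailable after retries")
            attempts += 1
            if ok:
                known = guess
                break
        else:
            raise RuntimeError("no candidate matched; oracle is lying")
    return known, attempts


def estimate_seconds(attempts, rtt_seconds):
    """Wall-clock cost when each conclusive guess costs one round trip."""
    return attempts * rtt_seconds


if __name__ == "__main__":
    oracle, calls = make_oracle(SECRET, failure_rate=0.1, seed=1)
    value, attempts = brute_force_bytes(oracle, len(SECRET))
    print(f"recovered {value.hex()} in {attempts} guesses ({calls['n']} calls)")
    # Assumed RTT of 100 ms to a remote box; locally this is microseconds.
    print(f"estimated remote time: {estimate_seconds(attempts, 0.1):.0f}s")
```

Worst case is 256 guesses per byte and the average is 128, so an 8-byte value costs about a thousand round trips instead of 2^64; at a 100 ms RTT that is a couple of minutes, which matches the kind of run times reported in this thread, and any retry-on-failure logic only adds to it.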

Actually, for me my final exploit takes almost 15 minutes to run (861.58s), which is a bit weird.


It looks like no one solved this challenge the intended way. Did anyone here use House of Spirit? If so, please DM me. I have tried for so long to make it work the intended way, and I just couldn't, so I used the other bug :(