Teaser Dragon CTF 2019 - rms
Sep. 26th, 2019 11:04 pm

Convince rms.hackable.software:1337 (binary) to download http://127.0.0.1:8000/flag
Naive attempts fail with "localhost not allowed". A quick look with angr-management shows that the check is performed by calling
gethostbyname2(AF_INET6) (with fallback to gethostbyname2(AF_INET)), followed by a comparison with in6addr_loopback or 127.*, depending on which of the two calls succeeded.

A way around is to use the hostname 0. It resolves to the IPv4 address 0.0.0.0, which is not matched by either check, but represents the current host when passed to connect().
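
The gap in the IPv4 check, next to a stricter filter, as an added example (not code from the challenge binary). The function names are hypothetical, the naive check is an assumed reconstruction of the 127.* comparison, and the deny list goes beyond the write-up by also covering private and link-local ranges; numeric hosts are parsed with inet_aton(), which is assumed to mirror how the resolver turns "0" into 0.0.0.0.

```c
#define _DEFAULT_SOURCE
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed shape of the IPv4 comparison described above: block only 127.*. */
static int naive_is_blocked(struct in_addr a) {
    return (ntohl(a.s_addr) >> 24) == 127;
}

/* Hardened: deny every range that reaches the local host or internal nets. */
static int hardened_is_blocked(struct in_addr a) {
    static const struct { uint32_t net, mask; } deny[] = {
        {0x00000000u, 0xff000000u}, /* 0.0.0.0/8, "this host" */
        {0x7f000000u, 0xff000000u}, /* 127.0.0.0/8, loopback */
        {0x0a000000u, 0xff000000u}, /* 10.0.0.0/8 */
        {0xac100000u, 0xfff00000u}, /* 172.16.0.0/12 */
        {0xc0a80000u, 0xffff0000u}, /* 192.168.0.0/16 */
        {0xa9fe0000u, 0xffff0000u}, /* 169.254.0.0/16, link-local */
    };
    uint32_t ip = ntohl(a.s_addr);
    for (size_t i = 0; i < sizeof deny / sizeof deny[0]; i++)
        if ((ip & deny[i].mask) == deny[i].net)
            return 1;
    return 0;
}

/* Parse a numeric host with inet_aton(), which accepts short forms like "0".
   Returns -1 if the string is not numeric, otherwise the filter's verdict. */
static int check_host(const char *host, int (*blocked)(struct in_addr)) {
    struct in_addr a;
    if (!inet_aton(host, &a))
        return -1;
    return blocked(a);
}

int main(void) {
    /* Constructed sample inputs. */
    const char *hosts[] = {"127.0.0.1", "0", "0.0.0.0", "203.0.113.10"};
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("%-14s naive=%d hardened=%d\n", hosts[i],
               check_host(hosts[i], naive_is_blocked),
               check_host(hosts[i], hardened_is_blocked));
    return 0;
}
```

The filter has to run on the address that is actually handed to connect(), not on a separate lookup, and the IPv6 path needs the equivalent treatment.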