== Call me more ==

=== Description ===

We are given a mysterious address; can we use it to recover the flag? It doesn't seem to be as easy as the last time.

=== Flag ===

Whatever is set in the environment variable IG_FLAG.

=== Public Files ===

No file should be given.

=== Challenge internals ===

A classic stack buffer overflow, but the stack canary has to be brute-forced first. The binary is a TCP server that forks for every client. The canary is inherited by every forked child, so it can be brute-forced one byte at a time: overflow a single byte of the canary and observe whether the child keeps behaving normally (the guess was right) or not (the guess was wrong). Once the canary is known, overwrite the return address with the given address.

 +-------------------------+-8bytes-+-----------------+-----------------+
 | 32 byte buffer          | CANARY | EBP 8 bytes     | RET ADDR        |
 +-------------------------+--------+-----------------+-----------------+
  ^replace with A           ^bruteforce ^replace with A ^replace with addr

=== Deployment instructions ===

The server listens on port 2345 by default; deploy it in a Docker container or similar.
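From the defender's side, the brute-force described under "Challenge internals" is noisy: every wrong canary guess makes a forked child abort with glibc's "*** stack smashing detected ***" message, so a burst of such aborts from many child PIDs of the same server is the signature to alert on. The detection logic below is an added example, not part of the challenge files; the log line format (ISO timestamp, program name, PID, message) is a constructed assumption about how the server's stderr is captured.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log format: "<iso-timestamp> <program>[<pid>]: <message>". The
# message is what glibc prints when a function returns over a corrupted canary,
# so every wrong guess in the brute-force leaves one of these from a child PID.
LINE_RE = re.compile(r"^(\S+) (\S+?)\[(\d+)\]: (.*)$")
SMASH_MSG = "*** stack smashing detected ***"

def parse_line(line):
    """Return (timestamp, program, pid, message), or None for a non-matching line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
    return ts, m.group(2), int(m.group(3)), m.group(4)

def detect_canary_bruteforce(lines, window_seconds=60, threshold=16):
    """Alert on servers whose forked children repeatedly abort on the canary check.
    One abort is a bug; many within a minute from different child PIDs of the same
    program is the signature of byte-at-a-time guessing: the canary is shared by all
    children, so at most 256 guesses per byte (8 * 256 = 2048 total) recover it.
    Returns [(program, first_abort_ts, aborts_in_window)] in first-seen order.
    """
    recent = defaultdict(deque)  # program -> abort timestamps in window (lines assumed time-ordered)
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or SMASH_MSG not in parsed[3]:
            continue
        ts, prog, _pid, _msg = parsed
        window = recent[prog]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and prog not in alerts:
            alerts[prog] = (prog, window[0], len(window))
    return list(alerts.values())

# Constructed sample: 20 child aborts in 20 seconds from "callme" (a brute-force in
# progress), one isolated abort from "other", and a benign "callme" line.
SAMPLE_LOG = [
    f"2024-05-01T10:00:{i:02d}Z callme[{4000 + i}]: {SMASH_MSG}: terminated"
    for i in range(20)
] + [
    f"2024-05-01T10:00:30Z other[77]: {SMASH_MSG}: terminated",
    "2024-05-01T10:00:31Z callme[4100]: accepted connection from 10.0.0.5",
]
```

Running `detect_canary_bruteforce(SAMPLE_LOG)` flags only `callme`, at the 16th abort; the single `other` crash stays below the threshold.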