The Plague has tried to make things easy for you in this service, but not too easy. He’s called The Plague, not The Nice Guy. The service should be running at 188.8.131.52:9999.
Tenement is a remote pwnable – it’s a normal x86 binary.
Upon initialization it uses libjansson to load a JSON file that contains the flag and an array of memory addresses. The flow goes like this:
1. The flag is first copied to a malloc’d buffer, prefixed with “PPPP:”.
2. A random memory address is picked from the JSON array mentioned earlier.
3. mmap() is called with the picked address as the starting address.
4. The “PPPP:<flag>” buffer is copied there, and the memory protection is set to PROT_READ.
5. Finally, the malloc’d buffer and the stack are “cleaned” (memset) and the JSON objects are “deleted”.