In this binary a pseudo shell is provided where you can issue these types of commands:

==========Available Commands==========
|enable                               |
|ping                                 |
|tracert                              |
|?                                    |
|shell                                |
|set                                  |
|show                                 |
|credits                              |
|quit                                 |
======================================

However, there is one interesting hidden command: 'flag'. If we send that command, a routine is called that reads the flag for us, but we need to be logged in to do this. To log in we need the 'enable' command, which checks whether the password we submit is equal to the one the program read from a file at startup. So we somehow have to learn the password.

At 0x8049262 a strncpy is performed which copies 0x20 bytes of our password to $esp+0x18. Then a strcmp between our password and the server's is performed, and its result is stored at $esp+0x38. Basically, the exploit here is to leak the return value of strcmp by filling the password buffer with 32 chars: strncpy does not append a terminating NUL when the source is at least as long as the count, so the copied password runs directly into the strcmp result at $esp+0x38 (0x18 + 0x20 = 0x38) and we get the leak. Knowing this value, we can bruteforce the password:

http://pastebin.com/BMDdWqi6

This script gives: bruT3m3hard3rb4by. Now just log in with that password and take the flag:

The flag is: Dinosaur vaginas

Credit goes to immerse, who solved it first, Razor4x
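
The unterminated-copy pattern behind the leak in 'enable', next to a hardened version, as an added example that is not the challenge's code or the script linked above. The struct layout, the function names, the sample secret and the assumption that the buffer is later echoed as a string are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define PW_LEN 0x20                 /* strncpy length given in the writeup */

/* Constructed stand-in for the frame: buffer at +0x18, strcmp result at +0x38. */
struct frame {
    char buf[PW_LEN];
    int  cmp;                       /* sits directly after the buffer */
};

/* Sign-normalised, bounded compare so the demo is deterministic (assumption). */
static int sign_cmp(const char *a, const char *b) {
    int r = strncmp(a, b, PW_LEN);
    return (r > 0) - (r < 0);
}

/* Emulates printing buf with "%s": emits bytes until a NUL, bounded by the
 * frame so the demo stays well-defined. Returns the number of bytes emitted. */
static size_t echo(const struct frame *f, unsigned char *out) {
    const unsigned char *p = (const unsigned char *)f;
    size_t n = 0;
    while (n < sizeof *f && p[n] != 0) { out[n] = p[n]; n++; }
    return n;
}

size_t vulnerable_enable(const char *guess, const char *secret, unsigned char *out) {
    struct frame f;
    memset(&f, 0, sizeof f);
    strncpy(f.buf, guess, PW_LEN);  /* 32-char guess: no terminator is written */
    f.cmp = sign_cmp(f.buf, secret);
    return echo(&f, out);           /* runs on into f.cmp */
}

size_t hardened_enable(const char *guess, const char *secret, unsigned char *out) {
    struct frame f;
    memset(&f, 0, sizeof f);
    strncpy(f.buf, guess, PW_LEN - 1);
    f.buf[PW_LEN - 1] = '\0';       /* always terminated inside the buffer */
    f.cmp = sign_cmp(f.buf, secret) != 0;  /* keep only match / no match */
    return echo(&f, out);
}

int main(void) {
    unsigned char out[sizeof(struct frame)];
    const char *g = "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "AAAAAAAA";  /* constructed */
    printf("vulnerable: %zu bytes echoed\n", vulnerable_enable(g, "s3cret-example", out));
    printf("hardened:   %zu bytes echoed\n", hardened_enable(g, "s3cret-example", out));
}
```

In the hardened version the echoed string always ends inside the buffer, and the stored result no longer carries ordering information even if a later bug exposed it.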