Update: they helped a brother out, and the stack is actually executable on those binaries. I found out after mailing the organizers in exasperation. I was under this impression because newly-compiled binaries had no-exec on the stack, and I was off by a little when I tried to exploit it the first time. Doh!
Ha! Last night I read your comment, assumed you were right, and then came up with a solution that did not assume an executable stack. ;P (I'm actually quite glad, as messing around with the stack would have been much harder.)
For both of you, were your solutions 100% reliable? I ended up with an exploit that required a little brute forcing (i.e., just run it a hundred times or whatever).
Neither of our solutions were "reliable", and also required being run in a loop. (I know this about a1k0n's solution, as he sent me an e-mail asking me about my solution).
I actually have a 100% reliable solution that exploits the executable stack on level 04. No need to guess the address of the stack using one side effect that I found in this specific case:
Awesome!! I totally saw that call instruction, and then went on a wild goose chase thinking about how to get the string into that register, totally missing the fact that some of my earlier attempts at using printf had established that the string already happened to be there to begin with. Now I just feel dumb. ;P
