Tags: pwn 

Rating:

# 35C3 Junior CTF – poet

* **Category:** Pwn
* **Points:** 44 (variable)

## Challenge

> We are looking for the poet of the year:
>
> nc 35.207.132.47 22223
>
> Difficulty estimate: very easy

## Solution

The challenge involves a simple *buffer overflow* vulnerability. You will have a binary file only.

The program takes two inputs: a poem and the author's name. Based on the words of the poem, the program calculates a score. Reversing the binary you can see which words give which points, the problem is that a limit on the poem's length will prevent to reach the target score (i.e. exactly 1 million).

Analyzing the binary, you can discover that the flag is contained into a text file printed into `reward` function located at `0x0000000000400767`. The label into the `main` where the flow will jump in case of reward will be at `0x00000000004009f2`, so this could be a good target address where to jump via buffer overflow.

The score is calculated with `rate_poem` function located at `0x00000000004007b7`; this function contains a call to `strcpy`, which is vulnerable to buffer overflow. During normal behavior, the `rate_poem` method will return to `0x00000000004009d8` address in `main`.

The final exploit to overwrite that address will be the following.

```
python -c 'print "A"*1024 ; print "a"*40 + "\xf2\x09\x40\x00\x00\x00\x00\x00"' | nc 35.207.132.47 22223
```

This exploit will print the flag.

```
35C3_f08b903f48608a14cbfbf73c08d7bdd731a87d39
```

Original writeup (https://github.com/m3ssap0/CTF-Writeups/blob/master/35C3%20Junior%20CTF/poet/README.md).