
An easy but unique challenge.

You are allowed to sum 5 numbers together. There is an off-by-one error when inputting the 5 numbers, which actually lets you input 6 numbers.

The 6th number overwrites the pointer to the total variable, which lets you write the sum total of the 6 numbers as a value to whatever memory location you want.
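The bug class described above, shown beside its fix, as an added example that is not the challenge's code. The struct layout, the function names and the sample input are assumptions made for illustration, and the sixth value points at a harmless local variable.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define N 5

/* Constructed layout: the result pointer sits directly after the input array. */
struct frame { uint64_t nums[N]; uint64_t *total; };
_Static_assert(offsetof(struct frame, total) == N * sizeof(uint64_t), "adjacent");
_Static_assert(sizeof(uint64_t *) == sizeof(uint64_t), "64-bit pointers assumed");

typedef size_t (*reader_fn)(struct frame *, const uint64_t *, size_t);

/* Buggy reader: "<=" accepts N+1 values, so value number N lands on f->total.
 * memcpy over the struct's bytes keeps the demonstration well-defined C. */
static size_t read_vulnerable(struct frame *f, const uint64_t *in, size_t n_in) {
    size_t i;
    for (i = 0; i <= N && i < n_in; i++)
        memcpy((unsigned char *)f + i * sizeof(uint64_t), &in[i], sizeof in[i]);
    return i;
}

/* Fixed reader: "<" stops at N, so extra input never reaches the pointer. */
static size_t read_fixed(struct frame *f, const uint64_t *in, size_t n_in) {
    size_t i;
    for (i = 0; i < N && i < n_in; i++)
        f->nums[i] = in[i];
    return i;
}

/* Returns 1 if the sum was written to `decoy` instead of `total`. */
static int write_redirected(reader_fn reader) {
    uint64_t total = 0, decoy = 0, sum = 0;
    struct frame f = { {0}, &total };
    /* Constructed input: five numbers, then the address of a harmless local. */
    uint64_t in[N + 1] = { 1, 2, 3, 4, 5, (uint64_t)(uintptr_t)&decoy };
    size_t n = reader(&f, in, N + 1);
    for (size_t i = 0; i < n; i++) sum += in[i];
    *f.total = sum; /* the program's ordinary "store the result" step */
    return decoy != 0 && total == 0;
}

int main(void) {
    printf("vulnerable reader redirected the write: %d\n", write_redirected(read_vulnerable));
    printf("fixed reader redirected the write:      %d\n", write_redirected(read_fixed));
    return 0;
}
```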

Steps to exploitation:

  1. Overwrite exit_got with the address of a pop rdi; ret gadget
  2. ROP chain to leak a libc address using puts
  3. ROP chain to call system('/bin/sh')

Detailed writeup at the link.

Original writeup (https://faraz.faith/2019-10-20-secconctf-2019-sum/).