# SECCON CTF 2021

## Average Calculator

> 129
>
> Average is the best representative value!
>
> `nc average.quals.seccon.jp 1234`
>
> Author: kusano
>
> [`average.tar.gz`](average.tar.gz)

Tags: _pwn_ _x86-64_ _bof_ _remote-shell_ _rop_ _got-overwrite_

## Summary

A basic libc leak, then a shell via a second-pass ROP chain. However, it's not just a simple BOF; we'll have to do a little bit of work.

## Analysis

### Checksec

```
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
```

No PIE and no canary make BOF/ROP easier, and Partial RELRO leaves the GOT writable for a GOT overwrite.
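
The fields in that output can be derived directly from the ELF headers, which is useful when auditing a build for missing mitigations. The following is an added example, not part of the original writeup or of the checksec tool: `checksec` and `sample_elf` are hypothetical names, the sample image is constructed, and the canary and PIE checks are heuristics.

```python
import struct

PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 24, 30, 0x6FFFFFFB
ET_DYN, PF_X = 3, 1


def checksec(elf: bytes) -> dict:
    """Report the mitigations shown above for a little-endian ELF64 image."""
    if elf[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian ELF64 file")
    e_type = struct.unpack_from("<H", elf, 16)[0]
    e_phoff = struct.unpack_from("<Q", elf, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    relro = bind_now = False
    nx = False  # no PT_GNU_STACK header: assume an executable stack
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_DYNAMIC:
            # Walk the 16-byte dynamic entries looking for eager binding.
            for off in range(p_offset, p_offset + p_filesz, 16):
                tag, val = struct.unpack_from("<qQ", elf, off)
                if tag == 0:  # DT_NULL terminates the table
                    break
                if (tag == DT_BIND_NOW or (tag == DT_FLAGS and val & 0x8)
                        or (tag == DT_FLAGS_1 and val & 0x1)):
                    bind_now = True
    return {
        "RELRO": ("Full" if bind_now else "Partial") if relro else "None",
        # Heuristic: canary-protected code references __stack_chk_fail.
        "Canary": b"__stack_chk_fail" in elf,
        "NX": nx,
        # Heuristic: a position-independent executable has type ET_DYN.
        "PIE": e_type == ET_DYN,
    }


def sample_elf() -> bytes:
    """Constructed header-only image matching the checksec output above."""
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01", 2, 0x3E, 1,
                       0x401000, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    stack = struct.pack("<IIQQQQQQ", PT_GNU_STACK, 6, 0, 0, 0, 0, 0, 16)
    relro = struct.pack("<IIQQQQQQ", PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1)
    return ehdr + stack + relro
```

Rebuilding with `-fstack-protector-strong`, `-fPIE -pie` and `-Wl,-z,relro,-z,now` would flip the canary, PIE and RELRO fields to their hardened values.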

### Source Included

```c
int main()
{
    long long n, i;
    long long A[16];
    long long sum, average;

    alarm(60);
    setvbuf(stdin, NULL, _IONBF, 0);
    setvbuf(stdout, NULL, _IONBF, 0);
    setvbuf(stderr, NULL, _IONBF, 0);

    printf("n: ");
    if (scanf("%lld", &n)!=1)
        exit(0);
    for (i=0; i
```

Original writeup (https://github.com/datajerk/ctf-write-ups/tree/master/seccon2021/average).