Rating: 5.0

# IRS - Exploitation - 100 points

> Good day fellow Americans. In the interest of making filing your tax returns as easy and painless as possible, we've created this nifty lil' program to better serve you! Simply enter your name and file away! And don't you worry, everyone's file is password protected ;)
> nc irs.pwn.republican 4127
> or backup:
> nc irs-2.pwn.republican 4127
> irs
> irc: pige0n

The first version of this program had the actual flag embedded in the given binary, which made the challenge a very easy reverse-engineering task rather than exploitation. The second version had the flag replaced, so you had to do some _actual_ exploitation.

The flaw in the program is that `gets` is used to read the answer to the `y/n` question after editing a tax record, which gives a standard stack buffer overflow that can then be used to ROP. It's made slightly harder by the fact that the version on the server does not match _exactly_ the version given (because of the replaced flag), so some offsets are slightly different. The simplest solution is to call `printf` through the PLT to dump various parts of the program until you find `main`, which sets the flag as the password at the beginning of the function. The revealed flag is `flag{c4n_1_g3t_a_r3fund}`.
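The root cause above is the unbounded `gets` call on the y/n prompt. As an added example (not the challenge binary's code, and not from the original writeup), here is what a bounded version of that prompt looks like in C: the answer buffer size, the function names and the scripted input are all assumptions made for the example. Input longer than the buffer is truncated and the rest of the line is drained, so nothing is written past the buffer and the next prompt still reads the intended line.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size of the answer buffer; the challenge's real size is not on the page. */
#define ANSWER_CAP 8

/* Read one line from `in` into buf (cap bytes, including the NUL).
 * A line longer than cap-1 characters is truncated and the remainder is
 * discarded, so the next read starts on a fresh line. Returns the number
 * of characters stored, or -1 on EOF with nothing read. This is the
 * bounded replacement for the gets() call the writeup describes. */
int read_line_bounded(FILE *in, char *buf, size_t cap) {
    if (cap == 0) return -1;
    if (fgets(buf, (int)cap, in) == NULL) {
        buf[0] = '\0';
        return -1;
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';                 /* strip the trailing newline */
    } else {
        int c;                             /* line did not fit: drain the rest */
        while ((c = fgetc(in)) != EOF && c != '\n') { /* discard */ }
    }
    return (int)len;
}

/* Interpret the answer: 1 for yes, 0 for no, -1 for anything else. */
int parse_yes_no(const char *answer) {
    if (answer[0] == 'y' || answer[0] == 'Y') return 1;
    if (answer[0] == 'n' || answer[0] == 'N') return 0;
    return -1;
}

/* The "edit another record? (y/n)" prompt, reading from `in`.
 * Returns 1 (yes), 0 (no), -1 (invalid answer) or -2 (EOF). */
int ask_edit_another(FILE *in) {
    char answer[ANSWER_CAP];
    if (read_line_bounded(in, answer, sizeof answer) < 0) return -2;
    return parse_yes_no(answer);
}

/* Drive the prompt with constructed, scripted input (used by the test and
 * the demo below). Fills results[] and returns how many answers were read. */
int run_prompts(const char *scripted_input, int *results, int max_results) {
    FILE *in = tmpfile();               /* ISO C temporary file as a fake stdin */
    if (in == NULL) return -1;
    fputs(scripted_input, in);
    rewind(in);
    int n = 0;
    while (n < max_results) {
        int r = ask_edit_another(in);
        if (r == -2) break;             /* EOF: scripted input exhausted */
        results[n++] = r;
    }
    fclose(in);
    return n;
}

int main(void) {
    /* Constructed input: a valid answer, an over-long line, then two more answers. */
    const char *script =
        "y\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nn\nmaybe\n";
    int results[8];
    int n = run_prompts(script, results, 8);
    for (int i = 0; i < n; i++) {
        printf("prompt %d -> %d\n", i + 1, results[i]);
    }
    return 0;
}
```

The over-long line yields an invalid answer rather than a corrupted stack, and the following `n` is still read correctly because the remainder of the long line was drained. Compiling with `-fstack-protector-strong` and as a PIE adds a second line of defence, but the bounded read is what removes the bug.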

[Original writeup](https://github.com/ymgve/ctf-writeups/tree/master/hackthevote2016/exploitation100-irs).