Rating:
## How to Solve
We got an executable file called "jump".
First step, open it in ghidra.
![](https://cdn-ak.f.st-hatena.com/images/fotolife/B/Berrys/20220314/20220314121605.png)
You can see the main function, but no function to show the flag is here. So, in this challenge, you need to call the get_flag function.
![](https://cdn-ak.f.st-hatena.com/images/fotolife/B/Berrys/20220314/20220314121926.png)
Second step, debug jump with GDB.
You know the size of the local_78 variable has 112 characters. Now, see what happens if the size of input character has over 120 characters. (Tips: if an executable file is for 64-bit, you need to add 8 to variable for which you want to generate a buffer overflow.)
![](https://cdn-ak.f.st-hatena.com/images/fotolife/B/Berrys/20220314/20220314121650.png)
You can see a string "segmentation fault", and it shows the possibility of getting the RIP register. which is for next command. 126 characters is below.No captcha required for preview. Please, do not write just a link to original writeup here.
![](https://cdn-ak.f.st-hatena.com/images/fotolife/B/Berrys/20220314/20220314121703.png)
Now, you obtain RIP register. (0x414141414141 means "AAAAAA")
You need to set an address of the get_flag function to RIP register when you get it. (get_flag is at 0x0000004011ab)
Third step, do it like picture below.
![](https://cdn-ak.f.st-hatena.com/images/fotolife/B/Berrys/20220314/20220314121718.png)
The cat command is used to display the contents of a file, however it is also used to input something using the nc command. In this case, use like "cat filename -".
Then, you will get shell. I used ls command to see what files are in this directory. Finally, you will get the flag.