# Binary Gauntlet 1

## Problem

> Okay, time for a challenge. gauntlet nc mercury.picoctf.net 32853

* [Program](https://github.com/HHousen/PicoCTF-2021/blob/master/Binary%20Exploitation/Binary%20Gauntlet%201/gauntlet/README.md)

## Solution

1. Decompile the binary using Ghidra:

   `main` function:

   ```c
   undefined8 main(void)

   {
       char local_78 [104];
       char *local_10;

       local_10 = (char *)malloc(1000);
       printf("%p\n",local_78);
       fflush(stdout);
       fgets(local_10,1000,stdin);
       local_10[999] = '\0';
       printf(local_10);
       fflush(stdout);
       fgets(local_10,1000,stdin);
       local_10[999] = '\0';
       strcpy(local_78,local_10);
       return 0;
   }
   ```
2. Alright, so this is the same program as "Binary Gauntlet 0", except that the flag is no longer printed on a crash and the address of the 104-byte stack buffer `local_78` is printed at the start of the program. That leak is what makes the challenge solvable: `strcpy` copies up to 999 bytes of the second input into `local_78` with no bounds check, and the printed address tells us exactly where that buffer lives despite ASLR.
3. We can write some shellcode to `local_78`, pad out to the return address, and overwrite the return address with the address of `local_78` that is printed at the beginning.
4. Run the solution [script](https://github.com/HHousen/PicoCTF-2021/blob/master/Binary%20Exploitation/Binary%20Gauntlet%201/script.py) and then run `cat flag.txt` to get the flag.
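For contrast, here is what the decompiled `main` looks like once its three defects are fixed: the stack-address leak, the `printf(local_10)` format-string call, and the unbounded `strcpy` into `local_78`. This is an added example written for this writeup, not code from picoCTF or the solution script; the function and macro names are my own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LINE_MAX_LEN 1000   /* heap line buffer size, as in the challenge */
#define STACK_BUF_LEN 104   /* size of local_78 in the decompiled main */

/* Copy src into dst only if it fits, NUL included. Returns 0 on success
 * and -1 when the input would overflow, instead of writing past the end
 * of dst the way strcpy(local_78, local_10) does. On failure dst is left
 * as an empty string so callers never see a half-copied buffer. */
int bounded_copy(char *dst, size_t dst_len, const char *src)
{
    size_t n = strlen(src);
    if (n + 1 > dst_len) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Hardened version of the challenge flow: read two lines, echo the first
 * as data, copy the second into the stack buffer only if it fits.
 * Returns 0 when both steps succeed, -1 otherwise. */
int hardened_gauntlet(FILE *in, FILE *out)
{
    char stack_buf[STACK_BUF_LEN];
    char *line = malloc(LINE_MAX_LEN);
    if (line == NULL)
        return -1;
    /* No printf("%p\n", stack_buf): printing a stack address hands out
     * the one value ASLR is supposed to keep secret. */
    if (fgets(line, LINE_MAX_LEN, in) == NULL) { free(line); return -1; }
    fputs(line, out);   /* printf(line) would treat user input as a format string */
    fflush(out);
    if (fgets(line, LINE_MAX_LEN, in) == NULL) { free(line); return -1; }
    line[strcspn(line, "\n")] = '\0';
    int rc = bounded_copy(stack_buf, sizeof stack_buf, line);
    free(line);
    return rc;
}

int main(void)
{
    /* Same two-line interaction as the challenge, but overlong input is
     * rejected rather than overwriting the saved return address. */
    return hardened_gauntlet(stdin, stdout) == 0 ? 0 : 1;
}
```

With `bounded_copy` in place, the second input can no longer reach the return address, so the leaked-address trick from step 3 has nothing to overwrite.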

### Flag

`c6e16a1b4182c2801ed657d4c482af88`
