Simple ret2win. It calls gets on rbp-0xd0, and there's a function called flag that grabs the flag from flag.txt
0xd0 + 8 bytes of padding + address of ret + flag function. Address of ret is needed on remote because stack alignment is a bitch
Lets look into this. Let's first of all disassemble main. We'll notice lots of logic going on, and lots of functions - eat, zzz, etc. We also see some variables - once, sleepy, hungry, etc. These have to do with making your pwnagotchi happy. Is this important? No, not at all.
The main thing is that there is a gets call on rbp-0xc. This means that we instantaneously have a buffer overflow vulnerability. 0xc is 12, and 12 + 8 = 20, so we will have 20 bytes until the return address. This is confirmed by pattern.py.
No PIE, NX. My first instinct was ROP, but there wasn't enough gadgets. So I used ret2libc instead.
There's no PIE in the binary, so the GOT and the PLT stay constant. This allows us to execute a simple ret2plt attack, calling puts@plt on puts@GOT, and leaking the puts libc address. This libc address can be used to find the libc version of the remote instance, which is libc6_2.27-3ubuntu1_amd64. From there, we can call main again, and execute a simple ret2libc attack.
There's two things stopping us here, which I'll review.
First of all: main has some weird logic at the beginning. What actually happens is not important, what you need to know is that it can detect whether you've done weird stuff and called it again. When it detects this, it says "um, this is awkward" and quits. How do we bypass this? Simple. We jump to the specific instruction in main which starts our input, and continue from there.
Second thing: quite subtle. When we execute this attack remotely, everything goes smoothly. However, once we hit the final payload, things stop working. we get an EOF.
It's important to review what's happening. When our remote exploit does not work, the "pwnagotchi name is not happy!" message does NOT show up. What does this mean? It means we likely a hit a problem with the stack. You guessed it, stack alignment.
We can add a simple ret gadget in the middle of our payloads(0x400285) and our exploit succeeds! Script below
My fakestack pointer was a pointer to a random page mapped read-write in memory, so that the program could resume and make local variables like normal.