> For the complete documentation index, see [llms.txt](https://picoctf2019.haydenhousen.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://picoctf2019.haydenhousen.com/binary-exploitation/got.md). # GoT ## Problem > You can only change one address, here is the problem: program. It is also found in /problems/got\_3\_4ba3deeda2ea9b203c6a6425f183e7ed on the shell server. Source. * [Program](https://github.com/HHousen/PicoCTF-2019/tree/24b0981c72638c12f9a8572f81e1abbcf8de306d/Binary%20Exploitation/GoT/vuln/README.md) * [Source](https://github.com/HHousen/PicoCTF-2019/tree/24b0981c72638c12f9a8572f81e1abbcf8de306d/Binary%20Exploitation/GoT/vuln.c) ## Solution 1. The program asks for an address to overwrite with user-supplied data. One prompt for the address and another prompt for the input value. 2. `puts` and `exit` are the only two functions called after the write, so we need to change the behavior of one of the two functions. Because ASLR is enabled, we need to look for things that stay constant. One of these things is the Global Offset Table. The [Global Offset Table](https://www.youtube.com/watch?v=kUk5pw4w0h4) allows a C program to call libc libraries and serve as a jumping point for the program. If we modify this jumping point, we can make the program execute code at a different address than intended. 3. So we want to select the GOT address of the `puts` function and overwrite it with the address of the `win` function. `pwntools` makes this easy: ```python exit_got = exe.got['exit'] win_addr = exe.symbols['win'] ``` 4. Then we simply send the addresses over and get the flag: ```python io.sendlineafter("Input address\n", str(exit_got)) io.sendlineafter("Input value?\n", str(win_addr)) ``` 5. Run the [script.py](https://github.com/HHousen/PicoCTF-2019/tree/24b0981c72638c12f9a8572f81e1abbcf8de306d/Binary%20Exploitation/GoT/script.py) like so: `python script.py USER=username PASSWORD=password` ### Flag `picoCTF{A_s0ng_0f_1C3_and_f1r3_1ef72b2d}` --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://picoctf2019.haydenhousen.com/binary-exploitation/got.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.