Https- Bit.ly Crackfire -

# ---------------------- CONFIGURATION ------------------------ binary = "./crackfire" elf = ELF(binary) context.binary = binary context.log_level = "info"

printf("Enter the secret code:\n"); scanf("%s", buf); // <-- NO length limit scanf("%s", ...) reads until whitespace, no size check → . But more importantly, later there is a printf that prints the user‑controlled string without a format string : https- bit.ly crackfire

The binary is compiled PIE, so we need to of _start (found via readelf -s crackfire | grep _start → 0x4006f0 ) to get the load address: By combining an info‑leak with a one‑shot ret2win

Challenge type: Binary exploitation (pwn) – 64‑bit Linux Difficulty: Medium / Hard (depends on the exact variant) Points: 500 (CTF typical) TL;DR – The binary is a simple “crack‑the‑code” game that reads a user‑supplied string, checks it against a secret flag stored in the binary, and then prints “Access granted!” on success. The binary contains a classic format‑string vulnerability that lets us leak the address of the secret and later overwrite the check function’s return address to jump to win . By combining an info‑leak with a one‑shot ret2win payload we obtain the flag. Below is a step‑by‑step walkthrough that shows the thought process, the tools used, and the final exploit script (Python + pwntools). Feel free to copy the script and adapt it for the exact binary you downloaded from the short link. 1. Getting the binary The challenge link ( https://bit.ly/crackfire ) resolves to a zip file containing: the tools used

The is stored in the binary as a global:

$ ./crackfire Welcome to CrackFire! Enter the secret code: > If you type anything other than the hidden code you get: