In this challenge debugging was unnecessary.

If I execute it, this is the output:

We can add a text, edit and show it.

The vulnerability

So, I add a text; the max length is 0x30, but if I edit the text, there are two options:

When I choose the first option, we can see the vulnerability.

We can write into dest without any length check, which causes a buffer overflow on the stack. So, if we create a text 0x4A bytes long, we can overwrite the return address.
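The missing check, shown as an added example (not the challenge binary's code, which is not reproduced on this page): an unchecked copy into dest next to an edit routine that enforces the 0x30 limit. The function names, the buffer layout and the sample inputs are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define TEXT_MAX 0x30            /* max text length stated in the write-up */

/* Assumed shape of the flawed edit path (the binary's code is not on the
 * page): copies up to src's terminator, whatever the size of dest. */
void edit_text_unchecked(char *dest, const char *src)
{
    strcpy(dest, src);
}

/* Hardened edit: the caller passes dest's capacity; oversize input is
 * rejected (not truncated) and dest is left unchanged. 0 = ok, -1 = rejected. */
int edit_text_checked(char *dest, size_t dest_size, const char *src)
{
    size_t n = 0;

    if (dest == NULL || src == NULL || dest_size == 0)
        return -1;
    while (n < dest_size && src[n] != '\0')   /* bounded length scan */
        n++;
    if (n == dest_size)                       /* no room for the terminator */
        return -1;
    memcpy(dest, src, n);
    dest[n] = '\0';
    return 0;
}

/* Constructed input: edits a stored text with len 'A' bytes and returns the
 * stored length afterwards, or -1 if the edit was rejected. */
int edit_with_length(size_t len)
{
    char text[TEXT_MAX + 1] = "original";
    char input[0x80];

    if (len >= sizeof input)
        return -1;
    memset(input, 'A', len);
    input[len] = '\0';
    if (edit_text_checked(text, sizeof text, input) != 0)
        return strcmp(text, "original") == 0 ? -1 : -2;
    return (int)strlen(text);
}

int main(void)
{
    printf("0x30 bytes -> %d\n", edit_with_length(0x30));
    printf("0x4A bytes -> %d\n", edit_with_length(0x4A));
    return 0;
}
```

With the length enforced on the edit path as well as on the add path, the 0x4A-byte text is refused and the stored text stays intact.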

The exploit

We can write a full exploit only if we get a memory leak that reveals a libc virtual address. For that purpose we can print a .got entry and obtain the virtual address of a libc function imported by the binary.

In this challenge we were given the libc, so we could compute the libc base and the addresses of other functions.

Now, it’s only necessary to call system and get a shell.

Then we need to preload the provided libc and run the binary on port 42345.

So, launching the exploit…

Finally, we got the flag.

The full exploit can be found here.

The flag is: xiomara{cl!_ed!t0r_pwn!ng_!$_th3_n3w_$3xy}.