# Level5

Using ghidra, we can decompile the code and see that it fills a buffer of 520 bytes using `fgets()`.
This buffer will then be passed directly as a parameter to `printf()`. This allows us to print whatever we want (e.g dump the stack, change variables).
Our goal here will be to change the value of the `jmp` of `exit()` to the address of `o()`, opening a shell.

To do so, we will first dump the stack to know where the buffer is located. 
Let's print something basic like `print("AAAA" + "%x"*20)`. We can see that 0x41414141 (= "AAAA") is printed at the 4th position in the stack.
Now that we know where our buffer is located on the stack, let's exploit printf.

By using the `%n` flag, we can change the value of a variable to the length of what's been printed before (here, o's address).
Let's overwrite the GOT address of `exit()` by the address of `o()`.
We can get both addresses using gdb.

Putting these all together, here is the command:
`(python -c 'print "\x38\x98\x04\x08" + "%134513824p" + "%4$n"'; cat) | ./level5`