Writeups/1337UP/Babyflow

1337UPEasyCTF Challenge

Babyflow

Babyflow

2024-11-17

#1337UP #Binary Exploit

##Challenge Name: Babyflow

###Solves

>Solves: 438
>Points: 50

###Description

Does this login application even work?!

Attachment: babyflow
Connection: nc babyflow.ctf.intigriti.io 1331

###Approach

>
Analyzing the File Type:
- >We started by identifying the file type of the provided babyflow binary:
  bash
  file babyflow
- >The result indicated that it is an x64 ELF Executable.
>
Executing the Binary:
- >
  After giving the necessary file permissions using chmod:
  
  bash
  chmod +x babyflow ./babyflow
- >
  The binary prompted us to enter a password.
  
  image1
>
Decompiling the ELF File:
- >
  Using a decompiler (e.g., Ghidra or IDA), we analyzed the binary and discovered the hardcoded password:
  SuPeRsEcUrEPaSsWoRd123
  image2
- >
  However, the issue was with the variable local_c, which was initialized to 0. As long as local_c remains 0, the program refuses to reveal the flag.
  
  image3
>
Exploiting the Buffer Overflow:
- >Observing the code, we found that the local_c variable was located near the memory segment for the password input.
- >We crafted a payload to overflow the buffer and overwrite local_c with non-zero values (\x01).
Payload:

plaintext
SuPeRsEcUrEPaSsWoRd123AAAAAAAAAAAAAAAAAAAAAA\x01\x01\x01\x01
>
Getting the Flag:
- >
  Running the binary with the payload revealed the flag:
  INTIGRITI{b4bypwn_9cdfb439c7876e703e307864c9167a15}
  image4

###Flag

INTIGRITI{b4bypwn_9cdfb439c7876e703e307864c9167a15}