Pwn - babypwn

A basic binary exploitation.

The challenge hosted a remote service accessible via nc 34.162.142.123 5000 , and the objective was to exploit the binary and execute a hidden function (secret) to retrieve the flag.

chall.c

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

void secret()
{
    printf("Congratulations! Here is your flag: ");
    char *argv[] = {"/bin/cat", "flag.txt", NULL};
    char *envp[] = {NULL};
    execve("/bin/cat", argv, envp);
}

void vulnerable_function()
{
    char buffer[64];
    printf("Enter some text: ");
    fgets(buffer, 128, stdin);
    printf("You entered: %s\n", buffer);
}

int main()
{
    setvbuf(stdout, NULL, _IONBF, 0);
    printf("Welcome to the Baby Pwn challenge!\n");
    printf("Address of secret: %p\n", secret);
    vulnerable_function();
    printf("Goodbye!\n");
    return 0;
}

solve.py

Oberservations in Chall.c :

1. the function secret() prints a message and executes /bin/cat flag.txt using execve(). This is the goal function, but it is not called directly in the program.

2. fixed buffer of 64 bytes (char buffer[64]) is declared, but fgets() reads up to 128 bytes, which can lead to potential buffer overflow. This allows overwriting the return address of the function.

3. since the address of the secret() function is printed at runtime, the exploitation straightforward.

So to overwrite the return addr of vulnerable_function() with the address of secret() i just calculated the offset needed to overwrite the retr addr.

Solution :

1. addr of the secret() function (0x401166) is leaked when the program starts, simplifying the exploit.

2. the payload consists of 72 bytes of padding ('A' * 72) to fill the buffer and overwrite the saved retr addr, followed by the addr of secret().

3. once the function pointer is overwritten, the program flow jumps to secret().

Flag: uofctf{buff3r_0v3rfl0w5_4r3_51mpl3_1f_y0u_kn0w_h0w_t0_d0_1t}