BabyFlow

Writeup for Babyflow (Warmup) - 1337UP LIVE CTF (2024) 💜

Challenge Description

Does this login application even work?!

Solution

When players run the binary, it asks for a password.

./babyflow
Enter password: cat
Incorrect Password!

We can use a tool like ltrace to see if the password is revealed.

ltrace ./babyflow
printf("Enter password: ")                                               = 16
fgets(Enter password: cat
"cat\n", 50, 0x7fe918c2aa80)                                       = 0x7ffe1addfa40
strncmp("cat\n", "SuPeRsEcUrEPaSsWoRd123", 22)                           = 16
puts("Incorrect Password!"Incorrect Password!
)                                              = 20
+++ exited (status 0) +++

It is! Let's try SuPeRsEcUrEPaSsWoRd123.

It's not that easy 😥 the correct password alone doesn't get us the flag. Before disassembling the binary, let's see if there's an obvious buffer overflow.

Canaries are disabled, so there's nothing stopping us from "smashing the stack".

We can't forget the password! The input has to start with SuPeRsEcUrEPaSsWoRd123 and then keep going long enough to spill out of the buffer.

Flag: INTIGRITI{b4bypwn_9cdfb439c7876e703e307864c9167a15}

Source Code

I cba opening the binary in Ghidra now, so for anybody who's interested, this is how it works: there's a buffer overflow in the password variable, which lets fgets write up to 50 bytes into a 32-byte buffer. Players are required to enter the correct password at the beginning of the input (strncmp only compares the first 22 characters), but by appending additional characters they can overwrite the admin flag with something other than zero.
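As an added example (not the challenge's own source code), the C below models the pattern just described: a 32-byte password buffer with the admin flag sitting right after it, a read that accepts 50 bytes, and a prefix-only strncmp; beside it is a version that reads no more than the buffer holds and compares the whole string. The frame layout, the fake_fgets helper and the function names are assumptions made for illustration; the layout of a real stack frame is decided by the compiler.

```c
#include <stdio.h>
#include <string.h>

#define PASSWORD  "SuPeRsEcUrEPaSsWoRd123"
#define BUF_SIZE  32   /* password buffer size in the challenge */
#define READ_SIZE 50   /* size argument the challenge passes to fgets() */

/* Hypothetical model of the vulnerable stack frame: the password buffer sits
   at offset 0 and the admin flag directly after it at offset 32. The backing
   array is wider than both so the model itself never writes out of bounds. */
struct frame {
    char bytes[64];
};
#define ADMIN_OFFSET BUF_SIZE

/* Mimics fgets(dst, size, stdin) on an in-memory string: at most size-1 bytes
   are copied and the result is NUL-terminated. (Constructed helper.) */
static void fake_fgets(char *dst, size_t size, const char *input)
{
    size_t n = strlen(input);
    if (n > size - 1)
        n = size - 1;
    memcpy(dst, input, n);
    dst[n] = '\0';
}

/* Vulnerable pattern: 50 bytes accepted into a 32-byte buffer, prefix-only
   compare. Returns 1 when the flag would be printed, 0 otherwise. */
int check_vulnerable(const char *input)
{
    struct frame f;
    int admin;

    memset(f.bytes, 0, sizeof f.bytes);          /* admin starts out as 0 */
    fake_fgets(f.bytes, READ_SIZE, input);       /* may spill past offset 32 */
    memcpy(&admin, f.bytes + ADMIN_OFFSET, sizeof admin);

    /* strncmp with n = 22: only the first 22 characters are compared, so
       whatever follows the password is never looked at. */
    if (strncmp(f.bytes, PASSWORD, strlen(PASSWORD)) != 0)
        return 0;                                /* "Incorrect Password!" */
    if (admin == 0)
        return 0;                                /* right password, no flag */
    return 1;                                    /* flag printed */
}

/* Hardened version: the read is bounded by the buffer, the newline is
   stripped, and the whole string must match. There is no separate flag
   variable next to the buffer for an overflow to clobber. */
int check_hardened(const char *input)
{
    char buf[BUF_SIZE];

    fake_fgets(buf, sizeof buf, input);          /* at most 31 bytes + NUL */
    buf[strcspn(buf, "\n")] = '\0';
    return strcmp(buf, PASSWORD) == 0;
}

int main(void)
{
    const char *samples[] = {                    /* constructed inputs */
        "cat\n",
        PASSWORD "\n",
        PASSWORD "AAAAAAAAAAAAAAAAAAAA\n",       /* password + 20 bytes of padding */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("vulnerable=%d hardened=%d\n",
               check_vulnerable(samples[i]), check_hardened(samples[i]));
    return 0;
}
```

With the padded input the model's admin flag reads 0x41414141, so check_vulnerable returns 1 while check_hardened truncates the line at 31 bytes and rejects it. One caveat for the hardened read: a real fgets(buf, sizeof buf, stdin) leaves the rest of an over-long line in stdin, so a program that reads again afterwards should drain it first.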
