This is the babypwn challenge – what are you waiting for student?
nc baby.uni.hctf.fun 25251
Binary
Libc
Binary Mirror
Libc Mirror

Let’s check the file information first.

It is an 64-bit ELF executable which is dynamically linked and not stripped.

Let’s look at its protections.

It’s stack is not executable.

Now, let’s start the analysis with decompiling its main function.

It calls a function called copy. Let’s decompile it as well.

It has a single scanf call and &unk_402008 points to the string “%s”. It reads a string of arbitrary size into the v1 which is located at [bp-80h]. Therefore, we can overwrite the return address of this function after 0x88 bytes. We can simply create a ROP chain to leak the address of [email protected] by calling [email protected] Then, we can return to main and send another ROP chain to set rdi to “/bin/sh” string and call system.

We can find the pop rdi gadget using ROPgadget.

We found one at 0x0401203.

Let’s find the address of [email protected].

It is 0x401030. Now, we just need to find the address of [email protected]

It is located at 0x403FC8. Now, we can start coding our exploit.

Here is the exploit script that I created in python.

Let’s run it and get our flag.

Here is flag{0h_b4by_b4by_pl3453_d0n’7_cry!}.