UofT CTF 2025
Baby Pwn 2 [100 pts]
Here’s a baby pwn challenge for you to try out. Can you get the flag?
nc 34.162.142.123 5000
Author: atom
We’re provided the binary along with the source file:
checksec output: NX is disabled, which implies shellcode is likely the solution.
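As an added example (not part of the original writeup), here is a small Python script that performs the check behind checksec's NX line: it parses the ELF64 program headers, looks for PT_GNU_STACK, and reports the stack as executable when the PF_X flag is set or the header is missing. The sample ELF images it builds are constructed test data, not loadable programs; the file name on the command line is a placeholder.

```python
import struct
import sys

PT_GNU_STACK = 0x6474E551          # program header describing stack permissions
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4   # segment permission flags


def stack_executable(elf: bytes) -> bool:
    """Return True when an ELF64 image asks the loader for an executable stack.

    Mirrors checksec's rule: the stack is executable when PT_GNU_STACK carries
    PF_X, and also when no PT_GNU_STACK header is present at all.
    """
    if elf[:4] != b"\x7fELF" or elf[4] != 2:   # EI_CLASS 2 == ELFCLASS64
        raise ValueError("not an ELF64 image")
    end = "<" if elf[5] == 1 else ">"           # EI_DATA: 1 == little-endian
    (e_phoff,) = struct.unpack_from(end + "Q", elf, 0x20)
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 0x36)
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from(end + "II", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            return bool(p_flags & PF_X)
    return True  # no PT_GNU_STACK: treated as executable, as checksec does


def nx_status(elf: bytes) -> str:
    """checksec-style wording for the NX row."""
    return "NX disabled" if stack_executable(elf) else "NX enabled"


def build_sample_elf(gnu_stack_flags):
    """Constructed test data: a minimal ELF64 header plus, when flags are
    given, one PT_GNU_STACK program header. Not a loadable program."""
    phdrs = b""
    if gnu_stack_flags is not None:
        phdrs = struct.pack("<IIQQQQQQ", PT_GNU_STACK, gnu_stack_flags, 0, 0, 0, 0, 0, 0x10)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELFCLASS64, LSB, EV_CURRENT
    header = ident + struct.pack(
        "<HHIQQQIHHHHHH",
        2, 0x3E, 1,              # e_type ET_EXEC, e_machine EM_X86_64, e_version
        0x401000, 64, 0, 0,      # e_entry, e_phoff (right after header), e_shoff, e_flags
        64, 56, len(phdrs) // 56, 64, 0, 0)  # ehsize, phentsize, phnum, shentsize, shnum, shstrndx
    return header + phdrs


if __name__ == "__main__":
    # Audit a real binary: python nx_check.py ./some_binary  (placeholder name)
    with open(sys.argv[1], "rb") as fh:
        print(nx_status(fh.read()))
```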
We also have a simple buffer overflow: 128 bytes are read into the 64-byte buffer. And we’re given a stack leak of the address of buffer.

Basically, we can just write shellcode into buffer, and then overwrite saved RIP with the address of buffer that was leaked by the program. Then, the program will jump to our shellcode instructions in buffer, and run whatever we want!

For the shellcode, we can create a pretty simple one to call system("/bin/sh\x00") (null-terminated because that’s how C interprets strings!).
Here’s the exploit:
And we get the flag!
uoftctf{sh3llc0d3_1s_pr3tty_c00l}
Full script: