Baby's Third

Babies can't count, but they can do binaries?

Author: ElykDeer

readme.txt babysthird

I first ran the binary in order to see what it does.

$ ./babysthird
Enter your password:

Using the checksec utility, I saw the security properties of the file.

$ checksec babysthird 
[*] '/home/hacker/csaw23/babysThird/babysthird'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled

• There's two important properties here:

  • NX enabled: This means that the stack is not executable. Therefore we cannot use a shellcode injection.

  • PIE enabled: This means that the executable is positionally independent. So the code and memory regions will have the same address every time we run it.

• Before disassembling the executable, I opened the readme.txt file and saw an interesting line.

Most notably, binutils includes `objdump` and `strings`. One of those are what you need to solve this challenge...

• So, then I used the strings utility to see if the flag was stored somewhere in plaintext.

$ strings babysthird 
/lib64/ld-linux-x86-64.so.2
__cxa_finalize
__libc_start_main
strcmp
puts
__isoc99_scanf
__stack_chk_fail
printf
libc.so.6
GLIBC_2.7
GLIBC_2.4
GLIBC_2.2.5
GLIBC_2.34
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
PTE1
u+UH
Enter your password: 
%99s
csawctf{st1ng_th30ry_a1nt_so_h4rd}
Correct!
Access denied.
:*3$"
GCC: (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0
Scrt1.o
__abi_tag
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.0
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
babysthird.c
__FRAME_END__
_DYNAMIC
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_start_main@GLIBC_2.34
_ITM_deregisterTMCloneTable
puts@GLIBC_2.2.5
_edata
_fini
__stack_chk_fail@GLIBC_2.4
printf@GLIBC_2.2.5
__data_start
strcmp@GLIBC_2.2.5
__gmon_start__
__dso_handle
_IO_stdin_used
_end
__bss_start
main
__isoc99_scanf@GLIBC_2.7
__TMC_END__
_ITM_registerTMCloneTable
__cxa_finalize@GLIBC_2.2.5
_init
.symtab
.strtab
.shstrtab
.interp
.note.gnu.property
.note.gnu.build-id
.note.ABI-tag
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.plt.sec
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.data
.bss
.comment

And there was the flag!

Flag

csawctf{st1ng_th30ry_a1nt_so_h4rd}