💣 P0wn3d 2

A detailed write-up of the Pwn challenge 'P0wn3d 2' from WolvCTF - 2025

mH4ck3r0n3 Ethical Hacking/CTFs/Jeopardy/WolvCTF-2025/Pwn

24/03/2025 391 words 2 minutes

Contents

/images/WolvCTF-2025/Pwn/P0wn3d2/challenge_presentation.png — Challenge Presentation

📊 Challenge Overview

Category Details Additional Info

🏆 Event WolvCTF - 2025 Event Link

🔰 Category Pwn 💣

💎 Points 50 Out of 500 total

⭐ Difficulty 🟢 Easy Personal Rating: 0/10

👤 Author Didkd Profile

🎮 Solves (At the time of flag submission) 4 solve rate

📅 Date 23-03-2025 WolvCTF - 2025

🦾 Solved By mH4ck3r0n3 Team: QnQSec

Category	Details	Additional Info
🏆 Event	WolvCTF - 2025	Event Link
🔰 Category	Pwn	💣
💎 Points	50	Out of 500 total
⭐ Difficulty	🟢 Easy	Personal Rating: 0/10
👤 Author	Didkd	Profile
🎮 Solves (At the time of flag submission)	4	solve rate
📅 Date	23-03-2025	WolvCTF - 2025
🦾 Solved By	mH4ck3r0n3	Team: QnQSec

📝 Challenge Information

You can scream… Whatever. Can you be precise tho? nc p0wn3d2.kctf-453514-codelab.kctf.cloud 1337

🎯 Challenge Files & Infrastructure

Provided Files

Files:

Attached Files

🔍 Initial Analysis

First Steps

This is the second challenge in the P0wn3d series. Since it is very similar to the previous one, I won’t go into details. I’ll leave the link to the previous challenge as it contains all the useful explanations for solving this one: P0wn3d. In this challenge, there are simply two guards instead of one.

🔬 Vulnerability Analysis

Potential Vulnerabilities

Buffer Overflow

🎯 Solution Path

Exploitation Steps

Exploitation

I simply added to the script from the previous challenge the sending of 0xdeadbeef (first guard) instead of 0x42424242. Then, I added the sending of the second guard 0x0badc0de since there is a logical AND in the if statement:
1
2
3
 if (second_words.guard1 == 0xdeadbeef && second_words.guard2 == 0x0badc0de) {
   get_flag();
 }
So, the payload will look like this: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + sending 0xdeadbeef + 0x0badc0de. With the first part, I fill the buf buffer, and then I insert the bytes to fill guard1 and guard2, making the if condition true and calling the get_flag() function, which prints the flag.

🛠️ Exploitation Process

Approach

The automatic exploit is identical to the one from the previous challenge, except now there are two guards, so it sends 0xdeadbeef to pass the first guard and 0x0badc0de for the second guard.

Exploit

🚩 Flag Capture

Flag

wctf{4ll_y0uR_mEm_4r3_bel0ng_2_Us}

Proof of Execution

Automated Flag

Screenshot of successful exploitation

🔧 Tools Used

Tool Purpose

Python Exploit

Tool	Purpose
Python	Exploit

💡 Key Learnings

Skills Improved

Binary Exploitation

Reverse Engineering

Web Exploitation

Cryptography

Forensics

OSINT

Miscellaneous

📚 References & Resources

Similar Challenges

P0wn3d

P0wn3d 3

Learning Resources

https://pwn.guide/free/other/buffer-overflow

📊 Final Statistics

Metric	Value	Notes
Time to Solve	00:02	From start to flag
Global Ranking (At the time of flag submission)	8/432	Challenge ranking
Points Earned	50	Team contribution

Created: 23-03-2025 • Last Modified: 23-03-2025 Author: mH4ck3r0n3 • Team: QnQSec