PicoCTF 2018 - Binary Exploitation Challenges

We’ve solved every single last PicoCTF 2018 Binary Exploitation challenge. Read our writeups to up your hacker game and learn what you’ve been missing. For more information on what PicoCTF is, read our introductory Blog Post.

Getting Started

Required tools: ssh client

Strictly speaking, you should be able to do almost all of the challenges without any additional tools than what is available on the ssh server.

However, I would recommend downloading the problems and working locally. For Ubuntu systems, you’ll want to do the following:

sudo dpkg --add-architecture i386
sudo apt-get update
sudo apt-get install -y libc6-dbg lib32stdc++6 libc6-dbg:i386 libstdc++6:i386

Which should allow you to execute 32-bit binaries on a 64-bit Ubuntu installation.

In addition, you’ll likely want to install packages for binutils, python3, pwntools, netcat, and nasm.

Windows Users

Fear not, it is relatively easy to work on these problems from your windows machine (I did). At the end of the day, these are linux binaries, so you will still need access to a linux instance to run them. Both Docker and WSL2 will allow you to have complete linux instances running in a virtual machine. WSL1 is also an option, and will get you surprising far, but the caveat is that 32-bit binaries are explicitly not supported by WSL1, so you will have to run those challenges on the shell server.

List of Challenges

1. buffer overflow 0 (150 Points)

$ ./vuln abcd
Thanks! Received: abcd

The trick with this challenge is to make the program segfault (in the right way). The binary already registers a segfault handler that, if successfully executed, will print out the flag. All you have to do? Make it crash!
> Read More

2. buffer overflow 1 (200 Points)

$ ./vuln
Please enter your string:
Okay, time to return... Fingers Crossed... Jumping to 0x80486b3

The training-wheels come off, and you have to use the buffer-overflow vulnerability to execute a specific bit of code at an exact location in memory. The question is, can you get it to work?
> Read More

3. leak-me (200 Points)

$ ./auth
What is your name?
Hello abcd,
Please Enter the Password.
Incorrect Password!

It’s still a buffer overflow, but it won’t crash and it won’t execute code. How will you trick it into revealing its secrets?
> Read More

4. shellcode (200 Points)

$ ./vuln
Enter a string!
Thanks! Executing now...
Segmentation fault

In which we hand-craft some artisanal x86 shellcode.
> Read More

5. buffer overflow 2 (250 Points)

$ ./vuln
Please enter your string:

Now that you’ve got a handle on buffer-overflows, can you figure out how to use your control of the stack to pass arguments into a function?
> Read More

6. got-2-learn-libc (250 Points)

$ ./vuln
Here are some useful addresses:  
puts: 0xf7660150
fflush 0xf765e340
read: 0xf76d5440
write: 0xf76d54b0
useful_string: 0x56624030
Enter a string:
Thanks! Exiting now...

Time to put all your training to work - there are no more easy win()s, but at least there’s PIE.
> Read More

7. echooo (300 Points)

$ nc 2018shell.picoctf.com 34802
Time to learn about Format Strings!
We will evaluate any format string you give us with printf().
See if you can get the flag!

The trick to this one is all in formatting your query correctly.
> Read More

8. authenticate (350 Points)

$ nc 2018shell.picoctf.com 52398
Would you like to read the flag? (yes/no)
Sorry, you are not *authenticated*!

Did you think printf was just for printing values? Naw, it can do more than that.
> Read More

9. got-shell? (350 Points)

$ nc 2018shell.picoctf.com 3582
I'll let you write one 4 byte value to memory. Where would you like to write this 4 byte value?
Okay, now what value would you like to write to 0xabcd
Okay, writing 0x0 to 0xabcd
timeout: the monitored command dumped core

You’re only 4 bytes away from pwn - assuming you can put them in the right spot.
> Read More

10. rop chain (350 Points)

$ ./rop
Enter your input> abcd

When you need something done, a gadget is your friend.
> Read More

11. buffer overflow 3 (450 Points)

$ ./vuln
How Many Bytes will You Write Into the Buffer?
Input> abcd
Ok... Now Where's the Flag?

Do you really think a little bird is going to stop us, after all that we’ve learned?
> Read More

12. echo back (500 Points)

$ ./echoback
input your message:
Thanks for sending the message!

With recursion, you can update your .got AND have shell too.
> Read More

13. are you root? (550 Points)

$ ./auth
Available commands:
        show - show your current user and authorization level
        login [name] - log in as [name]
        set-auth [level] - set your authorization level (must be below 5)
        get-flag - print the flag (requires authorization level 5)
        reset - log out and reset authorization level
        quit - exit the program
Enter your command:
Not logged in.
Enter your command:
Login first!

A tantalizing first taste of memory reuse in heap exploits.
> Read More

14. gps (550 Points)

$ ./gps
GPS Initializing..........Done
Acquiring satellites.Satellite 0.......Done
Satellite 1...Done
Satellite 2.....Done
GPS Initialized.
Warning: Weak signal causing low measurement accuracy
We need to access flag.txt.
Current position: 0x7fffcd721538
What's your plan?
Where do we start?
Segmentation fault (core dumped)

What happens when you don’t know exactly where to go? Will you crash out, or slide on through?
> Read More

15. can-you-gets-me (650 Points)

$ ./gets

Your last chance to master buffer overflows - ROP now, or gets out.
> Read More

16. freecalc (750 Points)

$ ./calc
Welcome to heapcalc!
This is a postfix calculator. Commands: + * - / = # constant function
 Example: '1 1 + =' outputs 2.
Define functions like ': <name> <opcount> <op1> <op2> ...'
 Example: ': add 1 +' defines a function add with one operation which executes '+'.
Good luck!
> abcd
Invalid operation 'abcd'

Can you calculate your way out of this mess?
> Read More

17. sword (800 Points)

$ ./sword
/* Welcome! */
1. Forge a sword.
2. Synthesise two sword.
3. Show a sword.
4. Destroy a sword.
5. Harden a sword.
6. Equip a sword.
7. Quit.
New sword is forged ^_^. sword index is 0.
/* Welcome! */
1. Forge a sword.
2. Synthesise two sword.
3. Show a sword.
4. Destroy a sword.
5. Harden a sword.
6. Equip a sword.
7. Quit.
What's the index of the sword?
The weight is 0
The name is (null)

It was all fun and games until you got here.
> Read More

18. contacts (850 Points)

$ ./contacts
Available commands:
        display - display the contacts
        create [name] - create a new contact
        delete [name] - delete an existing contact
        bio [name] - set the bio for an existing contact
        quit - exit the program
Enter your command:
create abcd
Created contact "abcd"
Enter your command:
abcd - (No bio)

Some times, you’ve got to fake it until you make it.
> Read More

19. cake (900 Points)

$ ./cake
              *                                             *
                           *             *
      *                                                               *
                               (             )
                       )      (*)           (*)      (
              *       (*)      |             |      (*)
                       |      |~|           |~|      |          *
                      |~|     | |           | |     |~|
                      | |     | |           | |     | |
                     ,| |a@@@@| |@@@@@@@@@@@| |@@@@a| |.
                .,a@@@| |@@@@@| |@@@@@@@@@@@| |@@@@@| |@@@@a,.
              ,a@@@@@@| |@@@@@@@@@@@@.@@@@@@@@@@@@@@| |@@@@@@@a,
             a@@@@@@@@@@@@@@@@@@@@@' . `@@@@@@@@@@@@@@@@@@@@@@@@a
             ;`@@@@@@@@@@@@@@@@@@'   .   `@@@@@@@@@@@@@@@@@@@@@';
             ;@@@`@@@@@@@@@@@@@'     .     `@@@@@@@@@@@@@@@@'@@@;
             ;@@@;,.aaaaaaaaaa       .       aaaaa,,aaaaaaa,;@@@;
             ;;@;;;;@@@@@@@@;@      @.@      ;@@@;;;@@@@@@;;;;@@;
             ;;;;;;;@@@@;@@;;@    @@ . @@    ;;@;;;;@@;@@@;;;;;;;
             ;;;;;;;;@@;;;;;;;  @@   .   @@  ;;;;;;;;;;;@@;;;;@;;
             ;;;;;;;;;;;;;;;;;@@     .     @@;;;;;;;;;;;;;;;;@@@;
         ,%%%;;;;;;;;@;;;;;;;;       .       ;;;;;;;;;;;;;;;;@@;;%%%,
      .%%%%%%;;;;;;;@@;;;;;;;;     ,%%%,     ;;;;;;;;;;;;;;;;;;;;%%%%%%,
     .%%%%%%%;;;;;;;@@;;;;;;;;   ,%%%%%%%,   ;;;;;;;;;;;;;;;;;;;;%%%%%%%,
     %%%%%%%%`;;;;;;;;;;;;;;;;  %%%%%%%%%%%  ;;;;;;;;;;;;;;;;;;;'%%%%%%%%
In total, you have sold $0 worth of merchandise, and have 1 customers waiting.
* [M]ake a cake.
* [W]ait for customers.
* [S]erve a customer.
* [I]nspect a cake.
* [C]lose the shop.
Making the cake......
Made cake 0.
Name> abcd
Price> 123
In total, you have sold $0 worth of merchandise, and have 1 customers waiting.

Heap baking is a craft, are you up for it?
> Read More

20. no args (1000 Points)

$ ./no-args
Vote for your Favorite Problems from picoCTF 2018!
1. Choose a Problem
2. Vote for a Problem
3. View Results
4. Exit
Enter the Name of the Problem you want to Vote for

Finish this last one and I won’t argue with you about your skills.
> Read More