PicoCTF 2018 - Binary Exploitation Challenges
We’ve solved every single last PicoCTF 2018 Binary Exploitation challenge. Read our writeups to up your hacker game and learn what you’ve been missing. For more information on what PicoCTF is, read our introductory Blog Post.
Getting Started
NOTE: As of 2021 the picoCTF 2018 servers are offline. You can no longer download or use any of the challenges. This page is left up strictly as a reference.
Required tools: ssh client
Strictly speaking, you should be able to do almost all of the challenges with nothing beyond the tools already available on the ssh server.
However, I would recommend downloading the problems and working locally. For Ubuntu systems, you’ll want to do the following:
sudo dpkg --add-architecture i386
sudo apt-get update
sudo apt-get install -y libc6-dbg lib32stdc++6 libc6-dbg:i386 libstdc++6:i386
This should allow you to execute 32-bit binaries on a 64-bit Ubuntu installation.
In addition, you’ll likely want to install packages for binutils, python3, pwntools, netcat, and nasm.
Windows Users
Fear not, it is relatively easy to work on these problems from your Windows machine (I did). At the end of the day, these are Linux binaries, so you will still need access to a Linux instance to run them. Both Docker and WSL2 will allow you to have complete Linux instances running in a virtual machine. WSL1 is also an option, and will get you surprisingly far, but the caveat is that 32-bit binaries are explicitly not supported by WSL1, so you will have to run those challenges on the shell server.
List of Challenges
1. buffer overflow 0 (150 Points)
$ ./vuln abcd
Thanks! Received: abcd
The trick with this challenge is to make the program segfault (in the right way). The binary already registers a segfault handler that, if successfully executed, will print out the flag. All you have to do? Make it crash!
2. buffer overflow 1 (200 Points)
$ ./vuln
Please enter your string: abcd
Okay, time to return... Fingers Crossed... Jumping to 0x80486b3
The training wheels come off, and you have to use the buffer overflow vulnerability to execute a specific bit of code at an exact location in memory. The question is, can you get it to work?
3. leak-me (200 Points)
$ ./auth
What is your name?
abcd
Hello abcd,
Please Enter the Password.
password
Incorrect Password!
It’s still a buffer overflow, but it won’t crash and it won’t execute code. How will you trick it into revealing its secrets?
4. shellcode (200 Points)
$ ./vuln
Enter a string!
abcd
abcd
Thanks! Executing now...
Segmentation fault
In which we hand-craft some artisanal x86 shellcode.
5. buffer overflow 2 (250 Points)
$ ./vuln
Please enter your string: abcd
abcd
Now that you’ve got a handle on buffer overflows, can you figure out how to use your control of the stack to pass arguments into a function?
6. got-2-learn-libc (250 Points)
$ ./vuln
Here are some useful addresses:
puts: 0xf7660150
fflush 0xf765e340
read: 0xf76d5440
write: 0xf76d54b0
useful_string: 0x56624030
Enter a string: abcd
abcd
Thanks! Exiting now...
Time to put all your training to work - there are no more easy win()s, but at least there’s PIE.
7. echooo (300 Points)
$ nc 2018shell.picoctf.com 34802
Time to learn about Format Strings!
We will evaluate any format string you give us with printf().
See if you can get the flag!
abcd
abcd
The trick to this one is all in formatting your query correctly.
8. authenticate (350 Points)
$ nc 2018shell.picoctf.com 52398
Would you like to read the flag? (yes/no)
yes
Sorry, you are not *authenticated*!
Did you think printf was just for printing values? Naw, it can do more than that.
9. got-shell? (350 Points)
$ nc 2018shell.picoctf.com 3582
I'll let you write one 4 byte value to memory. Where would you like to write this 4 byte value?
abcd
Okay, now what value would you like to write to 0xabcd
0
Okay, writing 0x0 to 0xabcd
timeout: the monitored command dumped core
You’re only 4 bytes away from pwn - assuming you can put them in the right spot.
10. rop chain (350 Points)
$ ./rop
Enter your input> abcd
When you need something done, a gadget is your friend.
11. buffer overflow 3 (450 Points)
$ ./vuln
How Many Bytes will You Write Into the Buffer?
10
Input> abcd
Ok... Now Where's the Flag?
Do you really think a little bird is going to stop us, after all that we’ve learned?
12. echo back (500 Points)
$ ./echoback
input your message: abcd
abcd
Thanks for sending the message!
With recursion, you can update your .got AND have shell too.
13. are you root? (550 Points)
$ ./auth
Available commands:
show - show your current user and authorization level
login [name] - log in as [name]
set-auth [level] - set your authorization level (must be below 5)
get-flag - print the flag (requires authorization level 5)
reset - log out and reset authorization level
quit - exit the program
Enter your command: show
Not logged in.
Enter your command: get-flag
Login first!
A tantalizing first taste of memory reuse in heap exploits.
14. gps (550 Points)
$ ./gps
GPS Initializing..........Done
Acquiring satellites.Satellite 0.......Done
Satellite 1...Done
Satellite 2.....Done
GPS Initialized.
Warning: Weak signal causing low measurement accuracy
We need to access flag.txt.
Current position: 0x7fffcd721538
What's your plan?
abcd
Where do we start?
xyz
Segmentation fault (core dumped)
What happens when you don’t know exactly where to go? Will you crash out, or slide on through?
15. can-you-gets-me (650 Points)
$ ./gets
GIVE ME YOUR NAME!
abcd
Your last chance to master buffer overflows - ROP now, or gets out.
16. freecalc (750 Points)
$ ./calc
Welcome to heapcalc! This is a postfix calculator.
Commands: + * - / = # constant function
Example: '1 1 + =' outputs 2.
Define functions like ': <name> <opcount> <op1> <op2> ...'
Example: ': add 1 +' defines a function add with one operation which executes '+'.
Good luck!
> abcd
Invalid operation 'abcd'
>
Can you calculate your way out of this mess?
17. sword (800 Points)
$ ./sword
/* Welcome! */
1. Forge a sword.
2. Synthesise two sword.
3. Show a sword.
4. Destroy a sword.
5. Harden a sword.
6. Equip a sword.
7. Quit.
1
New sword is forged ^_^. sword index is 0.
/* Welcome! */
1. Forge a sword.
2. Synthesise two sword.
3. Show a sword.
4. Destroy a sword.
5. Harden a sword.
6. Equip a sword.
7. Quit.
3
What's the index of the sword?
0
The weight is 0
The name is (null)
It was all fun and games until you got here.
18. contacts (850 Points)
$ ./contacts
Available commands:
display - display the contacts
create [name] - create a new contact
delete [name] - delete an existing contact
bio [name] - set the bio for an existing contact
quit - exit the program
Enter your command: create abcd
Created contact "abcd"
Enter your command: display
abcd - (No bio)
Sometimes, you’ve got to fake it until you make it.
19. cake (900 Points)
$ ./cake
[ASCII-art cake banner]
In total, you have sold $0 worth of merchandise, and have 1 customers waiting.
* [M]ake a cake.
* [W]ait for customers.
* [S]erve a customer.
* [I]nspect a cake.
* [C]lose the shop.
M
Making the cake......
Made cake 0.
Name> abcd
Price> 123
In total, you have sold $0 worth of merchandise, and have 1 customers waiting.
Heap baking is a craft. Are you up for it?
20. no args (1000 Points)
$ ./no-args
Vote for your Favorite Problems from picoCTF 2018!
1. Choose a Problem
2. Vote for a Problem
3. View Results
4. Exit
1
Enter the Name of the Problem you want to Vote for
abcd
Finish this last one and I won’t argue with you about your skills.