🚩
Capture the Flag
  • Capture the Flag
  • PicoCTF
    • PicoCTF 2023
      • General Skills
        • chrono
        • money-ware
        • Permissions
        • repetitions
        • useless
        • Special
        • Specialer
      • Cryptography
        • HideToSee
        • ReadMyCert
        • rotation
        • PowerAnalysis: Warmup
      • Reverse Engineering
        • Ready Gladiator 0
        • Reverse
        • Safe Opener 2
        • timer
        • Ready Gladiator 1
      • Forensics
        • PcapPoisoning
        • hideme
        • who is it
        • FindAndOpen
      • Binary Exploitation
        • two-sum
      • Web Exploitation
        • MatchTheRegex
        • findme
Powered by GitBook
On this page
  • Description
  • Solution
  • Flag
  1. PicoCTF
  2. PicoCTF 2023
  3. Binary Exploitation

two-sum

Author: Mubarak Mikail | 100 points

Description

Can you solve this?

What two positive numbers can make this possible: n1 > n1 + n2 OR n2 > n1 + n2

Enter them here nc saturn.picoctf.net 57334. Source

Solution

For this challenge we are given a simple mathematical problem and told to find a solution for n1 and n2. We are also given the source code in C, as shown below. 

% cat flag.c
#include <stdio.h>
#include <stdlib.h>

static int addIntOvf(int result, int a, int b) {
    result = a + b;
    if(a > 0 && b > 0 && result < 0)
        return -1;
    if(a < 0 && b < 0 && result > 0)
        return -1;
    return 0;
}

int main() {
    int num1, num2, sum;
    FILE *flag;
    char c;

    printf("n1 > n1 + n2 OR n2 > n1 + n2 \n");
    fflush(stdout);
    printf("What two positive numbers can make this possible: \n");
    fflush(stdout);
    
    if (scanf("%d", &num1) && scanf("%d", &num2)) {
        printf("You entered %d and %d\n", num1, num2);
        fflush(stdout);
        sum = num1 + num2;
        if (addIntOvf(sum, num1, num2) == 0) {
            printf("No overflow\n");
            fflush(stdout);
            exit(0);
        } else if (addIntOvf(sum, num1, num2) == -1) {
            printf("You have an integer overflow\n");
            fflush(stdout);
        }

        if (num1 > 0 || num2 > 0) {
            flag = fopen("flag.txt","r");
            if(flag == NULL){
                printf("flag not found: please run this on the server\n");
                fflush(stdout);
                exit(0);
            }
            char buf[60];
            fgets(buf, 59, flag);
            printf("YOUR FLAG IS: %s\n", buf);
            fflush(stdout);
            exit(0);
        }
    }
    return 0;
}

If you didn't known any better you would start thinking of numbers to enter into the program to make the mathematical problem work. However, this is not a math problem, it is a binary exploitation problem.

If you know anything about the security of C, then you know it is prone to being exploited due to it's low level interactions with memory and system resources. In this instance we can see that n1 and n2 are defined as integers, and taking a hint from the source code 'checking' for integer overflow, we can exploit the program.

A signed integer in C is 4 bytes or 32 bits. 32 bits can represent 2^23 values (4,294,967,296). Since our program uses signed integers, these values represent integers -2,147,483,648 to 2,147,483,647. We take advantage of these limitations below by exceeding the integer ceiling and causing an integer overflow. 

% nc saturn.picoctf.net 57334
n1 > n1 + n2 OR n2 > n1 + n2 
What two positive numbers can make this possible: 
9999999999
9999999999
You entered 1410065407 and 1410065407
You have an integer overflow
YOUR FLAG IS: picoCTF{Tw0_Sum_Integer_Bu773R_0v3rfl0w_fe14e9e9}

Flag

The flag after executing the integer overflow is picoCTF{Tw0_Sum_Integer_Bu773R_0v3rfl0w_fe14e9e9}

PreviousBinary ExploitationNextWeb Exploitation

Last updated 1 year ago