Writeups

Integer Over

Category : Pwn

We are given a binary.

We decompile the binary in Ghidra. The useful function:


undefined8 main(void)

{
  long in_FS_OFFSET;
  char local_1d;
  int local_1c;
  int local_18;
  int local_14;
  long local_10;
  
  local_10 = *(long *)(in_FS_OFFSET + 0x28);
  printf("Give me one param: ");
  fflush((FILE *)0x0);
  local_14 = __isoc99_scanf(&DAT_00400869,&local_1c);
  if (local_14 != 1) {
    puts("I expect a number.");
    fflush((FILE *)0x0);
  }
  local_1d = 0;
  local_18 = 0;
  while (local_18 < local_1c) {
    local_1d = local_1d + 1;
    local_18 = local_18 + 1;
  }
  if (local_1d == -0xe) {
    gimmeFlagPliz();
  }
  else {
    printf("No, I can\'t give you the flag: %d\n",(ulong)(uint)(int)local_1d);
    fflush((FILE *)0x0);
  }
  if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {
                    /* WARNING: Subroutine does not return */
    __stack_chk_fail();
  }
  return 0;
}


The code asks for one parameter, which is a number. To get the flag, we need to reach the gimmeFlagPliz() call, which only happens if the iterator local_18 (with local_18 and local_1d being equivalent) is -14, i.e. -0xe, and is of the int datatype. It is compared to the input parameter local_1c, which is of the long datatype.

So, after a while, the value will overflow into negative.

The following math helps:

max(long)+output=input
2147483647+-14=input=2147483634
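
An added example, not part of the original writeup or the challenge binary: the decompiled main declares local_1d as char, so the counter compared against -0xe is 8 bits wide and only the low byte of the input survives the loop. The C sketch below reproduces that loop, its closed form, a count of the inputs that land on a given value, and a range-checked variant; all function names are hypothetical, and a signed 8-bit char (gcc on x86-64) is assumed.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Same shape as the decompiled loop: an 8-bit counter bumped n times.
 * The increment is done on uint8_t so the wrap is well defined; the cast
 * back to int8_t matches gcc's signed `char` on x86-64 (assumption). */
static int8_t count_like_binary(int n)
{
    uint8_t c = 0;
    for (int i = 0; i < n; i++)
        c++;
    return (int8_t)c;
}

/* Closed form of the loop: only the low 8 bits of a positive n survive. */
static int8_t count_closed_form(int n)
{
    return n <= 0 ? 0 : (int8_t)(uint8_t)((unsigned)n & 0xFFu);
}

/* Number of int inputs in [1, INT_MAX] that leave the counter at target. */
static long inputs_reaching(int8_t target)
{
    long first = (uint8_t)target;      /* -14 -> 242 */
    if (first == 0)
        first = 256;                   /* n must be positive to loop */
    return (INT_MAX - first) / 256 + 1;
}

/* Hardened variant: refuse any n the 8-bit counter cannot represent. */
static int count_checked(int n, int8_t *out)
{
    if (n < 0 || n > INT8_MAX)
        return -1;
    *out = (int8_t)n;
    return 0;
}

int main(void)
{
    int8_t v = 0;
    printf("242        -> %d\n", count_like_binary(242));
    printf("2147483634 -> %d\n", count_closed_form(2147483634));
    printf("inputs reaching -14: %ld\n", inputs_reaching(-14));
    printf("checked(242) = %d\n", count_checked(242, &v));
    return 0;
}
```

The value used in this writeup, 2147483634, is the largest int whose low byte is 0xf2; 242 is the smallest.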

SSH’ing into the server, we get the flag:

ssh -i ssh.key  -p 2223 user@hell-of-a-jail.ctf.insecurity-insa.fr
 ___           _   _            _      ____   ___  _  ___
|_ _|_ __  ___| | | | __ _  ___| | __ |___ \ / _ \/ |/ _ \
| || '_ \/ __| |_| |/ _` |/ __| |/ /   __) | | | | | (_) |
| || | | \__ \  _  | (_| | (__|   <   / __/| |_| | |\__, |
|___|_| |_|___/_| |_|\__,_|\___|_|\_\ |_____|\___/|_|  /_/

===========================================================

      You are accessing a sandbox challenge over SSH
        This sandbox will be killed soon enough.
       Please wait while we launch your sandbox...

===========================================================

Give me one param: 2147483634
INSA{B3_v3rY_c4r3fUL_w1tH_uR_1nt3g3r_bR0}
Connection to hell-of-a-jail.ctf.insecurity-insa.fr closed.