I Recently participated in the africa battle ctf 2023, In this blog I will cover some of the challenges I tackled. In all honesty, some challenges I tackled during the CTF and some after the CTF.
battleCTF Event Portal
We see a call to puts which prints a statement then we see a printf followed by a scanf which prompts the user for a pass. It is then followed by an if function which we see calls bin/sh else it prints wrong password in the else function. So we need to get the pass so that we can execute the if function to get bin/sh. Looking at the category we see it is an integer overflow challenge. That right away gave me an idea of what I was going to do. When an arithmetic operation on two numbers results in a result that is larger than the largest value that the data type of the integers can represent, this phenomenon is known as integer overflow. This can result in unexpected and possibly inaccurate results since the operation’s result will wrap around to the lowest number that the data type can support.
In C we know the max value is 0xffffffffffffffff . But we see to get the pass we need to do this function “pass * 0x726176656e70776eu == 0x407045989b3284aeu”. Theguyintuxedo explains integer overflow better.
So to get the pass we can write a script to solve that.
1from z3 import *
2
3get_pass = Solver()
4
5x = BitVec("x", 64)
6
7get_pass.add(((x * 0x726176656e70776e) & 0xffffffffffffffff) == 0x407045989b3284ae)
8
9if get_pass.check() == sat:
10 solution = get_pass.model()
11 solution = hex(int(str(solution[x])))
12 solution = solution[2:]
13
14 # Reverse the value
15 value = ""
16 i = int(len(solution) / 2)
17 while i > 0:
18 i -= 1
19 y = solution[(i*2):(i*2) + 2]
20 value += chr(int("0x" + y, 16))
21
22 print("please give me the password .....")
23 print("Here is your password: " +value)
24else:
25 print("something must be wrong!!")
Running that should gives us the answer.
More Coming soon!