Description
Best Hacker's Shoppe! You start with 40 coins but the flag costs 100. Find a way to get more coins.
Setup
Connect via netcat to interact with the shop.
Solution
- Step 1Use a negative quantity to gain coinsFrom the main menu, select option 1 (Buy). Choose item 0 (the cheapest item). When prompted for quantity, enter -99. Because the shop never validates that quantity is positive, it subtracts a negative cost -- which adds coins to your balance. You will now have far more than 100 coins.
Learn more
This is a classic integer sign validation bug. The shop computes your new balance as:
balance = balance - (price * quantity). With a negative quantity, the subtraction becomes an addition. This class of bug has caused real-world financial exploits in video games and occasionally in production payment systems where quantity fields lack server-side non-negativity checks. - Step 2Buy the flag and decode the outputNow select option 1 again and buy item 2 (Fruitful Flag). The shop outputs the flag as a space-separated list of decimal ASCII values. Use Python to convert each number to its corresponding character.python3 -c "print(''.join([chr(x) for x in [112,105,99,111,67,84,70,123,98,52,100,95,98,114,111,103,114,97,109,109,101,114,95,55,57,55,98,50,57,50,99,125]]))"
Learn more
The flag is output as decimal ASCII code points separated by spaces.
chr(x)converts an integer to the corresponding Unicode/ASCII character. Joining the characters gives the flag string. This encoding is trivially reversible -- it provides no obfuscation, but is a common pattern for flag delivery in binary/remote challenges.
Flag
picoCTF{...}
The shop never validates that quantity > 0 -- supplying a negative quantity causes the balance to increase instead of decrease.