Writeup in progress
Currently making the solution for flag leakand the walkthrough will be published here as soon as it's ready.
Check back soon - or follow our latest updates on the homepage- to be notified when the full writeup goes live.
flag leak
Published: July 20, 2023
Want more picoCTF 2022 writeups?
Useful tools for Binary Exploitation
- Hex ViewerView text or raw hex bytes as a xxd-style hex dump with byte offset, hex columns, and ASCII sidebar. Highlights printable characters and null bytes.
- Binary CalculatorPerform binary arithmetic (add, subtract, multiply, divide) with copyable outputs in every base.
- Bit Shift CalculatorPerform left/right bit shifts and see the result across binary, octal, decimal, and hex.
- Number Base ConverterConvert numbers between binary, octal, decimal, and hexadecimal instantly. Enter any value and see all four bases update in real time.
Related reading
- Format String Vulnerabilities for CTF Binary ExploitationA beginner-friendly guide to format string vulnerabilities in CTF binary exploitation: how printf leaks memory, finding the format string offset, writing arbitrary values with %n, and walking through the picoCTF format string series.
- Using GDB for CTF Reverse EngineeringA practical guide to GDB for CTF competitions: running binaries, setting breakpoints, reading registers, inspecting memory, and tracing through the Bit-O-Asm and GDB baby step challenge series.
What to try next
- Binary ExploitationMedium
Echo Escape 1
Overflow a 32-byte buffer reading up to 128 bytes in the echo service. Overwrite the return address to redirect execution and reveal the flag.
- Binary ExploitationMedium
Echo Escape 2
The developer switched to fgets() but used the wrong buffer size. Exploit the off-by-one to read the flag from memory.
- Binary ExploitationMedium
offset-cycle
Classic ret2win buffer overflow. Find the offset with a cyclic pattern, locate the win function with objdump/pwntools, and add a RET gadget for 16-byte stack alignment if needed.
- Binary ExploitationMedium
tea-cash
Traverse the tcache free list and manipulate heap chunks to redirect a future allocation to the flag's memory address.
- Binary ExploitationMedium
Echo Valley
A PIE binary with printf format string vulnerability leaks the binary base and stack addresses. Use them to bypass ASLR and build a write-what-where exploit.